Internet

Facebook joins Global Network Initiative

2013-05-22T16:00:55Z

With more than a billion users, Facebook is not only the biggest global social network but also an increasingly important forum for journalists. In some repressive countries it has even served as a publishing platform for journalists whose newspapers or news websites have been closed down. That is why journalists and bloggers should note today's news that after a year of standing on the threshold, Facebook has decided to step inside the Global Network Initiative tent.

]]> There they'll find competitors Google, Microsoft, and Yahoo huddled with human rights defenders and ethical investors trying to work through some of the thorny challenges to freedom of expression and user privacy posed by powerful political and commercial interests worldwide.

Facebook held nonrenewable "observer status" with GNI for the past year and had to decide this month whether to publicly commit to GNI principles or walk away.

One of the biggest hurdles for any corporation joining the initiative is the opening up of its inner workings to outside scrutiny. Companies must agree to allow independent assessors to evaluate regularly whether they have put in place systems to uphold GNI principles and whether those systems are working. This would entail, for example, examining how a company handled a demand from a government for information about a user; did it simply hand over that information or did it push back? Much of the impetus to create GNI came after Yahoo provided information to the Chinese authorities which helped them identify reporter Shi Tao as the source of a story that led to his imprisonment.

The three founding companies mentioned above are already deeply into the assessment process. Facebook will not begin it assessment until 2015.

[CPJ is part of GNI, and Robert Mahoney is a GNI board member.]

So your Twitter account is hacked? Reset, tweet, pray.

2013-04-24T19:07:12Z

That is a bogus @ap tweet.
-- AP CorpComm (@AP_CorpComm) April 23, 2013

More than a quarter million Twitter accounts have been hacked worldwide, the social media company disclosed in February, but Tuesday's attack on The Associated Press's verified account, @AP, had unusual effect. The Dow Jones industrial average fell 143 points after someone hijacked the AP's account to falsely tweet that two explosions at the White House had wounded President Barack Obama. The market recovered, but the hacking--just the latest in a series of attacks on news organizations--sent shudders through a profession that's grown accustomed to breaking its news on Twitter.

]]> So what to do if your Twitter account is hacked? The best advice is not to let it happen in the first place; the AP said the attack on its Twitter account was preceded by a phishing expedition--an attempt to extract usernames and passwords--that was launched against its corporate network.

We'll work backward in this piece. If your account has already been hacked, a first step is to request a password reset from Twitter by going to this Twitter page, "My account has been hacked," and then using the password reset form and following instructions.

If you still see unauthorized Tweets indicating the account remains hijacked, the next step is to check the external applications accessing your account. Steve Hill, an Indiana-based, internet technology blogger, recommends going into your Twitter account's settings and clicking on applications to see the list of apps, such as Facebook or TweetDeck, that are being allowed access to your account. "Identify the applications you don't recognize or are not comfortable allowing access," adds Hill, "and click 'Revoke Access.'" Then try resetting your Twitter password again.

If you still can't recover the account on your own, you can send Twitter a "Support request," and click on "Hacked account."

Beginning Tuesday evening, CPJ sought out the advice of analysts and fellow journalists, a collection that we've Storified. Several followers suggested some good preventive steps, while others expressed bewilderment about what they might do in case of an attack.

Alex Howard, Government 2.0 Washington correspondent for O'Reilly Media, offered this suggestion for follow-up messages to Twitter (and a higher power):

@7skiestech @acarvin file a ticket with @safety, tweet at @twitter staff, pray.
-- Alex Howard (@digiphile) April 23, 2013

The goal of this tactic is to get your message heard by a human being who can respond. In that vein, you could also tweet at individual Twitter staff members you know or who might be receptive to your problem.

But whatever you do, don't bother calling Twitter on the phone. The firm's San Francisco line answers with a recording saying, "For customer support, press 1." After you press 1, another recorded voice says, "Unfortunately, Twitter does not provide user support over the telephone."

The voice on the recording goes on to suggest that you try Twitter's Help Center at support.twitter.com. The voice continues: "Our help center contains information about contacting our team via email." But any such email addresses on the Help Center page are either missing or very hard to find, which may explain why @digiphile concluded his Tweet by suggesting that you add a dose of prayer to your efforts.

The AP is hardly alone in facing attack. CBS News reported that the Twitter accounts of its news programs, "60 Minutes" and "48 Hours," were compromised over the weekend. On Monday, hackers accessed two International Federation of Association Football's Twitter accounts to send a flurry of false tweets alleging corruption by FIFA leadership.

Twitter has been criticized for failing to deploy two-step (or two-factor) authentication, which would make it harder for hackers to gain access to an account. Providers such as Google, Microsoft, and Facebook already offer this. Wired reported Tuesday that Twitter is now testing a two-step process with hopes of releasing it incrementally to users. Wired describes the two-step process:

When logging in from a new location, it requires users to enter a password and a randomly generated code sent to a device, typically via a text message or smartphone application. In other words, accessing an account requires having two things: something you know (the password) and something you have (a previously registered device).

But for now, security is mainly in your own hands. Some basic steps can help limit your exposure. Avoid clicking on any strange links that come to you within either your Twitter feed or Direct Messages on Twitter. "Think before you click!" advises Andrea Vahl, a social media consultant, author, and community manager of the online magazine Social Media Examiner.

Change your password regularly and make sure it is a strong password involving multiple types of characters like r7#. The CPJ Journalist Security Guide recommends creating a passphrase using different character types that you will remember and that is unique to you. Something like, Icbm#&!Tawh, for "I can't believe my #&! Twitter account was hacked."

Make sure you are on Twitter's actual site before logging on, Vahl notes. A website can be made to look like Twitter so check the URL to be sure that it says: https://twitter.com. Twitter automatically loads an https address, which provides more security than the simple http. Vahl also recommends adding your mobile number to your account. "Twitter can verify your account if it's been hacked through your mobile phone and restore your access quicker," she notes.

Twitter has a page, "Keeping your account secure," that explains preventive measures in detail. The page also reminds users to keep their computer and operating systems updated with the most recent security patches and anti-virus software. This is important. Many journalists and human rights activists working in less developed nations can attest to the risk of having one's devices infected through the use of pirated or outdated software.

Enrique Piraces, a colleague at Human Rights Watch who specializes in digital security, tells us that preventative steps are especially important for those who don't work for large organizations. In response to our queries, he said that dealing with a hacking attack on your own poses big challenges.

@pressfreedom Good/hard question. Unless part of a large org most channels r ad-hoc, reactive. That is why prevention goes a long way.
-- epiraces (@epiraces) April 23, 2013

China decrees use of foreign news must be approved

2013-04-18T20:27:18Z

You have to wonder how this will be enforced, but China's State Administration of Press Publication, Radio, Film and Television has issued a "Notice on Strengthening Control of Media Personnel's Online Activities" (关于加强新闻采编人员网络活动管理的通知). Chinese media organizations have been told to stop posting foreign media news without government permission: "Without authorization, no kind of media outlets shall arbitrarily use media release from overseas media agencies and media websites," is the way Caijing magazine translated it.

]]> The directive also says, "News work units that have established official weibo accounts must keep records for their managing work unit and appoint a person to be responsible for posting information." Our colleagues at the Berkley-based China Digital Times explain that officially approved social media sites like Sina Weibo and others had "allowed journalists to skirt press censorship, posting information about the Wenzhou train crash, the Southern Weekly protest, and other major events on their personal accounts. Media organizations have even issued weibo in defiance of propaganda directives. The government has caught on and is now attempting to stymy this outlet."

To make sure everyone got the message, an article headlined "SARFT to enhance control over editors' online activities," explaining the new rules, was apparently published by almost all state-run media at the same time. You can find an unofficial translation here posted by the China-watching website A Big Enough Forest. The directive comes in an effort "to promote the establishment of a healthy news order" the official explanation reads.

According to the translation, the new directive also requires that editors "must quickly delete harmful information. News editors must receive permission from their work units to set up professional Weibo accounts, and must not post information on Weibo that violates laws, regulations, or managing rules from their own media organizations. Without approval, they are not permitted to post any kind of information obtained through their professional activities."

Other than the day-to-day (and sometimes minute-to-minute) editorial guidelines flowing out of what used to be called the central propaganda department, this is the first major censorship directive to be handed down under the new government of Premier Li Keqiang. If there were any hopes of a liberalized attitude toward media under the new regime, this part of the official explanation for the directive, as translated by A Big Enough Forest, should make clear that won't be happening anytime soon:

The "Notice" requires that news editors must uphold the policy of encouraging unity and stability, and promoting positive coverage in the main, while actively using traditional media, news sites, blogs, Weibo accounts and other methods of information dissemination to broadcast mainstream information, guide public opinion, and take the initiative to reject leaks and broadcasts of harmful information; they must not use or report online information that has not been verified through official channels, and must not disseminate or repost online rumors or speculative information.

And, courtesy of China Digital Times, a point of clarification for China watchers enamored of state agency acronyms: The State Administration of Press Publication, Radio, Film and Television is a new ministry formed from the merger of the State Administration of Radio, Film, and Television (SARFT) and the General Administration of Press Publication (GAPP). That should make handing down censorship directives just that much easier.

Working with phone companies on free expression

2013-03-12T17:34:24Z

For more than six years the Committee to Protect Journalists has been working with freedom of expression advocates, investors, and giant Internet companies to promote online freedoms. Absent from the discussions under the umbrella of the Global Network Initiative have been the telecommunications companies--vital gateways to the Internet for journalists and bloggers, particularly in much of the global South. Today things have changed.

]]> Some telecom companies took part in the early GNI negotiations, but when it came time to commit in 2008, they said they were not ready to join. But telecom companies are under increasing public scrutiny around the world as governments make more and more demands for access to the treasure troves of information they hold on all of us who go online, send a text message, or make a phone call.

A group of companies known as the Industry Dialogue, which have been meeting since 2011 to address these concerns, today committed to work with GNI over the next two years. The companies are: Alcatel-Lucent, France Telecom-Orange, Millicom, Nokia Siemens Networks, Telefonica, Telenor, TeliaSonera, and Vodafone. These firms, though based in Europe, have global reach.

Although the telecom companies are not joining GNI, their willingness to engage is a positive first step. And the Dialogue remains open for more telecom companies to join.

As censorship wanes, cyberattacks rise in Burma

2013-02-11T16:29:44Z

Cyberattacks on news websites and apparent government hacking into journalists' email accounts have raised new questions about the integrity of media reforms in Burma. The New York Times reported on Sunday that several journalists who regularly cover Burma-related news recently received warning messages from Google that their email accounts may have been hacked by "state-sponsored attackers."

]]> Burma-based Associated Press reporter Aye Aye Win and Thailand-based Swedish reporter Bertil Lintner both recently received the Google warnings, according to The New York Times report. Irrawaddy reporter Saw Yan Naing and Weekly Eleven News Journal Executive Editor Nay Htun Naing told CPJ that they, too, had recently been warned by Google that their accounts may have been compromised.

All of the journalists have reported on the armed conflict between ethnic guerillas and government forces in the country's northern Kachin state, despite official attempts to bar reporting from the area. Weekly Eleven was the first local publication to report in late December that government forces had used air power against rebel positions--news that sparked international condemnation of the conflict's escalation.

While President Thein Sein's quasi-civilian administration has loosened restrictions on the press--for example, ending pre-publication censorship of newspapers and magazines last year--many local journalists and editors remain skeptical about his government's commitment to press and Internet freedoms.

The Electronic Act, a law used to prosecute and jail journalists under the previous military junta, is still on the books and allows for seven- to 15-year prison terms for receiving or sending information over the Internet deemed a threat to state security, community peace and tranquility, or national solidarity.

The Google warning said that "we believe that state-sponsored attackers may be attempting to compromise your account or computer" and "It's likely that you received emails containing malicious attachments, links to malicious software downloads, or links to fake websites that are designed to steal your passwords or other personal information."

The warnings follow cyberattacks against independent local media. Weekly Eleven's website was hacked and temporarily disabled on January 15 and 16, according to a February 5 memorandum of complaint, addressed to the National Press Council and copied to Thein Sein, calling for an independent investigation into the attacks. The letter, written by Weekly Eleven Chief Editor Wai Phyo and reviewed by CPJ, said the hackers identified themselves as "Red Army Team."

The Voice, another local news publication, reported that anonymous hackers referring to themselves as "MMFC" and "Anonymous Myanmar" infiltrated and posted unsanctioned information to their Facebook page on February 4, according to the same memorandum.

Exile-run media groups like Irrawaddy and Democratic Voice of Burma have been hit in the past with anonymous distributed denial-of-service (DDoS) attacks that disabled their websites at crucial news junctures, such as during the 2007 government crackdown on Buddhist monk-led street protests. Government officials have consistently denied responsibility for those attacks.

This time, however, there are significant leads that a truly independent probe should actively pursue. In his complaint letter, Wai Phyo noted that the military-aligned Myanmar Express in reports on its website rightly predicted the cyberattacks against Weekly Eleven and had previously published the same information that was posted by hackers to The Voice's Facebook page.

"It is strongly suspected that the people representing Myanmar Express website seem to be some army officers with a hardline attitude and outlook who are collaborating with some department that is displeased with ongoing democratization," Wai Phyo wrote.

Burma's Ministry of Defense has chafed at critical reporting, saying in a rare public statement on January 29 that international organizations, embassies, and media were "fabricating news" about the Kachin conflict. If peeved army officials are indeed responsible for the recent cyberattacks, Thein Sein can make good on his reform vows by punishing them under the law while allowing the media to report freely on the conflict without fear of reprisal on the ground or in cyberspace.

Drawing lessons from Chinese attacks on US media

2013-02-07T17:38:21Z

Not every media company is as tempting a target for hackers as The New York Times, The Washington Post, or The Wall Street Journal. Not every company can afford high-priced computer security consultants, either. Is there anything that everyday reporters and their editors can learn about protecting themselves, based on the revelatory details the Times and other targets made public last week?

]]> As we wrote at the time, the cyber-attacks on the Times, the Post, and the Journal came as no surprise to foreign reporters working in China or elsewhere who repeatedly face fake emails, custom malware, and hacking attacks on their webmail. But the level of access that the hackers obtained at the Times' main offices, and the publication of details by their technical advisers, can be instructive.

The Times revealed that it had been persistently attacked by hackers for four months. The attackers specifically aimed for access to emails and contacts kept by reporters covering the financial affairs of China's premier, Wen Jiabao, and his relatives. There was no smoking gun indicating that this was the work of state-sponsored hackers, but the Times' security experts, Mandiant, said the target, the techniques, and the timing of the attacks strongly suggest it was planned by Chinese hackers working under the guidance of the Chinese military.

The Post was later reported to be using the same company to fight off an attack that began in 2011. The Journal said the FBI had warned them of a breach in their security in mid-2012. On Tuesday, Rupert Murdoch, chairman of the paper's owner, News Corp., tweeted that "[the] Chinese [are] still hacking us, or were over [the] weekend."

The first lesson: Even if your employer has a dedicated computer security detail (most do not), you should still make the security of your own computer a personal matter. Hackers target the weakest leak in order to enter a system, and do not differentiate between personal or professional systems. The New York Times indicated in its report that the first breach was a personal "spear-phishing" mail sent to a Times employee on his or her own computer. The most convincing of these attacks use personal details gleaned from public sources or private intelligence. Be careful what email attachments you open. Don't use the same password on different services, even if one is professional and the other private. With the cracking of passwords used by Times employees on an internal system, other accounts used by those employees elsewhere became vulnerable, the Times implied. Follow our advice and others on developing your own computer security regime.

Second, you should understand that hackers can gain access to a great deal of incidental material, even when their attacks fail at their goals. It is reassuring that even when the Times hackers were attempting to target investigators in China, they were unable to penetrate the additional security those reporters used. But, this same group now presumably has a large amount of other information--including names, passwords, and personal information on other reporters. Such information can be used in future attacks, or may be traded to other groups with other targets. Twitter lost control of the (obfuscated) database holding the passwords and email addresses of its earliest users this week. That information could be used as tradable knowledge for more targeted attacks on reporters who re-used their Twitter passwords on other services.

For now, these professional, advanced, and persistent attacks are being conducted in cases of well-financed industrial espionage or sophisticated state-level spying. But given the impunity with which these hackers operate, it's only a matter of time before the data they collect and the tactics they use will trickle down to common crooks or petty dictators.

Which brings us to a third point. Both China and the United States are now suspected of using malware and the illegal entry of computer systems as tactics in their foreign policy. China spies on American news media; the U.S. is assumed to have been behind StuxNet, a customized piece of malware targeting the Iranian nuclear program.

There are no clearly defined international norms that govern these practices. As China's Ministry of Defense told The New York Times, "Chinese laws prohibit any action including hacking that damages Internet security," and similar laws apply in Iran and the U.S. But if nations believe that they can conduct these operations abroad against any target without consequence, in an environment where all countries see hacking as legitimate statecraft, then journalists will inevitably be among the many unprotected groups that will suffer for it.

In the end, the only weapon journalists have to defend themselves against such attacks is vigilance, and their most well-worn weapon: transparency. The New York Times, Washington Post, and The Wall Street Journal all took an important step when they began publicizing the attacks they have faced. They can continue to help smaller media companies and individual reporters by publishing more details, and pressuring governments to outlaw cyber-attacks as a tool of international affairs.

Yahoo HTTPS mail not a moment too soon, nor too late

2013-01-09T22:50:11Z

I remember sitting with a Yahoo employee in 2009, talking about the lack of protective encryption on Yahoo's Web mail accounts. Like many, the employee had been caught up in the news of how Iranians were using the Internet to document and protest the presidential elections in that country, and had grown worried about the possibility of governments intercepting Yahoo customer's emails without due process. As an immigrant from a repressive regime, he told me, he was aware of how much danger this posed. He said he was going to raise the topic internally.

]]> A year later, I met him again. Turning on "https" or secure sockets layer (SSL) encryption for Yahoo Mail, it was clear, was going to be a fairly major undertaking. The infrastructure that Yahoo had built to cope with millions of users was not easy to convert to support "https" connections. He had heard that the proposal reached board level before being put to one side. His company, he felt, had let him down.

Three years later, Yahoo has a new board, and a new chief executive. Within the Global Network Initiative and without, human rights groups had repeatedly encouraged Yahoo to protect its mail users from spying. Late last year, we got word from Yahoo that they were experimentally rolling out SSL as an option. Last week, the company quietly revealed its availability to all users.

I can't say that the change in priorities came about as a direct result of Yahoo's new leadership, but its CEO freely acknowledged that public pressure played a role.

@dangillmor Thanks, Dan!Twitter spoke and we listened.This was very important and we're doing our best.More to come...
— marissamayer (@marissamayer) January 6, 2013

The announcement was quickly buried in more bad news for Internet security, however. Google announced Thursday that users in Turkey were being tricked into using a fake certificate for their connections to Google's own email and other secure services. The trick being used is one that could potentially remove the protection of any "https" site. Then on Monday, reports came through of a new, unconnected, security vulnerability in Yahoo Mail.

In the face of flaws both in Yahoo's software and the nature of the SSL infrastructure itself, is there any value to Yahoo's change of heart, and to the effort put into switching to an encrypted service?

I'd strongly argue that there is. The computer security staff at large Internet companies have a good idea of the sort of attackers from which they need to protect users, and strategies they can use to do so. That list of common foes won't be the same as the attackers that dissident and independent journalists fear. Yahoo and Google expect cybercriminals, not local law-enforcement or corrupt officials. But many of the protections that Internet companies can erect to protect the general consumer can also protect vulnerable reporters.

Google quickly spotted the fraudulent certificate and publicly warned companies like Apple, Mozilla, and Microsoft to identify and reject it. Yahoo fixed the temporary flaw in its software. Both of these steps protected the general userbase--and it protected the most vulnerable users.

The best security measures are the ones which protect all users, from all attacks. Sometimes companies cannot commit to such a high level of protection. But the average user is better served when they do. If you advocate for that level of protection, you're also helping those who might face more determined and more powerful adversaries. And there is the side-effect of respecting the wishes of your most diligent employees: those who speak up on behalf of your customers.

In the meantime, whether you're a reporter under a repressive regime or any other Yahoo mail user, you should turn on SSL encryption now. And don't click on any strange links.

China's name registration will only aid cybercriminals

2012-12-28T22:24:20Z

China's mounting crackdown on online news dissemination took an extra step today, when the country's Standing Committee of the National People's Congress, its de facto legislative body, announced new requirements on Internet service providers and mobile phone companies to identify their users. The new rules would potentially allow ISPs and the authorities to more closely tie real identities to posts and commentary on micro-blogging sites like Weibo, as well as connect text messaging and mobile phone conversations to individuals.

]]> The announcement follows a series of new restrictions on Internet access in the country, including the blocking of virtual private network (VPN) connections used to evade the "Great Firewall;" the blocking of major foreign news sites' reporting on Chinese leaders; and censoring discussions on domestic social media. The timing of the new steps is particularly troubling to those who anticipated that restrictions would ease after the Communist Party's National Congress in November, where new leaders were appointed, The New York Times notes.

Demanding real names for mobile phone users and even websites is not unique to China, but it seems unlikely that the reasons that the Chinese authorities gave--to protect against cybercriminals--are the entirety of the thinking behind the ruling.

"Nowadays on the Internet there are very serious problems with citizens' personal electronic information being recklessly collected, used without approval, illegally disclosed, and even traded and sold," the Times quoted a member of the Standing Committee as saying.

But China's new rules will hardly improve matters. In fact, real identity systems exacerbate the problem, by requiring users to upload the identity information and documents that others can use to commit fraud.

South Korea passed a law in 2004 requiring all forums to collect the state resident registration numbers (the equivalent of a U.S. Social Security number) of their users. In August 2011, hackers broke into the system used to verify the numbers, and obtained the personal details, including the resident registration numbers, of 35 million people, around 70% of the entire population. The companies involved blamed Chinese hackers. The rule was later struck down by the Korean Supreme Court as an unconstitutional restraint on free speech. In 2010, Mexico retroactively required all of its mobile phone users to provide their personal details with the carrier. Shortly after the deadline for registration passed, copies of the official databases--including the names and home addresses of police officers--were found for sale at Mexico City's Tepito flea market.

China's state media attempted to head off critics of the new policy, while conceding that it would be used to target online conversations. "Reports state that the identity policy will clamp down on the freedom of speech in Chinese cyberspace," said China's English-language Xinhua News Agency, "But the accusers should know that freedom without limits or responsibility is chaotic and dangerous... The rule should only be feared by slanderers who wish to take advantage of online anonymity."

In Internet freedom fight, why the ITU matters (for now)

2012-12-14T17:39:49Z

For most of its almost-150-year history, the meetings of the International Telecommunication Union (ITU), the United Nations' communications standards body, have been rather predictable affairs.

]]> Representatives of the world's governments regularly gather to sign off on technical recommendations drafted by the technocrats of telephone companies and government bureaucrats. The diplomats would then return home to encode the minutiae of the regulations into their governments' communications policies. Less frequently the same officials met to renegotiate the terms and scope of the ITU's work, to take into account new telecommunications innovation (like radio or television) that may have come into view. It's a meticulous and slow-moving body of international technical co-operation which for over a century has ensured that radio stations don't interfere with each other, communication satellites pass safely in the night, and that telephone lines in one country can seamlessly connect to those in another.

The work behind such standards and definitions, however, has a far wider effect than just fine-tuning our communication devices. Telecommunications standards shape the media they describe, and can influence how free those media are. As long as the majority of media passes through cables and between aerials, the outcome of these technical arguments will have a serious knock-on effect on press freedom.

This week's ITU meeting in Dubai was intended to be another uncontroversial renegotiation of its organizing principles, the International Telecommunication Regulations or ITRs. Instead, deep divides emerged, with the United States and at least a dozen other countries (out of 193 member states) exercising their strongest sanction by refusing to sign the ITU's final document.

At the heart of the dispute was the belief, on the U.S. side, that the ITU should not get involved in Internet regulation; and the insistence of others that the ITU has a role to play in management of the Net.

The Internet has a long history of ruffling feathers at the ITU. Here's a journalist's report from an earlier spat, back in 1976:

There is a heated international argument over who will control packet-switched communication networks--the carriers or the users... Many multi-terminal users believe they can maximize the benefit of packet service only by employing end-to-end communication protocols... This contention makes the carriers livid and helps explain why the argument was gathering heat at the Geneva [ITU] meetings.

That was a description by Phil Hirsch of Datamation of the first conflict between the young advocates for what became the Internet, and the ITU's own standard designers.

The fight then reflects the fight now. The ITU is run by governments, who at that time mostly directly controlled their countries' telephone networks through state-owned telephone companies ("the carriers"). Back in 1976, the ITU's in-house design for the future was a protocol called X.25. It assumed the future of the new digital network would be similarly, centrally controlled by the same state-run telephone companies.

The United States' ARPANET TCP/IP protocol, designed by Vint Cerf's team of academics and sponsored by the U.S. military, was the competition. It was an "end-to-end communication protocol," which meant the power and responsibility for almost every aspect of how data was sent and received shifted to end-users instead.

The ITU lost that battle. The users, it seemed, wanted more control. TCP/IP dominates our packet-switched Internet, not the ITU's X.25 protocol.

As a consequence, the descendants of those "carriers" ended up losing a great deal of power over what passes over their digital networks. Indeed, everyone lost the ability to control the flow of information online. Countries like China have policies explicitly in place to limit and filter Internet news, but they are often stymied by Internet users' ability to adopt new software and web platforms, and the network's resistance to central mandates. All of that slipperiness, so useful to fight censorship and propagate the news, comes from the network's decentralized design and TCP/IP's triumph over more centralized protocols like X.25.

The incentives and biases that made X.25 the ITU's favorite protocol are still present today. The ITU remains the exclusive domain of governments, advised by large incumbent telecommunications companies. Its deliberations have traditionally taken place behind closed doors , with a limited set of participants invited by governments. At best, its delegates prefer carefully documented, precisely controlled, and universally proven approaches. At worst, its technical decisions are disproportionately influenced by the authoritarian bent of some participating nations, including countries unfriendly to press freedom such as Saudi Arabia, China, and the United Arab Emirates.

What standards govern the wider Internet, by contrast, have always been more free-wheeling. The process in its own informal standards bodies is sometimes chaotic, and often bypassed entirely. There's no Internet standard or oversight board for Skype, for instance. BitTorrent, one of the most popular protocols online due to its use in sharing large (often copyright-infringing) files, has never been near a standards body.

But no one compels anyone to use Skype or BitTorrent, nor the more official standards of the Internet and the Web. And no international organization exists that might suggest that users should not be allowed to use those protocols. The users' choices take precedence.

The fear among Internet freedom advocates was that by having the ITU assume some of the roles of defining the protocols of the Internet, arguments for more direct government control would trump those offering more flexibility or freedoms.

The past 12 days in Dubai showed that to be the case. Telephone companies lobbied to up-end the pricing system of the Net. A proposal to encode human rights obligations into the organization's charter failed after objections from China, Algeria, and Iran. Finally, a late-night act of procedural sleight-of-hand led to clauses about the Internet being pasted into the proposed treaty. By the final day, several countries, including the U.S., the United Kingdom, Australia, Kenya, and India, declined to sign the end result.

If the leadership of the ITU was serious about taking more control over Internet affairs, its plan failed. In the wake of the ITU's split vote, the Internet remains as loosely coordinated and user-driven by default as it has always been.

That's not a universally positive result for online press freedom. While all the countries declining to sign the ITU treaty cited control of the Internet as the reason, academic Milton Mueller has suggested that another proposal , requiring countries to provide "non-discriminatory access to modern telecommunications," might have inspired the United States' ire. The resolution, a sore point for years, was prompted by the effects of the U.S. sanctions on Internet availability in the Sudan. Other proposals in the ITU document, including on transparency and notification about the use of Internet "kill switches", would have promoted connectivity in the face of government suppression, not limited it.

And Internet regulation is not all sweetness and light without the ITU. Many countries suspected the U.S. of wanting to maintain control of the domain name system through its support for ICANN, the American private company that manages the more central elements of the domain name infrastructure. The ITU may be secretive, but by comparison ICANN is positively opaque, and continues to lack the international involvement that the ITU can genuinely boast. As Ethan Zuckerman notes, the Internet is not perfect as it is, and lacks obvious ways to change for the better.

But perhaps the most worrying potential future for the Internet will happen whether the ITU is able to recover from this diplomatic collapse or not.

For 35 years, Internet advocates' concerns with the ITU have been with its dominant voices: governments and their closely associated incumbent telecom companies. In the next decade, a large part of end-user Internet traffic will be shifting to mobile broadband devices. Mobile networks are largely run by those same incumbent telcos. Their networks are heavily regulated and controlled by local governments. Mobile companies are free to block protocols like Skype, censor websites, and spy on their users, with little oversight or global condemnation. It would be a tragedy if the pioneers of the Internet fought off the slow-moving bureaucratic threat of the ITU, only to lose control of their ideals to those same forces in the fast-moving and unregulated wilds of the mobile Internet. Their victory at the ITU would be pyrrhic; and the real losers would be journalists and their audiences, reading news on a mobile but spied-upon and censored Internet.

Syria's desperate move to cut links won't succeed

2012-11-30T18:52:15Z

The Syrian Internet, like the country, appears to have been collapsing into a patchwork of unconnected systems for some time. I spent time talking to Syrians tech activists this week in Tunisia before Thursday's shutdown, and their reports from the front painted a picture of two different networks.

]]> In government-controlled regions, they said, the Internet was available, but heavily controlled. Cybercafés had mandatory ID requirements, video cameras trained on screens and visitors, and keystroke loggers whose contents were collected daily by security personnel. At checkpoints, Assad forces were said to be visually checking laptops for programs like Tor and TrueCrypt that would allow users to get around the government controls.

In the rebel-controlled areas, Internet connectivity was shut down, and almost all external digital communication was via satellite phone. Rebels have seized cell towers, the activists told us, but are struggling to establish their own communications services.

Nonetheless, there's a profound difference between the Assad regime's previous policy of attempting to control the flow of news and information from Syrians to the outside world, and within rebel controlled regions, and Thursday's mass shutdown, which was still in effect Friday. The evidence from companies like Cloudflare and Renesys shows that Syria followed the same kill switch procedure as Egypt--an orderly shutdown of almost routes within the country, managed by the government's continuing control over the edge routers that announce those pathways to the outside world.

As it was in Egypt, this is a desperate act. Killing the entire Internet stops Assad's allies from using it--as they have with some effect, intercepting unencrypted communications and distributing malware to opposition activists. It prevents not just anti-Assad propaganda from leaving the country, but any information at all. It suspends modern business communication, and any reporting.

No news, they say, is good news. But if a regime has so lost control of its country that suspending any and all communications is better than permitting even the smallest peep of objective reporting to escape its grip: well, as Egypt showed, that has to be bad news for that regime.

And even such drastic steps are not going to prevent the news from escaping Syria.

Even before the cut-off, there were plenty of witnesses smuggling video and reports out of Syria using USB sticks. The jamming of satellite phones is used but not ubiquitous, activists say. The reception areas of mobile phone networks in Syria's neighboring countries reach past their borders. Syria's technical community inside and outside the country were already working on alternatives to the state Internet infrastructure, and that work goes on--mesh networks, dial-up systems, and satellite phone media centers. None of these will be able to replace the economic and social functions of a fully-functioning Internet. But they will be used by reporters and citizen journalists to uncover the truth. That function of an open society, at least, will not be stopped by an Internet kill switch.

Dear CPJ: Some malware from your 'friend'

2012-08-30T20:32:23Z

We talk a lot about hacking attacks against individual journalists here, but what typifies an attempt to access a reporter's computer? Joel Simon, CPJ's executive director, received an email last week that reflects some characteristics of a malware attack against a journalist or activist. There was nothing particularly notable about the targeting. (Like many reporters, CPJ receives such attempts occasionally). The attack failed at the first fence, and my casual investigation into the source was inconclusive. There are no shocking answers or big headlines to draw from this attack. But it does illustrate a contemporary reality: Opportunistic assailants regularly shower journalists with software attacks.

]]> The email was marked as being from "Rony Kevin," a misspelling of Rony Koven, who works with the World Press Freedom Committee, a partner press freedom organization. The originating Yahoo account wasn't his, of course; the attackers had no connection with Koven at all.

The subject of the mail was "Fw: Journalists arrested in Gambia," and the content of the mail was boilerplate text about reporters who had been recently imprisoned, followed by "Please review the attachments for more information." The text was actually copied and pasted from this Article 19 alert. The text promised more information in an attached ZIP file, called "Details," which it said was password encoded with the letters "CPJ."

CPJ staffers are, as you might imagine, extremely cautious about opening strange attachments, but, after the mail had been quarantined, and in a suitably safe computing environment, I took a closer look at the attachments' contents. Out of the five documents in the Details.zip file, one was a text copy of the Article 19 article, three were accompanying pictures of the Gambian journalists--and one file was a Windows program, disguised as an image, which would have starting running if anyone clicked on it. (It would probably have also triggered several dozen anti-virus Klaxxon warnings, but some people don't use anti-virus software or ignore it.)

Taking a closer look at that executable with some simple analysis tools, it was clear that the real job of the program was to unpack a piece of malware, stick it somewhere innocuous on the computer, and set it up to run automatically in the future. The unpacking code was a standard utility, with some comments in Chinese. At this point, I handed the file over to security researcher Morgan Marquis-Boire to see what he could make of it. Morgan let me know that the file was indeed malware and, when started, began communicating with a machine in Indonesia. I've mailed the administrators of that machine, but as usual, they did not reply. For now, the trail has run cold.

What can we learn from this attack? The fake identity of the email's source and the content about Gambian journalists suggest that somebody had dedicated some time to understanding CPJ, its interests, and its network of partners. This is all evidence of "spear-phishing"--a person or group targeting a particular individual or organization, rather than the usual fraudsters and spammers attempting to exploit hundreds or thousands of generic Internet users. Whoever sent this wanted access to CPJ's computers in particular, and was willing to spend at least some resources obtaining information that would make their emails convincing to us, and perhaps other international press freedom groups like the World Press Freedom Committee and Article 19.

The encryption of the Zip file was a smart way to get past the simplest anti-virus software. Anti-virus software that runs automatically wouldn't know the password so it would not be able to automatically unzip the attachment and look inside for trouble. The personalized password also helps make the email seem more genuine.

The Chinese language in the executable means that this malware has come from a toolkit that used Chinese elements. There are plenty of Russian and Chinese tools floating around the international computer underground, however. You might not need to speak Chinese to use a piece of software with Chinese comments embedded within it, so I don't think you can draw many conclusions from that.

Neither can you draw much from the use of an Indonesian command-and-control center. Just because the first stop for information sent from the infected computer is Jakarta, that doesn't mean that it's the final destination. That machine is undoubtedly an innocent system, taken over remotely by the attackers, and used as a convenient middleman for their activities.

So we don't have much information about the specific identity of the hackers. We do know, however, that they exist: This isn't an attacker who particularly cares to cover his tracks and doesn't mind too much if the attack fails.

The software is generic, and could have been obtained by anyone interested in conducting an attack. There's nothing that shouts state actors here, except perhaps for the target. There aren't many other reasons to spend time specifically targeting press freedom groups, unless you are able to sell control of their computers to a third party who cares to disrupt or monitor their activities.

Who are those third parties? Whoever they are, their tactics are illegal in most countries. And their long-term targets are surely not NGOs like ours, but the journalists we seek to defend.

Weak cyber protections lead to personal, institutional risk

2012-08-06T22:14:27Z

The Syrian civil war is also a propaganda war. With the Assad regime and the rebels both attempting to assure their supporters and the world that they are on the brink of victory, how the facts are reported has become central to the struggle. Hackers working in support of Assad loyalists this week decided to take a shortcut, attacking the Reuters news agency's blogging platform and one of its Twitter accounts, and planting false stories about the vanquishing of rebel leaders and wavering support for them from abroad.

]]> The stories and tweets were unconvincing, and none spread much further than their home sites. The majority of readers disseminating the repurposed Twitter stream appeared to be Assad partisans, either keen to spread the misconceptions or to believe them themselves.

The attacks demonstrate, however, how media institutions are at risk of targeted attacks by state-supported electronic activists--and that hackers will attempt to leverage the outlying parts of a large organization to take wider control, or at least the appearance of wider control.

Neither Reuters' blogging site nor its minor Twitter accounts feed the company's authoritative wire service, but as a consequence they may not have the same levels of heavy protection against misuse. A weak password used by a single person could have granted an outsider the power to post publicly to either service.

Even when a hacker's target is an individual journalist and not his or her media organization, things can escalate to affect the institutions journalists work for. When the tech reporting site Gizmodo's Twitter account was taken over on Friday, it was through an attack on one of its former reporters, Mat Honan. Gizmodo's reporting has made it unpopular in some quarters, but Honan says that he was the target, and that Gizmodo was "collateral damage." His Twitter account was linked to Gizmodo's corporate account, and the attackers used one to post to the other.

Honan's story should give anyone pause about their own digital safety, especially if they rely on external companies. His Twitter account was taken over by a hacker who persuaded a tech support line operator to reset the password to his Apple account. The attacker used this account to change his linked Gmail and Twitter account information, and then proceeded to use the "remote wipe" feature on the latest Apple iPhone and laptops to disable and delete the content of his phone, iPad and Macbook. As a freelancer, Honan did not have offline backup of his work. (Honan says he is waiting for a response from Apple the company; meanwhile, Apple tech support is helping with damage control).

Honan has corresponded with an individual who claims to be his hacker, and says that the real intent of the compromise was his three-letter Twitter account. Whether it's by common cybercriminals or state-supported propagandists, journalists are being targeted as individuals. The organizations that employ them need to invest resources and training to improve their cyber-security; not least because when one person's security is compromised, everyone who relies on that person is also under threat.

For journalists, danger lurking in your email

2012-07-27T11:47:42Z

This week, Morgan Marquis-Boire and Bill Marczak of the University of Toronto's Citizen Lab provided a disturbing look into the likely use of a commercial surveillance program, FinFisher, to remotely invade and control the computers of Bahraini activists. After the software installs itself onto unsuspecting users' computer, it can record and relay emails, screenshots, and Skype audio conversations. It was deployed against Bahraini users after being concealed in seemingly innocent emails.

]]> In one example decoded by Marquis-Boire's team, the message was crafted to appear to be from Melissa Chan, a journalist working for Al-Jazeera English. The attackers were using Chan's reputation as a journalist to trick their victims into opening the document.

Chan now works for Al-Jazeera in Jerusalem, but when she was a correspondent in China she was the target of email attacks herself. In an attempt to take control of her real Gmail address, a message was sent to her from someone implying they were connected to China's "Jasmine revolution." The independent Bahraini newspaper Al-Wasat said it has been targeted with fake messages from sources as well--not to deliver malware, but to trick it into running false stories the government then used to try to discredit the paper.

Fake email sources are relatively easy to imitate. The "From" address used in the Bahraini attack was not Chan's own email address, but a throwaway Gmail account that looked like an address ("melissa.aljazeera@gmail.com") Chan might conceivably use.

Broad caution with unknown correspondents is a defense: If you don't download attachments and don't click on links in strange emails, you aren't vulnerable to the hacking attacks these emails are designed to allow. When I spoke to Chan about the attacks in her name, she noted that "many people do not look at the email address, but just the 'Last Name, First Name.' ... There were one or two times when I wasn't sure about the sender and I wrote back asking them to identify themselves in a way I'd know was definitely him/her."

That's a good technique, but it's even better if you can use an alternative medium for your fact-checking. Use a phone call or instant messaging to confirm a message before opening any attachment. If an attacker has already used malware to take control of another users' computer, they may have access to private information. They can also act as a "man in the middle" online, relaying email questions and answers between two unsuspecting correspondents--but able to spy or add their own fabrications. A live phone call is harder to fake.

In terms of sophistication, it's hard to know what to think of the Bahraini espionage revealed by Citizen Lab. In some ways, the masquerade was clumsy--but, then, if it had been more convincing, it may have gone unnoticed. We only see the results of unsuccessful espionage. Still, even that is enough to see the damage being caused to the reputations of journalists and the safety of their communications. Security services faking messages from real journalists in order to spy on activists is a grave danger to press freedom.

Citizen Lab's analysis demonstrates that spyware supposedly made for law enforcement purposes by the UK company Gamma International is now being used in ways that no democratic society can tolerate. Gamma should immediately reveal whether they have been selling this technology to the Bahraini authorities and what it intends to do to prevent abuses from recurring.

Face-blurring comes into focus for journalists

2012-07-20T21:24:24Z

This week, YouTube announced a feature that should catch the eye of video journalists and bloggers working in dangerous conditions. After uploading a video to YouTube, you can now deploy a "blur faces" post-production tool that, in theory, should disguise the visual identity of everyone on the screen. The Hindu newspaper has an excellent how-to guide for their readers.

]]> Face-blurring can be an important security tool for journalists working in regions where witnesses are punished simply for talking to the media. Documenting events in the manner they occur remains the common professional mandate, but in certain instances, such as protecting a vulnerable news source providing sensitive information, blurring a facial image can serve an important purpose. It's another iteration of the age-old equation of reporting the news while protecting your sources; each journalist must strike his or her own balance.

YouTube's new feature is not yet perfect and, as Google warns, some hand-holding is needed. The algorithm is optimized for speed more than accuracy, which means that it can sometimes miss a face, or overcompensate. There isn't yet an interface for choosing which faces to blur or how to disguise voices. It may fail to work on your particular video because the faces are moving too much or the recognition system fails to consistently spot them.

Nonetheless, it's an important step forward. Google says that it first considered face-blurring after activists requested the feature in a 2011 report compiled by Witness, the organization that uses video and other technology to defend human rights. Face-blurring is something that will be appreciated by thousands of other YouTube users, from protective parents to merry pranksters, but the most compelling argument for its use came from videographers trying to report the news while protecting those they cover.

Journalists need a wider range of such capabilities, and they need them embedded in consumer applications. Consumer Internet services, after all, have become entwined in the lives of professional and citizen journalists. It often falls to individual reporters to use these tools, instead of relying on an editor down the line.

You can't quite hand off all your security problems to the cloud, though. Google's face-blurring works only with its copy of the video, not the original source on your local device. There's some early work by technologists such as the Guardian Project to bring real-time face-blurring to android cameras. But integrating such capabilities into the early stages of a professional work flow is not easy; even computer security experts are still struggling with how to permanently delete recorded content from modern flash storage.

These problems are hard and require long-term research. Face-blurring is one of the first steps in a long road that involves the active involvement and advocacy of companies, technologists, activists, and journalists. Without feedback and support, companies will quietly let these features "bitrot" away. And without active advocacy and criticism, other essential parts of the same emerging security infrastructure will never get built.

Perhaps the best incentive to maintain and improve these privacy-protecting features is if the companies involved sense it's something they're actively competing to provide to their customers, rather than generously offering. I suspect it's just coincidence that Google's face-blurring was launched the same week as Facebook was being hauled over the coals in the U.S. Senate over its facial recognition, but that fact is almost certainly why YouTube's addition got some extra coverage. After a decade of consumer Internet services competing on ease of data-sharing, it will be equally rewarding to journalists if they were to start competing on better data protection.

Internet law: a good bad example of Russia's backsliding

2012-07-13T19:16:30Z

Russia's State Duma has passed a number of new laws in the past week, all seemingly aimed at reining in civil society and criticism of public figures. The bills would re-criminalize defamation and impose limits and labels on NGOs. They follow the introduction last month of excessive fines for unauthorized protests.

]]> One of this week's bills, Duma Bill 89417 is a proposed Internet statute that, among other provisions, would create a blacklist of websites that all Russians Internet service providers (ISPs) would have to block and refuse to host. The bill was hurried through the legislature in one week. (The defamation bill was approved today in the Duma's third and final reading; jail terms were eliminated from an earlier draft, but fines were allowed reaching as high as 5 million rubles or about US$153,000, news reports said.) Both bills now await President Vladimir Putin's signature.

Bill 89417 demonstrates everything that is wrong with this flurry of new legislation. Rather than fixing old legal problems, as the government claims, it exacerbates them, and to the extent it mirrors other countries' laws, it demonstrates just how much Russia is diverging from accepted international norms of human rights.

The new law ostensibly fixes flaws in a previous media regulation bill. At the very end of 2010, the Duma passed Law 436-FZ, which required all "information products," including Internet hosted material, deemed unsuitable for children to be marked with visible warnings. The law was due to take effect on September 1, 2012.

Internet technologists had warned that 436-FZ was too broad, and would require individual comments and home pages to be marked with age-appropriate ratings in the style of American movies. The new law supposedly corrects this. It amends the law to exclude the majority of Internet content, although still requires "online publications" to give ratings. The term is ambiguous, but apparently includes online news services.

The amendments also include the creation of a centralized blacklist of websites. After criticism from, among others, Prime Minister Dmitry Medvedev, the criteria for being included on the blacklist has been narrowed--it now is specifically tied to child-safety related content, including child pornography, material encouraging drug use, and suicide advice. Which sites should be placed on the blacklist, however, is to be solely determined by a new Russian agency, with no further oversight. Under a separate exemption, the Russian courts can place sites on the registry without limit, provided their content is "banned in the Russian media."

As with its predecessor, the new bill creates more questions and opens more loopholes than it addresses. Will the blacklist be secret? If so, how will websites be able to appeal being included (which, according to the law, they are only permitted to do for three months after introduction)? If websites do not appeal within the three-month timeframe, will they remain on the blacklist permanently? Will sites that do not contain age ratings be subject to bans by the courts? Will that include foreign news sites that may be unaware or unwilling to comply with Russian labeling requirements? Will a single page be sufficient to ban an entire site or IP address? How will sites be reported? Will it be possible to trigger a ban by maliciously injecting prohibited content into vulnerable sites? If such content is removed, will the ban remain?

If Russia's lawmakers are seeking to imitate other country's laws in the area of child protection, they have failed to learn key lessons. Russia's version of Wikipedia was one of the largest sites to protest the new law, as well it might. A similar, albeit voluntary, blacklist in the U.K. led the U.S. version of Wikpedia to be blocked by some ISPs in that country following the reporting of a single Wikipedia-hosted image. In the United States, the 1996 Communication Decency Act included provisions that would criminalize the distribution of obscene content to children, but these were overturned by the U.S. courts as creating unconstitutional limits on Internet expression.

Russia's compulsory prohibitions suffer from many of the same potential problems as the current U.K. system--enforced secrecy, arbitrary blocks, technical challenges, and a limited effect on the actual issue of child pornography. It carries with it the same wider impact on Internet expression that may be child-unfriendly, but is vital to an open society--including the free reporting of adult matters. Add to that the dangers of handing such power to censor the Net to a centralized and unaccountable government agency, allied with an administration increasingly unfriendly to dissent, and you are left with a law that will do little good, and probably much harm.

Politicians like Medvedev have pointed to its uncensored Internet as proof their country respects a free press. That Russia will so quickly abandon that standard shows how fragile its respect can be.