By Jake Edge
August 4, 2010
Journalist and digital rights activist Danny O'Brien came to GUADEC to try to educate GNOME hackers about
the threats facing journalists, their computers, and their online
communication from governments and organized crime. But free software can
help, so he wanted to outline the features that he thinks could be added to
desktops to help secure them and protect the privacy of all users, not just
journalists. Part of his job as internet advocacy coordinator for the Committee to Protect Journalists (CPJ) is to talk
to internet developers and "persuade them to think about how
journalists in repressive regimes are affected" by the choices those
developers make.
O'Brien has written for multiple publications including Wired UK and
the Need To Know email newsletter that he founded, which ceased
publication in 2007. He has also worked for the Electronic Frontier
Foundation (EFF) as activist coordinator and most recently its
international outreach coordinator. He is now with CPJ, which is
an organization that seeks to protect journalists from various threats,
both physical and in the online world. "They know the levers of
power to get people out of trouble, or to stop them from getting into
it", he said.
He started out by explaining that journalists do not understand recursion
as he found out when he tried to unpack GUADEC (GNOME users' and
developers' European conference) for his boss. The use of an acronym as
the first word of an unpacked acronym was problematic enough, but when he
tried to explain that GNOME is (or was) the GNU Network Object Model
Environment, he sensed he was getting in a bit too deep. Then he had to
try to explain "GNU's Not Unix".
The problems that many in the online and free software worlds have been
concerned about for years are finally becoming mainstream, he
said. "Powerful forces are trying to stop the spread of information
online", and that message is finally starting to get out. He put up
the recent xkcd comic ("It's the
world's tiniest open-source violin") as an example of one place
where those concerns are starting to get some mainstream attention.
He pointed to a number of different attacks against the computers of
journalists, generally from governments, but sometimes also from organized
crime syndicates. It's not just repressive regimes that target
journalists, he said, noting reports on the CPJ website regarding Japanese
journalists who have been subjected to governmental pressure and mistreatment.
One of the more insidious attacks against journalists' computers was an
email sent to foreign journalists based in Shanghai and Beijing from a
fictional editor for The Straits Times. The email was a credible
request for assistance in contacting people on a list contained in a PDF
attachment—a PDF with a zero-day exploit that installed spyware on
the computer. It was not just the foreign correspondents who were
targeted, however, as the email was also sent to the native Chinese
assistants of the correspondents, which is a list that would be difficult
to generate—unless a large intelligence agency was involved.
Another common tactic used by governments to intimidate and spy on
journalists is to raid the offices of a television/radio station or
publication because the
organization supposedly owes back taxes. All of the computer equipment is
then seized for evidence. A variation of that scheme was recently used in
Kyrgyzstan where a television station was raided due to alleged software
"piracy" and all of the computers were confiscated. Whether tax or
copyright violation charges are ever filed is irrelevant because the
government is really after the information stored on the computers.
Free software hackers have more of an interest in these kinds of problems
"than just not [being] the ones affected". There are things
that free software already does fairly well because those hackers
"have an interest in creating secure systems", but there's more that could
be done. It makes sense for it to be the free software community that
fixes these problems, because it is "not beholden to big
interests", O'Brien said.
So what is the "low hanging fruit"? Encryption is one area
that is relatively well covered, at least for the web, with TLS. It
provides security for publishers, readers, and commenters that is
protected from even "state-sized interceptors". It makes
simple censorship more difficult. The well-known Great Firewall of China looks for keywords, while the lesser-known Great English
Firewall matches URLs to a list of child pornography sites; each of those
censorship methods is blocked by encrypting web traffic.
But there are all sorts of internet protocols that are plaintext. "Since
we don't use telnet any more, why should our code?" He was
disappointed that the Telepathy communication framework doesn't ship with
Off-the-Record (OTR)
encryption support because it makes his job harder when recommending tools
to journalists.
He mentioned some Russian journalists that he had talked to who don't talk
on the telephone because they believe it to be bugged. They also only use
Gmail over HTTPS, "which is fine if you trust Google", but
they switched to using Yahoo Messenger "because they heard good
things about it"—unfortunately Messenger isn't encrypted.
O'Brien said that the reason they didn't know that it "is less secure
is because their desktop isn't telling them".
SSL certificates are another area of concern. Certificates can be forged
by governments or other entities and then used in targeted attacks to
intercept encrypted communications. The journalists that O'Brien deals
with are the "canaries in a coal mine" for these kinds of
problems. It is a "challenge for user experience" to
alert the user to things like changed certificates, but there are also
technical barriers as the libraries often don't return that kind of status
to the applications.
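The changed-certificate check he describes can be sketched as a small trust-on-first-use pin store; this is added example code, not from the talk or any GNOME component, and the host name and certificate bytes in it are constructed stand-ins:

```python
import hashlib
import socket
import ssl

# Added illustration of the desktop "advocate" O'Brien asks for: remember which
# certificate each host presented and warn when it silently changes (TOFU).
# Not code from the talk or from any GNOME component.

# Constructed stand-ins for DER certificate bytes, used by demo() below.
SAMPLE_CERT_OLD = b"constructed-der-cert-bytes-OLD"
SAMPLE_CERT_NEW = b"constructed-der-cert-bytes-NEW"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate as colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pin(store: dict, host: str, der_cert: bytes) -> str:
    """Return "first-seen", "unchanged" or "changed" for host's certificate.

    On "changed" the stored pin is deliberately NOT overwritten: the user,
    not whoever presents the new certificate, decides whether to accept it.
    """
    fp = fingerprint(der_cert)
    pinned = store.get(host)
    if pinned is None:
        store[host] = fp          # trust on first use
        return "first-seen"
    return "unchanged" if pinned == fp else "changed"


def fetch_der_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate a live server presents (needs network).

    Chain validation against the system CAs still happens; the pin check adds
    detection of a validly signed but unexpected certificate, which is the
    forged-certificate case the article describes.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def demo() -> list:
    """Offline walk-through on the constructed sample bytes."""
    store = {}
    return [check_pin(store, "news.example", c)
            for c in (SAMPLE_CERT_OLD, SAMPLE_CERT_OLD, SAMPLE_CERT_NEW)]
```

A real desktop component would persist the store and surface "changed" as a user-facing warning rather than a return value.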
He would like to see desktops have some sort of "advocate" for
user security that would check and report on privacy and security issues
with the software being used. User privacy and security are
"pervasive concerns that should live on the desktop", O'Brien
said. The desktop is becoming more intertwined with the web so it would be
very beneficial to have some kind of
active monitoring that is "sitting there checking that the systems
are secure".
When someone wants to communicate with multiple friends, why does the data
have to be sent to a central server, he asked. He would like to see the
desktop become a "first-class player on the internet" by
communicating in a decentralized, peer-to-peer fashion.
The organizations
that know they don't want people to have privacy recognize that the desktop
is the gatekeeper. A person's desktop is their "heart of
trust", he said. "We have a responsibility to take the freedom
that we take for granted and give it to people whose only privacy is their
desktop".
O'Brien came to GUADEC because he believes that the project can help solve
the problems in the privacy and security areas. GNOME has the "user
experience chops" to make
these kinds of changes, while continuing to produce a usable desktop.
While he is particularly focused on journalists, the changes he advocates
would be useful to many, but making them usable too will be a big challenge.