Harlo Holmes on Newsroom Security in 2017
The Freedom of the Press Foundation’s Director of Digital Security on the biggest risks newsrooms face
Harlo Holmes is a media scholar, software programmer, and activist who leads digital security work for the Freedom of the Press Foundation, the organization co-founded by Daniel Ellsberg and Trevor Timm in 2012 to fund and protect adversarial investigative journalism. Holmes has long been a contributor to the open source mobile security collective The Guardian Project, and was a founding member of the DeepLab cyberfeminist collective. In 2014, Holmes was a Knight-Mozilla Fellow at the New York Times.
She agreed to speak with us last week, and the following is a lightly edited transcript of our conversation.
Digital Security at the Freedom of the Press Foundation
You’re the Director of Newsroom Security at the Freedom of the Press Foundation—what is the scope of your work in that role?
I head up the New York office—most of the rest of our team is out in San Francisco and we have a team of three that do digital security. Day to day, we write a lot of curricula and guides, some of which are publicly shared, and some that we render into newsletters and podcasts. We also consult with particular orgs or groups directly—people get in touch with us and request training. We interview them about their specific goals because it’s not always one-size-fits-all advice, and from there we create an action plan or curriculum or workshop agenda and produce it with them.
And sometimes we work on bespoke solutions—for particular problems that someone might have. For example, I was approached about recording a conversation with a source that they were conducting over Signal. It wasn’t that the source didn’t want to participate, but that the source didn’t necessarily want to have the metadata associated with all that right now, so they wanted to do it over Signal. So I did a lot of research about what it means to introduce an app such as [the one you use] onto your device and the particular security implications of that, if the recordings are hosted on a third-party server, what that means. And then we went shopping and bought a whole bunch of old-school AV equipment, so we could hook up a bunch of connector cables, plug in the wires, and record microphone and headphone input and output onto a two-track mixer and make an “analog” recording.
So that’s an example of the kind of bespoke solutions we work on with people.
And then on my off-time we do a lot of research into existing tools and workflows to prod them for their vulnerabilities and ways they can be misused or abused, so we can make better recommendations. And we also play with new toys and new workflows and see what is most applicable for power users to bolster their security.
What kinds of organizations come to you for training? I’m sure you can’t talk about specifics, but do you mostly see major newsrooms or local organizations? How would you characterize your clients?
It definitely spans the gamut. We’ve gone into a lot of national papers, physical big buildings with dedicated IT staff and entire teams that get together and learn about digital security together but then we also work with independent journalists who have specific questions. Those tend to be face-to-face meetings in our office or at a cafe where they’d like to meet, or even over a call. And sometimes we put together events for groups of people who are associated, like a guild or a union, or who just get together for something crypto-party-like. It’s all over the place, and we’re happy to have the capacity to serve people at various points, where they are.
Do you mostly work with US-based organizations, or do you work with international folks as well?
We do mostly work within the US, simply because that’s where our name recognition lies, although we’d be interested in working more internationally.
The work that the FPF does isn’t limited to digital security, though that’s a huge component of what we do. FPF also provides legal support, financial support in the form of crowdfunding, and technical support. So between all four components, a lot of our expertise is grounded in the US context, especially when it comes to legal advice and what we can do, legally, to advocate for people.
In terms of digital security, although I personally have a fair amount of international experience, we’re starting to realize more and more that where you actually live does matter as far as what you can actually do, and what the rules and best practices for the equipment you can use are.
We do have international expertise, but we’re most comfortable with the US context. There are plenty of awesome orgs that do similar work to ours in other countries, and it’s very important to us that when we’re out on the conference circuit, we always check in with those people and compare notes and tactics, and know who we can recommend. So if somebody comes to me and lives in England, I know that they should reach out to Privacy International, things like that. And it’s perfectly okay to share those resources.
Security Challenges in Journalism
From where you sit, what are the most challenging security issues for journalists and news organizations working in the US right now?
Well, we shall see! We’re at a little bit of a crossroads.
About a year ago, credential management and anti-phishing and things like that were the hot-button issues. And they still are—phishing doesn’t get more advanced, but it’s a sleight-of-hand trick, a social engineering attack, so the next time it arises, it’s going to be something you didn’t think of. It’s not going to be any more dangerous, but it’s also not going to be any less dangerous. It’s just going to change its face. So teaching people to be vigilant about that is always beneficial, but at this point, it’s low-hanging fruit.
One thing we’re grappling with right now is how to do cross-border work. It used to be that you would worry about people who were doing deep investigative journalism across borders, and you’d worry more about what happened when they try to leave the country that they were in. Now we have to worry about every side of the crossing—what happens when you leave home vs. when you arrive where you’re going, and what happens when you’re about to return home vs. when you finally get home. Putting together solutions that work for each of those four critical steps is one of the most pressing issues right now.
Another thing we have to contend with is…hitting a wall. A year or two ago, we all got on the end-to-end encryption bandwagon. That was one of the most influential things in terms of what we expect, not only in newsrooms but also as general consumers, in terms of data protection. But then when you look at what happened to Mega…where even though the blobs are encrypted, what happens if you literally deny people access to that data? That’s an example of a wall. We have the encryption, we know that the data is safe, but if for some reason the data disappears and becomes inaccessible to you, that’s a wall. That’s another thing I have on my radar: trying to build resilience into these tools. Resilience in the face of obstruction.
Every day is a new bowl of scorpions.
Does this stuff play out differently for freelance journalists and those in small newsrooms, versus big organizations like the NYT and Washington Post?
In terms of border crossings, people who are independent freelancers and shop stories to a variety of newsrooms are very, very concerned, and then you talk to people at the biggest corporations, and they have the exact same concerns. We’re all in the same boat.
The crucial difference is that if you’re working with corporate backing, you have a lot more wiggle room in terms of burner devices. But there’s still hope for everybody.
News Nerds as Security Ambassadors
A lot of our readers are developers, interactive designers, and data folks in newsrooms. Are there any security-related actions you would urge those people, in particular, to take?
I’ll preface this by saying that I am lucky to have a deeper background in technology than the average person, but when I’m wearing my digital security training hat, I have to realize that I can’t bring everybody up to that level of experience. You have to come at it from the stance of a power user, rather than as a programmer. Knowing how software works on the inside can help you choose or evaluate the things you’re going to train people on, but once you’ve made those decisions you have to approach people as a power user yourself, rather than as a programmer.
That’s simply because if you put too many barriers in people’s way, they will override your great but overly complicated suggestions and go back to doing exactly what they were doing before.
Even in corporate organizations, I have seen time and time again that when the IT department doesn’t have a focus on implementing user-specific digital security, people will go over their heads and make trouble, because IT doesn’t speak their language.
Everyday (Border) Carry
What do you personally carry when you cross borders?
I have two cardinal rules: One is to only bring what you need—so if you can afford to take a break from sensitive work emails, by all means do so. And two, don’t try to be tricky, because doing things that ultimately put you in a place where you have to lie or be dishonest about what you have, or can give people access to, is not likely to work out in your favor.
With that in mind, there are a couple of things that I think are fun. I’m excited about Chromebooks, they’re cheap, they’re a little bit security-via-obscurity, but they tend to be a little more resilient against malware and viruses. They’re manufactured but incredibly cheap. So if someone takes your device from you, you can either be sure they could only have done so much to it, or you can wipe them continuously. Or replace them if need be, because they’re cheap.
I like traveling with a travel router. I’ve been using a Net Aid Kit, made by Free Press Unlimited, to have a handy VPN connection, and it’s so dead simple to spin up, a great offering.
And I travel with a burner phone because that’s the way I do things. Setting up various travel workflows has gotten rid of a lot of my fear of wiping and resetting.
How would you define a travel workflow?
It’s a plan for which devices you’re going to bring, what data you will put on them, how you manage access, and what happens if you lose them. I think that’s something people might need to get used to—treating your devices as data vehicles rather than this precious piece of hardware. Learning how to spin up something and wipe it properly is also a good thing to be in practice with.
The Guardian Project
Since I’ve known you, you’ve also been involved with the Guardian Project on top of everything else you do—what’s going on over there these days? Are you still working with them?
I am still affiliated with them, at a minimal capacity in terms of writing code, but right now they’re revisiting the rich codebase they have been working on for the past couple of years. They’re revisiting the Panic Button, one thing we’d worked on maybe about six years ago, because the capabilities of Android OS have changed so much. Now that has become something called the PanicKit, which allows you to stack actions that respond to a panic button. What’s interesting about that is that it shows that the developer mindset around these types of tools has to evolve with what people demand of Android as a platform.
And as always, we are still working on the groundwork we’d laid with CameraV/InformaCam. Now there’s a project called Proof Mode, which has a pared-down and less proprietary output, and it’s more workable than the system we’d set up before. And of course the flagship products are still in development, such as Orbot and Orfox. ChatSecure is going to be sunsetted on the Android side, but not on the iOS side, in favor of a product called ZOM, which puts a more user-friendly face on Jabber.
Now that the Signal protocol has shown itself to be one of the most cryptographically robust solutions that we have for end-to-end security—and modular enough to be worked into many different experiences and apps—we are exploring how to best leverage that in projects to come.
It’s an incredibly exciting time for Guardian Project development, though unfortunately, my schedule doesn’t permit me to code too much with them.
Coming Up Next
What else should we know about that you’re working on?
Harlo Holmes is the Director of Newsroom Digital Security at Freedom of the Press Foundation. She strives to help individual journalists in various media organizations become confident and effective in securing their communications within their newsrooms, with their sources, and with the public at large. She is a media scholar, software programmer, and activist; and contributes regularly to the open source mobile security collective the Guardian Project.