23
Need to conceal your metadata?
Typically, frequently non technical journalists give the glib response to “use encryption”, rattle off their favourite record of technologies, and oversimplify things to the point of risk.
The depressing truth is the fact that a lot of individuals are not equipped to do a great job of shielding their content or their metadata, and without insuring all the threats, it is irresponsible for anyone to say.
The belief that all you require is anonymity and encryption technologies to get around law enforcement is simplistic.
It is at least likely that they comprehend what they are saying.
But since there is still a belief that even the non technical user can choose a “One Odd Trick” strategy to getting around the Australian government’s data retention regime, Vulture South want to spell out the hazards at every point.
Using Tor: Tor supplies restricted anonymity. The best-documented and best-tested strikes against Tor have one requiring demand – that the attacker have access to the network infrastructure taking the traffic.
Public WiFi: A public WiFi hotspot, the argument goes, will not be giving over your metadata to the authorities, because there is an exemption of forms in the laws.
The very first issue here is that one level of information – your link to an ISP – is shielded.
For instance, do you understand which version of WiFi router the public network is using? Which degree of the hotspot that is firmware is working?
Encrypt your emails: A lot of journalists consider that a program like PGP is a reply to the data retention regime, when it is not of the government.
It should be clear to say this, but it is not: PGP shields the content of the email, not the “non-content data” the Australian government needs kept.
It is an example of precariously-woolly thinking, as it might support someone without technical nous to believe “ok, got PGP, now it is safe to leak”.
Actually, the simplistic “use encryption” guidance could raise the danger both for journalist and source. What will happen if, for instance, a journalist’s capability to open a document encrypted by a leaker as suggesting collusion between them both was taken by a court?
Yes, there are methods to mitigate the dangers – but the over simplification of operational security into “use encryption, use Tor, you are shielded” is what concerns me here.
Leak by means of a safe fall website: Additionally , this is debatable.
In giving this guidance, content and non-content data is confusing. The risk-free drop-website was created to take care of your identity and content in the server end, but it will not intrinsically shield non-content information at your ending – your connection to the World Wide Web, your place, the reality that you just made a link to an IP address related to the drop website, etc.
The company of shielding that non-content data is down to you personally.
And as far as the fall- the security of website: it is just as great as the code base. In a world that is experienced Poodle Heartbleed and FREAK in the space of a year -website’s security appears foolhardy, to say the least.
Alarmingly insecure, as you possibly, less safe than you might be; or always have been.
While The Register isn’t a subscriber to “nothing to hide, nothing to dread” theory, the operational protection issues we have discussed here begin together with the premise which you’re already of interest to authorities. Then the data gathered about you likely will not be used in the event you are not.
It is that word “likely” that underlines, in party, why Vulture South remains sad about the hurried passage of the laws, the insufficient political discourse surrounding it, and the woefully insufficient protections offered to the average citizen.
There are no comments.