Blog

How Information Asymmetry Helped Find Abducted Kids

Lab Co-Director Ryan Calo is featured in a Washington Post article describing how police used Spotify and other streaming services to located abducted kids in Mexico. Calo explains:

“This is a classic case of ‘information asymmetry,’ said University of Washington law professor Ryan Calo, meaning when companies, government agencies or police departments have more information about your online habits than you even realize is out there.

‘There’s an enormous underestimation of your digital footprint,’ Calo said. ‘You might not realize how much your data is being stored, but you also might not realize how many parties have access to it. Think about all the uses to which this information can be put.'”

Understanding Journalists Information Security Choices

This blog post, cross-posted from the Tow Center, describes recent work studying computer security in journalist-source communications, a collaboration between Susan McGregor at the Columbia Journalism School, UW HCI+D Masters students Polina Charters and Tobin Holliday, and TPL affiliated faculty member Franziska Roesner.

Understanding Journalists Information Security Choices

by Susan McGregor

In the roughly two years since the Snowden revelations, information security and source protection has become an ongoing focus of conferences, surveys, and how-to guides geared towards the journalism community. Yet despite chilling effects, targeted hacking, and the high-profile prosecution of sources, a Pew Research Center survey (conducted in association with the Tow Center) of investigative journalists released just a few months ago found that relatively few of them had changed their practices in light of these events.

On its surface, this seems counterintuitive. If journalists know that their communications and data may be under surveillance or the target of attack, why haven’t they adapted their practices to mitigate these risks? Surely both protecting and reassuring sources is crucial to building the kind of relationships on which essential journalism is based. Yet apart from select news organizations, strong information security is still seen as optional by many working journalists.

Eight months ago, my collaborators and I set out to explore why this might be, by learning more about how journalists collect, store and transmit information on a day-to-day basis. The full results of this study – based on in-depth interviews with institutional journalists at a range of news organizations on two continents – will be presented at USENIX Security in August, but the paper is already available for download here.

Many of our findings will not surprise industry professionals, yet present shared challenges faced by organizations and journalists across coverage areas and countries, suggesting opportunities for collaboration and additional development:

The infrastructure and overhead of many security-enhancing tools are incompatible with journalists’ and sources’ available technologies. Sources’ preferences tend to drive journalists’ use of a particular communication channel, and the most vulnerable sources may have limited or non-exclusive access to the accounts and devices required to use existing information security tools.  For example, some participants reported working with sources that owned only a feature phone or did not personally own a computer.

Journalists’ information security priorities are influenced by the resources and culture of their organization. Several of our study participants felt that they did not have anyone within their organization to ask about information security issues; of those that did, many referenced a colleague covering information security rather than a technical expert. Many study participants also lacked both the software to secure their communications and data (such as PGP), and the privileges to install such software on their work computers.

The risks, benefits and best applications of existing tools are poorly understood. Only one journalist in our study expressed concerns about the use of third-party communication and data storage tools, despite weak legal protections for the extensive data and metadata stored with them. Likewise, participants expressed skepticism about using anonymity-supporting platforms like SecureDrop, even though it can be used to conduct ongoing conversations between journalists and sources to verify submitted data.

Journalists have unaddressed information management needs. Many participants reported using third party and/or cloud based tools – often connected to personal accounts – to collect, organize and search story-related research, notes and other data. While these systems introduce vulnerabilities, they indicate an opportunity to create secure, journalism-oriented software solutions for note and data storage, organization, and retrieval.

Journalists tend to think of information security as an individual rather than a collective problem. Many of our participants said that they did not believe their work was likely to be the subject of either legal or technical targeting. Yet many participants also reported some sharing of resources with editors, proofreaders or collaborators, meaning an attack on a colleague could affect their work or vice versa.

While the results of this work suggest that there is still much to improve about journalists’ information security practices, it also highlights some distinct paths for future research, tool development and educational interventions, some of which are already in development. In addition, we are currently conducting research around the challenges to information security that journalistic outlets experience at an organizational level, and are actively seeking collaborators. If you are interested in learning how your organization can help with this work, please contact Susan McGregor.

Lab members research on Teleoperated Robots Featured by MIT Tech Review

Lab members Tamara Bonaci and Howard Chizeck’s work on the security of Teleoperated robots has recently been featured in a number of science news reports including MIT Tech, Popular Science, and Ars Technica.

“Tamara Bonaci and pals at the University of Washington in Seattle examine the special pitfalls associated with the communications technology involved in telesurgery. In particular, they show how a malicious attacker can disrupt the behavior of a telerobot during surgery and even take over such a robot, the first time a medical robot has been hacked in this way.”

AccommodatingTechnology – 25 years after the Americans with Disabilities Act

redsquare2

May 29, 2015
Kane Hall 225 (Walker-Ames Room)
Friday, May 29
1:00 pm – 4:00 pm

This year marks the 25th Anniversary of the signing of the Americans with Disabilities Act (ADA). While there have been incredible advances in technology over the past quarter century, new technologies also regularly surface issues of accessibility. Join the University of Washington’s Tech Policy Lab for an afternoon roundtable where we will discuss current accessibility efforts, new technologies’ accessibility, and individual choice in the use of assistive technologies. We plan to explore topics such as: how emerging technologies like augmented reality can be assistive as well as present challenges for accessibility; efforts to crowdsource location accessibility information; and the cultural implications of assistive technologies that individuals may not wish to use, like neuroprosthetics and robotic augmentation.

How Technology Impacts Civil Liberties with Co-Director Ryan Calo

DataPrivacyWords

Newly-emerging technologies affect us all in a multitude of ways and today’s turned-on, always-connected world has reached an all-time high. O’Connor, president of the Center for Democracy & Technology, will discuss how the internet and interconnected world shape our lives, impact our civil liberties, and inform our daily decisions. Other panelists include Ryan Calo, faculty director of the University of Washington’s Tech Policy Lab; Racquel Russell, Director of Government Relations and Public Affairs for Zillow; and Matt Wood, the General Manager of Product Strategy for Amazon Web Services. From the Internet of Things to the wireless technologies in automobiles, the panelists will explain the range of this digital world and what steps can be made to stay plugged in, while still maintaining personal privacy and security. The panel will be moderated by Jenny Durkan, former United States Attorney and Quinn Emanuel’s Global Chair of the Cyber Law and Privacy Group. Ira Rubinstein, CDT Board of Directors, Research Fellow and Adjunct Professor at NYU School of Law will be giving a special welcome to the program.