Wednesday, 11 July 2007

Why documentary photographers and photojournalists should protect their privacy online and how

Picture this:
A controversial and major political social group suddenly decides to have their annual outdoor event down the road from you. You start to think things over and wonder if you can get access to cover the event without getting lynched by the group, you have done work for other political social groups that blatantly oppose the group you are now considering.

Normally this would not be a problem, but you are aware that due to the group’s reputation, they do check out who is who. It is here that the fun starts; I can type in my name to a search engine and it appears all over the web. I have also done research on the controversial group by visiting their official web site and non official sites. But I failed to stop to consider what my innocent little surf has just divulged about my computer and my location?

It is not unusual for a photographer to research material gleaned online from email and other sources, often on sensitive subjects. By mixing work and pleasure you are opening up to the world who and what you do. If part of your online life is compromised - all of it may be threatened. My Photography website has my name all over it and my home address with all the contact details to pinpoint to where I live and who I am.

If part of your online life is compromised - all of it may be threatened.

The answer is of course to have a dual identity with a false/second web site, but caution needs to be considered as your PC leaks information all over the place, the ideal would be to use a computer solely for the alias identity. This means all login’s email are kept separate, the site is built from the alias computer, all images are kept separate (remember the exif details and file naming etc. that are attached to your images when you make a picture, might need to be changed) all software registration needs to be under a separate identity, too so it is quite a head ache, What you can’t do is book your holiday stuff one minute with your real ID then go back to your alias in the next breath researching some dodgy individualall on the same PC.

You can use things like Virtual Privacy Machine or a live boot version of Linux to browse but your ISP will still stay the same.

Have a quick look at Browserspy or Showmyip to understand what website owners can find out about you using nothing more than your internet connection. Defending your privacy is not something that can only be achieved through the right software and a good firewall. Often your best defence is common sense and a canny understanding of hacking and criminal technique. Criminal networks are increasingly using 'social engineering' to trick internet users into divulging passwords and security information. In 2006, Myspace users who clicked on what they thought were legitimate links were actually carried to a criminal site designed to obtain personal data.

You probably have had the email asking to verify your details of from a bank you don’t use, but what about an email from the one you do bank with? A slip you make in your lunch hour on a social networking site or careless lack of interest from an email could see your money plundered and may therefore compromise months of painstaking research in to the barging or worse yet put you, your family at risk.

Bear in mind that you may not be the only person with a stake in your privacy and security. "When a reporter or photojournalist promises confidentiality to a source, he or she should be prepared to take whatever steps are necessary to make sure that the identity isn't revealed, whether deliberately or through carelessness.

Remember it’s not just computers that have identity, mobile phones, PDA, wallets/purses, mail and your rubbish and you, also need to be taken care of and you can still bump into someone who knows you for who you really are and blow your cover; it’s a small world. How small, quite a few years ago I was in the middle east with the military, no wars or conflict were happening then but I did bump into a neighbour from across the road who was on holiday, it can be that small…! How easy is it for an operator to search for a mobile phone number on their network and see who it is registered too?

Meanwhile, staff at an Orange call centre were found to have shared log-ins, meaning customer information could potentially have been accessed by unauthorised workers. When you think of social movements they have a large number of supporters that are not paid staff, how many work for utility companies, phone companies, councils etc. that may have access to finding your name or address to verify who you are and how you pay for the service and what bank!

Bear in mind that you may not be the only person with a stake in your privacy and security. "When a reporter or photojournalist promises confidentiality to a source, he or she should be prepared to take whatever steps are necessary to make sure that the identity isn't revealed, whether deliberately or through carelessness.

A series of remarkable challenges to the principle of freedom of online expression have been made in the US in the form of lawsuits known as 'cyberslapps'. This occurs when corporations or public figures attempt to intimidate or reveal the identity of people who criticise them online. These lawsuits tend to work because they target people who cannot afford the legal costs of opposing them. It will probably be happening in the UK sooner or laterThe subpoenas involved often require ISPs to reveal personal information.

According to, a coalition involving the American Civil Liberties Union, the Electronic Frontier Foundation and Public Citizen among others, ISPs may reveal your personal information in response to a subpoena before you know about the legal action.

Privacy International and the Electronic Privacy Information Center (EPIC) state that the 'current privacy picture in the UK is decidedly grim' yes you heard ‘grim’. This is partly down to the electronic surveillance allowed under the Regulation of Investigatory Powers Act 2000 (RIPA), which places an obligation on 'Communication Service Providers' to provide 'a reasonable interception capability'. In 2003 there were 1,983 warrants for interceptions issued in England and Scotland under the Act. Privacy International says these surveillance powers, coupled with moves towards a national ID scheme and weak Freedom of Information (FOI) legislation, mean the UK is the worst-performing western democracy in its 'surveillance league table'.

Your privacy and professional security may be vulnerable in ways that were scarcely imaginable just a few years ago. Do you think you can be traced by a simple document from your office? Most people would not think so. But the reality is that the US government managed to persuade many desktop printer makers to deploy technology that encodes documents (using tracking dots) in a way that identifies individual machines. According to the Electronic Frontier Foundation, no law exists to prevent authorities from using the technology to compromise privacy. It also says that other governments are using the technology in surveillance operations.

While there are good reasons why journalists and photographers need to take even more care online, there are also ways they can take advantage of new services and technology to defeat the crooks and avoid surveillance. One way of combating laptop theft, for example, is subscription to a service that helps you recover your stolen computer when it is next connected to the internet.

See the Undercover service for Macs and the PCPhoneHome equivalent for PCs. A better way is to have the whole hard drive encrypted, with password access at boot up (see truecrypt link below regarding being forced for password retrieval)Another remarkable service that enables Mac users to detect unwanted outbound connections and 'network parasites' is Little Snitch.

Other helpful tools and sites are listed below.

Most people are surprised about how vulnerable email is to eavesdropping and surveillance. While it is very hard for an 'outsider' to access your mail while it is in transit, your email is at risk at both ends of its journey.An 'insider', such as someone at ISP level or in one of the networks through which your email travels, can access and even edit email content.

Through 'social engineering', someone may gain access to your ISP account or access an unencrypted WiFi network. The recipient of the email may be equally vulnerable and any interception will access the 'plain text' content of ordinary email.One of the best things you can do, therefore, is to encrypt your sensitive email communication and one of the best solutions is the desktop package for home offices available from PGP. It is PC and Mac compatible and works with a range of popular email clients such as Microsoft Outlook 2007, Qualcomm Eudora 6.2 and Apple Macintosh's Mail.

Unencrypted WiFi
If you set up a wireless network and a wireless internet connection, then your router will probably give you an option of encrypted access. Use it. Unencrypted or poorly configured wireless networks are frighteningly common. "Most people who buy a WiFi router for home don't bother to set up strong encryption," says Stephen Doig. "When I turn on my laptop at home, I can see half a dozen other WiFi signals nearby, most of them wide open."You should also never use an unencrypted WiFi connection that you stumble upon by chance when you are on the move. These can be 'honey pot' networks that are left open with the aim of luring people into using a conveniently open connection. While your connection is free, your traffic will have no privacy.

Search engines
Most people are surprised to learn that all of the major search engines maintain a record of your search string history. If you have an account with a search engine (for example if you use Google's Gmail) then your history will be directly linked to your name. But even if you do not have an account, your history may be linked to your IP address.

In 2006, AOL accidentally disclosed the records of more than half a million users long enough for the data to be copied and made available from a variety of sources. Some companies defend the logging of search strings, claiming they are developing 'hyper personal' search results based on your interests. But privacy campaigners say the safeguards and privacy policies are far too lax.

Shock and horror
Major companies in the UK have been breaching data protection act

Mr Thomas, the UK’s information commissioner told the BBC there were concerns about internet search engines which keep detailed histories of each individual's online activity.
"We're leaving these electronic footprints right through our lives these days," he said.

The annual report also highlighted a recent glitch on the Medical Training Application Service website which left trainee doctors' personal details open to public view.

A total of 12 high street banks were guilty of discarding customers' personal details - including bank statements, cut up credit cards and loan applications - in unsecured bins outside their premises, the commissioner found. Source BBC
To avoid compromising your privacy:

• Do not put personal information in search strings. For example, do not search for your own credit card number or your address.
• Be aware that your search history will be logged to you personally if you create a search engine account. If you do create an account, modify your search behaviour and delete your search history if you can.
• Consider using other tactics such as blocking cookies or browsing anonymously (see below).

For more information on protecting your online search privacy, see the EFF page on search engine privacy.

Social networking
Networking sites such as Myspace and Facebook are grist to the mill for people involved in the media industry, but you need to maintain your caution to defend your privacy. Social network sites are increasingly being targeted by attackers who set up 'phishing scams' (see below). You need to configure your privacy settings carefully or avoid adding any sensitive information and be careful about how much you reveal to new 'friends'. A common 'social engineering' form of industrial espionage is to befriend someone online just long enough to get them to reveal insider information, the EFF says.

The practice of defrauding people by tricking them into divulging access passwords to banking sites and other private information has seen phenomenal growth. The number of unique phishing sites detected by the Anti-Phising Working Group rose to 55,643 in April 2007. These phishing scams hijacked 172 different brands as cover.Typically these scams involve fake emails inviting people to change their passwords or PIN numbers either in direct response to the email or via counterfeit web pages. These attacks have grown in sophistication and complexity and sometimes involve very detailed counterfeit websites that mimic banks, credit card companies and other organisations. What surprises many people is that this counterfeiting can, and often does, involve a fake URL - in other words the URL that appears in the browser looks perfectly normal but, in reality, takes the user to a scam site. If you fall victim to these scams, your entire online identity can be put at risk. For information about how to spot phishing emails and fake websites see:
Get Safe Online and follow the links to Avoid criminal websites.

• The Anti-Phishing Working Group consumer advice page.

Avoid monitoring and surveillance
Marketing firms monitor web use using 'cookies'. These are small text files that sites place onto your computer that can enable the site owner to monitor your web activity. Most are only accessible to those site owners who placed them; others can be used by marketing companies to track your general web browsing.While it is tempting to block all cookies in order to defend your privacy, cookie use is so widespread that many sites are difficult to use without them. EFF recommends configuring your browser to allow only 'session cookies'. This means that the useful cookies are enabled while the ones that can be used to track your history will expire at the end of your browsing session. But you must remember to quit your browser regularly. For more information about configuring your browser to disable cookies, see this EFF page.

If you do not set your computer to allow only 'session' cookies, then Stephen Doig recommends purging them on a daily basis using your own browser's tools. For more options for managing cookies see this page. But managing or blocking cookies does not hide your IP address from website owners.

One way to defend your work is to find a secure way to browse anonymously. Two of the best options are Tor and Anonymizer.
Both have plug-ins for Firefox browser that is considered less leaky than Internet explorer.

TrackMeNot is a lightweight browser extension that helps protect web searchers from surveillance and data-profiling by search engines. It does so not by means of concealment or encryption (i.e. covering one's tracks), but instead, paradoxically, by the opposite strategy: noise and obfuscation. With TrackMeNot, actual web searches, lost in a cloud of false leads, are essentially hidden in plain view. User-installed TrackMeNot works with the Firefox Browser and popular search engines (AOL, Yahoo!, Google, and MSN) and requires no 3rd-party servers or services.

How it worksTrackMeNot runs in Firefox as a low-priority background process that periodically issues randomized search-queries to popular search engines, e.g., AOL, Yahoo!, Google, and MSN. It hides users' actual search trails in a cloud of 'ghost' queries, significantly increasing the difficulty of aggregating such data into accurate or identifying user profiles. As of version 0.4, TMN's static word list has been replaced with a dynamic query mechanism which 'evolves' each client (uniquely) over time, parsing the results of its searches for 'logical' future query terms with which to replace those already used.

Journalists are also advised to view:
Hints and Tips for Whistle-blowers at @spyb...lowers_hin.html

and Security and Encryption FAQ at pan...ndEncryptionFaq

Some more web sites worth visiting. Off...ecord_Messaging product...rivecryptpp.php pan...ndEncryptionFaq pan...thTorAndStunnel