Glistener: Online Security: Verification and Validation

An overview of key points for activists to bear in mind for online security, or tactics to bring into play in case of an online incursion by members of anyone’s so-called “Cyber Army” – updated version of my December 2011 post “Battle Hardening Against Cyber Soldiers” for Cyber Security Awareness Month.

When it comes to online security, your first responsibility is to yourself, and that has never been more clear than now, with the daily diet of revelations about the allegedly massive scale of global government spying and surveillance finally raising awareness. Of at least equal importance, is the need to stay alert to the risks your actions might create for others in your online network. Every time you share, tag, mention or otherwise connect someone else to your content, you are highlighting your relationship in the context of that content. A simple typing error, a hastily copied story, or unbridled haste to share without fact-checking, can alter that context dramatically, and potentially with rather more serious consequences that any of us previously imagined. Increase your personal security first, using the same logic as those flight safety rules about oxygen masks. Here’s a handy article from the New Scientist, about how to try and evade the NSA dragnet, to help you get started.

Being part of an online network means you need to be able to justify each of your online relationships, and pay attention to any unexpected changes. Harsh as it might seem, treat all former contacts, who reappear after an absence, with neutral (not hostile) caution. Accounts do get hacked, and occasionally, people do get recruited to “the other team” or put under pressure to reveal passwords. If you didn’t put a challenge/response protocol* in place with your trusted contact before they dropped off the grid, so you could verify their identity when they reappear at some future point, then you have to assume there is a 50% chance they are not the person you once knew until they can prove themselves to your satisfaction. Similarly, do not feel obliged to “follow back” or accept every friend request unless you feel confident about doing so. Set some standards for yourself about why and how you plan to grow your network. If you are simply feeling insecure, ego-driven, or lonely, be honest with yourself about your motivations, and try to keep them in check so that they don’t compromise your security.

*Establish a challenge/response protocol with your trusted contacts. This is an agreed question you can ask the other person and an agreed response they must give. Like a password reminder.

Tip: Do NOT use any of your existing password reminder Q&A’s

New accounts, especially breathlessly dramatic ones, should also be treated with measured caution. Wait for verification of all news, especially any that will have serious or long-term repercussions. We learned this the hard way when a very plausible fraud appeared on Twitter in the middle of protest and declared that bit.ly shortened links were blocked in Iran. The ensuing panic and last-minute changes caused a lot of people a great deal of unnecessary extra effort, and some of the suggested alternative link shortening sites are no longer operational, meaning that archived content which includes links using these now defunct services are effectively dead.

“Breaking News” reports always seem to demand an urgent response, where in fact they should be treated as “unconfirmed news“. As we all know, a lie is halfway around the social network world before the truth has got its pants on. So, as always, wait and verify, verify, verify. Remember that even the most experienced social media users and big name mass media outlets like the BBC, MBC, CNN etc have all been fooled by fake news, or been too quick to rush to headlines without checking facts; at times, they are even revealed to be responsible for it . If you do happen to post a report in good faith, which later turns out to be false, you should be willing to spend at least as much time retracting it and letting everyone know, than the time you spent sharing it.

Mark unconfirmed status updates as UNCONFIRMED or UNCONF. Do not remove text that identifies news as unconfirmed when re-tweeting or re-posting.

Be cautious with private message requests or emails containing sensational news, documents, image, videos etc. asking you to share news. Suggest to whoever sent it that they post it themselves and you (might) share their update. If they claim to be unable to use or create a social network account, suggest they use liveleak.com, where you can share images, documents, videos and post text updated using an alias. Run a search for the information being privately shared with you, to see if it can be verified, or if anyone is posting warnings about it.

Watch out for people re-using images from unrelated events. Use Google or Tin Eye to search for images by url or by uploading them. Try using Storyful’s Multisearch tool to help you verify news and look for more sources. What other tools do you know of? Add the best to your favorites, and share them often.

Check for images having been altered using special analysis tools like Image Metadata Manager or JPEGSnoop or the fotoforensics.com website.

As far as possible, try to stay transparent in your methods and analysis, and let your network help you by reaching out for help verifying reports, checking facts, or translating content.

Fake videos seem to be all the rage these days, while innocent cameramen are being murdered, kidnapped or harassed, and citizen journalists – or indeed, anyone carrying a smart phone or camera – face increasing pressure from police and authorities.

Here is my current list of suggestions, ideas and wishes for video checking and verification:

Time and Date – video camera clocks can be changed of course, but we used to encourage activists in Iran or elsewhere to show us that day’s newspaper, social media status updates on a screen, or a live TV broadcast in the background of their video.
Incentifying crowdsourced verification by rewarding the crowd. Not necessarily restricted to financial rewards, there are many different ways to motivate using more humanitarian methods, media coverage, thanking helpers with mentions, gamified social media decals etc – see this video for an example (at 10m42s) : Digital Humanitarians: Patrick Meier at TEDxTraverseCity 2013
Patience. There is often no good reason for the rush to post unverified news. This sense of urgency was more relevant four or five years ago, when mainstream media was thumbing its nose at “irrelevant, pointless” social media and users felt driven to prove their worth and expose the slow-footed traditional press. Now social media has gained almost universal acceptance, we should adjust the idea of competition to be first to break “all” news – at the cost of validity – and only apply it where it adds value, such as disaster relief.
Details. We need to encourage those posting video to take the time to add important details – names, dates, locations, background facts, and tagging – for example, while also blurring faces of vulnerable subjects.
Communication – it’s a 2-way street. We need to understand the importance of leaving comments of encouragement, feedback, guidance. At present, too much video is being posted and consumed in a communication vacuum.
Archiving. Too many videos get pulled offline, and any video exposing serious abuse by authorities is at risk of being censored either formally or informally. There are sites that will save text or image content, but I don’t know of any reliable, consistent, centralised effort to preserve video or audio. It’s left to quick-thinking people to save these items privately.
Translation. Really, this should be first on the list. The lack of organised, consistent volunteer efforts to crowdsource translation beggars belief. If you know anyone who can build an app for this, I have a rough design outline that’s been gathering dust for the past 4 years.
Gratuitous violence and shock tactics are on the increase (and being pushed by Facebook and major news outlets when it suits them) and little good has come of it, if any. People are being traumatised, becoming immune to it, or turning away. This is very damaging to the prospects of crowdsourced verification, because the gore factor is a deterrent to many potential helpers. I resist sharing the 18+ content being posted as relevant to human rights abuse, in the hope that, if we don’t encourage the trend by reacting, rewarding, or promoting, it will fall out of favour.
We need an open source tool for video that works like JPEG Snoop, to extract information about the video, camera, settings, GPS etc.

Your comments and suggestions are very welcome on these subjects – drop me an email through the contact form or leave a comment below.

Take responsibility for your online safety and security

Change to a strong password and keep changing it, if not daily then as often as you can.
Scan your computer to check for intrusions, keyloggers, rootkits, malware, and trojans and keep your security software up to date.
Make sure that your recovery details for websites like Twitter, FaceBook & blogs etc are accurate and up to date.
Protect the email accounts you use to register with websites and services.
Use https to access websites and services, so that when you do connect, the information you send is encrypted.
Copy and paste login names and passwords rather than type them.
Do not store unencrypted user names and passwords on your computer.
Protect files on your computer or on external storage devices or removable storage like flash drives, SD cards or USB sticks using encryption, such as TrueCrypt.
Use a password on all your devices.

Be alert for apparently innocent requests for information about your own or anyone else’s details, such as location, online activity, other connections, friends or contacts.