Afterword for Cory Doctorow's Attack Surface
Published in 2020, Attack Surface is the third book in the Little Brother series.
My job is to enable and empower journalists to do their work securely—to communicate with sources, research sensitive stories, and publish hard-hitting news. When I was growing up in Oslo, Norway, I wanted to study law and support families in child custody cases. I didn't think I'd become a vocal defender of press freedom, end-to-end encryption, and online anonymity.
I got my first computer when I was 15 years old. It was an HP Compaq with a 4 GB hard drive and Windows Millennium Edition. I replaced the operating system with Slackware a year or two later, followed by Red Hat and Debian. I remember a fascination with learning how to do things I wasn’t supposed to do. And I loved the puzzles, the challenges, and the never-ending stream of things to dig into. I still do.
I first heard about The Tor Project in 2009. I thought it was interesting that one could use technology to be anonymous online. I wanted to understand how the system worked. I read about the software, the servers run by volunteers, and attacks against the Tor network. It was only later, and gradually, that I recognized how crucial Tor is for different communities. Enabling ordinary people to circumvent censorship, access blocked sites, and express themselves online.
When I support journalists with practical security, I focus on three things. The steps they can take given their starting point, the time they can dedicate to learning new tools and workflows, and the context that they work in. Sandboxes, air gapped devices, and burner phones do have a place in a journalist's toolkit. But for digital security to be a part of the journalistic process, our guidance must be easy to follow. Looking for a place to start? Try this:
Secure your online accounts with two-factor authentication. This prevents unauthorized parties from gaining access — even if they have your password. Check out Google’s Advanced Protection Program for extra features.
Review third-party apps and integrations linked to your accounts. Only keep the apps and integrations that you know you’ll want to use moving forward. Don’t need the meme generator you set up five years ago? Disable it or close it down.
Use a password manager to create and store unique passwords for your accounts. This will help you avoid reusing passwords across sites. This, in turn, will make it more difficult for someone to log in to your accounts even if they have one of your passwords.
Keep your devices secure by installing the most recent software updates. These updates include fixes for security issues, as well as new features and emojis. Enable automatic updates on your laptops and phones, if you haven't done so already.
Email and direct messages are convenient ways to interact with people. But what you send and receive is often stored by default and visible to the platform providers. Instead, try using Signal, WhatsApp or Facebook Messenger's "Secret Conversations" feature.
Practical security means balancing staying safe and taking actions to move forward. In my work, I often collaborate with journalists to find secure ways to achieve their goals — whether they're going on a high-risk trip to Syria or setting up a Twitter account for the first time. I wouldn't want anyone to throw out all electronics and go live in the forest. I want us to enjoy a social, connected life while understanding what that means for us and the people we are close to.
A security engineer friend of mine says that “everybody deserves good security.” This principle does not limit itself to corporate accounts, systems, or devices, nor to standard working hours. Tanisha doesn’t stop being an activist when she’s not attending Alliance meetings. Cory doesn’t stop being an author when he’s not writing. We must focus on securing identities, not only the role someone plays between the hours of 9 and 5.
“Just don’t do it” is the phrase that continues to fail us when it comes to security awareness training. Every day, we make trade-offs in exchange for solutions that enhance our lifestyle. Google tracks your location but helps you get to your meeting on time. Amazon tracks your likes and dislikes but provides you with personalized recommendations. Some period trackers share data with third parties but help you keep up with your flow and cycle.
It's not realistic or fair to tell people that if they want to be more secure, they should avoid doing common things. Like click on links, use public wireless networks, and post on Facebook. That would be like telling people not to send nudes. It doesn’t work. And there’s nothing inherently wrong with these things either. People want to make connections, share ideas, and take part in global conversations. In an ideal world, they would do so securely by default.
But that’s in an ideal world, and we don’t live in that world. Unfortunately, lawmakers argue that a secure, networked future requires surveillance, censorship, and backdoors. Where law enforcement agencies repeatedly say that online anonymity is a threat to their ability to solve cases. Where politicians demand that tech companies break encryption for everyone in an effort to fight terror, drugs, and online child predation.
What's also unfortunate is that people lose sight of what end-to-end encryption affords us. Room to explore, space to be ourselves, and protection for our online life. I'm grateful to those who advocate for anonymity, despite receiving threats online. There is a need to balance online privacy, everyday security and the ability to solve crime. But not at the cost of individuality, freedom, and self-expression.
Authorities will, from time to time, talk about needing a backdoor to see what people are doing online. And in doing so, asserting that it’s possible to have one just for the “good guys.” I can assure you this does not exist. And even if it did, who would decide who the “good guys” are? Who would decide what’s right or wrong, what’s acceptable or not, what should be available or censored?
Don't accept the solutions proposed by the authorities without data to back them up. Whether it's backdoors, unlimited data retention, or enhanced surveillance, demand to know how effective today’s measures are. What’s working, what’s not, and how new solutions will change things. Make sure you understand the negative impact — the cost — that new solutions have on our lives. Only then can we start to make better choices for ourselves and our collective future.
The front pages of newspapers tell stories of courageous acts by ordinary people. People like you and me making the difficult decision to speak up. About surveillance, election interference, harassment, climate change, global spread of a new virus. This book is a powerful reminder that you, like Masha, can choose how you live your life. How you use your skills, knowledge, and time. I encourage you to look at how you spend your days and see what you find.
What will you stand for?