The Committee to Protect Journalists published an article yesterday exploring whether Google+ was a viable platform for journalists to interact with sources on sensitive topics.
In a generally positive review that outlines the dangers reporters and their sources face when communicating via digital channels the author writes:
So, how secure is Google+ for at-risk reporters? From Day 1, everything on Google+ is encrypted with https. That means that no one, not even a maliciously motivated government with control of your local ISP, can intercept your private conversations.
Let’s stop, pause, recalibrate and explore what HTTPS is and does.
HTTPS is a protocol that encrypts information shared at the point of contact between a User and the service that User is connecting with. You might know it from your experiences with online banking. That is, go to your bank’s Web site and instead of “http” at the beginning of the address, you”ll see an added “S” to the URL indicating that you’re now in a “secure” environment.
At a very high level, this is how it works: When you attempt to connect with a secure server, an encrypted “handshake” occurs. Basically, you say, “Hello” to the server, the server sends an encrypted message back which you (ie, your browser) then answer, and once the “handshake” is confirmed, the rest of your communications pass back and forth under this layer of encryption.
While secure for most purposes, it’s not fool proof. For example, “man in the middle” attacks can occur whereby an eavesdropping third party intercepts the initial request and fakes — and then controls — communication between the two parties.
Point being, to say, “[N]o one, not even a maliciously motivated government with control of your local ISP, can intercept your private conversations,” simply isn’t the case.
Beyond that, just because the servers are secure doesn’t mean they can’t be hacked or broken into. We need just look back a month to reports that Chinese hackers hacked Google’s Gmail which, yes, is HTTPS protected.
“As with most targeted attacks, the intruders gained access to an organization by sending a tailored attack to one or a few targeted individuals,” George Kurtz, CTO of McAfee, a technology security firm, explained at the time. “These attacks will look like they come from a trusted source, leading the target to fall for the trap and clicking a link or file… Once the malware is downloaded and installed, it opens a back door that allows the attacker to perform reconnaissance and gain complete control over the compromised system.”
So, long story long: HTTPS isn’t a security panacea and we hope the CPJ amends their Google+ review with these considerable caveats.
There are, after all, reporters and activists around the globe that listen very carefully to what they have to say.
The Report an Error Alliance launched yesterday to help publishers engage community feedback on errors in the stories they’re telling.
This initiative aims to move news organizations of all shapes and sizes towards a common standard for online error reporting. The goal is to ensure more mistakes get corrected, and to find better ways of including the public in the correction process.
Most news articles have options that enable people to print, share or email the content; we’re endorsing a new option: “Report an Error.” Why? The vast majority of corrections that appear in the press are a result of readers and members of the public pointing out mistakes. Yet the best research we have revealed that roughly only two percent of factual errors are corrected by newspapers. We need more corrections, not fewer. And we need to enable the public to play a more active role in error reporting.
You can join the alliance in support of the idea at the Report an Error site. Hopefully, as they advocate, we’ll seem more icons like this across the web in the near future:
REPORT AN ERROR.
Double hopefully: publishers will actually pay attention to crowdsourced fact checking as tips and comments roll in.