Hello again!
It’s Martin, principal researcher at Freedom of the Press Foundation (FPF), with our regular update on the U.S. Journalism School Digital Security Curriculum.
Before we jump in, I want to share that we’re hiring a Monitoring, Evaluation, Research, and Learning (MERL) consultant to help us develop a monitoring and evaluation framework for our digital security training courses. Are you a good fit, or know someone who is? Check out the job description and please share the posting widely!
J-school security curriculum highlights
- In light of Twitter’s decision to rebrand to X, we’ve made updates in several modules throughout the curriculum to remove or update mentions of the company. As part of these updates, we’ve also changed some examples that included account breaches involving Twitter.
- In the “Obfuscating location” module, we updated the example of a Wi-Fi location service. We previously listed Mozilla Location Service — a project that Mozilla is retiring. We now list the wireless network mapping tool, WIGLE.net.
Highlights from digital security in the news
- 404 Media reported on leaked documents from mobile forensics company Cellebrite dating back to April 2024, showing which devices it can and cannot unlock using its phone-cracking tools. Among other things, the reporting shows the company has an easier time unlocking Samsung phones than recent Google Pixel devices, and that Cellebrite was still working on exploits to break into iPhone 15 devices months after they were released. https://www.404media.co/leaked-docs-show-what-phones-cellebrite-can-and-cant-unlock/ (Suggested modules: Device protection, Law enforcement surveillance tech)
- The New York Times suffered a breach of its GitHub repository. Following the breach, attackers posted a 273GB archive of the newsroom’s source code on the anonymous image board, 4chan. In a statement, the Times said, “There is no indication of unauthorized access to Times-owned systems nor impact to our operations related to this event.” However, security experts caution this source code could be used to help attackers develop exploits targeting newsroom infrastructure. https://www.csoonline.com/article/2140389/new-york-times-plays-down-impact-of-source-code-leak.html (Suggested module: Malware)
- AT&T suffered a data breach affecting “nearly all” of its customers during a six-month period in 2022. The data includes call and text records of conversations between customers and anyone they spoke to. This necessarily includes a huge number of phone numbers belonging to people who are not AT&T customers, and could expose sensitive connections, including those between journalists and their sources. Read our team’s breakdown on this breach and what journalists should do in response. https://freedom.press/training/blog/att-breach (Suggested module: Chat safety)
- Geofence data — information about the location of phones in one area during a given period — can help law enforcement investigators identify suspects. However, it also necessarily scoops up location data from everyone in the area, including innocent bystanders. In a case where Google was served with a geofence warrant to help identify a bank robber, the 4th U.S. Circuit Court of Appeals found this practice did not violate the Fourth Amendment right to privacy. The court reasoned that when customers expose their location data to Google, they have no reasonable expectation of privacy over this data and the government is therefore allowed to make the search. https://www.techdirt.com/2024/07/18/fourth-circuit-finds-in-favor-of-geofence-dragnet-deployed-to-catch-robbery-suspect/ (Suggested modules: Obfuscating location, Legal requests in the U.S.)
What we’re reading:
- The Organisation for Economic Co-operation and Development, better known as the OECD, released a report for policymakers concerning trends in encryption, including the implications of quantum computing and “homomorphic” encryption — encrypted text that is still usable in the performance of computing tasks, without the need to decrypt it first. It’s an interesting read, and it’s fairly beginner-friendly, so you don’t need to be a cryptographer to dig into it: https://www.oecd.org/en/publications/key-concepts-and-current-technical-trends-in-cryptography-for-policy-makers_29d9fbad-en.html
As always, let me and our digital security team know how you're using the curriculum, what’s useful and how it can be improved! Feel free to respond to this email or [email protected].
Thanks so much,
Martin