Managing risk to the media from emerging networked technologies

Lead Research Organisation: University of Oxford
Department Name: Computer Science

Abstract

This thesis investigates the research question: How can members of the press in democratic countries improve their identification of, protection from, and resilience against threats from the Internet of Things (IoT)?
This question is important because the existence and maintenance of a free press can be used as a barometer for the state of a democratic society, as public access to factual information about powerful people and organisations is key to an educated electorate. Therefore, attempts to curtail transparent, accessible and free journalism can be seen as threats to a branch of the critical national infrastructure of a democracy, and thus to the democratic state itself. This has potential implications on an individual human rights level and in terms of international relations and security. This project falls best within the EPSRC Global Uncertainties research area, as it investigates the threat to the free press branch of democratic infrastructure posed by emerging technologies and new legislation.
The thesis pilot study investigated how some high-risk members of the media perceive and combat IoT threats to their work and wellbeing. The study found that most of the pilot study interviewees only had an abstract idea of IoT threats, thus highlighting the need for further research and resources. All interviewees said that their primary strategy for mitigation of IoT threats is simply to avoid interaction with IoT devices. However, 26 out of 34 surveyed cyber security experts said that they believed that it would be impossible for members of the general public to opt out of interaction with the IoT within the next five years, which would render the primary strategy given by all journalist respondents completely redundant. A solution applicable to both the work and work practices of journalists, as well as understandable for journalists to implement themselves, represents a clear gap in current practice and academic literature. Therefore, this thesis has created a multi-piece toolkit that enables members of the press to identify threats from IoT devices to themselves and their work, and then identify the countermeasures best suited to their context, customisable on numerous levels.
The toolkit is also informed by this thesis' comparative profiling and analysis of the journalistic security environment in four democracies (UK, US, Taiwan, Australia), so that the solutions presented are grounded in reality. These country profiles comprehensively investigate and document what journalists and media organisations are currently doing, procedurally and technologically, to protect themselves against innovative and well-resourced attackers. The profiles compare this information with the recommendations of experts from a variety of backgrounds, including academic, governmental and non-governmental.
The toolkit includes:
(1) A conceptual model to categorise IoT devices by environment (location), via systematic literature review, intended to demonstrate to members of the media the scope and scale of where IoT devices may present threats.
(2) A second conceptual categorisation of IoT threats to journalists, covering threats to information as well as related legal and physical threats, also created by literature review of currently feasible capabilities.
(3) An interactive framework of countermeasures to the threats to ensure that members of the media can effectively decide how to protect themselves. These countermeasures are linked to phases of the overarching editorial workflow, to ensure that their implementation is feasible and that they are clearly useful by/for specific role categories within the media.


Planned Impact

It is part of the nature of Cyber Security - and a key reason for the urgency in developing new research approaches - that it now is a concern of every section of society, and so the successful CDT will have a very broad impact indeed. We will ensure impact for:

* The IT industry; vendors of hardware and software, and within this the IT Security industry;

* High value/high assurance sectors such as banking, bio-medical domains, and critical infrastructure, and more generally the CISO community across many industries;

* The mobile systems community, mobile service providers, handset and platform manufacturers, those developing the technologies of the internet of things, and smart cities;

* Defence sector, MoD/DSTL in particular, defence contractors, and the intelligence community;

* The public sector more generally, in its own activities and in increasingly important electronic engagement with the citizen;

* The not-for-profit sector, education, charities, and NGOs - many of whom work in highly contended contexts, but do not always have access to high-grade cyber defensive skills.

Impact in each of these will be achieved in fresh elaborations of threat and risk models; by developing new fundamental design approaches; through new methods of evaluation, incorporating usability criteria, privacy, and other societal concerns; and by developing prototype and proof-of-concept solutions exhibiting these characteristics. These impacts will retain focus through the way that the educational and research programme is structured - so that the academic and theoretical components are directed towards practical and anticipated problems motivated by the sectors listed here.
 
Description So far, I have published five peer-reviewed papers based on studies funded through this award. I have also presented my research via SPRITE+, IoTSF, Al Jazeera, The Conversation, and the New Statesman. I have conducted over 70 interviews relating to this topic, many of which have contributed to four case study profiles on Taiwan, Australia, the United Kingdom and the United States. As a result, I have created two taxonomies relating to the consumer Internet of Things and associated threats to the press, and a framework of countermeasures to these IoT threats to the media.
Exploitation Route I have conducted 70+ expert interviews looking at the novel internet-connected devices and the threats they can pose to journalists and sources. I have used the resulting data to create taxonomies so that members of the media can understand their own threat landscapes and communicate risk (using both a narrative method and a diagrammatic method). I've also created a framework that enables the press to work through a process to determine their risk and potential mitigative measures, to help to safeguard a free press from hostile actors.
Sectors Digital/Communication/Information Technologies (including Software)

Government

Democracy and Justice

Security and Diplomacy

Other

URL https://scholar.google.co.uk/citations?user=1RTYSdwAAAAJ&hl=en
 
Description My pilot study compared and contrasted the self-disclosed security behaviours of 16 journalists with 34 cyber security expert recommendations, in order to find out whether the journalists should maintain or could improve their security strategies to protect against both immediate and long-term internet-connected threats. The paper (published at EuroUSEC 2020) demonstrated that a selection of journalists from around the world who work on high-risk topics, including organised crime or authoritarian regimes, are unaware of the threats stemming from the rising prevalence of consumer Internet of Things (IoT) devices. My study also showed that those who are aware have inadequate protection strategies or none at all. As a result, I have had a number of formal and informal discussions with members of the media industry (including journalistic security trainers, media lawyers and investigative journalists) to inform them of threats associated with the consumer IoT and provide provisional suggestions for mitigations. The feedback I have received indicates that these individuals have a heightened and more accurate awareness of these threats as a result of our conversations and are eager to use the final output of my thesis research to implement long-term policy and cultural shifts at their media organisations and within the press more broadly. I also presented my taxonomic work at IoTSF, which allowed me to demonstrate to professionals within the security and technology industries that there are ways to involve and craft research around specific high-risk user-groups. This talk received very positive feedback from conference organisers and attendees.
First Year Of Impact 2018
Sector Government, Democracy and Justice, Other
Impact Types Cultural

Policy & public services

 
Description "Growth of privately held data increases risk of espionage" (co-written with Neil Ashdown) for Jane's Intelligence Review 
Form Of Engagement Activity A magazine, newsletter or online publication
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Public/other audiences
Results and Impact I co-wrote an article with a PhD student from RHUL, Neil Ashdown, that reflected the intersection of both our research areas.
Year(s) Of Engagement Activity 2020
URL https://www.janes.com/images/assets/638/94638/Growth_of_privately_held_data_increases_risk_of_espion...
 
Description "Police surveillance of Black Lives Matter shows the danger technology poses to democracy" (co-written with Jason R. C. Nurse) for The Conversation 
Form Of Engagement Activity A magazine, newsletter or online publication
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Public/other audiences
Results and Impact I co-wrote this article with one of my supervisors. From this, I received requests from a number of other outlets for information on the ways in which novel technologies can be used for surveillance of both the press and protesters.
Year(s) Of Engagement Activity 2020
URL http://theconversation.com/police-surveillance-of-black-lives-matter-shows-the-danger-technology-pos...
 
Description Article in journalist-facing academic research site 
Form Of Engagement Activity A magazine, newsletter or online publication
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Media (as a channel to the public)
Results and Impact I wrote an article in the style of a tipsheet for journalists that condensed my IoT devices taxonomy. It categorises the IoT devices journalists might encounter at work and at home, and briefly outlines how these devices can threaten their work and wellbeing. I received lots of unsolicited positive feedback via email and social media about the article.
Year(s) Of Engagement Activity 2021
URL https://journalistsresource.org/home/how-the-internet-of-things-poses-a-threat-to-journalists/
 
Description Interviewed for "How is technology being used to track Black Lives Matter protestors?" episode of the University of Oxford's 'Oxford Sparks: Big Questions' podcast series 
Form Of Engagement Activity A broadcast e.g. TV/radio/film/podcast (other than news/press)
Part Of Official Scheme? No
Geographic Reach Local
Primary Audience Schools
Results and Impact I was interviewed for the Oxford Sparks podcast, to make the topics of surveillance and civil liberties accessible for younger audiences.
Year(s) Of Engagement Activity 2020
URL https://www.oxfordsparks.ox.ac.uk/content/how-technology-being-used-track-black-lives-matter-protest...
 
Description Interviewed on "Protecting Journalists Online" for a threat intelligence podcast 
Form Of Engagement Activity A press release, press conference or response to a media enquiry/interview
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Interviewed on "Protecting Journalists Online" for Recorded Future's 'Inside Security Intelligence' podcast
Year(s) Of Engagement Activity 2021
URL https://www.recordedfuture.com/podcast-episode-205/
 
Description Panellist on "Digital Surveillance and Protesters: Black Lives Matter, Hong Kong, and Belarus" for the Oxford University Amnesty International Society 
Form Of Engagement Activity A formal working group, expert panel or dialogue
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Undergraduate students
Results and Impact The practical implications of my research, particularly relating to specific case study countries, were relevant to this panel discussion that fostered debate on the current state of technological surveillance globally and how this affects civil liberties.
Year(s) Of Engagement Activity 2020
URL https://www.crowdcast.io/e/digital-surveillance-and
 
Description Presented "One way or another, they're going to get you: Threats to press freedom from the Internet of Things" at the 6th Annual Internet of Things Security Foundation Conference 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Industry/Business
Results and Impact I gave a presentation on my research outcomes, primarily focusing on my threat taxonomy, to a large audience, who provided incredibly positive feedback and engaged eagerly during the Q&A portion of the event.
Year(s) Of Engagement Activity 2020
URL https://iotsfconference.com/anjuli-shere/
 
Description Presented a snapshot of my research (poster and lightning talk) at the SPRITE+ Showcase 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Postgraduate students
Results and Impact My SPRITE+ talk allowed me to meet other students and interested parties from across the country and to engage with them regarding our shared academic interests. I also condensed my research into a 3-minute talk, to enable quick consumption by the general public.
Year(s) Of Engagement Activity 2021
URL https://spritehub.org/how-the-consumer-internet-of-things-threatens-journalists-security-and-what-ca...
 
Description Thanked for my expert contribution to "We know what you did during lockdown" - A Financial Times Film 
Form Of Engagement Activity A broadcast e.g. TV/radio/film/podcast (other than news/press)
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Media (as a channel to the public)
Results and Impact I contributed information on my research findings to a production team working for the Financial Times to help them construct a film about technological tracking by the government during the pandemic, written by James Graham.
Year(s) Of Engagement Activity 2021
URL https://www.youtube.com/watch?v=4WTpO9y2Dh4