Wednesday, August 08, 2012

Responding to Wired's ad hominem hatchet job

I have long been a fan of Wired's coverage of privacy and security issues, particularly the insightful reporting and analysis by Ryan Singel, currently the editor of the Threat Level blog. It is for that reason that I am saddened to see Ryan stoop to twisting my words in support of a lengthy character assassination piece targeted against me.

Brief background

Two weeks ago, Wired published a glowing, 2000 word story by Quinn Norton about CryptoCat, an encrypted chat tool. Quinn was not the first journalist to shower praise upon Cryptocat -- writers at the New York Times and Forbes had previously done so too.

I subsequently published a lengthy blog post, which compared the media's coverage of Cryptocat, a relatively new, unproven security tool, to the media's previous fawning coverage of Haystack, a tool which, once analyzed by experts, was revealed to be pure snakeoil.

The message in my blog post -- that journalists risk exposing their readers to harm when they hype unproven security technologies -- was directed at the media as a whole. In support of my argument, I cited glowing praise for such technologies printed in the Guardian, the New York Times, Newsweek, Forbes and, Wired.

Today, Ryan Singel, the editor at Wired's Threat Level blog responded to my blog post, but incorrectly frames my criticism as if it were solely directed at Quinn Norton and her coverage of Cryptocat. In doing so, Ryan inaccurately paints me as a sexist, security-community insider who is unfairly criticizing a tool "created by an outsider to the clubby crypto community and one that’s written up by a woman and reviewed by a female security expert."

The importance of dissenting technical experts

One of the biggest criticisms of Norton's story I expressed in my blog post of was the fact that she did not quote a single technical expert that was critical of Cryptocat, even though there are quite a few who have been vocal with their concerns:

Other than Kobeissi, Norton's only other identified sources in the story are Meredith Patterson, a security researcher that was previously critical of Cryptocat who is quoted saying "although [Cryptocat] got off to a bumpy start, he’s risen to the occasion admirably" and an unnamed active member of Anonymous, who is quoted saying "if it's a hurry and someone needs something quickly, [use] Cryptocat."
As I also noted in my post:
Even though their voices were not heard in the Wired profile, several prominent experts in the security community have criticized the web-based version of Cryptocat. These critics include Thomas Ptacek, Zooko Wilcox-O'Hearn, Moxie Marlinspike and Jake Appelbaum.
Singel frames my criticism here as sexist. Meredith Patterson is a woman, whereas the Cryptocat critics I named were all men. Singel claims that, "Patterson, one of the all-too few female security researchers, doesn’t seem to count for much in Soghoian’s analysis." He adds later, "instead, Soghoian believes, Norton should have turned to one of four more vocal critics he names — all of them men."

As an initial matter, let me say that I have genuine respect for Meredith and her skills as a security researcher. We've known each other for several years, have attended several privacy conferences together, and have a shared goal in keeping the communications of users out of the prying hands of the government. Nowhere in my prior blog post do I dismiss Patterson's skills, credentials, or technical opinions.

My criticism of Norton's piece, in this respect, is not about the specific technical expert who is quoted as saying positive things about Cryptocat, but rather, the total lack of any dissenting quotes. If the rest of the security community were agnostic about the merits of Cryptocat, then it would perhaps be fine to quote a single technical expert who has positive things to say. In this case though, there are several technical experts who have deep concerns about the security of Cryptocat, experts whose research and views Wired has covered at length in the past.

As Singel has described it, I would have liked Norton to talk to a more more qualified expert, and to not print Patterson's opinions. That is not the case. I just think that a dissenting expert should be quoted too.

To summarize, the gender of the technical expert quoted saying positive things about Cryptocat has absolutely nothing at all to do with my belief that a responsible journalist would have spoken to, and quoted at least one technical expert who is critical of the tool. Even more so when the headline of the story is "This Cute Chat Site Could Save Your Life and Help Overthrow Your Government."

On the issue of privilege

In my blog post, I quoted from a few of Norton's recent tweets, in which she criticizes the crypto community, which she believes is filled with "privileged", "mostly rich 1st world white boys w/ no real problems who don't realize they only build tools [for] themselves."

After I published my blog post, Singel criticized me for quoting Norton's tweets, claiming that I was using "an outsider's critique of your boys club as a way to discredit them."

Although Singel clearly disagrees, I felt, and still feel that it is relevant to highlight the fact that Norton believes that the crypto community, and in particular, the critics of Cryptocat, are just privileged, paranoid geeks who have no real problems.

As I mentioned in my blog post, two of the most vocal critics of Cryptocat's web based chat app, Jake Appelbaum and Moxie Marlinspike, have faced pretty extreme real world problems of surveillance and government harassment.

After Appelbaum was outed by the press as as being associated with WikiLeaks, Twitter, Google and Sonic.net were forced to provide his communication records to the FBI as part of its investigation into WikiLeaks. At least one of Appelbaum's friends and colleagues has been forced to testify at a federal grand jury, and he has been repeatedly stopped at the border, harassed, and had digital devices seized by the authorities.

Likewise, for some time, Marlinspike was routinely stopped at the border by US authorities, had his laptop and phones searched, and in at least one case, was questioned by a US embassy official, who had a photo of Marlinspike at hand, before he could get on a plane back to the US.

While Appelbaum and Marlinspike have (thankfully) not been physically tortured by government agents, their paranoia and dedication towards improving the state of Internet security is by no means theoretical. Their concerns are legitimate, and their paranoia is justified.

On telling journalists to unplug

Singel's most vicious, yet totally unfair criticism relates to the two paragraphs that concluded my Cryptocat blog post:

Although human interest stories sell papers and lead to page clicks, the media needs to take some responsibility for its ignorant hyping of new security tools and services. When a PR person retained by a new hot security startup pitches you, consider approaching an independent security researcher or two for their thoughts. Even if it sounds great, please refrain from showering the tool with unqualified praise.

By all means, feel free to continue hyping the latest social-photo-geo-camera-dating app, but before you tell your readers that a new security tool will lead to the next Arab Spring or prevent the NSA from reading peoples' emails, step back, take a deep breath, and pull the power cord from your computer.

Singel states that the main point of my post "seemed to be to tell a woman to shut up and unplug from the net." He further twists my words by writing:
Moreover, Soghoian suggesting that if Quinn Norton ever wanted to write about about encryption tools in the future, she ought to "step back, take a deep breath, and pull the power cord from your computer" isn't just rude and obnoxious, it’s border-line sexist and an outright abuse of Soghoian's place in the computer security world."

The harsh words in my conclusion, which Singel quotes, were aimed at "the media." This of course includes Wired, but also many other journalists and news organizations who regularly publish stories on the latest new snake-oil product that uses "military-grade encryption."

In fact, the words "ignorant hyping" in the blog post's conclusion link to a recent New York Times article about Wickr, a new mobile app that the Times reveals will let "users transmit texts, photos and videos through secure and anonymous means previously reserved for the likes of the military and intelligence operatives."

(This is, of course, rubbish. There are no anonymity technologies that have been "reserved for the likes of the military and intelligence operatives.")

Finally, in support of his charge that I am sexist, Singel twists my words by stating that "Soghoian suggest[s] that if Quinn Norton ever wanted to write about about encryption tools in the future, she ought to 'step back, take a deep breath, and pull the power cord from your computer.'"

Let me be clear: Nowhere in my blog post do I tell Quinn that she should never again write about encryption tools. Instead, I warn journalists who are planning to write that "that a new security tool will lead to the next Arab Spring or prevent the NSA from reading peoples' emails." That is very different than "ever writing about encryption tools in the future."

Of course I want journalists to write about encryption, privacy, security and the importance of protecting data. I want users to be safe, and one of the best ways for them to discover and then adopt safe practices is by reading about them in the media.

(Strangely enough, Wired's chilling coverage this week of the devastating hack against Mike Mat Honan has been absolutely fantastic, offering a clear demonstration of how difficult it is for users to protect their data even when using tools and services created by billion dollar corporations.)

What I wish to avoid though, is news stories that hype technologies that simply cannot, and will not deliver what has been promised to users. By all means, please tell users about two-factor authentication, encrypted cloud backups with keys not known to providers, and VPN services. Just don't claim that these technologies will plunge the NSA into darkness or lead to the overthrow of authoritarian governments.

I do not hate female journalists

As an activist that uses media coverage to pressure companies to change their privacy invading practices, I regularly work with journalists around the world, feeding them stories, tips, and when they want them, quotes. In the more than six years that I have been working with the media (including Wired on countless occasions), never once has the gender of the reporter played any role in whether or not I went to them with a scoop, or returned their phone calls or emails.

The media are of course not equal in their understanding of technology or their willingness to dig deep into a tech issue. In my experience, gender plays absolutely no role in determining the quality of a tech journalist.

For example, of the entire news media, the What They Know team at the Wall Street Journal (Julia Angwin and Jennifer Valentino-DeVries) are by far the best in the business when it comes to covering privacy and security. They break major stories, do great investigative research, and routinely seek the confirmation of multiple technical experts in order to verify claims before they print them. On this beat, their coverage is first rate, and quite frankly, puts the New York Times, the Washington Post, Wired, Ars and others to shame. It is not surprising then, that when a great scoop lands in my lap, I take it to the WSJ first.

I judge, praise and criticize journalists on the tech beat based on the quality of their reporting, not by their gender. In this case, I criticized Quinn Norton's Wired story because it was deeply flawed, not because she is a woman. To claim otherwise is pure bullshit.