NICOLE KOBIE
Journalists, it’s time to stop being jerks about security.
Security is hard enough without confusing advice from all directions. We can do better.
Talking about security isn’t easy. It’s a complicated subject, understood fully by few, that’s worth a lot of money and affects everyone.
Not a week goes by without a major hack, dangerous-sounding flaw, or security headlines that need deciphering by millions of people who lack technical skills. In the past few weeks, normal people — those who don’t read PC Pro for fun — have had to grapple with the benefits and limitations of VPNs (to protect against ISP and government snooping), ponder the implications of a zero-day vulnerability uncovered in Word, and decide whether to change passwords after a leak at Wonga.
The advice given by the mainstream media varies in quality and content. Consider the recent uproar in the US after ISPs were given the legal ability to sell customer data without first asking permission. A deluge of privacy advice flooded every website and newspaper, mostly centring on VPNs, deeming them either perfect solutions or dangerous to depend on. How could an average person unpick these conflicting arguments? With such confusion, they’re more likely to tap out and ignore it all.
It’s no wonder journalists get confused. Whenever there’s a high-profile hack, my email is flooded with “comment” from security firms desperate to be mentioned in print. For example, at the time of writing, notorious payday loan firm Wonga had just admitted that criminals accessed data it held on 245,000 customers in the UK. I have dozens of responses in my inbox: one notes that it’s alarming that bank details are in criminals’ hands — no kidding — and another says we need better data protection laws. There’s nothing useful here to act upon, and that’s no surprise, as the companies looking to get coverage off the back of other people’s misery have no more insight into how the hack happened than the rest of us.
Journalists are equally guilty of blowing security stories out of proportion, bigging up the seriousness of a threat to make it sound more exciting and get readers’ attention. One recent example is from The Guardian, which reported an apparent vulnerability in WhatsApp’s encryption. Without going into too much detail, there is a way that hackers could in theory nab a message sent from one WhatsApp user to another, but it’s difficult to do, it has limited impact, and you can set the messaging app to alert you if the situation it requires happens.
As several researchers told me at the time, the only people who need worry are those at risk of being under state-level surveillance — and such spies have many more effective techniques to get your data. However, one source told me the overblown story had led some activists to stop trusting WhatsApp and go back to SMS, a much less secure system.
This confusion keeps people insecure – useful for hackers, criminals and security services, but dangerous for everyone else.
So consider this a plea for help, to my fellow journalists, security researchers, antivirus makers — and you. Journalists, take the time to talk to independent experts and not just companies looking for their names in print to please their PR staff. Researchers, understand that no story a journalist writes can include every fact you tell us, so focus on practical, useful advice. Antivirus makers and the rest of the security industry, try to put people before your bottom line. Not everything is a marketing opportunity.
As readers of PC Pro, odds are you’re the best at security of all the people you know. If a friend needs your expertise, help them — even if it’s to tell them they needn’t worry about this month’s headline-making hack or help them choose a strong password and flip on two-factor authentication.
Security is complicated by its very nature. We can simplify it by giving easy, practical advice, rather than using hacks and attacks to market products and push forward our careers. The security industry — researchers, industry, journalists — should have one goal: keeping people safe. Anything else is helping the other side.