[Cryptography] Ranking what draws surveillance attention
Douglas Lucas
dal at riseup.net
Mon Jan 26 15:22:37 EST 2026
Hi cryptography list,
This is another enduser-generated question, as I'm a freelance int'l.
investigative journalist, not a cryptographer. As far as I know, there's
no great way to make a ranking that thoroughly accounts for all
pertinent environmental factors, all pertinent changes in social
systems, and so on, but I'm still wondering if hypothetical rankings can
be discussed. Rankings of what kind of internet transmissions draw
attention from threat actors (whether governments, organized crime,
rival activists, or a rando with a gadget hoping to swipe SSN numbers or
something as a small-time crook). There are also overlaps with
(self-)censorship. For example, while we usually canonically imagine a
news entity trying to pass around a .7z of diplomatic cables, and
wanting to avoid surveillance by keeping the cables on air-gapped
devices, we could also imagine a simpler situation, say a first
responder trying to talk someone off a ledge, and the first responder
infers that the wailing dude on the ledge is upset about his dog's death
(which the wailing dude might not even fully realize), so the first
responder self-censors that topic for a while for the greater good of
getting the guy down off the ledge with more lighthearted topics such as
sports: some topics are more/less dangerous than others. While the first
responder analogy might seem silly in the face of international
journalism, just imagine journalists wanting to correspond 1v1 with
typically unencrypted friends, family, love interests, colleagues, or
what have you, and not knowing which topic(s) to avoid (if any: it used
to be argued among some activists that cryptography is a waste of time
and just for show, and what is needed is people in the streets).
All that said, here are some things that could be ranked for their
relative ability to draw the attention of threat actors:
If someone (journalist, civil servant, civil society member, or other)
states loudly that they are...
Protecting sources
Protecting methods
National security
Ongoing investigation
Personal privacy
Personal dignity
Receiving money (e.g., PayPal transactions)
Giving away money (e.g., same, whether to a Specially Designated Global
Terrorist, NPR, or a friend on the other side of town)
Gaining fame
Undercutting someone else's fame
Tricking people
Helping people
Thanking someone
Apologizing to someone
...
Then stating aloud as a motivation which of these things are more likely
to pull attention from bad actors than others? "Can't say," an email
subject line might shout, "because source protection." It is perhaps a
ridiculous question when autocrats can kill most anybody with the touch
of a button but are also simultaneously distracted by the next crisis or
child put in front of them. Also context counts - I used to turn
revelations from the 5 million-plus leaked Stratfor emails into news
stories, and that required me to "surveil" (obviously not in real time)
this cache of millions of emails, and I saw in so doing that it is
surprisingly hard to make a meaningful narrative out of a pile of emails
without what someone on this email list (I forget who, apologies)
described as "relevance indicators." But then, being a journalist is
like being a walking relevance indicator, and it is hard to imagine
during fascism's rise that one is not endangering oneself and others
with every keystroke, every keystroke that might also be providing the
world security simultaneously. The generic advice (which a decade ago
emanated beratingly from Omidyar-funded realms) is Use Signal Use Tor,
in other words, berate everyone you know to use cryptography, ignoring
CA problems, moderators, the fact that protocols end up being sold off,
and that the big dude dick-waving contest of whose favorite encryption
software is the best, isn't particularly motivating to feminist activists
having to listen to it in small group environments such as Food Not
Bombs meetings and who just use metaphors anyway to hint and wink what
they mean, rather than trusting in aes256. For the record, I am in favor
of both -- indirectness and cryptography -- but I am trying to ask my
above question in the context of a world where many of my interlocutors
(right or wrong) feel they have good reason to not use ciphertext (e.g.,
can't afford a new phone and this is the one Grandpa gave me whose
memory inspires me to fight fascism and I can't install any new apps on
it...).
Sorry for the lack of clarity in such a wide-ranging question, but it's
a curious matter to me. Citing security risks as someone's reason for,
say, not thanking someone or whatever else, might be valid sometimes, a
lie other times, or both certain times, and I wonder if there is a way
to bring some facticity to the "Security risks!" reason given by
everyone from friends to news orgs to governments, assuming cleartext
transmissions, perhaps even without metaphors/analogies being used to
cloud the meaning self-protectively (or to baffle others into
submission, etc.).
Douglas