A Digital Security Primer

Investigative reporters face a two-fold challenge: surveillance software has become mind-bogglingly sophisticated; and funding is pouring in for development of new technologies. These new products are purchased gray market by governments that spy on their public – and their press.

Robert Guerra, a digital security expert at the Canada-based Citizen Lab, warns that most reporters aren’t even taking the most basic precautions.

“If you become known for investigative reporting, people can use digital tools to come after you and your data,” says Guerra, who for more than a decade has trained NGO staffers and journalists to securely manage relationships and data online. “Start with the principles. Know the risks. There are some simple things folks can do.”

Guerra suggests starting here:

Email

• If you travel to a country known for spying on the media, don’t rely on an email provider based there.
• At home, use a secure provider – you can tell if your email is secured by looking for the “https” in the address bar. Gmail is secure by default, while Yahoo and Facebook settings can be adjusted. Why? If you use a free wireless network, anyone can tap into your screen with a simple and free software program. That’s a problem if you’re communicating with a source. It’s as if you were in a busy public place having a conversation with a confidential source, Guerra explained, “but you’re both screaming.”
• Don’t assume your employer is protecting your account. Ask your technology desk about what precautions it takes, and consider getting a personal account from Google or Yahoo over which you have control.

Passwords and the Two-Factor Login

If you have Gmail, everyone knows your User Name. So a hacker only needs your password. An obvious first step is using a more complex password. There are guides to creating stronger passwords listed below. Also, for more sensitive interactions, Gmail, Twitter, and Facebook have added an additional – optional – layer of protection – the two-factor login. When you activate the two-factor login, and enter your password, the account sends a text message to your phone, providing you a unique authentication code you must enter before accessing the account.

Log In Settings

Establish multiple user accounts on your computer, including at least one user account in addition to the default administrator account. Making sure the second account has no administrative privileges, then use that login for your daily work. Then if malware tries to install automatically, the computer will alert you with a message requiring the administrator password.

MalWare

• Beware of suspicious attachments, keep your programs updated, and install a good antivirus program. Usually programs you buy will provide greater protection.
• Watch for emails from groups or people you might know, but which seem slightly off – small grammar changes or odd punctuation.
• Mac users, avoid being lulled into a false sense of security.
• Outdated computers without security patches can put you on greater risk.

When Something Goes Wrong

Make noise if your computer starts acting wacky. Reach out to one of the nonprofit groups dedicated to detecting and tracking attacks and training users. They include:

• The Committee to Protect Journalists, based in New York, which advocates on behalf of reporters around the world and fields requests for assistance.
• Reporters Without Borders, based in Paris, which does similar advocacy as CPJ.
• The Citizen Lab at the University of Toronto, which researches Internet security and human rights.

——————————————————————————————————-

Tutorials and Tipsheets

Security in a Box offers a series of video tutorials on simple ways to maintain a low online profile. Available in French, Spanish, Italian, Portuguese, Russian, Arabic, Armenian, Croatian, Ukrainian, Serbian, Albanian, Bosnian.

The Committee to Protect Journalists addresses cyber security as part of its Journalism Security Guide.

Surveillance Self-Defense provides a practical five-point guide to protecting yourself and your information:

• Develop a data retention and destruction policy: You should not destroy evidence, but you can maintain a retention policy in which you routinely purge your files. Make sure the policy if written and followed by everyone. “It’s your best defense against a subpoena — they can’t get it if you don’t have it.”
• Basics of data protection: Require logins for accounts and screensavers. Make your passwords strong. Make sure you trust your systems administrator.
• Proper use of passwords: Can’t remember a lengthy password? Consider an encrypted virtual safe or carry the password on a piece of paper in your wallet. In case your wallet is stolen make sure to add dummy characters before and after real passwords, and don’t clearly label accounts. Don’t use the same password for multiple accounts. And change the passwords regularly.
• Data encryption: Governments can get around password-protected data. But well-encrypted data is more difficult. SSD offers another basic guide to how encryption works
• Protection from malware: Avoid Microsoft products.

Eva Galperin of the Electronic Frontier Foundation via the U.S. Public Broadcasting Service provides this tip sheet for Best Practices. A few key points include:

• Skype isn’t as secure as you might think. Governments can track your movements. Instead, consider using Google Hangouts
• Text messaging is insecure and not encrypted.
• Instant message with Pidgin or Adium (Mac OSX)

Steve Doig, a professor at Arizona State University in the U.S. provides these tips in his presentation Spycraft: Keeping Your Sources Private (Powerpoint):

• Search the web with IXQuick, which doesn’t save your IP address or search terms.
• Disguise your caller ID with SpoofCard. This works for international calls as well.
• Buy no-contract cell phones with cash.
• Encrypt communications:
  • Pretty Good Privacy is strong and an industry standard.
  • Spam Mimic encrypts messages in spam-like email
  • Clean out deleted files for good using Webroot Window Washer
  • When obtaining leaked documents from a government source, beware of invisible watermarks.

Microsoft offers this four-point checklist to creating a stronger password:

• Do not use the same password for multiple accounts.
• Do not include personal identifiers or full words.
• Make it at least eight characters long.
• Use a random mix of uppercase and lowercase letters, numbers, and symbols.

Kate Willson is news advisor in the Student Media Department at Oregon State University, Corvalis, and a consultant to the Global Investigative Journalism Network. She is a former staff reporter for the International Consortium of Investigative Journalists, based in Washington, D.C.