Journalists are being strongly urged to protect their communications and information from growing threats.
Yet several studies show that most journalists, despite believing the danger is real, are not adopting basic protections.
The Rory Peck Foundation issued a Digital Security Guide aimed at freelancers, stressing that “even taking small, simple steps can make a huge difference.”
To help promote digital security, GIJN has assembled this guide to resource materials on the subject.
“You can never say that anybody is 100 percent secure,” said Trevor Timm, Executive Director of the Freedom of the Press Foundation, in an PDNPulse interview. “But there are many basic steps that anybody can take that can make them more secure than 90 or 95 percent of internet users, and that really goes a long way.”
We begin with summary recommendations by Robert Guerra, a digital security expert at the Canada-based Citizen Lab, who warns that most reporters aren’t even taking the most basic precautions.
“If you become known for investigative reporting, people can use digital tools to come after you and your data,” says Guerra, who for more than a decade has trained NGO staffers and journalists to securely manage relationships and data online. “Start with the principles. Know the risks. There are some simple things folks can do.”
Guerra suggests starting here:
- If you travel to a country known for spying on the media, don’t rely on an email provider based there.
- At home, use a secure provider – you can tell if your email is secured by looking for the “https” in the address bar. Gmail is secure by default, while Yahoo and Facebook settings can be adjusted. Why? If you use a free wireless network, anyone can tap into your screen with a simple and free software program. That’s a problem if you’re communicating with a source. It’s as if you were in a busy public place having a conversation with a confidential source, Guerra explained, “but you’re both screaming.”
- Don’t assume your employer is protecting your account. Ask your technology desk about what precautions it takes, and consider getting a personal account from Google or Yahoo over which you have control.
Passwords and the Two-Factor Login
If you have Gmail, everyone knows your User Name. So a hacker only needs your password. An obvious first step is using a more complex password. There are guides to creating stronger passwords listed below. Also, for more sensitive interactions, Gmail, Twitter, and Facebook have added an additional – optional – layer of protection – the two-factor login. When you activate the two-factor login, and enter your password, the account sends a text message to your phone, providing you a unique authentication code you must enter before accessing the account.
Log In Settings
Establish multiple user accounts on your computer, including at least one user account in addition to the default administrator account. Making sure the second account has no administrative privileges, then use that login for your daily work. Then if malware tries to install automatically, the computer will alert you with a message requiring the administrator password.
- Beware of suspicious attachments, keep your programs updated, and install a good antivirus program. Usually programs you buy will provide greater protection.
- Watch for emails from groups or people you might know, but which seem slightly off – small grammar changes or odd punctuation.
- Mac users, avoid being lulled into a false sense of security.
- Outdated computers without security patches can put you on greater risk.
Guerra describes some useful specific tools here (English and Spanish).
When Something Goes Wrong
Make noise if your computer starts acting wacky. Reach out to one of the nonprofit groups dedicated to detecting and tracking attacks and training users. They include:
- Access Now runs a 24/7 Digital Security Helpline available in seven languages.
- The Committee to Protect Journalists, based in New York, advocates on behalf of reporters around the world and fields requests for assistance.
- Reporters Without Borders, based in Paris, does similar advocacy as CPJ.
- The Citizen Lab at the University of Toronto, researches Internet security and human rights.
Tutorials and Tipsheets
There’s no shortage of guides to digital security. Many are overly complex and not terribly useful for working journalists. But there’s help out there, and it’s worth designating someone on your team, in your newsroom, or at your nonprofit to take the lead in ensuring that your work is protected. Here are some resources:
A Cheat Sheet for Open Source Digital Security Options done for GIJN in 2019 by Katarina Sabados, a freelance journalist and researcher with the Organized Crime and Corruption Reporting Project (OCCRP).
The Field Guide to Security Training is a curriculum hosted by OpenNews, a team that helps developers, designers, and data analysts convene and collaborate on open journalism projects, and BuzzFeed Open Lab, an arts and technology fellowship program at BuzzFeed News.
4 Digital Security Tips Every Journalist Needs to Know At the Uncovering Asia 2018 conference in Seoul, Chris Walker, a digital security expert from the Tactical Technology Collective, shared key tips that journalists can implement today to protect themselves, their sources and their story.
The August 2017 edition of Current Digital Security Resources was pulled together by Martin Shelton, who begins by noting that “even the richest digital security resources become quickly out-of-date.” Shelton is also the author of an article about one of the most common bits of defensive advice, using two-factor authentication. Another piece of his covers how reporters can prepare for malicious software.
Surveillance Self-Defense from the Electronic Frontier Foundation provides lots of information, including a seven-step “security starter pack.” Among the suggestions:
- Proper use of passwords: Choose strong passwords using Diceware, avoid reusing passwords, consider using an encrypted virtual safe or password manager, avoid giving easily found answers for security questions, using two-factor authentication passwords. If you write passwords on a piece of paper in your wallet, make sure to add dummy characters before and after real passwords, and don’t clearly label accounts. Don’t use the same password for multiple accounts. And change the passwords regularly.
- You should not destroy evidence, but you can maintain a retention policy in which you routinely purge your files. Make sure the policy is written and followed by everyone. “It’s your best defense against a subpoena — they can’t get it if you don’t have it.”
- Basics of data protection: Require logins for accounts and screensavers. Make your passwords strong. Make sure you trust your systems administrator.
- Data encryption: Governments can get around password-protected data. But well-encrypted data is more difficult. SSD offers another basic guide to how encryption works
- Protection from malware: Use anti-virus software, keep your security patches updated and avoid clicking on suspicious links and files.
Eva Galperin of the Electronic Frontier Foundation via the U.S. Public Broadcasting Service provides this tip sheet of best practices. A few key points include:
- Skype isn’t as secure as you might think. Governments can track your movements. Instead, consider using Google Hangouts
- Text messaging is insecure and not encrypted.
The Wired Guide to Digital Security, from the magazine Wired.
Myanmar: The Digital Security Guide for Journalists: a simple, accessible tool (2017) to help journalists protect their communications and digital devices against hacking, surveillance and other forms of digital harassment. It was prepared by the Centre for Law and Democracy (CLD) in collaboration with International Media Support (IMS), FOJO Media Institute and the Myanmar Press Council (MPC). Digital Security Guide [English] Digital Security Guide [Burmese]
Steve Doig, a professor at Arizona State University in the U.S. provides these tips in his presentation Spycraft: Keeping Your Sources Private (Powerpoint):
- Search the web with IXQuick, which doesn’t save your IP address or search terms.
- Disguise your caller ID with SpoofCard. This works for international calls as well.
- Buy no-contract cell phones with cash.
- Encrypt communications:
The Tactical Technology Collective has published and updated Security in-a-Box for human rights defenders and journalists. It includes a How-to Booklet covering 11 areas, Hands-on Guides focusing on specific freeware or open source software tools and a Mobile Security section.
A Surveillance Self-Defense Checklist from The Intercept describes basic, intermediate and advanced steps to take.
Micah Lee of The Intercept wrote Surveillance Self-Defense Against The Trump Administration warning that a steady expansion of executive power in the United States means, “Those preparing for the long fight ahead must protect themselves, even if doing so can be technically complicated.”
Journalists In Distress: Securing Your Digital Life was prepared by Canadian Journalists for Freedom of Expression. It is offered in French and Arabic.
Cyber Security for Journalists: Tips and Tools for Securing Your Communications. Notes (in French) from participants in a training course sponsored by he European Federation of Journalists (EFJ) and the European Trade Union Institute (ETUI) facilitated by an expert in digital security, Dmitri Vitaliev.
Instant Messaging: Many experts recommend using Signal or WhatsApp. See article on Signal from Journalism.co.uk. Bonus, a First Draft article on using WhatApp for news gathering. The Mozilla secure file sharing service is a great way to receive files from people who are not comfortable with or in a position to encrypt files themselves or send them through e.g. Signal.
Ce Kit de Survie Numérique The Digital Security Kit (in French) from Reporters Without Borders.
Privacidade para Jornalistas (Privacy for Journalists) is the Brazilian version of an Australian site developed by journalist Raphael Hernandes. It includes guides and tools such as one on “threat analysis.” His five basic tips are summarized in article about the site in the Knight Center Journalism in the Americas blog (Spanish) (Portuguese):
- Encryption of HD and flash drives – Encryption places a password on hard drives and USB devices, which protect sources and personal files in case the equipment is lost or stolen.
- Two-Step Authentication – Used for online banking access, it can be configured in your email and social networks. Login is done with something you know (your password) and something you have (a code sent to your smartphone, for example). This avoids problems even if you have compromised passwords.
- Signal – Application available for encrypted message smartphones. If the cell phone is intercepted, no one can understand what was written there.
- Sync.com – Free cloud storage system. It uses the zero-knowledge protocol, meaning it stores information but does not know what is being stored. As a rule, the websites we use commonly scan the files and pass reports to the authorities. Sync is encrypted and more secure, very simple to use.
- PGP – Pretty Good Privacy acronym. It’s a way to encrypt emails. Like a kind of chest, but with two keys: one to lock and the other to unlock. You give the key that locks the chest so people can send you files and messages. But only you have the keys to unlock the content.
Privacy for Journalists is a site in Australia run by CryptoAustralia. New topics are addressed in a blog, such as Storing Files Privately in the Cloud, Choosing a Safe Search Engine and Encrypt your USB Drives on Windows.
How to Stop Apps From Tracking Your Location A December 2018 New York Times article by Jennifer Valentino-DeVries and Natasha Singer. They recommend changing settings, noting that their information applies primarily to the United States.
And, of course, a podcast. The Storyful Podcast: Digital Security – How Journalists and Activists Can Be Protected Online. Host and journalist Della Kilroy is joined by Storyful journalists Jenny Hauser and Eoghan Sweeney, along with special guest security experts Andrew Anderson, Executive Director with Frontline Defenders, and Holly Kilroy, co-founder of Security First.
Kaveh Waddel in The Atlantic addresses How Can Journalists Protect Themselves During a Trump Administration? Among other things, he suggests using password manager software to generate complex passwords.
“Every January, I do a digital tune-up…,” wrote Julia Angwin of ProPublica as she introduced her nine suggestions. “This year, the task feels particularly urgent as we face a world with unprecedented threats to our digital safety.”
Eleven steps are recommended by Aimee O’Driscoll for Comparitech. “These range from simply utilizing common sense to employing some of the most up-to-date technologies, and involve tactics such as encrypting communications and avoiding popular platforms. While some of these methods may seem like a lot of extra work, when combined together, they can greatly reduce the risk of information being discovered by prying eyes.”
Noting that “the tech world is intimidating,” David Trilling created a tip sheet “for journalists of all digital-comfort levels as well as links to useful tutorials.” Published by Journalist’s Resource of Harvard’s Shorenstein Center on Media, Politics and Public Policy.
An extensive collection of links on digital security was prepared by DW Akademie, the Germany organization for international media development.
An article offering five tips was done by the The Ugandan Hub for Investigative Media, which trains journalists on digital security with support from DW Akademie.
Anti-Phishing and Email Hygiene is discussed by The Freedom of Press Foundation.
Eight Prevention Tips to Secure Your Mobile Phone are described in an infographic by The Freedom of Press Foundation. Also interesting is an interview with Harlo Holmes, Director of Newsroom Digital Security at Freedom of the Press Foundation, who says, “Every day is a new bowl of scorpions.”
The Digital First Aid Kit “offers a set of self-diagnostic tools for human rights defenders, bloggers, activists and journalists facing attacks themselves, as well as providing guidelines for digital first responders to assist a person under threat.” It was produced by the Digital Defenders Partnership and more than a dozen NGOs.
The Source offers Security for Journalists, Part One: The Basics by Jonathan Stray. And a second installment, Security for Journalists, Part Two: Threat Modeling.
Protecting Your Sources When Releasing Sensitive Documents by Ted Han and Quinn Norton is subtitled, “Scrub metadata, redact information properly, search for microdots & more.”
Digital Security For Freelancers, by the Rory Peck Trust, covers a variety of digital security topics.
The International Consortium of Investigative Journalists has a Power Point on Security Tools for Investigative Journalists.
The Journalist’s Toolbox by the Society for Professional Journalists links to many resources.
Security in a Box offers a series of video tutorials on simple ways to maintain a low online profile. Available in French, Spanish, Italian, Portuguese, Russian, Arabic, Armenian, Croatian, Ukrainian, Serbian, Albanian, Bosnian.
A comment on CPJ’s advice of crossing borders was offered by Robert Graham of Errata Security.
Reporters Without Borders has published an Online Survival Kit, available in five languages.
Digital First Aid Kit is a guide created by a dozen media-related NGOs, including Free Press Unlimited, Freedom House, Global Voices, and Internews.
The London-based Centre for Investigative Journalism has an 80-page handbook, Information Security for Journalists, full of tips and techniques.
The UNESCO report Building Digital Safety for Journalism, outlines 12 specific digital threats “including illegal or arbitrary digital surveillance, location tracking, and software and hardware exploits without the knowledge of the target”. It provides tips on how to keep your data and yourself safe. Also available in: Español.
Facebook has Safety Tips for Journalists in 20 languages.
Guide to Privacy Resources 2019 This guide is a comprehensive listing of free privacy applications, tools and services that users may implement across multiple devices. Compiled by Marcus P. Zillman for LLRX (Law and Technology Resources for Legal Professionals).
The Motherboard Guide to Not Getting Hacked This is Motherboard’s comprehensive guide to digital security. Also covers mobile security.
Cybersecurity for journalists and the news media, a resource by Stephen Cobb of the security company ESET. Websites and resources listed.
Secure communications basics for journalists, written in 2017 by Gabor Szathmari covers scrubbing metadata from documents, instant messaging and sharing files, and secure communication.
Best Practices for Conducting Risky Research and Protecting Yourself from Online Harassment, published by Data&Society in 2016 is designed for academic researchers, but contains good advice and lists of other resources.