Journalists are being strongly urged to protect their communications and information from growing threats.
Yet several studies show that most journalists, despite believing the danger is real, are not adopting basic protections.
To help promote digital security, GIJN has assembled this guide to resource materials on the subject.
“You can never say that anybody is 100 percent secure,” said Trevor Timm, Executive Director of the Freedom of the Press Foundation in an PDNPulse interview. “But there are many basic steps that anybody can take that can make them more secure than 90 or 95 percent of internet users, and that really goes a long way.”
We begin with summary recommendations by Robert Guerra, a digital security expert at the Canada-based Citizen Lab, who warns that most reporters aren’t even taking the most basic precautions.
“If you become known for investigative reporting, people can use digital tools to come after you and your data,” says Guerra, who for more than a decade has trained NGO staffers and journalists to securely manage relationships and data online. “Start with the principles. Know the risks. There are some simple things folks can do.”
Guerra suggests starting here:
- If you travel to a country known for spying on the media, don’t rely on an email provider based there.
- At home, use a secure provider – you can tell if your email is secured by looking for the “https” in the address bar. Gmail is secure by default, while Yahoo and Facebook settings can be adjusted. Why? If you use a free wireless network, anyone can tap into your screen with a simple and free software program. That’s a problem if you’re communicating with a source. It’s as if you were in a busy public place having a conversation with a confidential source, Guerra explained, “but you’re both screaming.”
- Don’t assume your employer is protecting your account. Ask your technology desk about what precautions it takes, and consider getting a personal account from Google or Yahoo over which you have control.
Passwords and the Two-Factor Login
If you have Gmail, everyone knows your User Name. So a hacker only needs your password. An obvious first step is using a more complex password. There are guides to creating stronger passwords listed below. Also, for more sensitive interactions, Gmail, Twitter, and Facebook have added an additional – optional – layer of protection – the two-factor login. When you activate the two-factor login, and enter your password, the account sends a text message to your phone, providing you a unique authentication code you must enter before accessing the account.
Log In Settings
Establish multiple user accounts on your computer, including at least one user account in addition to the default administrator account. Making sure the second account has no administrative privileges, then use that login for your daily work. Then if malware tries to install automatically, the computer will alert you with a message requiring the administrator password.
- Beware of suspicious attachments, keep your programs updated, and install a good antivirus program. Usually programs you buy will provide greater protection.
- Watch for emails from groups or people you might know, but which seem slightly off – small grammar changes or odd punctuation.
- Mac users, avoid being lulled into a false sense of security.
- Outdated computers without security patches can put you on greater risk.
When Something Goes Wrong
Make noise if your computer starts acting wacky. Reach out to one of the nonprofit groups dedicated to detecting and tracking attacks and training users. They include:
- Access Now runs a 24/7 Digital Security Helpline available in seven languages.
- The Committee to Protect Journalists, based in New York, advocates on behalf of reporters around the world and fields requests for assistance.
- Reporters Without Borders, based in Paris, does similar advocacy as CPJ.
- The Citizen Lab at the University of Toronto, researches Internet security and human rights.
Tutorials and Tipsheets
There’s no shortage of guides to digital security. Many are overly complex and not terribly useful for working journalists. But there’s help out there, and it’s worth designating someone on your team, in your newsroom, or at your nonprofit to take the lead in ensuring that your work is protected. Here are some resources:
The August 2017 edition of Current Digital Security Resources was pulled together by Martin Shelton, who begins by noting that “even the richest digital security resources become quickly out-of-date.” Shelton is also the author of an article about one of the most common bits of defensive advice, using two-factor authentication. Another piece of his covers how reporters can prepare for malicious software.
Surveillance Self-Defense from the Electronic Frontier Foundation provides lots of information, including a seven-step “security starter pack.” Among the suggestions:
- Proper use of passwords: Choose strong passwords using Diceware, avoid reusing passwords, consider using an encrypted virtual safe or password manager, avoid giving easily found answers for security questions, using two-factor authentication passwords. If you write passwords on a piece of paper in your wallet, make sure to add dummy characters before and after real passwords, and don’t clearly label accounts. Don’t use the same password for multiple accounts. And change the passwords regularly.
- You should not destroy evidence, but you can maintain a retention policy in which you routinely purge your files. Make sure the policy is written and followed by everyone. “It’s your best defense against a subpoena — they can’t get it if you don’t have it.”
- Basics of data protection: Require logins for accounts and screensavers. Make your passwords strong. Make sure you trust your systems administrator.
- Data encryption: Governments can get around password-protected data. But well-encrypted data is more difficult. SSD offers another basic guide to how encryption works
- Protection from malware: Use anti-virus software, keep your security patches updated and avoid clicking on suspicious links and files.
Eva Galperin of the Electronic Frontier Foundation via the U.S. Public Broadcasting Service provides this tip sheet of best practices. A few key points include:
- Skype isn’t as secure as you might think. Governments can track your movements. Instead, consider using Google Hangouts
- Text messaging is insecure and not encrypted.
- Instant message with Pidgin or Adium (Mac OSX)
Steve Doig, a professor at Arizona State University in the U.S. provides these tips in his presentation Spycraft: Keeping Your Sources Private (Powerpoint):
- Search the web with IXQuick, which doesn’t save your IP address or search terms.
- Disguise your caller ID with SpoofCard. This works for international calls as well.
- Buy no-contract cell phones with cash.
- Encrypt communications:
A Surveillance Self-Defense Checklist from The Intercept describes basic, intermediate and advanced steps to take.
Micah Lee of The Intercept wrote Surveillance Self-Defense Against The Trump Administration warning that a steady expansion of executive power in the United States means, “Those preparing for the long fight ahead must protect themselves, even if doing so can be technically complicated.”
Journalists In Distress: Securing Your Digital Life was prepared by Canadian Journalists for Freedom of Expression. It is offered in French and Arabic.
Cyber Security for Journalists: Tips and Tools for Securing Your Communications. Notes (in French) from participants in a training course sponsored by he European Federation of Journalists (EFJ) and the European Trade Union Institute (ETUI) facilitated by an expert in digital security, Dmitri Vitaliev.
Ce Kit de Survie Numérique The Digital Security Kit (in French) from Reporters Without Borders.
Privacidade para Jornalistas (Privacy for Journalists) is the Brazilian version of an Australian site developed by journalist Raphael Hernandes. It includes guides and tools such as one on “threat analysis.” His five basic tips are summarized in article about the site in the Knight Center Journalism in the Americas blog (Spanish) (Portuguese):
- Encryption of HD and flash drives – Encryption places a password on hard drives and USB devices, which protect sources and personal files in case the equipment is lost or stolen.
- Two-Step Authentication – Used for online banking access, it can be configured in your email and social networks. Login is done with something you know (your password) and something you have (a code sent to your smartphone, for example). This avoids problems even if you have compromised passwords.
- Signal – Application available for encrypted message smartphones. If the cell phone is intercepted, no one can understand what was written there.
- Sync.com – Free cloud storage system. It uses the zero-knowledge protocol, meaning it stores information but does not know what is being stored. As a rule, the websites we use commonly scan the files and pass reports to the authorities. Sync is encrypted and more secure, very simple to use.
- PGP – Pretty Good Privacy acronym. It’s a way to encrypt emails. Like a kind of chest, but with two keys: one to lock and the other to unlock. You give the key that locks the chest so people can send you files and messages. But only you have the keys to unlock the content.
Privacy for Journalists is a site in Australia run by CryptoAustralia. New topics are addressed in a blog, such as Storing Files Privately in the Cloud, Choosing a Safe Search Engine and Encrypt your USB Drives on Windows.
And, of course, a podcast. The Storyful Podcast: Digital Security – How Journalists and Activists Can Be Protected Online. Host and journalist Della Kilroy is joined by Storyful journalists Jenny Hauser and Eoghan Sweeney, along with special guest security experts Andrew Anderson, Executive Director with Frontline Defenders, and Holly Kilroy, co-founder of Security First.
Kaveh Waddel in The Atlantic addresses How Can Journalists Protect Themselves During a Trump Administration? Among other things, he suggests using password manager software to generate complex passwords.
“Every January, I do a digital tune-up…,” wrote Julia Angwin of ProPublica as she introduced her nine suggestions. “This year, the task feels particularly urgent as we face a world with unprecedented threats to our digital safety.”
Eleven steps are recommended by Aimee O’Driscoll for Comparitech. “These range from simply utilizing common sense to employing some of the most up-to-date technologies, and involve tactics such as encrypting communications and avoiding popular platforms. While some of these methods may seem like a lot of extra work, when combined together, they can greatly reduce the risk of information being discovered by prying eyes.”
Noting that “the tech world is intimidating,” David Trilling created a tip sheet “for journalists of all digital-comfort levels as well as links to useful tutorials.” Published by Journalist’s Resource of Harvard’s Shorenstein Center on Media, Politics and Public Policy.
An extensive collection of links on digital security was prepared by DW Akademie, the Germany organization for international media development.
An article offering five tips was done by the The Ugandan Hub for Investigative Media, which trains journalists on digital security with support from DW Akademie.
Anti-Phishing and Email Hygiene is discussed by The Freedom of Press Foundation.
Eight Prevention Tips to Secure Your Mobile Phone are described in an infographic by The Freedom of Press Foundation. Also interesting is an interview with Harlo Holmes, Director of Newsroom Digital Security at Freedom of the Press Foundation, who says, “Every day is a new bowl of scorpions.”
The Digital First Aid Kit “offers a set of self-diagnostic tools for human rights defenders, bloggers, activists and journalists facing attacks themselves, as well as providing guidelines for digital first responders to assist a person under threat.” It was produced by the Digital Defenders Partnership and more than a dozen NGOs.
The Source offers Security for Journalists, Part One: The Basics by Jonathan Stray. And a second installment, Security for Journalists, Part Two: Threat Modeling.
Protecting Your Sources When Releasing Sensitive Documents by Ted Han and Quinn Norton is subtitled, “Scrub metadata, redact information properly, search for microdots & more.”
The Rory Peck Trust offers 25 videos and instructional articles on a variety of digital security topics, including: How can I use social networks safely? and How can I keep a file from revealing my personal details?
The International Consortium of Investigative Journalists has a Power Point on Security Tools for Investigative Journalists.
The Journalist’s Toolbox by the Society for Professional Journalists links to many resources.
Security in a Box offers a series of video tutorials on simple ways to maintain a low online profile. Available in French, Spanish, Italian, Portuguese, Russian, Arabic, Armenian, Croatian, Ukrainian, Serbian, Albanian, Bosnian.
A comment on CPJ’s advice of crossing borders was offered by Robert Graham of Errata Security.
Reporters Without Borders has published an Online Survival Kit, available in five languages.
Digital First Aid Kit is a guide created by a dozen media-related NGOs, including Free Press Unlimited, Freedom House, Global Voices, and Internews.
The London-based Centre for Investigative Journalism has an 80-page handbook, Information Security for Journalists, full of tips and techniques.
The UNESCO report Building Digital Safety for Journalism, outlines 12 specific digital threats “including illegal or arbitrary digital surveillance, location tracking, and software and hardware exploits without the knowledge of the target”. It provides tips on how to keep your data and yourself safe.