Dateline: Digital Security Checklist

Investigative reporters face a two-fold challenge: surveillance software has become mind-bogglingly sophisticated, and funding is pouring in for the development of new technologies. These new products are purchased on the gray market by governments that spy on their public and their press.

Robert Guerra, a Canada-based digital security expert, warns that most reporters aren’t even taking the most basic precautions.

“If you become known for investigative reporting, people can use digital tools to come after you and your data,” says Guerra, who for more than a decade has trained NGO staffers and journalists to securely manage relationships and data online. “Start with the principles. Know the risks.”

Guerra suggests starting here:

Email

At home, use “https” so that your web browsing traffic is encrypted. If you don’t, it’s as if you were in a busy public place having a conversation with a confidential source, Guerra explains, “but you’re both screaming.” Install the Electronic Frontier Foundation’s (EFF) HTTPS Everywhere extension in your browser so that your connection defaults to a secure “https” connection where possible.

Don’t Assume Your Employer is Protecting Your Account

Ask your technology desk what precautions it takes, and consider getting a personal account from Google, Yahoo or RiseUp over which you have control.

Passwords and the Two-Factor Login

It is recommended that you activate an additional layer of protection – the two-factor login present in many online services today. When you activate the two-factor login, you will need to enter your password and a unique authentication code that can be generated via a mobile app or sent via text message.

Login Settings

Establish multiple user accounts on your computer, including at least one in addition to the default administrator account. Make sure the second account has no administrative privileges, then use that login for your daily work. If malware tries to install automatically, the computer will alert you with a message requiring the administrator password.

Malware

Beware of suspicious attachments, keep your programs updated, and install a good antivirus program or malware scanner such as Detekt.

If possible, avoid opening attachments on your computer. Instead use online editors such as Google Docs to view and edit documents.

Watch for emails from groups or people you might know, but which seem slightly off – small grammar changes or odd punctuation.

Outdated computers without the latest security patches will put you at greater risk.

When Something Goes Wrong

 

Tutorials And Tipsheets

There’s no shortage of guides to digital security. Many are overly complex and not terribly useful for working journalists. But there’s help out there, and it’s worth designating someone on your team, in your newsroom, or at your nonprofit to take the lead in ensuring that your work is protected.

Some resources:

  • Security in a Box offers a series of video tutorials on simple ways to maintain a low online profile. Available in many languages.
  • The Committee to Protect Journalists addresses cyber security as part of its Journalism Security Guide.
  • Reporters Without Borders also has published an Online Survival Kit, available in five languages.
  • Digital First Aid Kit is a guide published by a dozen media-related NGOs, including Free Press Unlimited, Freedom House, Global Voices, and Internews.

 

Surveillance Self-Defense Provides A Practical Five-Point Guide To Protecting Yourself And Your Information:

  • 1. Develop a data retention and destruction policy: You should not destroy evidence, but you can maintain a retention policy in which you routinely purge your files. Make sure the policy is written and followed by everyone.
  • 2. Basics of data protection: Require logins for accounts and screensavers. Make your passwords strong. Make sure you trust your systems administrator.
  • 3. Proper use of passwords: Don’t use the same password for multiple accounts. And change the passwords regularly. Can’t remember a lengthy password? Consider an encrypted password manager such as 1Password or KeePass.
  • 4. Data encryption: Governments can get around password-protected data. But well-encrypted data is more difficult to get around.
  • 5. Protection from malware: Avoid opening attachments and PDF documents on your computer.

 

Eva Galperin of the EFF provides this tip sheet for Best Practices. Key points:

  • Skype isn’t as secure as you might think. Instead you should use a more secure, peer-to-peer service such as Talky.io or meet.jit.si.
  • SMS messaging is not secure and not encrypted. If you have a smartphone, use a secure chat tool such as Redphone, Signal, Threema or Silent Circle.
  • Instant message with Pidgin or Adium (Mac OS X).

 

Steve Doig, a professor at Arizona State University, provides these tips in his presentation Spycraft: Keeping Your Sources Private (PowerPoint):