Journalists everywhere need digital security skills more than ever; we will need them even more in the years to come.
International correspondents have been subject to well-crafted spear-phishing attacks in Asia. Foreign correspondents in the Middle East have had their emails intercepted, leading to potentially fatal consequences for their sources in Syria. Within the United States, journalists covering the intelligence beat have had their own email traffic with different sources cited in federal government subpoenas; the journalists themselves have also been served with federal subpoenas and have become targets of criminal investigations.
News organizations of all kinds have been subject to massive denial-of-service attacks. Other outlets have been besieged by penetrating cyber-attacks designed to either steal information or corrupt it.
This introductory guide can direct journalists on where to get more information and how to start bringing themselves up to speed. The field of digital safety remains daunting. Learning the concepts and skills needed to protect information and sources demands a personal commitment of what journalists value most: their energy and time.
One day every J-school in the United States and beyond will probably offer a full, three-credit or fifteen-week course in digital safety, along with a few more advanced classes, too. In the meantime, this guide provides a very basic introduction to digital security for journalists.
One caveat: You can’t stop with this guide. The pace of technological innovation is only advancing, and intelligence services, criminal actors and other digital predators are constantly finding new ways to steal, copy or access other people’s information and communications. So even if a journalist were to master all the concepts and tools listed here, it would all be moot if the same journalist did not make a concerted effort to stay continuously updated about changing digital threats and protection methods.
The cost of entry for digital predators is dropping, too. One Russian software firm, using a reseller in Canada, now offers the kind of “black” software once out of reach to all but the most advanced intelligence agencies. For just $40, “Blackshades” spyware allows almost anyone with minimal technical skills to digitally eavesdrop on another person’s or entity’s computer or network.
For any journalist dealing with any sensitive information and sources, digital safety is becoming an increasingly integral part of the practice of good journalism.
One challenge of digital security is that it is often hard, if not impossible, to know for sure whether your information or communications remain protected. Both denial-of-service attacks that can shut down a website and prankster attacks that corrupt its presentation are obvious. But penetration attacks designed to steal or copy information are unlikely to leave behind any indication that the information has been compromised.
Journalists should understand the various risks, and realize that complete protection in a digital world is impossible. Understanding the potential vulnerabilities should encourage journalists to be careful how they manage information or communicate with sources. One thing journalists may take away from this guide is that some information, such as the names of sources, may simply be too sensitive to either store or communicate safely.
The Committee to Protect Journalists has a Journalist Security Guide of which I am the main author; the chapter on Information Security was written by my colleague Danny O’Brien, who is now with the Electronic Frontier Foundation. (O’Brien narrates the CPJ video clip below).
The CPJ Information Security chapter provides perhaps the best available succinct explanation of what journalists need to know about digital threats, and steps they should take toward operating more safely. Working journalists are encouraged to read the CPJ Information Security guidelines before continuing on to the points outlined below.
There are several things you can do to help protect your information and communications.
- Use only licensed software and keep it updated. Anyone who uses unlicensed software is vulnerable to digital penetration, as pirated or copied software will not receive the periodic security patches sent by manufacturers that are essential to keeping any computer operating system safe. In many less developed nations, the use of pirated software is the main way that journalists, human rights defenders and others put themselves at risk. (Microsoft has announced a “Unilateral license” for nonprofit groups and independent media in 12 select, Internet-repressive nations that will become available in 2016.)
- Use good anti-virus and anti-spyware software on your devices whether it is purchased from a commercial vendor or downloaded from a freeware source. There are many options available. Read consumer reviews before you purchase or download the software.
- Never leave your laptop or mobile phone out of your sight in any potentially hostile environment. It would only take a matter of seconds for someone to install a spyware program such as a keystroke logger through a USB or other port on your hardware. Once infected, your device and communications may give no indication that they have been compromised, even though everything done from that moment forward is electronically monitored. What does this mean for journalists and others in practice? It means carrying physically smaller devices in a shoulder bag or backpack when traveling, and never leaving your computer or phone unattended, especially in places such as your hotel room.
- Use passwords or, better yet, passphrases that are at least 12 keyboard characters long and include multiple types of characters. Use different passwords for different applications, and make sure they are not algorithmic, meaning they do not build on or relate to one another, like mysecretpassword1, mysecretpassword2. Instead use unique and complicated passphrases like, for instance, Ih2cJ@hoS2tatb, for, “I have to call John at home on Sunday to talk about the beach.” You may also wish to use a keychain program of some kind that you trust to store various passwords; however, you should investigate both the keychain’s privacy guidelines and its level of security. (LastPass and 1Password are two such services.) You should avoid using passwords or passphrases that could be guessed by someone reading, say, your Facebook profile. You should also regularly change your passwords or passphrases, including the one you may use for a keychain. You may also wish to avoid writing down passwords as a backup precaution in any area within arm’s reach of your computer, as this is where anyone who may penetrate your workspace would look first.
- Be wary of any email attachments, and of odd-seeming links even in familiar-looking email messages or on Twitter. A phishing attack may look like an email from a friend, colleague or source encouraging you to try something by clicking on a link; the link itself could be programmed to download malware or spyware on your computer if you click on it. The same thing could conceivably occur in a link on Twitter. A spear-phishing attack occurs when someone not only uses or appears to be using a friend’s account, but has also done enough electronic surveillance of your correspondence with the friend to imitate not only the friend’s email account but also their parlance. Never hesitate to ask a question of the friend, or even call them, to confirm that the friend and not some imposter is behind the email.
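The passphrase rules in the list above can be checked mechanically across a set of accounts. The following is an added example, not part of the original guide: it flags entries that are too short, use too few character types, contain words from a public profile, or are derived from one another. The three-of-four character-type threshold, the 0.8 similarity limit and the profile terms are assumptions made for the illustration.

```python
import re
from difflib import SequenceMatcher

MIN_LENGTH = 12         # the guide's minimum length
MIN_CLASSES = 3         # assumption: "multiple types" read as 3 of 4 classes
SIMILARITY_LIMIT = 0.8  # assumption: ratio at which two entries count as related


def char_classes(password):
    """Return the set of character types present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def stem(password):
    """Lowercase and drop trailing digits/symbols, exposing a shared base word."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def related(a, b):
    """True when one password looks derived from the other."""
    if stem(a) and stem(a) == stem(b):
        return True
    return SequenceMatcher(None, a.lower(), b.lower()).ratio() >= SIMILARITY_LIMIT


def audit(passwords, profile_terms=()):
    """Map each account label to a list of rule violations (empty = passes)."""
    report = {}
    for label, pw in passwords.items():
        findings = []
        if len(pw) < MIN_LENGTH:
            findings.append("too_short")
        if len(char_classes(pw)) < MIN_CLASSES:
            findings.append("few_character_types")
        for term in profile_terms:
            if term.lower() in pw.lower():
                findings.append("contains_profile_term:" + term)
        for other, other_pw in passwords.items():
            if other != label and related(pw, other_pw):
                findings.append("related_to:" + other)
        report[label] = findings
    return report


# Constructed sample data. "mail", "bank" and "chat" reuse the guide's own
# examples, which are public and serve here only as test input.
SAMPLE_PASSWORDS = {
    "mail": "mysecretpassword1",
    "bank": "mysecretpassword2",
    "chat": "Ih2cJ@hoS2tatb",
    "social": "AustinRex2009!",
    "laptop": "Sunday7",
}
SAMPLE_PROFILE_TERMS = ("austin", "rex")  # constructed: hometown and pet name

if __name__ == "__main__":
    for label, findings in audit(SAMPLE_PASSWORDS, SAMPLE_PROFILE_TERMS).items():
        print(label, findings or "ok")
```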
There are many digital tools to choose from. Almost all experts strongly recommend becoming proficient in a number of different tools to better protect information and to make potential penetration more difficult.
Each tool has its own strengths and weaknesses when it comes to levels of protection. There are also ongoing debates among “Internet Freedom”-oriented technologists about the relative security vulnerabilities of many tools.
Journalists and others working in potentially hostile environments must learn to think through particular threat models, that is, as much as may be known about the way a particular intelligence agency, criminal syndicate or other hostile group conducts surveillance. In other words, journalists should research whatever information may be available about a group’s electronic capabilities.
A Mexican drug trafficking organization will have different capabilities than an Afghan insurgent group, for instance. Syrian government authorities will have different capabilities from the U.S. National Security Agency. Of course, even under the best of circumstances, the threat model that journalists may assign to any particular group will always be an educated guess. Moreover, journalists must be prepared to adjust any threat model over time as they gather more information about how a group electronically gathers information.
Yet, even with many variables remaining unknown, establishing a threat model using the best available information is an invaluable exercise, as it provides journalists and their sources with a framework upon which to adjust their communication methods and level of security accordingly.
This may mean using multiple forms of communication to break up and transmit sensitive information, such as keeping cell phone conversations short and cryptic, to give any entity that may be eavesdropping little to work with. Or sending only a contact’s nickname via email, and the same contact’s phone number via a different channel like a secure chat program. Or it may involve far more complicated options such as using an anonymous browsing tool in tandem with a generic email account and encryption software.
No doubt training and experience are more valuable than any information even the most attentive reader may be able to glean from this guide.
Moreover, mastering digital safety tools is hardly easy. In fact, some of the safest tools to use are also some of the hardest ones to operate. The website Security in-a-Box (run by the Berlin-based Tactical Technology Collective and the Dublin-based Frontline non-governmental organizations) is the best single source for descriptions of uses and operations of different digital tools. The descriptions of tools come with useful levels indicating difficulty of use: 1) Beginner, 2) Average, 3) Intermediate, 4) Experienced and 5) Advanced.
Journalists interested in learning how to use digital tools are encouraged to go directly to Security in-a-Box. Only some of the most well-known tools are outlined below.
Most but not all of the tools recommended by experts are open source software: free, though often still licensed, and regularly updated by volunteer Internet Freedom activists. Open source software is software whose internal programming codes are revealed to others, allowing independent technologists to examine the program to ensure its security, or verify that the manufacturers did not build in any “back doors” to secretly allow access to the software and its traffic by intelligence agencies or other entities.
One essential tool involves no more than the click of a mouse. Secure Internet email can be achieved through use of https, or Hypertext Transfer Protocol Secure, at the start of the web address (the URL, or Uniform Resource Locator) when accessing an online email program. Using https is the easiest and safest way to maintain secure, encrypted communications, as long as both the sender and receiver are using https. Gmail has an option to turn on https always, which is recommended, and communications between two Gmail users each using https are (with exceptions described below) secure.
Moreover, the ubiquitous use of Gmail in most nations also makes it easy for users, especially users who may wish to establish Gmail accounts using pseudonyms, to blend in among other email traffic and use encryption without attracting attention. However, the technology giant Google, which operates Gmail, is a U.S.-based corporation subject to U.S. court subpoenas, so Gmail is not a good option for journalists covering U.S. national security matters.
Riseup is a secure email service built by Internet Freedom activists that is not subject to any court subpoenas. However, the use of Riseup itself or other similarly encrypted email services may act as a red flag to attract attention from intelligence agencies or criminal actors in many nations. Even if such hostile eavesdroppers are unable to read your emails, they will still know you are sending encrypted messages and could trace your ISP or Internet Service Provider address to try to identify you or your source, or at least from where one is physically accessing the Internet.
There are a number of secure, or relatively secure, Instant Messaging options. Internet Freedom activists recommend using Pidgin instant messaging software in combination with a plug-in program called Off-the-Record or OTR, which “ensures authenticated and secure communications,” according to Security in-a-Box. Pidgin and OTR are both open source software.
Another Instant Messaging program is Cryptocat. Easy to use, Cryptocat’s latest version operates as an Internet browser plug-in. Cryptocat has recently been audited and found to be secure by a number of independent technologists, although some technologists also point out that any browser-based chat program still has a number of inherent vulnerabilities, including the possibility that Cryptocat’s security and the confidentiality of discussions could be affected by exploits targeting other areas of the browser.
Pretty Good Privacy or PGP, along with the newer version of the same software model, GnuPG (also known as GPG), is encryption software for emails and files. Both PGP and GPG use cryptographic algorithms that are stronger than what Internet Freedom activists believe even the U.S. National Security Agency (under most circumstances) is capable of decoding. Even the best digital software, however, is still subject to spyware programs on infected computers that allow eavesdroppers to learn the passwords to access even encrypted emails and files.
Neither PGP nor GPG, however, is easy to use. Moreover, users can sometimes find that both programs are rendered unusable after certain operating system software updates. Users who wish to continue using either PGP or GPG must then find a security patch online that is made by volunteers; the authenticity and security of the patch itself may be difficult to ascertain.
Thunderbird is open source software designed to manage or receive, send and store emails. When used with the add-on software Enigmail, users can interact with GPG encryption software to make it easier to encrypt email messages and files.
TrueCrypt is a file encryption service that Internet Freedom activists consider to be most secure. However, it takes some time and guidance to learn how to operate it. The advantage of TrueCrypt is that files can not only be encrypted, they can also be made to look, at least at first glance, like large audio or video files that will not open, as if the files were for one reason or another corrupted. A trained technologist, however, could always still discover the encrypted files.
TrueCrypt can also be used to encrypt one’s entire hard drive. (However, you would still want to bring your laptop, even with an encrypted drive, with you when traveling; if not, an attacker with physical access to your machine could still download a spyware program like a keystroke logger that could record, save and transmit the password to others, after you use it to decrypt your drive.)
Tor is an anonymity tool that allows you to access the Internet without leaving a digital trace. Tor hides your ISP address and bounces your Internet activity off a number of different secure servers in various nations to make it impossible for either government or criminal eavesdroppers to identify your physical location for accessing the Internet.
The main disadvantage of Tor is that it can slow down your Internet response time, but it can also provide you with an untraceable way of accessing the Internet. Whether used in combination with other tools like Riseup, or by itself, Tor is a most effective resource. Tor operates, albeit on a much larger scale, like a secure, Virtual Private Network or VPN. A VPN is an Intranet built among servers on the Internet to allow for a relatively secure space for people to communicate more securely.
Skype, the popular Voice over Internet Protocol telephony service now operated by Microsoft, is another potential tool, although one whose security is still actively debated by Internet Freedom technologists. Some experts maintain that Skype is so unsafe to use that it should not even appear in any digital security guide like this one. Others maintain that Skype is more secure than many other options, and that it can be used safely depending upon the threat model faced by particular users.
Many technologists distrust Skype because it is not open source software and Microsoft has not made its internal programming codes available for independent inspection. For years, one clear but only recently discovered vulnerability in Skype has allowed anyone to identify the Internet address of any user, although Microsoft in May 2013 finally released a patch to apparently fix the problem. (Many other tools along with operating systems have also been shown to have what at first were undetected vulnerabilities that have since been repaired.)
Technologists who advocate at least selective use of Skype point out that there is no evidence that Skype has been compromised “in line” or that its communications between users have been successfully breached, and that it is both a safer and easier option to use than many other tools including simply talking over either a wired telephone or cell phone.
The ongoing security issues surrounding Skype illustrate why journalists must educate themselves to make their own best decisions.
The first thing to know about mobile or cellular phones: a so-called “smart phone” is a very dumb phone to use in any potentially hostile environment. A smart phone may be convenient, but it serves as an automatic and easily accessible tracking device for intelligence, criminal or other actors. Instead, a so-called “burner” or pre-paid mobile or cell phone is recommended in any areas where there is the possibility, if not likelihood, of electronic surveillance.
There are a few other key points to keep in mind.
- Any mobile or cellular phone, even a pre-paid phone, is an automatic tracking device, as they all operate by connecting to nearby cell towers. Get in the habit of turning off your phone, or putting it in airplane mode if you are traveling to a sensitive area.
- Any handheld phone can also be targeted by electronic equipment to turn on its microphone to make it a passive receiver or eavesdropping device, even if the phone is turned off. The only way to prevent this possibility is to remove the phone’s battery, which is impossible with smart phones like Apple iPhones. Journalists and their sources, or other groups who are meeting, however, should also be careful not to turn their phones off all at the same time, as having a number of phones in close proximity turned off nearly simultaneously could itself alert monitoring authorities or others.
- The non-governmental organization Movements.org, The Engine Room and other experts recommend a number of basic measures for anyone operating in a potentially hostile environment:
  - ✓ Use a pre-paid phone to remain anonymous. Using one with an https option (see “operate on https” below) is also recommended.
  - ✓ Lock your phone with a password to prevent easy access.
  - ✓ Avoid downloading any third-party applications, as they could allow or facilitate unauthorized access.
  - ✓ Turn off any location tracking applications that may still be on the phone for programs like Twitter or Facebook, as they will help identify your location.
  - ✓ Set your phone to operate on https browsing, if the option exists, so your connection is encrypted.
  - ✓ Exercise caution when texting, as standard SMS or Short Message Service text messages are among the most vulnerable communications; they can be easily read and searched by telecommunications personnel. (See other secure texting options below.)
  - ✓ Use nicknames or, better yet, pseudonyms for your contacts, to make identification of any sensitive sources more difficult.
  - ✓ Frequently delete your call history and text messages received, to avoid review later if your phone is stolen, confiscated or examined.
There are even more matters to consider.
- SMS text messages can be encrypted so that the messages cannot be read. However, the use of encryption on a phone, like the use of a computer to send encrypted emails, can itself be a flag that could put users in danger. Any monitoring entities, whether intelligence agents, criminals or others, may not be able to read the messages, but they would easily observe which phones are sending encrypted messages. Options for encrypting messages on different types of mobile devices include CryptoSMS, Hushmail and PGP Mobile. (Hushmail and other providers may also be subject to U.S. subpoenas.) TextSecure is an encryption option for Android phones.
- If you have an Android phone, download and install Tor applications such as Orbot and Orweb from the Android Marketplace so you can browse the web safely, recommends Movements.org.
- Take precautions with your SIM card, or Subscriber Identity Module card, Movements.org also recommends. A SIM card is a unique, removable card that identifies the user’s personal information, phone settings and SIM serial number to the mobile phone network. Pre-paid phones usually come with their own SIM card.
- If the SIM card is removable, keeping the phone but changing the SIM card inside it is highly recommended in hostile environments.
- If you use your own SIM card, you should at least protect it with a PIN lock.
- If you are not using a pre-paid phone, you should make sure that its operating software is updated to include any necessary security patches.
One tactical option called “beeping” is to use a phone to make a call, but hang up before the other party answers it. Movements.org suggests this technique as a way to signal to the other party that you want to reach them, and to communicate that they should call or email you back using another, already planned method.
Keeping abreast of changes in technology is essential. Journalists and others should be aware of detected or suspected changes in threat models in specific areas. They should also be aware of advances in mitigation software and methods around the globe.
Journalists and others should keep an eye out for relevant changes in technology. The best single source for information may be The Liberationtech Archives. Based on a listserv by the same name, it is hosted by the Center on Democracy, Development and the Rule of Law at Stanford University. The list is populated by Internet Freedom activists, and the conversations often include technical jargon. But by running a search of any particular software name or brand through the Liberationtech archives, one can quickly discern whether there is at least an active discussion about the security or vulnerabilities of the tool.