Tips for digital security

This article originally appeared on Navigator, GroundTruth’s newsletter for early-career journalists.

Protecting your data and devices, whether from cyber criminals or governments, is now a basic requirement for journalists.

There was the recent massive phishing scheme, using a bogus Google Doc invite, that spread through the email of news organizations and other organizations. Phishing, an untargeted blast, is the most common method used to access people’s accounts.

Spear-phishing targets an individual or an organization, crafting a message with the hope that the person will take the bait and infect their devices. A particularly scary example of spear-phishing came out last month, with reports that the Mexican government used “advanced spyware” to trace journalists (and others) investigating corruption. Falling prey to these attempts means your information will become compromised and your sources’ information will too. And this could have very real consequences.

We spoke with Tom Lowenthal, staff technologist at the Committee to Protect Journalists, who worked on the tech safety chapter of CPJ’s Journalist Safety Guide. Tom provided these baseline precautions every journalist should take to protect their devices and their communications.

NOTE: If you are planning a reporting trip to an area known to be hostile to journalists or if you’re expecting to obtain sensitive information or work on a sensitive story, you should do a risk assessment which includes a digital security assessment. Every situation will have its individual needs and you should consult with security experts to come up with a plan that is right for you.

Protect your accounts

If you use the same password on multiple sites, it takes only a matter of minutes for a cyber criminal to hack your other accounts once one has been breached.

1. Use a password manager

“Stop storing every password in your head,” Lowenthal says. “Every journalist should use a password manager.” If you use a password manager, the only thing you have to memorize is one master passphrase to access the password manager. It creates a unique password for each of your accounts and will auto-fill those in.

2. Use two-factor authentication whenever possible

The least secure kind of two-factor authentication is the one you’re probably most familiar with — where a website sends you a text with a number code. The second best kind, Lowenthal says, is a code generator app which you install on your phone. It works offline, which is good for reporters who are working in places without cellular coverage. But the best is a security key, which looks like a thumb drive and which you simply insert into the USB port of your laptop. “There is no way an account can be phished,” Lowenthal says of security key-protected accounts.

Protect your devices from malware

“Securing devices is critical, because if you’re not in control of the device you’re using, there is no other security device that is useful,” Lowenthal says. “It doesn’t matter how good your login security is, or if you use two-factor authentication.”

1. Update your software

“This is the single best defense against malware,” Lowenthal says. Software updates should be automatic. And if they are not, install them as soon as they become available. Lowenthal also recommends minimizing the amount of software you use, as each piece of software is an access point. “Avoid pieces of software that you don’t need,” Lowenthal advises.

2. Secure your web browser

Chrome is the safest web browser, Lowenthal says, and you can further fortify Chrome with the add-on HTTPS Everywhere. Lowenthal also recommends installing the uBlock Origin ad blocker (“The most common vector for drive-by malware is advertising”) and Privacy Badger, which identifies if you’re being tracked online, and attempts to block it.

3. Use secure equipment

Lowenthal says Android devices generally do not get software updates and, as a result, are vulnerable as soon as you take them out of the package. If you do use an Android smartphone, be sure to enable encryption in your security settings.

Lowenthal recommends using an iPhone, which he calls “the state of the art in secure mobile devices.” Encryption is the default and iPhones regularly receive software updates. As for laptops, Lowenthal says Chromebooks are the most secure because they only run Chrome and have no other software.

Finally, whatever your equipment, Lowenthal says to secure your devices with a robust passcode — an 11-digit numeric code for your iPhone — and a robust passphrase to access your computer. And be sure your devices automatically lock after a short period of inactivity.

Protect your communications

There are two things you’re protecting when you’re protecting your communications, Lowenthal says: the content of the conversation and the activity records (the parties in a conversation and when the conversation takes place).

1. Do not use email for sensitive communications

“If you want to have a secure conversation, email is not a good place to have it,” Lowenthal says.

2. Use Signal for text conversations and voice calls

Lowenthal recommends using Signal, which he calls “top of the line.” It’s an app that you can install on your phone (Android and iPhone) and on your desktop. The app encrypts your conversations, and Lowenthal says it maintains almost no activity record of them.

3. VPNs can be hit or miss

Virtual Private Networks (VPNs) create an encrypted connection with the internet, and they prevent your Internet Service Provider (ISP) from seeing your browsing activities.

Lowenthal says VPNs are kind of a catch-22 — they are the only way to protect all of your web browsing, but “there are very few reputable VPNs. Many are terrible.” Lowenthal suggested Freedome, Tunnelbear, Vyper and uProxy as possible VPNs to try out.

Lowenthal warns that if you do use a VPN, it will cost money. “If you’re not paying for a VPN, it’s probably not worth using a VPN at all.”
