Investigative journalists like the members of ICIJ are facing growing concerns about security. Our members often work with leaks or other materials requiring protection of sources, collaborate across borders with colleagues whose physical safety is at risk, and communicate with devices and services open to surveillance or attack. And that’s not to mention the growing revelations of surveillance and hacking by the U.S. National Security Agency and its allies – such as efforts to infiltrate and destroy the reputations of “hacktivists” and other targets unrelated to counterterrorism. For journalists, the ease and low cost of communicating and sharing via e-mail, instant messaging, file sharing tools and cell phones have tipped the balance toward convenience over security. But if your reporting puts you at risk, and you need to protect your data, your sources and your stories, you can take steps to gain security savvy and reduce vulnerability.
Last week at a conference in Baltimore that broke attendance records for the National Institute for Computer Assisted Reporting (NICAR), questions about digital security sent me to sessions on surveillance, safety, privacy and anonymity, and to between-session conversations on security threats and solutions.
Speakers at NICAR included Jonathan Stray and Susan McGregor (Columbia Journalism School), Jennifer Valentino-DeVries (Wall Street Journal), Josh Meyer (Medill National Security Journalism Initiative), Chris Doten (National Democratic Institute), Kelley Misata (Tor Project) and Gary Price (infoDocket.com).
Here are some of the basics I learned from the experts at NICAR.
- Protect your identity and data with better and safer passwords or 2-step verification – you log in with a password and then confirm with a verification number sent to your phone.
- Phishing – tricking a user into visiting a site to enter personal information and passwords or download malware – is the most common attack. So check any link you receive in e-mail: read the URL and underlying HTML, don’t click on it!
- Spear phishing – a personalized message crafted by researching your information or impersonating your friends or colleagues – is growing. You may think you know the sender, but it can be a hoax.
- The weakest link: everyone in your newsroom or collaboration must use safe practices to prevent phishing attacks on others in a trusted group.
- Encrypt everything. Make it a habit. If you use encryption all the time for communications and data, and encourage or demand it from colleagues and sources, then content will be protected and encryption can become normal behavior for journalists and the industry.
- PGP is encryption for e-mail. OTR is Off The Record encryption for messaging, which is used by chat programs like Pidgin (PC), Adium (Mac) and CryptoCat (web based). Google “off the record” chat is NOT Off The Record (OTR).
- Encryption is not anonymity. Encryption protects content but not the identity of the sender and recipient. To anonymize communication traffic and web browsing, go to the Tor Project, learn about the Tor network and download Tor software.
- Having the Tor software on your computer indicates you are using anonymous communications. If this puts you at risk, you can instead use Tails – Tor on a USB stick, which leaves no trace. Find out at https://www.torproject.org.
- Protect your data on physical devices. What if your laptop is stolen? Your USB drive? Your cell phone? What about your address book? Encrypt everything. Secure your passwords.
- Your cell phone is a location device. It holds all your contacts. Think about security. Know where your data is and take steps to protect it.