Reporters are navigating a more treacherous environment than any time in recent memory, and despite a plethora of digital tools to keep them safe – many are failing to adopt new strategies.
The press’s enemies have been boosted by U.S. President Donald Trump, who has lodged almost daily attacks against journalists, and many have followed his lead. Wealthy private interests have launched their own crusades: a private firm was hired to undermine New Yorker reporter Jane Mayer’s reporting on Koch Industries, and Harvey Weinstein offered big bucks to a military-grade surveillance firm to spy on reporters and their sources breaking the story of his sexual harassment.
[Journalists] frequently disregard their sense of insecurity even when they feel unsafe in public or cyberspace.
These threats are compounded by increasingly potent hacking tools falling into the hands of governments around the world and, in some cases, hackers serving government interests. This makes personal cybersecurity an essential first line of defense for reporters everywhere.
Yet many journalists are failing to utilize some of the most basic tools to keep them and their sources safe from digital attack. A recent study by the Canadian Journalists for Free Expression found that some of the most at-risk journalists “frequently disregard their sense of insecurity even when they feel unsafe in public or cyberspace.”
So what can journalists (and citizens) do to better protect themselves online? Here are five security tools that have emerged as among the most commonly recommended for reporters and news organizations as well as their sources.
Phone calls and digital messaging often comprise the bulk of a journalist’s workday. But conventional lines of communication can leave the contents of conversations vulnerable to hacking. And, even if someone is not able to intercept to the contents of these chats, a hacker can still access extensive archives of related metadata, including who you talked to and when.
But there are an increasing number of options to help you communicate securely with a high degree of confidence.
As we settle into 2018, the app Signal — possibly you’ve already heard of it – is a clear favorite for secure voice calls and messaging between journalists, their editors, and sometimes their civil servant sources.
“Everyone is really enthusiastic about Signal,” said Harlo Holmes, director of newsroom digital security with the Freedom of the Press Foundation. “Right now it’s the state of the art in terms of encrypted communication.”
To the user, Signal looks and operates like a traditional chat app, and also allows you to avoid expensive international call and text fees. But Signal also offers what’s called end-to-end encryption, meaning communications can only be deciphered on the physical devices of the communicating users. Even if a government tried to compel the group of developers that administers Signal to turn over your communications, it couldn’t provide information: Signal simply has no ability to figure out exactly what you’re doing on its platform.
An increasing number of digital platforms are using end-to-end encryption, but some popular products differ from Signal in one key way: While some of these firms may not be able to access the content of your communications, they can often access valuable metadata that may reveal who you were communicating with and when. These apps also may allow users to inadvertently send messages without end-to-end encryption.
To learn more about Signal, Holmes recommends checking out the foundation’s page on Security Planner, a project of University of Toronto’s Citizen Lab.
A large portion of our lives are often stored on our laptops and the messaging platforms, social media sites and work portals they access. For journalists, this can mean a lot of sensitive material, including leaked documents, identities of sources and unpublished story drafts.
Bill Budington a security engineer at the Electronic Frontier Foundation, a group dedicated to digital privacy, points to the particularly risky situation of crossing a border and recommends a series of products and measures journalists and others can adopt to keep files safe in the most at-risk circumstances.
His first tip: When most under threat, ditch your primary laptop or smartphone completely. If you have a burner phone or a cheap netbook that doesn’t contain sensitive data, bring this secondary device along instead while traveling.
But when burner devices aren’t an option, Budington says, “the most powerful thing” a person can do to keep devices safe at a border-crossing is to make sure the hard drive is fully encrypted beforehand – helping to ensure that only those with the device’s passphrase will be able to access its files. This step is also among the easiest – for Mac iOS and some Windows users, it can be as simple as clicking a few buttons to activate built-in encryption programs.
Even with an encrypted hard drive, hackers can attempt to “brute-force” a password, potentially gaining access to the encrypted data. (In many jurisdictions, courts and law enforcement agencies can try to compel you to turn over your password under threat of punishment, including incarceration.) An open-source program called VeraCrypt can add an additional layer of encryption, so that, even if hackers get access to your hard drive, they then must enter what amounts to a highly-fortified folder to gain access to your most sensitive information.
Yet even the most highly secured hard drive will provide little help in protecting your data when you inevitably need to transfer a sensitive document to someone else via the internet. Some of the most prominent file-sharing programs, such as Google Drive and Dropbox, do not provide what Budington calls “client-side” encryption by default.
“For cloud storage, the most important feature for secure storage is for the program you’re using to encrypt files locally on your own machine before they are uploaded to the cloud servers,” Budington told the International Consortium of Investigative Journalists (ICIJ). There are some services that provide local encryption prior to upload – Budington recommends SpiderOak, the Keybase filesystem, tresorit and Jungle Disk.
You can learn more about device security and document storage by watching a security talk Budington gave in December.
As hackers become more sophisticated, maintaining strong and up-to-date passwords that aren’t reused across different services is a must. But for reporters who use numerous online services and databases, this can become burdensome: Memorizing a series of complex and ever-changing passwords isn’t feasible and storing them in your computer or email makes them prone to fall into the hands of hackers.
Chris Walker, Digital Security Advisor at the Tactical Technology Collective, a cyber security initiative based in Berlin, recommends solving this problem with an encrypted password manager, which can both generate and store your passwords for you.
“Writing down your passwords and keeping them all in one place might not sound like a good idea at first,” Walker says, but he assures that with the right password manager, users will be more secure with fewer hassles. These apps can both generate stronger passwords and remember them for you.
Walker recommends one tool in particular: KeePassXC, a system he describes as highly secure. “It is well maintained, free and open-source software that relies on well understood, standards-based encryption to protect your passwords,” Walker says. “It is also quite simple. It does not try to store your data online or sync between multiple devices. This simplicity helps protect KeePassXC from many potential avenues of attack.”
But Walker is quick to point out that even the most well-managed passwords must be used, when possible, alongside two-factor authentication – an extra layer of security that most often requires users to enter a temporary code that is only accessible from a personal device, usually a cell phone, in addition to their passwords . The idea is that, even if hackers have cracked your password, they still must somehow get their hands on a physical device that only you carry.
This is a basic step that should be used whenever you need to log in to an online service – including email portals, Twitter, Facebook, bank accounts and wherever else you use passwords to protect and to prevent hackers obtaining sensitive information.
One problem with this: The text messages containing these codes can be intercepted. This year may also see a growing adoption of a new sort of two-factor authentication that security engineers believe may be safer than receiving a code on your iPhone: Google is now offering to provide people at high risk of surveillance a program that requires users deploy two physical authenticator keys as a final step for unlocking an account. The devices can fit on a keychain and use USB or bluetooth technology to communicate with your computer and smartphone.
Runa Sandvik, the senior director of information security at The New York Times, is a fan of Google’s new initiative, known as the Advanced Protection Program. “I think the Advanced Protection Program (APP) is a great option for at-risk users,” Sandvik told ICIJ. “I have, personally, used APP for a few months and see no reason not to turn it on.”
For more information on Google’s APP and its physical security key, the New York Times has a good article on it and you can also visit the Google’s website. (Unfortunately, this feature isn’t free – each key costs about $20.)
Over the past several years, new technology known widely by the brand-named Slack has pervaded American office culture. It’s part chat, part email, highly distracting and can archive everything you say and all the documents you upload. Slack has been criticized for its lack of full encryption, and, last year, a web security researcher discovered that a vulnerability in Slack’s code would allow hackers to gain access to millions of users’ private conversations – a particularly sensitive potential exposure for some, given that Slack’s private channels are infamous for encouraging fierce workplace gossip.
Slack does not offer end-to-end encryption, so the contents of your communications may be retrievable if the firm receives an order from, say, an intelligence agency or law enforcement office. Martin Shelton, a data security researcher who works with at-risk groups, says that, although Slack may be the most user-friendly service of its kind, organizations seeking a higher level of security have other options. Semaphor, designed by the tech security firm SpiderOak, is a prominent alternative to Slack. Shelton recommends it as a “nice choice for an end-to-end encrypted chat,” but notes that its “user experience is a little clunky.”
Shelton also points to Mattermost, another potentially appealing chat application for organizations on perhaps the more established side. Like Signal, Mattermost’s code is open source, meaning that anyone can inspect its architecture for vulnerabilities.
“This is great, because it’s regularly audited by security researchers,” Shelton says. “You can also host it on your own server, so you know where your data is located.” Shelton notes that this last feature can, however, mean a bit more work. “News institutions will need administrators who know what they’re doing to maintain the server,” Shelton says.
As the Electronic Frontier Foundation reminds us, good data security is a process, not just a series of products. The tools above only offer a start. Some commonly used digital security products that didn’t make the list also include email encryption – which can be a pain to set up but can ensure your encrypted emails are all but impenetrable – as well as secure and private web browsing with Tor and DuckDuckGo.
For more tools and a more detailed explanation of how to use them, take a look at the Electronic Frontier Foundation’s Surveillance Self-Defense project and the Citizen Lab’s SecurityPlanner.org. Threats to journalists may be building, but, luckily, so are our defenses against them.