Truism of the day: Your digital perimeter is not secure. You know that. The question for journalists is: What can you do right now to strengthen it?
Are your editors and managing editors doing enough to help you? As my fellow Knight Melissa Chan, who was a correspondent in China, points out, companies are (finally) investing in physical security but putting relatively few resources into digital security.
Whether you’re protecting an anonymous source inside the Beltway or working in a conflict zone, you need to protect your data, emails, contacts, instant messages and other important information. Securing your digital perimeter – call it SDP (secure digital perimeter) – is essential.
Protect yourself and your sources
You may feel that you have nothing, really, to hide. But your sources could, of course – especially if you work in conflict zones. Taking practical steps now might help save you and your sources from harassment, arrest – or worse.
Recall how British filmmaker Sean McAllister accidentally endangered the lives of activists he interviewed after Assad regime intelligence agents detained him and seized his laptop, mobile phone, cameras and film.
Fueled in part by the Syrian civil war, 2012 was one of the deadliest years on record for journalists: 121 news workers were killed worldwide last year, according to the Committee to Protect Journalists. Politics and war were the top motives for the slayings, according to CPJ.
“What’s at stake is not only your personal safety but the entire web of people who trust you with their information,” said Eva Galperin, the International Freedom of Expression Coordinator for the Electronic Frontier Foundation (EFF). And when you compromise that trust, your credibility is also badly damaged, she added. “Privacy and security do not work retroactively. You can’t take steps to protect yourself after you’ve been compromised.”
Assess the threat
Galperin visited the Knight Fellows recently, sharing with us some steps to take to ensure your digital security. The first task, she said, is to assess the threat.
Examine what news assets and content need protecting. What are their vulnerabilities and what countermeasures exist? “Each person has to assess their own threat model by looking at what information you want to protect and who you want to protect it from,” Galperin said. Try to examine what’s vulnerable. And what are your adversaries’ capabilities? Check out EFF’s Surveillance Self-Defense guide or Border Search white paper.
When you know what’s important to protect, Galperin advises following any or all of these best practices:
- Lock everything down; don’t assume anything is protected. Are passwords stored directly on your laptop? How about names of sensitive sources? Change that. Now.
- Keep passwords strong and safe by using password managers such as LastPass or 1Password to more securely log in and out of all your email and any password-protected sites.
- Use two-step verification in security settings for Google and any other services that offer it. Facebook has a two-factor authentication system called Login Approvals that prevents anyone from accessing your account even if they have your password.
- Use Skype with caution. Widely used to reach sources, especially in war and conflict zones, Skype is not as secure as many think. Galperin notes that metadata about Skype traffic is fairly easy to detect, and companies sell lots of hardware and devices to governments and agencies that can track what you’re doing with Skype. In China, Skype is monitored by the government, which engages in real-time filtering and blocking. Galperin recommends Google Hangouts as a viable alternative to Skype for users who are working under repressive regimes and in dangerous places, such as Syria.
- Beware of using weak passwords. You’ve heard this before, but are you following the advice? Check out these tips from Microsoft.
- Avoid using easily discovered recovery questions whose answers could be found in public data or on Facebook or other social media. So don’t use your mom’s real maiden name, your own name, street address or the high school you went to for passwords. Never use the same security questions or passwords for multiple accounts.
- Try to always use the “https” protocol, which encrypts the connection between your browser and the website. Most sites on the web are accessed using the unencrypted “http,” which is susceptible to eavesdropping, and even to intermediaries that might set out to modify the pages a browser is fetching, Galperin said.
- Hushmail is a good combination with https. It’s a free, encrypted webmail service for setting up semi-anonymous email.
- For added protection, when possible, use the free Internet encryption tool Tor. The downsides: Tor can dramatically slow down connection speed, especially in countries where the net is already slow. And Tor is blocked in China and Iran.
- Instant messaging: Use OTR (Off-the-Record) instant messaging to be more secure. Galperin recommended Pidgin, a program that will talk to your friends over the MSN, Yahoo!, Google, Jabber, and AIM networks, and Adium, a program specifically for Mac OS X.
- Text messaging is highly insecure and text messaging services do not encrypt messages.
With news organizations still spotty on digital security, it’s best to protect yourself as much as you can.
“I think that’s starting to change, but we’re only in the beginning stages,” Galperin said. “It’s frustrating because this results in journalists putting sources at risk without possibly ever knowing it. The potential damage is enormous.”
In the meantime, you might even consider having a specialist do an audit of your system to make sure it’s as secure as possible.
So secure your digital perimeter – SDP. ASAP.