March 9, 2017
Digital security tips for journalists: Protecting sources and yourself


Hackers are everywhere. This tip sheet offers free resources to help journalists protect their sources and themselves.

by David Trilling | March 9, 2017 

With hacking and other digital intrusions becoming a regular feature of life in the computer age, it’s more critical than ever for journalists to protect their sources. But for many, the tech world is intimidating. This tip sheet offers free resources for journalists of all digital-comfort levels as well as links to useful tutorials.

Whether you are concerned about eavesdropping by the National Security Agency, Russian agents or a nefarious corporate leviathan, nothing is 100 percent secure. If you are meeting a confidential source in person, someone who may be risking his or her safety by speaking with you, don’t bring your phone or laptop. A hacker could track you through your phone using GPS and cell-phone networks or turn on the microphone or camera – even, possibly, when you think the phone is off. Security wonks praise paranoia.

Instant communications: Of the many free instant messenger apps out there, Signal is widely used by rights activists and journalists. According to the Electronic Frontier Foundation (EFF), a digital and free-speech activist group:

Signal is an app available on both iOS and Android that offers strong encryption to protect both text messages and voice calls. This type of protection is called end-to-end encryption, which secures your communications in transit. Other apps, such as WhatsApp, have implemented underlying cryptography. But we believe Signal is the better option because it implements best practices for secure messaging. […]

Recently, a grand jury in the Eastern District of Virginia issued a subpoena to Open Whisper Systems, the maintainers of Signal. Because of the architecture of Signal, which limits the user metadata stored on the company’s servers, the only data they were able to provide was ‘the date and time a user registered with Signal and the last date of a user’s connectivity to the Signal service.’

On March 7, 2017, WikiLeaks released documents that claim the C.I.A. has managed to hack Signal and other encrypted messaging programs on Android phones.

Encryption: Full-disk encryption scrambles your data so that even if the device (your laptop hard drive, for example) is stolen or seized, the material on your computer cannot be read without the password. So, you need a strong password. Apple and Windows offer built-in encryption, but it needs to be turned on. There are also third-party applications available. Here are some step-by-step instructions from the University of California at San Francisco and The Intercept.

Install an “HTTPS Everywhere” plug-in for your browser, which encrypts your traffic and makes your browsing more secure.

A popular way to encrypt email is the PGP protocol (“Pretty Good Privacy”), though some experts are starting to abandon it. For Columbia Journalism School, tech reporter Tiffany Hsu describes an alternative, known as OTR, in an excellent tip sheet that also discusses other encryption protocols:

This protocol, which stands for Off The Record, attaches to instant messaging programs and allows for confidential, encrypted and authenticated discussions. This is not the same thing as the off-the-record function available through Google Chat. OTR is built on a concept called perfect forward secrecy — it creates encryption keys throughout a conversation, making it impossible to retrieve old messages. It’s almost like having a face-to-face conversation. OTR only works if both chat participants have it enabled. Mac users can access OTR via Adium (download it here), while Windows users can get it via Pidgin (here).

Hsu also suggests that users “look for systems with true end-to-end protection, where the service provider can’t circumvent the shields. It’s also a good sign if the programming is open-source, so the developer community can identify and fix potential flaws.”

Finally, back up your data on an external, encrypted hard drive and store it somewhere (physically) safe.

Strong passwords and two-factor authentication: A number of services such as Google, Dropbox and Amazon support two-factor authentication (“2FA”), which requires users to complete an extra step to log in. In addition to using a username and password, you’ll also input a random, one-time code sent to a second device, like your cell phone. This makes it much harder for an unauthorized person to access your account.

Use strong passwords (the kind including symbols like $*&@!<) and don’t use them in more than one place. If it’s too hard to remember them all, consider using a password manager like 1Password or LastPass. But nothing is completely secure: Some experts suggest not using a manager for the most sensitive accounts, like your email and bank.

Searching safely: For the safest browsing experience you can use the free Tor browser. Tor conceals users’ online addresses, its makers say, “bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, it prevents the sites you visit from learning your physical location” and it allows you to visit blocked websites. It does not need to be installed and can be opened from a flash disk. See this Lifehacker guide to getting the most out of Tor.

This interactive chart from EFF shows how Tor and HTTPS work. British blogger Paul Bradshaw has explained how governments snoop and why Tor is as important as ever.

Keep your software up-to-date: Software updates often fix bugs and holes that have only recently come to light. Matthew Green, a cryptographer at Johns Hopkins University, explains why mobile platforms (and their updates), rather than desktops, are generally safer.

Cover your webcam with a band aid or tape: Your webcam or videoconferencing equipment could be hacked. Don’t believe it? Read this story in The New York Times.

Helpful organizations:

Other resources from JR:

Journalist’s Resource spoke with cryptographer Bruce Schneier in 2016 about the hacking and cyberattacks that roiled that year’s presidential campaign. Schneier’s blog is also a useful resource.

ProPublica’s Julia Angwin — author of Dragnet Nation: A Quest for Privacy, Security and Freedom in a World of Relentless Surveillance — gave a comprehensive 2014 talk on her security tips here.

SOURCE: David Trilling 
MAIN IMAGE SOURCE: Unsplash/public domain
