In a meeting of journalists last year, many of whom work with sources in sensitive places like Iran and Syria, one editor said she knew how to keep her sources safe. When pressed, she detailed a strong understanding of traditional safety methods, but — to the horror of security experts in the room — also described talking to sources over Skype and web-based email.
Journalists are usually trained in traditional methods to keep sources safe, but are often oblivious when it comes to the risk of talking to someone over the Internet.
Insecurities
Last summer, as part of its Surveillance Inc. series, the Wall Street Journal published a piece describing how, when Egyptian activists had raided the headquarters of Amn Al Dowla, the state security agency, they uncovered a secret memo about interception of Skype calls. For years — assuming Skype to be safer than email — many human rights organizations had promoted its use, suggesting to activists (as one Freedom House employee stated to the Journal) to use Skype “as much as possible.”
The platform’s problems are not limited to Egypt: In 2008, TOM-Skype, the Chinese version of Skype promoted by Chinese company TOM Online, was found by Canadian researchers to have been logging records of millions of users. More recently, a fake encryption tool likely built by Syrian government supporters — and aimed at Skype — was found to install remote access tools onto a user’s computer, compromising their security. And in the United States, the indictment of file-sharing platform MegaUpload (whose founder was indicted on piracy charges) revealed that the FBI had somehow accessed records of the founder’s Skype calls.
But it isn’t just Skype that presents potential trouble for journalists communicating with individuals in insecure places: A recent guide on information security from the Committee to Protect Journalists (CPJ) addresses a range of issues, from weak passwords to the use of malware to subvert sensitive reporting.
Understanding Risk
The key to keeping sources safe doesn’t lie entirely in using the newest, flashiest tools, but in understanding your (or your source’s) risks and addressing them with the right solutions. As CPJ Internet Advocacy Coordinator Danny O’Brien writes: “Ask yourself: What information should I protect? What data is valuable to me or a potential adversary?”
After making an assessment, writes O’Brien, the next step is to figure out from whom you are defending the sensitive information. For some, it could be an authoritarian government (like Hosni Mubarak’s Egypt), for others a democratic one, and for others still, non-governmental actors (think: Mexican drug cartels or the Syrian Electronic Army).
Once risk has been assessed, the solutions range from the most basic — such as utilizing secure passwords and not leaving your equipment unattended — to the more complex, such as using anonymizing programs like Tor. At the same time, while risk differs greatly from person to person and place to place, there are a few fairly basic, concrete steps any journalist can take to improve his or her online safety.
Staying Safe: Where to Learn
In a recent post for CPJ’s Journalist Security Blog, Eva Galperin writes about four basic measures journalists can take when communicating with sources in one of the most extremely surveilled environments of the world: Syria. Her advice, though specific to that environment, also includes some of the most basic recommendations to be made to journalists.
For journalists seeking to learn more, there are fortunately numerous resources available online. In addition to CPJ’s guide, MobileActive has published a guide to help journalists understand the risks inherent in mobile technology. Below are a list of additional resources that should prove useful to journalists hoping to learn more about how to keep themselves — and their sources — safe:
- The Electronic Frontier Foundation’s Surveillance Self-Defense guide
- The Tactical Technology Collective’s Security in a Box toolkit
- Access’ guide to mitigating distributed denial-of-service attacks
- HTTPS Everywhere – developed by EFF and the Tor Project
- The Tor Project – a tool for protecting oneself against surveillance
- The Guardian Project – tools for mobile security and safety
Jillian C. York is the director of International Freedom of Expression at the Electronic Frontier Foundation. She writes regularly about free expression, politics, and the Internet, with particular focus on the Arab world. She is on the Board of Directors of Global Voices Online, and has written for a variety of publications, including Al Jazeera, The Atlantic, The Guardian, Foreign Policy, and Bloomberg.