What do you do when you know, going into your project, that it’s a losing battle — one that journalists will not win?
My yearlong mission as a Stanford Knight Journalism Fellow is to try to come up with solutions to improve journalists’ digital security. The project was born from personal experience: As a correspondent based in China, I regularly received phishing emails — messages carrying links or attachments meant to offload spyware to my computer.
There was the case of the phony Facebook friend confirmation in the post-Arab Spring period, meant to lure journalists interested in reaching out to supposed Chinese political activists. The hoax message, I later learned, had possible links to cyber criminal operators in Beijing.
Hackers once delivered payloads to dozens of us, taking advantage of an Adobe Flash vulnerability discovered only one or two days earlier, and before most of us would have updated our software with a patch. The individual or group had acted quickly.
I even received a bespoke phishing message. My best guess is that the hackers monitored my Twitter account to determine my location and the story I was working on, before delivering an email they believed would hook me.
Alone against the hackers
These episodes left me and my peers in China with a great sense of vulnerability. I realized that most of our computers were insecure and easy for hackers to go after.
But when hackers regularly bamboozle the IT departments of multinational corporations and digital corporate espionage is rife, part of my challenge now is to determine how a non-technical and lone player like myself can maximize my utility in this online battle.
An early clue came from a conversation with Rebecca MacKinnon, one of the first people I reached out to this academic year. Rebecca had once been CNN’s China correspondent before launching a second career online. She is the author of “Consent of the Networked: The Worldwide Struggle for Internet Freedom.”
“News organizations have spent millions of dollars training their journalists on physical security. Yet, to my knowledge, they have not spent many resources on digital security,” she said.
It’s easy for news organizations to understand mortal peril and the dangers of conflict zones. It’s far more difficult for them to see the urgency of online security. Digital damage, after all, is inflicted silently.
Frank Smyth is founder of Global Journalist Security, an organization working to equip reporters with complete security training, including a digital component. We met as fellow panelists at a digital security presentation in San Francisco in September.
“When somebody breaks into your home, there’s usually a sign that the home has been breached and something’s been taken,” said Smyth. “When you’re dealing with electronic information and communications, there may be no signal whatsoever.”
We treat the online world differently
The problem Smyth points to is not exclusive to reporters. People simply treat the online world differently. We share photos on Facebook we’d never share with strangers in person. And we don’t secure our computers the same way we secure our other possessions.
It’s difficult to accept the digital universe as a second reality: We simply haven’t transferred our behaviors in our actual lives to be consistent with behaviors in our digital lives.
My best example of this is the failure of many reporters to adopt two-step authentication when logging into Gmail. It’s a simple procedure. It’s the digital equivalent of having a second lock on your door. Those who do use it generally do so because they have already had their emails compromised. But in my opinion, ex post facto prevention is too little, too late.
At this point in my project, I believe half my challenge will be to convince reporters and news organizations to make digital security a priority. Many may agree, but few have followed up in a systemic, comprehensive, deliberate manner. The other half of the challenge will be to convince everyone to modify habits. What must we do to convince more people to keep their anti-virus software updated and to use Google’s two-step authentication?
Both these challenges come before we even touch on any of the actual technical options and solutions out there.
For those interested in getting started on good digital housekeeping, start with the Committee to Protect Journalists’ information security primer. Tactical Technology Collective and Front Line also have security in-a-box.
Melissa Chan is a Knight Fellow at Stanford University. Chan mostly hoped to visit her aging grandmother in Hong Kong after receiving a master’s degree in comparative politics from the London School of Economics in 2005. But she had also applied for several internships, and ended up with one at CNN. Her first reports were about citizens protesting China’s growing political interference in Hong Kong. Reporting, she found, gave her a sense of social contribution and a personally valuable degree of reflection. Chan had gotten her first taste of journalism in 2003, working as an assistant to the executive producer of ABC’s World News Tonight after getting a history degree from Yale. In 2007, she began working as a reporter for Al Jazeera English and in 2009 was named its China correspondent. She covered the Olympics and earthquakes. She exposed Hepatitis B discrimination on college campuses and illegal “black jails.” And in May 2012, with no explanation from China, she became the first accredited foreign correspondent to be expelled from the country in 14 years.
This post originally appeared on the blog for the John S. Knight Journalism Fellowships at Stanford.
The John S. Knight Fellowships at Stanford University fosters journalistic innovation, entrepreneurship and leadership. Each year, 20 individuals from around the world get the resources to pursue their ideas for improving journalism.