How Journalists Can Secure Their Digital Perimeter

Eva Galperin of the Electronic Frontier Foundation offers tips on how journalists can protect themselves and their sources. Photo: Dawn Garcia

Truism of the day: Your digital perimeter is not secure. You know that. The question for journalists is what can you do right now to strengthen it?

Are your editors and managing editors doing enough to help you? As my fellow Knight Fellow Melissa Chan, who was a correspondent in China, points out, companies are (finally) investing in physical security but putting relatively few resources into digital security.

Whether you’re protecting an anonymous source inside the Beltway or working in a conflict zone, you need to protect your data, emails, contacts, instant messages and other important information. Securing your digital perimeter security — call it SDP (secure digital perimeter) — is essential.

Protect yourself and your sources

You may feel that you have nothing, really, to hide. But your sources could, of course — especially if you work in conflict zones. Taking practical steps now might help save you and your sources from harassment, arrest — or worse.

Recall how British filmmaker Sean McAllister accidentally endangered the lives of activists he interviewed after Assad regime intelligence agents detained him and seized his laptop, mobile phone, cameras and film.

Fueled in part by the Syrian civil war, 2012 was one of the deadliest years on record for journalists: 121 news workers were killed worldwide last year, according to the Committee to Protect Journalists. Politics and war were the top motives for the slayings, according to CPJ.

“What’s at stake is not only your personal safety but the entire web of people who trust you with their information,” said Eva Galperin, the International Freedom of Expression Coordinator for the Electronic Frontier Foundation (EFF). And when you compromise that trust, your credibility is also badly damaged, she added. “Privacy and security do not work retroactively. You can’t take steps to protect yourself after you’ve been compromised.”

Assess the threat

Galperin visited the Knight Fellows recently, sharing with us some steps to take to assure your digital security. The first task, she said, is to assess the threat.

Examine what news assets and content need protecting. What are their vulnerabilities and what countermeasures exist? “Each person has to assess their own threat model by looking at what information you want to protect and who you want to protect it from,” Galperin said. Try to examine what’s vulnerable. And what are your adversaries’ capabilities? Check out EFF’s Surveillance Self-Defense guide or Border Search white paper.

Best Practices

When you know what’s important to protect, Galperin advises following any or all of these best practices:

• Lock everything down; don’t assume anything is protected. Are passwords stored directly on your laptop? How about names of sensitive sources? Change that. Now.
• Keep passwords strong and safe by using password sites such as Last Pass or 1Password to more securely log in and out of all your email and any password protected sites.
• Use two-step authorization in security settings for Google and any other services that offer it. Facebook has a two-factor authentication system called Login Approvals that prevents anyone from accessing your account even if they have your password.
• Use Skype with caution. Widely used to reach sources, especially in war and conflict zones, Skype is not as secure as many think. Galperin notes that metadata about Skype traffic is fairly easy to detect, and companies sell lots of hardware and devices to governments and agencies that can track what you’re doing with Skype. In China, Skype is monitored by the government, which engages in real-time filtering and blocking. Galperin recommends Google Hangouts as a viable alternative to Skype for users who are working under repressive regimes and in dangerous places, such as Syria.
• Beware of using weak passwords. You’ve heard this before, but are you following the advice? Check out these tips from Microsoft.
• Avoid using easily discovered recovery questions whose answers could be found in public data or on Facebook or other social media. So don’t use your mom’s real maiden name, your own name, street address or the high school you went to for passwords. Never use the same security questions or passwords for multiple accounts.
• Try to always use “https” protocol, which encrypts websites, on your browsers. Most sites on the web are accessed using the unencrypted “http,” which is susceptible to eavesdropping, and even to intermediaries that might set out to modify the pages a browser is fetching, Galperin said.
• Hushmail is a good combination with https. It’s a free, encrypted webmail service for setting up semi-anonymous email.
• For added protection, when possible, use the free Internet encryption tool Tor. The downsides: Tor can dramatically slow down connection speed, especially in countries where the net is already slow. And Tor is blocked in China and Iran.
• Instant messaging: Use OTR (Off The Record) instant messaging to be more secure. Galperin recommended Pidgin, a program that will talk to your friends over the MSN, Yahoo!, Google, Jabber, and AIM networks, and Adium, a program specifically for Mac OS X.
• Text messaging is highly insecure and text messaging services do not encrypt messages.

With news organizations still spotty on digital security, it’s best to protect yourself as much as you can.

“I think that’s starting to change, but we’re only in the beginning stages,” Galperin said. “It’s frustrating because this results in journalists putting sources at risk without possibly ever knowing it. The potential damage is enormous.”

In the meantime, you might even consider having a specialist do an audit of your system to make sure it’s as secure as possible.

So secure your digital perimeter, or SDP. ASAP.

More Reading

Data Security 101 for Journalists by Andrew Lih

Mobile Security Survival Guide Helps Journalists Understand Wireless Risks by Melissa Ulbricht

SaferMobile Helps Protect Your Cell Phone Data From Threats by Melissa Ulbricht

Eric Westervelt is a Knight Fellow at Stanford University. Westervelt had the sometimes frightening, yet always exhilarating experience of covering all three North African revolutions for National Public Radio in 2011. The assignments were a return to the place and the politics that first inspired him to become a journalist. On a break from Reed College in Portland, Ore., where he was majoring in American studies, he had sailed to Portugal on a three-masted schooner. His adventure continued by foot, train and hitchhiking through Morocco, Algeria, Tunisia and the Western Sahara. Ever curious, he talked to all kinds of people — and took notes. He landed in Tunisia just after a coup. In Algeria, he visited rebels challenging Morocco’s occupation of Western Sahara. He was even arrested and accused of spying. Now he knew he wanted to be a journalist. After graduating from Reed, he freelanced, then worked for New Hampshire Public Radio. In 1996, he moved to NPR, covering national security and the Pentagon. He was an NPR correspondent in Jerusalem before being named Berlin bureau chief in 2009.

This post originally appeared on the blog for the John S. Knight Journalism Fellowships at Stanford.