“Digital” security for journalists is intrinsically linked with information security, but the two are not necessarily the same. It’s important to understand information security to maximize digital security. Information security relates to all aspects of how you collect, manage, control, use and dispose of your data. It applies on paper as well as in digital format, but many of the principles are the same.
People make mistakes and journalists are no exception, with many being increasingly overworked and under-resourced. With many current tools, a lot of people feel that as security goes up, usability goes down. Having perfect security all the time is rare. So creating risk models to choose when to use various methods and tools is important. For example, communicating with a source about allegations of state torture might hold a very different risk (and possibly require higher levels of security) than collecting information about consumer complaints.
Experience tends to show that the best way to deal with this variance is to first set a good baseline of daily security (strong passwords, shredding, locking away information, etc.) and then follow a much stricter security regime when you need to — but be aware that a sudden change in your patterns may arouse interest from hostile threats. You should aim to minimize this problem by keeping your toolkit up to date — for example by logging in to your secure mail every few weeks.
Never forget that former Guardian columnist Glenn Greenwald nearly blew one of the biggest stories of the decade when he got too impatient to bother learning the security procedures he needed to communicate. Similarly, you should have multiple tools in your armory based on your risk model. One of the hardest things to do is communicate with your sources securely. Consider having a range of easier and possibly less secure methods (like meeting in a public place, “burner” mobile phones or CryptoCat) to make “first contact” with your source, then use these to help them shift to other more secure methods of communication if needed, like meeting in a safe house or using TextSecure or PGP.
Know Your Objectives
As a journalist, it is vital for you to consider the following questions to ensure information security.
- Why are you collecting information?
It’s vital to understand why you are collecting information as this helps shape the rest of your objectives, such as the time, costs and risks you are willing to take. These risks should include those of the people whom you are speaking to and gathering information about.
- What are you asking?
The nature of what you are asking or researching can often dramatically increase the risk to you or the people you are working with. Consider these risks and look for similar work done by others in your country or region. Build an understanding of what has happened to others who have worked on similar issues.
- Who are you asking?
Spend time researching the backgrounds and dangers you may face or create for the people you are asking questions of. Many cases exist of journalists inadvertently endangering people they met or communicated with (physically and digitally). Google, LinkedIn, Maltego, etc. can all be very useful for building up an understanding of the people, area and issues you are dealing with.
- How do you plan on storing it? How long do you plan on keeping it?
There are a number of digital tools relevant to gathering and storing information (such as TAILS, TOR, PGP, etc.) but you must be able to use them effectively. This needs to be considered alongside your ability to protect that information. Notebooks are an essential tool of a journalist’s trade, but what if you are searched by police or at an airport? If your luggage might be subject to search when leaving a chokepoint like an airport, keep only information which you wouldn’t mind authorities viewing in your notebooks — and send the sensitive information to yourself using an appropriate encrypted method.
- What laws are relevant to what you are doing?
Every country has laws which journalists may occasionally have to skirt when they are collecting information in the public interest. However, some states are increasingly using laws to harass and suppress the activities of journalists and human rights workers. They know that if they beat you up, it is likely to create more unwanted attention than if you are in court for months on end. Thus it is important to have sufficient knowledge of the laws in the areas you operate in — particularly as data-protection laws are becoming more widespread.
- How much information do you have to gather to achieve your objective?
It is often tempting to collect as much information as possible, but consider whether it is really necessary to do so, especially if the unnecessary information might put you or your source at risk. You reduce risk by gathering only the necessary information, instead of all information.
Need to Know
- Who really needs to know the information you are planning on collecting?
Many people overly focus on tools when thinking about security, but people are usually the biggest weakness. Insider threats (or to a lesser extent, “loose talk” and laziness) are one of the most common security breaches. Minimizing the number of people who know what you are planning on collecting is vital. Many people feel uncomfortable withholding information from friends and colleagues, but remember, you are not being rude — ultimately you are doing this to protect them, your sources and yourself.
- What level of access is needed, and when do they need it?
Mapping out the levels of access to the information you collect and strictly controlling access are vital in ensuring that people only have the information that they need to do their jobs (called the “need to know” principle). Understand that access to digital or physical information is often wider than just to one person (like an editor) but can include many others (editor’s assistant, legal department, IT systems administrator, secretary, office cleaner, security guard). You should choose your method of access control based on your risk model.
- What is your ability to protect that information?
You must be honest with yourself and your sources when considering your ability to protect the information you are collecting. This relates to your risk model. You should select methods based on these considerations. For example, if you live in a state where you know you may be compelled by law to hand over email encryption keys, perhaps you should consider non-digital methods of meeting with sources. Similarly, if you are in a country with strong physical threats, then digital communication methods may be a better option — as long as you have the skills and training to employ them successfully.
- What is your responsibility to the person who you are collecting information from?
It is important to understand and communicate clearly to your source what you consider the limitations of your responsibility to them. Often sources have an exaggerated estimation of what you can do to help them. It often seems difficult to risk losing the relationship by outlining how little you can do to help them, but generally sources appreciate such honesty and trust you more when you do. It also allows them to plan for the appropriate level of risk.
Plan For Failure
The last few years have seen a shift in many countries’ tactics of disrupting the work of journalists and NGOs. Recognizing that direct attacks often result in public outcry, governments have taken to methods of disruption instead, believing that such methods will more easily “fly under the radar.” For example, stealing laptops, confiscating servers, burning down offices or launching spurious legal cases can all keep journalists from doing their work. Thus it is important to prepare in advance to minimize these problems.
- How do you plan on running backups and ensuring redundancy?
Think about what your most vital data (digital and physical) is and what would happen if you lost it today. You should map out where this is stored and how often it is stored. Select the tools and methods that work best for you.
- Where to store these backups?
It’s important to have backups stored away from obvious locations like home or office. There is little point in making backups if confiscation, theft or fire occur and destroy them. If you are backing up digital information, make sure you encrypt it first, then use an online service; ideally do it in a country outside your own which has strong media protection rules — such as Iceland, the Netherlands or Finland.
- What are the risks of release — of primary source material and also of the article itself?
Too often the fallout of publishing information is not considered enough — especially for the sources involved. Think about what identifiable details you are publishing. Following publication, you may come to greater attention from outside threats. You likely no longer need all of the information you stored while creating the publication, so consider securely deleting it or moving the information you needed to a safe place.
- Have plans in place for digital and physical response in the face of arrest or compromise — for you and your source.
Always assume your information security methods may be compromised. Encrypt, lock, backup and hide information. Arrange signals with trusted parties who will help you destroy compromising information if necessary. Tools such as “Darik’s Boot and Nuke” (Windows) or “LUKS Nuke Patch” (Linux) can be useful, but you need to understand how to use them in an emergency, while under pressure — physical destruction is also recommended. Identify lawyers, NGOs and friends who can help you and your source in advance of something like an arrest occurring. In some environments, safe houses and evacuation plans are a vital part of planning for failure.
Rory Byrne is the CEO and Founder of Security First. Security First, established in 2013, works to secure human rights defenders – simply and comprehensively. They are currently building “Umbrella,” an open source mobile tool to help journalists, activists and aid workers manage their security on the move – covering situations ranging from planning a secure physical meeting to sending an encrypted mail. Security First also trains high-risk journalists and human rights defenders in advanced security methods such as counter-surveillance, risk management, secure communications, source protection, preventing insider threats and dealing with arrests. Previously he helped establish the human rights organisation, Videre – the world leader in the gathering, verification and distribution of covert camera footage. His experience draws from over ten years in the human rights world, the military, UK Parliament and as a Certified Ethical Hacker. Follow him on Twitter at @roryireland. You can sign up for early access to Umbrella or learn more about training courses at www.secfirst.org.
JournoSec is a column aimed at helping journalists better understand the security, privacy and anonymity challenges they currently face, and steps they can take to protect themselves. Managed by OpenITP Outreach Manager Sandra Ordonez, it brings together leading voices from the community behind open-source technologies that circumvent censorship and surveillance. For more information, follow @OpenITP. To become more involved, contact sandraordonez AT OpenITP DOT org.