It is an extraordinarily difficult time to be a journalist. Nearly every month, the digital security landscape shifts--new surveillance concerns are unearthed and freshly drafted laws are introduced that seek to curb freedom of expression under the guise of national security.
Fortunately, technologists and activists from Silicon Valley to New York and Rio de Janeiro are sitting up and taking notice. The Electronic Frontier Foundation (EFF), the American Civil Liberties Union (ACLU) and others have filed lawsuits against the NSA over surveillance, while research centers like The Tow Center for Digital Journalism at the Graduate School of Journalism at Columbia University have hosted workshops where journalists can learn the basics of staying safe online. Even the Third Committee of the United Nations General Assembly is acknowledging the grave environment facing journalists and just passed by consensus a resolution on the safety of journalists and the issue of impunity.
These are all important steps, but much more needs to be done.
Fortunately, UNESCO--long a supporter of press freedom--is spearheading an effort to identify the threats facing online journalists around the globe in conjunction with the U.N. Plan of Action on the Safety of Journalists and the Issue of Impunity. As part of this effort, UNESCO-contracted researchers are fielding a global survey launched in November and ending December 31 to obtain insights into the threats facing online journalists and to ascertain the level of digital security awareness that journalists currently have. Take the survey here.
But journalists shouldn't wait for U.N. recommendations to start taking steps to be safer online.
At the 2013 Internet Governance Forum in Bali, Indonesia, this fall, I spoke about steps journalists can take now to be more secure, drawing on concepts Tow Center Fellow Jonathan Stray teaches in his Computational Journalism class at Columbia University. First, all journalists should create a "threat model" (essentially a risk management plan) which considers the following questions:
1. What do I want to keep secret? (Specify all the information that you want to remain secret--including notes, locations, identities, or networks.)
2. Who are your adversaries and what do they want to know? (Is your adversary interested in your source, your organization, or something else? You should list your potential adversaries and their interests.)
3. What can they do to find out? (Could they use legal means such as a subpoena or technological means like eavesdropping? Or, maybe they could exploit your social networks through social engineering tactics. List every way they could try to find out what you want to keep secret.)
4. What is the risk if they succeed? (Is your story blown? Will your source have legal problems? Or could someone get killed? Explain what happens if an adversary succeeds in breaking your security. What are the consequences and to whom? Which of these consequences are absolutely necessary to avoid?)
Once you answer these questions, you are in a position to design a security plan that reduces the risks your individual threat model laid out. To be as effective as possible, your security plan should specify the technological tools you might need (e.g., PGP, TrueCrypt, a password management system) and how to implement them. Your security plan is pointless if you don't know what tools to use or how to use them.
In addition to creating your individualized security plan, you should at the very least:
Use strong passwords. Unique passwords longer than 12 characters, made up of phrases not normally used together, are harder to figure out. Longer passwords are better. Many experts suggest purposefully misspelling the words you use to make your passwords even harder to break, but be wary of simply adding a special character or two; it won't help.
Encrypt your drive(s) and/or individual files. Although you should never leave your computer unattended in an insecure location (e.g., your hotel room), if someone does obtain possession of your computer, you can make it more difficult for them to read what's on it by encrypting your hard drive and/or individual files. If you have a Mac, switching on FileVault 2 is an easy and fast way to encrypt your hard drive. To encrypt individual folders or drives, free, open-source software like TrueCrypt is a good choice. Using encryption may be illegal in some countries, or provide a presumption of wrongdoing, so make sure your threat model warrants encryption and know the laws of the countries in which you are travelling or living.
Enable two-factor authentication. Many companies, including Google, Facebook and Twitter, use two-factor authentication, which adds an extra layer of protection to the login process. Once you add two-step authentication to your Google account, a verification code is sent to your mobile device, which you must use to gain access to your account. This makes it harder for someone to get in, because they must know something you know (your password) and have access to something you have (your cell phone).
Use the HTTPS Everywhere add-on. Unfortunately, many sites still operate without SSL, which means your communications are not encrypted. An easy way to avoid working from an insecure site is to install the EFF/Tor browser extension, HTTPS Everywhere (available for Firefox and Chrome), which enables HTTPS protection for many sites. This encryption protects information you send to the site, such as your login information.
Use a Virtual Private Network and/or traffic anonymizer. Another tool you can use to be safer online is a Virtual Private Network (VPN), which secures your computer's Internet connection by encrypting the data you send and receive. VPNs don't protect against traffic analysis (a form of Internet surveillance), because they only hide the content and not the metadata (e.g., the size, source and destination). To help prevent traffic analysis, you should use a traffic anonymizer, such as Tor, which masks your IP address by bouncing your information across a distributed network of servers. As with encryption, some countries block VPNs, so make sure you know the laws of the country in which you are operating.
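To put numbers on the password advice above, this added example (not part of the original article) compares one dictionary word with a special character or two appended against several randomly chosen words, and generates a phrase longer than 12 characters. Assumptions: the guesser knows how the password was built, the word list has 7776 entries, and the 16-word list in the code is a constructed sample.

```python
import math
import secrets
import string

# Constructed 16-word sample so the script runs offline; far too small for
# real use. A real list should hold thousands of words (7776 is assumed below).
SAMPLE_WORDS = [
    "anchor", "biscuit", "cobalt", "dolphin", "ember", "fjord", "gravel",
    "harbor", "igloo", "jigsaw", "kettle", "lantern", "mosaic", "nutmeg",
    "orchid", "pebble",
]

def passphrase_bits(n_words, wordlist_size):
    """Entropy in bits of n_words drawn uniformly at random from the list."""
    return n_words * math.log2(wordlist_size)

def word_plus_suffix_bits(dict_size, n_symbols, max_suffix):
    """Entropy of one dictionary word followed by 0..max_suffix symbols."""
    suffixes = sum(n_symbols ** k for k in range(max_suffix + 1))
    return math.log2(dict_size * suffixes)

def generate_passphrase(words, n_words, min_length=13):
    """Choose words with a CSPRNG; result is longer than 12 characters."""
    longest = n_words * max(map(len, words)) + (n_words - 1)
    if longest < min_length:
        raise ValueError("too few words to reach the minimum length")
    while True:
        phrase = " ".join(secrets.choice(words) for _ in range(n_words))
        if len(phrase) >= min_length:
            return phrase

if __name__ == "__main__":
    size = 7776                        # assumed size of a real word list
    symbols = len(string.punctuation)  # 32 ASCII special characters
    weak = word_plus_suffix_bits(size, symbols, 2)
    print(f"one word + up to 2 symbols: {weak:5.1f} bits")
    for n in (2, 4, 6):
        print(f"{n} random words:             {passphrase_bits(n, size):5.1f} bits")
    print("sample phrase:", generate_passphrase(SAMPLE_WORDS, 5))
```

Under these assumptions a word plus two symbols (about 23 bits) is weaker than two random words (about 26 bits), and each further word adds roughly 13 bits.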
For more guides on technological tools to use to better secure your communications, check out CPJ's Information Security Guide, Frank Smyth's Digital Security Basics for Journalists, Freedom of the Press Foundation's encryption guide, Tactical Tech/Front Line Defenders' Security in-a-box, and EFF's Surveillance Self-Defense Project. All are excellent guides and geared toward the layperson.
Although no one will ever be 100 percent secure online, journalists can and should take steps right now to better protect their sources, their colleagues, and themselves. Digital security is only as strong as your weakest link. Don't let that be you.