Information security means defending your data, from research notes to the confidential details of your contacts, from basic details of your itinerary to audio and video files. It means protecting data that is private to you, as well as protecting the privacy of communication between you and your colleagues or sources. If you are working in the field, the digital files on your computer might be the most precious item you carry. Losing them can derail a story or, worse, put you or a source at risk.
The volume and sophistication of attacks on journalists’ digital data is increasing at an alarming rate. In China, foreign correspondents have seen their personal computers infected with surveillance software that was concealed as attachments to carefully fabricated emails. Authorities in countries from Ethiopia to Colombia have accessed reporters’ telephone, email, and text conversations. Government players aren’t the only ones who use digital surveillance and sabotage; large criminal organizations increasingly exploit high-tech opportunities. Opportunistic or “patriotic” computer criminals also target journalists working with valuable or controversial data.
In the end, though, good information security is rarely about fending off sophisticated cyberattacks and Hollywood-style hackers. It’s about understanding the motives and capabilities of those who might want to attack you, and developing consistent habits based on those assessments.
Information security poses unique challenges. It’s hard, for one, to detect an attack on your data. If someone steals your wallet, you’ll know it. If someone successfully copies your hard drive (say by scanning it while you wait in another room at a customs checkpoint) you may never know. Second, the damage caused by the leak of your personal data is usually impossible to undo. Once information is known to your attackers, you can’t get it back. Finally, information technology systems are notoriously complex and constantly changing. Not even the smartest technologists know the function of every program on their computers, or how the interaction between that software and Internet sites may be exploited. Even if you’re not an expert on bulletproof vests, you have some idea of their protective features and their limits. Computer security protection is much harder to comprehend intuitively.
What does this mean? Your emphasis should be on simplicity. There’s no point in surrounding yourself with computer security that you don’t use, or that fails to address a weaker link elsewhere. Take advantage of what you know well: the people who are most likely to take offense or otherwise target your work, and what they may be seeking to obtain or disrupt. Use that knowledge to determine what you need to protect and how.
Ask yourself: What information should I protect? What data is valuable to me or a potential adversary? It might not be what you think of at first. Many journalists feel that what they are doing is largely transparent, and that they have nothing to hide. But think about the dangers to sources if the information they have provided to you was more widely known. What may seem innocuous personal information to you might be incriminatory to others. For instance, access to your Israeli contact information when covering a story in an Arab country (and vice versa) can cause problems for all concerned. Even information you have previously freely shared online could trip you up in another context. Undoing previously released information is difficult, but you may want to sanitize your Facebook or other social network pages or heighten your privacy settings before embarking on a trip or a new assignment.
Once you have written a list of potentially valuable data, ask another question: From whom are you defending this information? It’s easy to imagine some Orwellian surveillance department poring over your every email. In repressive nations such as Iran, that can indeed be the case. More often, though, journalists make enemies in a specific part of an administration or with a specific person such as a local police chief or corrupt government official. Do they have access to sophisticated surveillance equipment? Or are they more likely to have someone kick down your door and steal your laptop? When thinking of potential attackers, consider the possibility of attack by their supporters or sympathizers. In many cases documented by CPJ, the attacks are not directly perpetrated by governments or political parties, but by unconnected, “patriotic” troublemakers who perceive opposition or foreign media as legitimate targets.
Once you have a list of your potential attackers and what they might want, you can take specific technical steps to protect yourself. The suggestions here are intended to give you broad guidance for information security. Remember, though, that detailed technical suggestions can quickly become outdated. If in doubt, check CPJ’s own updated advice on its website.
Phone-tapping is probably the most familiar form of surveillance practiced against journalists. Those working in restrictive countries can cite numerous examples of such surveillance. But journalists now employ a wider range of communication tools, including text messages, emails, instant messages, social networking websites, and audio and video chat software. So, too, have their adversaries expanded their array of weapons.
More groups now have the power to conduct spying. Historically, access to third-party communications was restricted to those with access to telephone records and equipment, either through formal relationships or through corrupt employees. These days, the capability to tap your computer or phone has been decentralized and privatized. That power is potentially in the hands of a far wider group: People sharing your wireless network at a cybercafé can snoop on your instant messages; freelance hackers can break into your email account.
Despite the growth in these threats, several tactics can reduce the risk of communications being intercepted by even the most technologically sophisticated attackers.
When you’re in contact with someone, a third party can access two pieces of valuable information: To whom you’re speaking, and what you’re saying. Modern communication tools can leak a few other bits of information. If you’re carrying a mobile phone or connecting a laptop to the Internet, making a call or checking your email can leak your position and, thus, allow someone to track your movements. Some software, like instant messenger clients or social networking sites, can also reveal who else you know through contact or friend lists.
Telephone conversations are easy to tap if your attacker has access to the right people or systems at the telephone company. This includes mobile phones. Text messages are particularly easy to intercept since an attacker doesn’t need to have a person listening in and transcribing the calls; the messages are so small that they can be logged en masse and examined later. CPJ has documented cases in which authorities have presented journalists with logs of text messages as an implied threat or as evidence of antistate activity.
Consider using prearranged codes that are agreed upon “out of band”—that is, not via a channel suspected to be insecure. Pass a message via personal contacts, or use code words in your message. If you are concerned about authorities monitoring your calls, try to obtain a phone that is not linked to your name. Buying a cheap, prepaid local phone with cash is one method. Many countries require ID to buy a phone, but you may be able to purchase a phone and connection from an existing user. Remember, though, that your contacts are as likely to be the targets of interception as you are; if they are not using their own precautions, your first call to them could reveal your new number.
Mobile telephones report their location constantly to the telephone company when they’re turned on, and phone companies often keep logs of this data, particularly in repressive regimes. Phones can be used as surveillance devices, too, even when apparently turned off. If you are concerned about intense levels of monitoring, you should consider whether the convenience of carrying a phone is worth the risks of tracking. Many journalists remove the batteries from their phones on occasion to prevent detection, but you should be aware that turning off a phone before arriving at a destination can itself serve as a red flag.
While telephone audio is still used for many conversations, the Internet is the growing medium for personal communication. Unlike the centralized phone system with its fixed routes for communication, the Internet is a decentralized system with many potential paths for private conversations.
The Internet conveys data long distances by passing the information through many intermediate computers, much like a bucket brigade passes water from one end of a line to the other. Frequently, data travel both ways over this chain in a form that can be intercepted by the owners of the devices that the data passes through. Unless the data is protected technically or with enforced legal restrictions, your Internet provider can record and monitor your communications, as can the phone company, Internet destinations such as Facebook, local providers such as the cybercafé or hotel where you are connecting, or even other Internet users on the same local network. Vulnerable data includes email traffic, instant messages, and websites you visit or into which you enter data.
Software can prevent these bystanders from reading your email or identifying the websites you visit. Encryption programs can scramble your messages so that only an intended recipient can decode them. You can choose encryption software designed for specific uses (such as email and instant messaging), or you can adopt methods that encrypt all of your Internet traffic.
The gold standard for encryption is “public key cryptography,” which allows you to communicate with others without having to share a prearranged password or secret code. The most common versions of public key cryptography for email are the open-source GNU Privacy Guard, or GPG, and Symantec’s Pretty Good Privacy, or PGP. They are compatible with each other.
Public key cryptography systems have a steep learning curve for non-technical users. But if used correctly by all correspondents, they can help prevent surveillance even from technologically sophisticated states such as the United States and China that have deep access to the Internet infrastructure. Many email programs, such as Outlook, Thunderbird, and Apple Mail, have additional software, or plug-ins, that support GPG/PGP; human rights and media organizations will sometimes offer instructional classes in using them.
GPG and PGP are used infrequently outside of vulnerable groups. Therefore, their use may itself be a red flag to authorities and could conceivably attract unwanted attention. You may want to use more generally available tools, although these will not have the same high level of protection. If you are willing to allow one or two trusted intermediaries to have access to your communications, hosted Web mail services can provide limited protection. Services such as Google’s Gmail or Riseup.net use “transport layer security,” or TLS/SSL. That means that while the companies running the services can read your email (Google does it to send targeted advertising), other intermediaries transporting the data to and from these companies cannot.
To ensure that the service you use protects your communications from other intermediaries, check the Web address at the top of your browser: If it starts with “https://” —as opposed to “http://” —your communications are at least partially encrypted, and therefore better able to evade surveillance. Services such as Twitter, Facebook, and Microsoft’s Hotmail now provide this as a free but optional security feature. You may have to search their online documentation to learn how to enable it.
If you are working under a repressive regime known to have access to communication providers, consider using a provider of encrypted Web mail that is based in another country without economic or political ties to your location. You may wish to encourage correspondents to use an email account on the same service when talking to you. There is little point in carefully encrypting your side of a conversation if your correspondent is reading the email insecurely.
Although TLS encryption protects messages passing over the Internet, attackers may try to obtain your archive of previous messages. They might do this by installing software on your computer or that of your correspondents, or by breaking into your Web mail provider. This makes it important to protect your own computer and the passwords of any Web mail services you use. (See sections below on Defending Your Data and Protecting External Data.)
Instant messaging—real-time chats using software such as MSN Messenger, Yahoo! Messenger, AIM, and Facebook Chat—are as vulnerable to interception as email. Very few chat programs provide protective encryption. Governments such as Iran and China make a practice of intercepting instant messages, CPJ research shows. The messaging equivalent to PGP and GPG is Off-The-Record (OTR) Messaging, which can be used in combination with most instant messaging software. As with PGP/GPG, OTR requires that both sides of a conversation have the technical skill to install and learn new applications. Many journalists use Skype for sensitive audio calls and instant messaging. Skype encrypts its communications but keeps its methods secret, so it is difficult to know the level of protection and whether it will be effective into the future. Use Skype in preference to unencrypted message systems, but use with caution.
Rather than use separate pieces of software to selectively encrypt parts of your online communications, you may wish to simply encrypt it all. One way to do this is to use a virtual private network (VPN) service. A VPN encrypts and sends all Internet data to and from your computer via a dedicated computer elsewhere on the Internet, called a VPN server. When configured correctly, a VPN will secure all of your communications from local interception. If you are employed by a media organization, your employer may well use a VPN to allow remote users access to the company’s internal networks. Alternatively, some commercial services allow individuals to rent access to a VPN server on a monthly basis.
As seen by the rest of the Internet, you appear to be accessing the Web and other Internet services from your VPN server, not your actual location. That means it can hide your current whereabouts and bypass local censorship systems. VPNs do not encrypt every stage of your data’s travels online. Because your final destination may not understand encrypted data, your information and requests emerge from the VPN server in an unencrypted state. That means you have to trust that the operators of your VPN server—and intermediaries between them and the sites and services you visit—are not themselves maliciously monitoring your communications. If you’re defending yourself against a local adversary, such as the government, the VPN server of the service you select should be in another jurisdiction.
An alternative to a commercial VPN is the free anonymizing service Tor. Tor protects its users’ traffic by encrypting and shuffling the data through several volunteer-run servers before it finally exits onto the wider Internet. Tor is worth considering if you want to be untraceable online, although it can be slow and may be blocked or difficult to access in some countries.
Modern laptops and smartphones can hold vast amounts of data, but using that capability poses serious risks. If your computer or phone is stolen or destroyed, you can permanently lose a large amount of sensitive information.
While everyone who owns a modern computer or phone faces this risk, you should consider the possibility that attackers may target you to obstruct your work or take retaliatory actions. Attackers can seize your equipment to obtain private data. Or they may seek to infect your computer with malicious software so that attackers have remote access to your files and all your communications.
If you are traveling into a dangerous situation, consider using a separate laptop or simple phone that carries minimal information. Consider keeping your confidential information on a USB flash drive (a small storage device you can plug into your laptop), which is easier to hide and protect. Carry the flash drive hidden on your person and separate from your laptop. USB flash drives are offered in a wide range of disguises, such as house keys or Lego pieces. Additionally, you may want to back up vital documents from your laptop onto a flash drive so that you have a copy if you lose control of your computer.
Make sure your computer is switched off when you leave your work area. Even in a newsroom, be alert to people peering over your shoulder when you sign in or read your messages. Do not use public computers in cybercafés or hotels for confidential conversations or to access your USB drive. And don’t enter passwords into public computers.
Always configure your laptop or phone so that a PIN or password is needed to unlock it. You should understand, however, that determined data thieves are often able to bypass these access controls. Local file encryption software such as Windows’ BitLocker, MacOS FileVault, or the independent TrueCrypt project will allow you to set password protections on specific files, your entire account, or even the whole drive. Data encrypted in this way is unreadable even by someone with complete control over your laptop. The same software can be used with USB flash drives. Be sure to pick a strong password. (See section on Choosing a Strong Password.)
Smartphones are a challenge to protect because of their complexity. You may wish to investigate dedicated local encryption programs. The activism group MobileActive has useful guides for protecting mobile devices.
Governments and criminals are increasingly using targeted delivery of malicious software, or malware, to attack perceived enemies such as independent journalists. Taking advantage of bugs in popular software, malware remotely and invisibly installs itself on computers; the malware can then record your keystrokes, watch your screen, or even upload local files to remote Internet sites. It can be delivered via fake but convincing email attachments, and even ordinary-looking websites. Don’t click on attachments or links sent by email, even from colleagues, without considering the possibility that the mail may be a customized fake using personal details that an attacker gleaned online. Use antivirus software, and keep it up to date; it will be able to detect all but the most sophisticated targeted attacks. (If you use Windows, both Microsoft and Avast provide free basic antivirus utilities.) If you suspect that your computer might have been infected, most employers and independent technicians will be able to wipe the machine and reinstall your software so the malware is removed. Be sure to make a backup of any data before this process begins, and work with the expert to ensure that the data you copy is not harboring the malware.
Remote backups, where your local files are regularly copied to a remote server, are generally a good idea. They are another way to protect your information should you lose access to your local machine. Be sure that the data being sent is encrypted along the way, and that access to the backups is controlled. (See section on Protecting External Data.)
If you expect situations in which your computer may be seized or inspected—at border crossings, for example—you may wish to remove confidential information. This is not simply a matter of deleting the file or dragging it to the trash. It is often relatively simple to recover files that have been deleted via a computer’s usual methods. If you want your data to be truly unrecoverable, you need to use additional software specifically designed to securely remove data. Either use your computer’s “secure delete” feature, if it has one, or download in advance third-party software such as the free Windows program Eraser.
Not all the information you keep on your computer or smartphone is kept locally. You may store data “in the cloud” on sites such as Google Documents, on Web mail services such as Gmail or Yahoo, or on hosted social networking services such as Facebook. If you are concerned about access to private information, you should consider the security of external data, too.
Internet companies do hand over private data in response to government demands when they are required by local law or have close economic or political ties to authorities. However, access to cloud-stored data is as often obtained through deceit as through due process. Your attackers may obtain your log-in or password, or otherwise masquerade as you to obtain access. Choose your passwords and security questions carefully to prevent this. Always use an encrypted connection, provided by either the Internet service via “https” or your own software. (See section on Choosing a Strong Password.)
Don’t simply protect private online data; consider what you’re revealing in publicly available online venues. Social networking sites often err on the side of telling everyone everything you tell them. It’s worth regularly treating yourself as the target of some investigative journalism. See how much you can dig up on your own movements by searching the Web, and how that public information might be misused by those who wish to interfere with your work.
Strong password protection is by far the best general security you can give your data. But choosing an unbeatable password is harder than it sounds. Many people are shocked to discover that their ingenious choice is actually among the most popular passwords. Software allows attackers to generate millions of the most likely passwords and then rapidly test them against a password-protected device or service. Traditional choices for a secure password—a simple dictionary word and a number, for instance, or a word with key letters replaced with punctuation marks—will fall prey to these attacks if they are too short.
Opt instead for a “pass phrase,” a unique quote or saying that’s longer than the average eight-character password, mixed with random punctuation. Pick a sentence from a favorite (but obscure) author, or some nonsense phrase that will stick in your mind. Mix lowercase and capital letters. The longer the password, the more likely it can resist automated methods to crack it. A good way to construct a strong, memorable pass phrase using just a pair of ordinary die is described at www.diceware.com.
If you use a lot of passwords, consider a password manager—software that will generate unique passwords and store them securely under a single pass phrase. Make sure that single pass phrase is a strong one. Be aware of the answers you give for the “security questions” (such as “What is your mother’s maiden name?”) that websites use to confirm your identity if you do forget your password. Honest answers to many security questions are publicly discoverable facts that a determined adversary can easily find. Instead, give fictional answers that, like your pass phrase, no one knows but you. Do not use the same passwords or security question answers for multiple accounts on different websites or services.
Finally, understand that there is always one way that attackers can obtain your password: They can directly threaten you with physical harm. If you fear this may be a possibility, consider ways in which you can hide the existence of the data or device you are password-protecting, rather than trust that you will never hand over the password. One possibility is to maintain at least one account that contains largely innocent information, whose password you can divulge quickly. Software like TrueCrypt offers this as a built-in feature.
Increasing security is never perfect, and it always has trade-offs. Only you can determine the balance between efficiently conducting your work and protecting against attacks on your data. When considering solutions, be honest about your capabilities and don’t impose impossible security protocols on yourself. Encrypting your email, securely deleting files, and using long passwords won’t help if, realistically, you won’t follow those habits in the field. Think instead about fundamental steps that you will actually do. If you are more worried about technical attacks than physical seizure, for example, consider writing notes in a paper notebook instead of a Word document.
If you are facing sophisticated technical attacks, the best approach may be simple and minimal. Only you can judge the pros and cons. It’s not a “cybercrime” to keep your long passwords written down on a note in a safe place. At least if somebody steals that, you’ll know it’s time to change them. Just don’t put those passwords on a post-it note stuck to your office wall.