A Lebanese journalist uses her mobile phone as she wears a medical mask and gloves at Rafik Hariri University Hospital in Beirut, Lebanon, on February 22, 2020. (AP/Bilal Hussein)

CPJ Safety Advisory: Digital security during the COVID-19 pandemic

The current global health situation has seen changes to the way journalists do their job, with an increasing number working from home instead of an office. This is creating digital security issues for journalists and media outlets who still need to work during the coronavirus outbreak.

Journalists working from home may be using personal devices to do research, speak with sources, and download documents. The inability to have face-to-face meetings has caused many media organizations to adopt online conferencing services, often unaware of what they are giving up in terms of privacy and security.

Journalists who are reporting on the spread of COVID-19 are also at risk of being exposed to malware and scams as criminals target people with misinformation and sophisticated phishing campaigns linked to the virus. These are more of a threat to journalists working without tech support, or using personal devices that have not been secured; personal information could also be at risk if devices in the home are exposed to malware.

Secure your remote office

● Update your devices, including your phone, to the latest operating system. Updates often fix known vulnerabilities in the software that attackers could try to exploit. Configure your devices to update automatically.

● Update apps and browsers to the latest available version.

● Use a password manager to create long, unique passwords and secure your online accounts. Turn on two-factor authentication for all accounts wherever possible.

● Think about where you are storing your documents, especially if you are working on sensitive issues. Create a system for storing work while you are working from home so that you will be able to find it easily when you return to the office. Avoid downloading and storing documents on an ad hoc basis, or on multiple devices.

● Back up your data and research on a regular basis to avoid losing work. Create more than one copy—for example, back up your work to an external hard drive as well as saving it on your computer. If possible, protect your backup with a password, and store it away from your regular workstation.

● Use a virtual private network (VPN) if you are concerned about your internet service provider seeing your online activity, especially if you are carrying out sensitive research. Be aware that a VPN service may also record your internet activity, so research the best VPN service for you, depending on your location and your level of risk.

● Lock all your devices with a PIN or password to deter people from accessing them. Avoid sharing devices you use for work with other members of your household.

● Ensure that your home Wi-Fi is protected with a password.

Communicate more securely

Be aware that online communication services are often collecting personal data on you and the people that you are speaking with. This data can be sold, handed over to governments, or, if the company does not secure the data properly, breached by criminals.

● Do an internet search on any online communication service you plan to use. Check for security vulnerabilities and privacy concerns, and whether the company has suffered any data breaches. If possible, see if the company has been subpoenaed by a government and review what information the service handed over.

● Review the service’s privacy policy to see what they do with your data, how they store it, and how long they keep it.

● Check to see whether the service uses end-to-end encryption. Research the law in your country with regard to using encrypted communications methods.

● Be aware of your own risk profile, and that of the people you wish to speak with. If you or anyone you communicate with is likely to be a target of a government or of an adversary with sophisticated technology, consider whether using these services could put you at risk.

● Back up anything important contained in messaging apps regularly, and delete anything inessential.

● Be aware that many messaging apps store a copy of your messages, including photos and documents, either in a cloud account or on your device. Signal, the end-to-end encrypted messaging service, allows users to delete messages after a certain time set by the user.

● If you are working with low internet bandwidth and need to speak with more than one person at the same time, consider using end-to-end encrypted chat or voice messages instead of video conferencing.

Secure research, phishing, and COVID-19

● Do a regular internet search for common scams and misinformation about COVID-19. This will help you be more informed about documented attacks, including those that are less obvious and more sophisticated.

● Try to use one device for researching COVID-19. This will help limit exposure to malware.

● Avoid clicking on links or downloading documents about COVID-19 on your phone. The small screen makes it difficult to properly analyze the source.

● Think carefully before clicking or downloading information about COVID-19. Consider the source and whether it is reputable.

● Go directly to the source of the information instead of downloading documents sent to you via email, through SMS, or messaging apps. Look up the author of the information online to verify their identity and expertise.

● Research the authors of unexpected messages or requests to take action and verify their identity. Reach out to them directly to confirm they sent the message if possible.

● Use advanced search strategies, such as Boolean search methods, to look up information and confirm the source.

● Be aware that websites from legitimate sources should be encrypted. You can check this by looking for https and a padlock icon at the start of the URL, or web address, in your browser. This means that traffic between you and the site is encrypted.

● Be wary of information about COVID-19 shared in group chats on WhatsApp and other messaging services. There is a lot of misinformation being passed around and some of it may also contain malware.

For more information, consult CPJ’s Digital Safety Kit, also in Español, Français, Русский, and در فارسی. CPJ’s safety advisory on covering the coronavirus outbreak is available in multiple languages.