3 Technology Security


Information Security: With Former CPJ Internet Advocacy Coordinator Danny O’Brien


In the course of reporting, you use technical tools all the time—a laptop on which to write articles and do online research; mobile devices to make calls and send email; cameras for photography; and recorders for interviews. These may be combined into one device which does many tasks. These devices contain a wealth of information necessary to your reporting.

This section is about secure use of these tools. This means protecting your information: ensuring you do not lose materials crucial to a story, and keeping confidential information private. It also means ensuring that these tools work when you need them—even if someone is trying to interrupt their use.

If you are working in the field, digital files might be the most precious items you carry. Losing notes or materials like photos and videos can derail a story. Letting your contacts list or itinerary fall into the wrong hands can put you or a source at risk. Allowing your tools to be confiscated, destroyed, or interrupted can prevent you from pursuing a story at all.

Digital attacks on journalists continue to increase in both quantity and sophistication. In China, foreign correspondents have seen their personal computers infected with surveillance software that was concealed as attachments to carefully fabricated emails. Authorities in countries from Ethiopia to Colombia have accessed reporters’ telephone, email, and text conversations. Government players are not the only ones who use digital surveillance and sabotage; large criminal organizations increasingly exploit high-tech opportunities. Opportunistic or “patriotic” computer criminals also target journalists working with valuable or controversial data.

In the end, good information security is rarely about fending off sophisticated attacks and Hollywood-style hackers. It’s about understanding what you have to protect and the motives and capabilities of those who might want to disrupt your work, then developing consistent habits based on those assessments.

Planning for safety

What to protect

What things do you want to protect and what do you want to protect them from? The things you want to protect are assets; things that could go wrong are risks. For now, don't worry about who might attack you or how they might do it—instead, think only about assets and risks.

There are usually three risks you might think about:

  1. Loss. When your hard drive dies, your phone gets smashed, or you lose your camera's data card.
  2. Disclosure. Someone learns something that you would prefer to keep private.
  3. Interruption. Your network connection stops working, you can't send an email, or your phone doesn't have a signal.

When considering what you want to protect, imagine what's important to you to get your job done or to an adversary who wishes to disrupt your work. This may not be obvious, so it's worth careful reflection. Even if your work is largely transparent, there are still tools you rely on and material that should remain private.

Reuters Consider whether the information that sources have given you could put them in danger if disclosed. Some things may seem innocuous in one context, but present a danger in another. Access to your Israeli contact information when covering a story in an Arab country (or vice versa) can cause problems for all concerned. Even personal and travel-related information you've previously shared online could trip you up in another context.

Some assets are clear. You probably don't want to lose or disclose the files on your computer and mobile devices, and temporary interruptions would disrupt your work. Some assets are more ephemeral. You (and your sources) would probably prefer that your current location and location history not be disclosed. Likewise regarding a list of the people you communicate with and when, or a list of the sites you visit online while researching a story.

You also rely on technical resources to work effectively. How much would your work be disrupted by interruption to your email or to your ability to make phone calls or research on the Web, or even interruption of your network access entirely? It's worth making note of online services you rely on. Do you work on your notes, email, documents, and so on in a Web browser; how disruptive would an interruption of your access to those services be?

If you find it hard to keep track of all the tools, data, and resources you rely on, it may be useful to keep a journal of what you use over the course of a week.

Understanding the Threat

Now that you know what you might want to keep safe, it is worth putting a name or face to the ominous “they” who might want to compromise these assets.

Some threats are benign or environmental. Laptop hard drives sometimes die; without regular backup, that data is lost. Some threats come from a malicious actor—a government agent who copies your hard drive at the border, or a private detective who follows you around. It's important to consider both types of threats, but the effects are the same: the actor threatens the integrity of one of your assets.

When trying to enumerate malicious actors, it's important to consider their motivations. Who might want to disrupt your reporting or identify your source? Perhaps they wish to view non-public information you possess. Perhaps a threat isn't interested in you specifically. If a country censors the local Internet connection, that may interrupt your ability to communicate and research while you're there.

It's easy to think of an Orwellian surveillance state analyzing every digital breadcrumb. However, this is not the only threat you may face. Other actors may present much more urgent threats. You may be at greater risk from a specific part of an administration or a specific person such as a local police chief or corrupt government official. Do they have access to sophisticated surveillance equipment or are they more likely to have someone kick down your door and steal your laptop?

Also consider the possibility of attack by supporters or sympathizers of those who dislike your reporting. In many cases documented by CPJ, attacks are not directly perpetrated by governments or political parties, but by unconnected, “patriotic” troublemakers who perceive opposition or foreign media as legitimate targets.

Making a Plan

Technology security has some distinct foibles. It can be very hard to know when someone has rifled through your data. If someone steals your wallet or ransacks your hotel room, you are likely to notice. If someone makes a copy of your laptop's hard drive while you are out of your hotel room having dinner, you may never notice. The harm can be impossible to undo. Once your data has been lost, or someone has learned a secret, you can't get it back.

This is exacerbated by the fact that technology systems are complex, made up of many different parts that are always changing. Not even the smartest and most meticulous technologists can know the workings of every program on their computers, let alone how they interact with other software on the network and where those interactions could be exploited. Even if you’re not an expert on bulletproof vests, you can understand basically what they do and how. Computer security is much harder to comprehend intuitively. Real-world analogies rarely paint a full picture.

This means that your emphasis should be on simplicity. A small number of easy-to-use tools, techniques, and habits are always safest. Complex systems are hard to understand; involved procedures can fall by the wayside when tasks are urgent. Sometimes, effort spent fortifying one activity is unnecessary when there's a simple weak link elsewhere.

Focus on the people who are most likely to wish to interrupt your work, the lengths they may go to do so, and how proficient and effective they are likely to be. Use that knowledge to plan how to protect your work.

Once you have thought about who might wish to disrupt your work, what they might do, and how well they might do it, you can start planning the technical measures you will use to confound their plans. The rest of these suggestions are broad guidance about information security. Detailed technical advice can become out of date quickly, especially if a new vulnerability is discovered in a piece of technology.

Protecting Communications

Communication is the bread and butter of most journalism. When you talk to someone—whether by email, text message, instant chat, telephone, or any of the many other communications services available—you may wish to keep private various details of your conversation. In general, the two most important facts about a conversation are *who* you are talking to and *what* you are saying.

The tools you use may keep track of (and potentially reveal) other details too. Use of a mobile telephone reveals your location to the telephone company and anyone the phone company chooses to reveal this to—potentially including the police or government. Using a communication tool that stores a list of contacts may reveal that list to the service provider (and anyone the provider tells). Information about past conversations (like a phone bill with call times and lengths) can reveal information about communication habits and routines and this may be enough to suspect who was talking or reveal some of what was said, especially when combined with other information.

In cases where it is very important that the identity of a source remain secret, you may have to take somewhat inconvenient steps to avoid leaving a trail that leads back to him or her.

Even when you have a good idea about your adversaries' interests and capabilities, it may be difficult to imagine how they might piece together lots of little pieces of information about your communications to reveal a larger picture. In cases where it is very important that the identity of a source remain secret, you may have to take somewhat inconvenient steps to avoid leaving a trail that leads back to him or her.

It may once have been the case that these capabilities were only available to the very sophisticated or those with deep pockets. Some capabilities are still reserved for the government or police, but many of these tools can be bought cheaply. Professional investigators have access to a powerful menu of attacks and are not always ethical in their use.

Mobile devices

Phone-tapping is one of the most familiar forms of surveillance practiced against journalists. Whenever you make a phone call, the phone company has the ability both to see whom you are calling and to listen to the content of your call. Text messages are even easier to intercept because they are small and easy to store without expensive recording equipment. CPJ has documented cases in which authorities have presented journalists with logs of text messages as an implied threat or as evidence of alleged anti-state activity.

You can mitigate some of this threat by using tools like Signal and Redphone to encrypt calls and TextSecure for text messages. It is normally prudent to assume that these tools hide only the content of conversations—not the participants, timing, your various locations, or other details.

Phones and SIM cards have unique serial numbers and both numbers are reported to the phone company whenever the phone is on. Simply moving your SIM to another phone or keeping the same phone and changing SIMs won't conceal much from a phone company since they can just compare these two serial numbers.

When you carry a mobile phone, it constantly connects to cell towers around you so that incoming calls can be routed to the right tower and reach you. This also leaves a trail of which towers you have been near, providing the phone company with a good record of where your phone has been. Removing the battery prevents this, but be aware of the trail potentially left by several people removing the batteries from their phones just before converging on a meeting. It may be more sensible to remove the battery before departure or to leave the device behind.

You can mitigate some risk by purchasing a prepaid mobile phone anonymously with cash and disposing of it after use. This is sometimes called a “burner” phone. If identification is required to purchase a phone, consider buying a second-hand phone from an existing user. The approach is not foolproof—if you carry around both a burner and a regular phone, or your burner is at your home at night and your office during the day, a careful analysis of phone-company records may reveal that the telephone is yours. Unless your contacts are also using burner phones and careful precautions, your first calls to others' existing numbers may reveal your new number. Some sophisticated analysis may be able to use call records to identify networks—groups of phones that call and message each other in the same way—and this may give you away even if everyone in the group switches burner phones at the same time.

In addition to tracking devices, mobile phones can be used as remote listening devices. Turning a phone off doesn't guarantee that it can't be used this way: for most devices, “off” is really just a very low-power mode. The only way to be sure that a phone isn't eavesdropping is to remove the battery or leave it behind.

Internet connections

If you are using the wireless connection at a public place, others on the same network may be able to snoop on your Web browsing, email, instant messages, what you type into websites, and anything else you do online. If you are at a hotel or similar location, that institution also has the opportunity to snoop on these things. If you are using a private Internet connection (and have secured your wireless network), only your Internet service provider (ISP) knows what you are doing online.

You can hide this information from snoops and ISPs by using a virtual private network (VPN). A VPN encrypts and sends all Internet data to and from your computer via a dedicated computer elsewhere on the Internet, called a VPN server. When configured correctly, a VPN will secure all of your communications from local interception. If you are employed by a media organization, your employer may well use a VPN to allow remote users access to the company’s internal networks. Alternatively, some commercial services allow individuals to rent access to a VPN server on a monthly basis.

From the perspective of the rest of the Internet, you appear to be accessing the Web and other Internet services from your VPN server, not your actual location. That means it can hide your current whereabouts and bypass local censorship systems. VPNs do not encrypt every stage of your data’s travels online. Because your final destination may not understand encrypted data, your information and requests emerge from the VPN server in an unencrypted state. The operators of your VPN server, and intermediaries between the operator and the sites and services you visit, still have the ability to monitor your communications. If you’re defending yourself against a local adversary, such as the government, the VPN server you select should be in another jurisdiction.

An even more sophisticated alternative to a commercial VPN is the free anonymizing service Tor. Tor protects network traffic by encrypting and shuffling the data through several volunteer-run servers before it finally exits onto the wider Internet. The easiest way to use Tor is with the Tor Browser—an anonymous browser pre-configured to use Tor. You can also use Tails—a live operating system that sends all network traffic over Tor.

Many responsible websites protect you by encrypting your communications with them. You can tell whether your connection to a website is encrypted by looking at the address bar in your browser. If the address starts with “https://” rather than “http://” and there is a lock icon next to it, then your connection is encrypted. A snooper will know which site you're visiting but not which page on the site you are visiting or any information you enter. This is especially important for any website you log in to—otherwise an eavesdropper could snoop on your password and log in as you.

A browser add-on called HTTPs-everywhere helps ensure that you use a secure connection wherever possible, but some sites and services don't offer a secure connection. Whenever you browse a site that isn't protected with HTTPs, there's the possibility that an attacker might take the opportunity to inject malware into the page and infect your computer. If you are concerned about this, HTTPs-everywhere has an option to completely disable insecure HTTP—but beware that there are some sites you simply won't be able to read if you do this.

Email and instant messages

Software can encrypt your messages, scrambling them so that only the intended recipient has the ability to decode them. You can choose encryption software designed for specific uses (such as email and instant messaging) and you can adopt methods that encrypt all of your Internet traffic.

The gold standards for email encryption are GNU Privacy Guard (GPG), which is free, open-source software, and Symantec’s Pretty Good Privacy (PGP). They are compatible with each other. Unfortunately, GPG/PGP have a steep learning curve and are difficult to use. If used correctly by all correspondents, they provide a high level of security for the content of your messages, but do not hide who you are or who you are talking to. Many email programs such as Outlook, Thunderbird, and Apple Mail have additional software or add-ons that support GPG/PGP; human rights and media organizations will sometimes offer instructional classes in using them.

If you are working under a repressive regime known to have access to communication providers, consider using an email provider that is based in another country without economic or political ties to your location. You may wish to encourage correspondents to use an email account on the same service when talking to you. There is little point in carefully encrypting your side of a conversation if your correspondent is reading the email insecurely.

When one email service sends a message to another service, there's an opportunity for interception. Some services use encryption when sending messages onward; others don't. If sender and recipient are on the same service, this step is avoided. You can learn more about which services support server-to-server encryption in Google's email transparency report. You can also check a particular service at https://starttls.info. You may wish to check whether your recipient's email provider supports server-to-server encryption before emailing that person. If not, it may be valuable to consider using GPG/PGP or using a different tool to communicate.

Although server-to-server encryption can protect messages passing over the Internet, attackers may try to obtain your archive of previous messages. They might do this by installing software on your computer or that of your correspondents, or by breaking into your email provider. This makes it important to protect your own computer and the passwords of any email services you use. (See sections below on Defending Your Data and Protecting External Data.)

Instant messaging tools like Google Hangout, Skype, Facebook Messenger, Kik, WhatsApp, Viber, and so on can be as vulnerable to interception as email. Many chat programs use encryption to ensure that only the participants and the service provider can read messages or see who is communicating. Some services, such as CryptoCat, use an even safer approach in which only a chat's participants can read messages, but this is less common. Some service providers are willing to hand over chat logs when asked; others are not. Instant message services and their practices are constantly changing, so it's important to be aware of your provider's current practices. The messaging equivalent to PGP and GPG is Off-The-Record (OTR) Messaging, which can be used in combination with most instant messaging software. As with PGP/GPG, OTR requires that both sides of a conversation have the technical skill to install and learn new applications.

Tradecraft

There are many different ways to surveil and intercept electronic communication. When personal safety depends on the security of communications or the anonymity of a source, it may be sensible to dispense with them altogether.

Consider arranging codes “out of band”—that is, not via a channel suspected to be insecure. If you can meet someone in person or have a trustworthy intermediary, you can take that opportunity to arrange certain pre-agreed messages that you can then use online if needed.

Defending Your Data

AP Smartphones, tablets, and laptops can hold vast amounts of data and access to many valuable tools. On the other hand, losing or destroying your phone or computers may mean that you lose a large amount of important information. This also makes phones and computers attractive targets for anyone who wants access to all your work and correspondence, or for someone who wants to disrupt your work. An adversary might simply steal your device or attempt to destroy it, or they may try to infect it with malicious software that provides remote access to your files and all your communications. It is therefore important to protect information in two ways: ensure that it cannot be destroyed, and ensure that it cannot be stolen.

The simplest way to protect materials from destruction or disclosure is to keep them out of harm's way. If you are planning to travel to a riskier environment, consider leaving sensitive information behind and using a separate laptop or simple phone that carries minimal information. It may also be valuable to change passwords to email or social media accounts to something that you cannot remember, and leaving these with a trusted friend or colleague. This will mean that you cannot give up those passwords even if asked. This is not always feasible, but when appropriate, keeping materials and passwords away from a risky environment is one of the safest tools you have.

If you expect situations in which your computer may be seized or inspected—a border crossing or a checkpoint—you may wish to remove confidential information. This is not simply a matter of deleting the file or dragging it to the trash. It is often relatively simple to recover files that have been deleted via a computer’s usual methods. If you want your data to be truly unrecoverable, you need to use additional software specifically designed to securely remove data. Either use your computer’s “secure delete” feature, if it has one, or download in advance third-party software for this purpose.

Confidentiality and encryption

You should always encrypt your computer. Windows’ BitLocker, MacOS FileVault, or the independent TrueCrypt allow you to secure your entire laptop or user account, which is much safer than just trying to protect individual files. Android and iOS devices also have encryption features that can be turned on in the settings. It is important to pick a strong passphrase for encryption. The only thing keeping your data safe is the passphrase, and someone who confiscates your device can use a computer to very quickly guess many possible passphrases.

Lock your computer's screen and use a PIN (not just a swipe pattern) on your mobile device. Although neither of these will stop a determined attacker, they protect you from casual snooping. Make sure to switch off or hibernate (not just suspend) your computer when you leave your work area or you think you may be searched, such as when crossing a border, as this will force an attacker to contend with encryption that is very difficult to attack—rather than a locked screen, which is easier.

It may be useful to keep your confidential information on a USB flash drive, which is easier to carry, hide, and protect. You should, of course, make sure to encrypt removable drives too. Compared with a laptop or even a smartphone, it is easier to carry a flash drive hidden on your person. Additionally, you may want to back up vital documents from your laptop onto a flash drive so that you have a copy if you lose control of your computer.

Even in a newsroom, be alert to people peering over your shoulder when you sign in or read your messages. If you have a particularly dedicated adversary, a hidden camera may serve the same function. Never use public computers in cybercafés or hotels for confidential conversations or to access your USB drive. And don’t enter passwords into public computers.

Malware

Smartphones are a challenge to protect because of their complexity and the rich access that applications, or apps, can get to all sorts of information on the device. Many apps are funded by advertising which depend on gathering information about their users—a lot like surveillance. You can go some way toward protecting yourself by using different devices for work and for personal purposes and only installing a bare minimum of apps on your work device. Never root or jailbreak your device, bypassing the manufacturer's software restrictions, and do not enable installation of software from outside the bundled app store or marketplace.

Don’t click on attachments or links sent by email, even from colleagues, without considering the possibility that the mail may be a customized fake using personal details that an attacker gleaned online.

Governments, criminals, and private actors routinely use targeted delivery of malicious software, or malware, to attack perceived enemies such as independent journalists. Taking advantage of bugs in popular software, malware remotely and invisibly installs itself on computers and can then record your keystrokes, watch your screen, or even upload local files to the attacker. It can be delivered via fake but convincing email attachments and even ordinary-looking websites. Don’t click on attachments or links sent by email, even from colleagues, without considering the possibility that the mail may be a customized fake using personal details that an attacker gleaned online. Use antivirus software on your computer, and keep it up to date; it will be able to detect all but the most sophisticated attacks. If you use Windows, both Microsoft Security Essentials and Avast provide free basic antivirus utilities. If you suspect that your computer might have been infected, most employers and independent technicians will be able to wipe the machine and reinstall your software so the malware is removed. Be sure to make a backup of any data before this process begins, and work with the expert to ensure that the data you copy is not harboring the malware.

Backups

Remote backups, in which your local files are regularly copied to a remote server, are generally a good idea. They are another way to protect your information should you lose access to your local machine. Be sure that the data being sent is encrypted along the way, and that access to the backups is controlled. (See section on Protecting External Data.) SpiderOak is a service that will automatically synchronize files securely—and keep an encrypted copy with the service provider. Crashplan is an encrypted backup tool that runs automatically on your computer and uploads backups securely. The most important thing with backups is that they happen automatically, whether you do anything or not. Life can get busy and distracting and it's best for backups to be seamless and not to require your attention, or they won't happen.

Remote Data

Not all the information you keep on your computer or smartphone is kept locally. You may store data “in the cloud” on sites such as Google Documents, on Web mail services such as Gmail or Yahoo, or on hosted social networking services such as Facebook. If you are concerned about access to private information, you should consider the security of external data, too.

Internet companies do hand over private data in response to government demands when they are required by local law or have close economic or political ties to authorities. However, access to cloud-stored data is as often obtained through deceit as through due process. Your attackers may obtain your log-in or password, or otherwise masquerade as you to obtain access. Choose your passwords and security questions carefully to prevent this. Always use an encrypted connection, provided by either the Internet service via “https” or your own software.

Don’t simply protect private online data; consider what you’re revealing in publicly available online venues. Social networking sites often err on the side of telling everyone everything you tell them. It’s worth regularly treating yourself as the target of some investigative journalism. See how much you can dig up on your own movements by searching the Web, and how that public information might be misused by those who wish to interfere with your work.

 

Choosing a Strong Password

Strong password protection is by far the best general security you can give your data. But choosing an unbeatable password is harder than it sounds. Many people are shocked to discover that their ingenious choice is actually among the most popular passwords. By studying large databases of passwords, attackers can compile vast lists of possible passwords sorted from the most likely to the outright improbable. These lists include tweaks and modifications, like replacing letters with similar-looking numbers or symbols, adding numbers or punctuation to the beginning or end of words, or stringing a few words together. Software allows attackers to rapidly test them against a password-protected device or service. Traditional password choices quickly succumb to these attacks.

Attackers can obtain your password by threatening you with harm. Consider maintaining an account that contains innocuous information, whose password you can divulge under duress. Consider using a passphrase instead of a password. One way to pick a passphrase is to think of an obscure quotation or saying which others are unlikely to associate with you. You can either use the whole phrase as your password, or abbreviate it as suggested by security expert Bruce Schneier to create a truly random-looking series of symbols. For instance:

* WIw7,mstmsritt... = When I was seven, my sister threw my stuffed rabbit in the toilet.
* Wow...doestcst = Wow, does that couch smell terrible.
* Ltime@go-inag~faaa! = Long time ago in a galaxy not far away at all.
* uTVM,TPw55:utvm,tpwstillsecure = Until this very moment, these passwords were still secure.

This approach relies on you to pick a sufficiently obscure phrase and to abbreviate it safely. Another approach is to pick a sequence of words truly at random. You can do this easily using a pair of ordinary dice and the list of words at http://www.diceware.com. Seven or eight words picked this way will create a strong password, but the longer the password, the more likely it is to resist an automated attack. Mentally assembling these words into a humorous story or picture can make such passwords easy to remember.

If you use a lot of passwords, consider a password manager—software that will generate unique passwords and store them securely under a single passphrase. Make sure that single passphrase is a strong one. Be aware of the answers you give for the “security questions” (such as “What is your mother’s maiden name?”) that websites use to confirm your identity if you do forget your password. Honest answers to many security questions are publicly discoverable facts that a determined adversary can easily find. Instead, give fictional answers that, like your passphrase, no one knows but you. Do not use the same passwords or security question answers for multiple accounts on different websites or services.

Finally, understand that there is always one way that attackers can obtain your password: They can directly threaten you with physical harm. If you fear this may be a possibility, consider ways in which you can hide the existence of the data or device you are password-protecting, rather than trust that you will never hand over the password. One possibility is to maintain at least one account that contains largely benign information, whose password you can divulge quickly. Software like TrueCrypt offers this as a built-in feature. This approach relies on giving a convincing performance and the account's contents being convincing.

Conclusion

Security is never perfect and always involves trade-offs. Only you can determine the balance between efficiently conducting your work and protecting against attacks. When considering solutions, be honest about your capabilities and don’t impose impossible security protocols on yourself. Encrypting your email, securely deleting files, and using long passwords won’t help if, realistically, you won’t follow those habits in the field. Think instead about fundamental steps that you will actually do. If you are more worried about technical attacks than physical seizure, for example, consider writing notes in a paper notebook instead of a Word document.

If you are facing sophisticated technical attacks, the best approach may be simple and minimal. Only you can judge the pros and cons. It’s not a “cybercrime” to keep your long passwords written down on a note in a safe place. At least if somebody steals that, you’ll know it’s time to change them. Just don’t put those passwords on a Post-it note stuck to your office wall.

 


Next Chapter: 4. Armed Conflict

Text Size
A   A   A
Article Tools

   

Print Print

Share Share

More On
Journalist Security Guide

Table of Contents

2. Assessing and Responding to Risk

4. Armed Conflict

 



Journalist Security Guide » Jump to: