Only universal technical security will keep journalists safe
By Tom Lowenthal, CPJ Staff Technologist
Journalism is an information field — its practice is based on communication with sources, compiling and analyzing information and data, and then publishing and sharing the results. Like most members of modern society, journalists rely on mobile phones, laptops, email, instant messages, and online service providers to conduct their work, but journalism is heavily impacted by technology trends.
Being heavy users of modern information and communications tools has the obvious benefits that come with expedient and efficient technology. Reliance on these tools also exposes journalists to other sorts of threats that we might associate more closely with spies and espionage than with the Fourth Estate.
- Video: On the front line of news gathering
- Infographic: Price of Protection
- Infographic: Physical Safety
- Infographic: Psychological Safety
According to Communities @ Risk, a 2014 report from the Citizen Lab, an interdisciplinary research laboratory based at the University of Toronto’s Munk School of Global Affairs, journalists and other civil society actors are subject to persistent bombardment by targeted digital attacks. These attacks, perpetrated by governments and non-state actors, are conducted across international borders. Their goals are varied: to surveil and obtain access to journalists’ work-product before publication, facilitating the pre-emptive development of a counter narrative; to compromise the identities of journalists’ sources and intimidate, coerce, or discredit them; and to deny journalists the ability to conduct vital work by disrupting their operations, making their resources harder to access, and their work more dangerous.
Unlike traditional assaults on press freedom and the safety of journalists, computer-mediated attacks are incredibly difficult to identify and confirm. CPJ’s traditional research and reporting tactics simply do not have the capacity to verify suspected attacks of this type. Unlike physical attacks on journalists, which have all the characteristic visibility and violence of warfare, technical attacks are best understood as a form of espionage — where deniability, uncertainty, and confusion are not just symptoms, but intended outcomes.
This uncertainty makes mitigation particularly challenging. When the nature of the threat is fluid and nebulous, planning a response can descend into a myriad possible tactics and countermeasures. There are some accessible tactics which bolster anyone’s information security: encrypted storage and communication; strong, unique passwords stored in password managers; multi-factor authentication wherever possible; immediate automatic updates; and selecting defensively written software. These steps bolster security at little cost. But none are absolute defenses; each only raises an attack’s cost and risk of detection. They keep out low-level attackers, and act as a disincentive for higher-level threats, but don’t prevent sophisticated attacks outright.
These basic countermeasures are easy to teach and simple to implement. The challenge is communicating the limits of their effectiveness. Since no simple steps are watertight, it’s important for journalists assessing risk to themselves and to their sources to understand what their standard precautions will and won’t protect, and what vulnerabilities still remain. To talk candidly because of a false expectation of privacy can be dangerous.
Online threats also lack physical attacks’ dependence on materiel and logistics. A first attack may be costly, but conducting that same attack on a different target can be done in moments and at little additional cost. The silence and repeatability of certain attacks mean that this manner of covert compromise can be conducted on a scale far beyond physically attacking or detaining journalists.
Because modern information and communications tools are easy to use and complex to secure, contemporary reporting faces surveillance and espionage challenges that would have been implausible under previous technical paradigms. Reporters’ training and experience rarely prepares them for these risks. Since current tools are so simple to use, it’s easier than ever to take up the practice of journalism without understanding the professional standards that protect journalists, or knowing the risks involved.
Advanced counter-surveillance requires extensive training in a variety of technical and espionage-related skills, time-consuming procedures, and often also requires purchasing and carrying expensive and bulky additional equipment. All of this overhead weighs against the need for journalists to work quickly, communicate easily, and file immediately. Whenever journalists try to go head-to-head with spies, the professionals have the home-field advantage.
News websites are subject to traffic floods (distributed denial-of-service) and other types of attacks from hackers-for-hire presumed to be working for governments wanting to silence critical outlets. There are increasingly accessible countermeasures to such attacks. Commercial service provider CloudFlare and pro-bono Project Shield from Jigsaw (formerly Google Ideas) offer accessible protections against traffic floods and other off-the-shelf attacks.
Because of the covert nature of technical attacks, it is difficult to identify a credible causal link between an attack and a journalist who’s been compromised, such as by arrest or death. Physical attacks following technical surveillance can destroy evidence of the surveillance. With increased reliance on vulnerable technology for mission-critical tasks, disrupting technical tools alone can compromise a journalist’s safety. Any injuries resulting from failure to secure digital information are barely distinguishable from accidents.
The only effective long-term solution is to increase the robustness of popular tools that everyone relies upon. Journalists need to be able to trust that their critical technology is working only for them, and not subject to insidious outside control or surveillance. The only viable path demands increasing computer-security across the board and ensuring that everyday communications tools are resistant to interception and surveillance. Extra training and specialist tools might provide a temporary stop-gap, but universal security is the only successful end-game to protect journalists from these technical threats.
[EDITOR'S NOTE. An earlier version of this web report included an infographic that was removed on February 23, 2017.]