Cybersecurity and digital privacy are major concerns for today’s journalists. As more journalists work remotely, the amount of time we spend online continues to grow. With online threats becoming more prevalent and sophisticated, we must understand how our data might be compromised and what to do to protect it. This is especially the case for investigative journalists who face more significant digital security threats given the sensitive information they handle. But the digital footprints we leave behind don’t just impact us professionally. Not adhering to digital hygiene best practices can also compromise us and our contacts personally. The good news is a tremendous amount of digital security resources, tools and information exist online to help safeguard you and your data.
Are you doing enough to protect your data?
To help you brush up on your digital security knowledge, we caught up with eight cybersecurity and privacy professionals to crowdsource their best tips for managing your data more securely. Read the edited Q&A below with our panel. Topics include:
- The biggest threat to internet privacy for journalists.
- Whether journalists can genuinely investigate anonymously online.
- Which aspects of privacy media professionals should safeguard.
- Keeping your personal information secure when using cloud storage and file sharing.
- Must-have privacy tools for journalists.
- Advice for media professionals on protecting their sources and information.
- How journalists can balance the promotion of their work with their online privacy and safety.
Our panel:
- Naiara Bellio, Maldita Tecnología’s coordinator
- Chris Dufour, an independent consultant in digital privacy, security and disinformation research
- Valentin Franck, software developer at Tutanota
- Nicola Nye, chief of staff at Fastmail
- Sasha Ockenden, communications coordinator at Tactical Tech
- Laura Tich, information security practitioner and co-founder of SheHacks_KE
- Henk Van Ess, a journalist specialising in open source research, social media filtering, and privacy
- Viktor Vecsei, communications officer at IVPN
1. What is the biggest threat for journalists when it comes to internet privacy?
Viktor Vecsei (IVPN): The biggest threats journalists face vary – it depends on which country they live in, issues they focus on and the type of adversaries they might face. Each person’s situation is unique. At least basic levels of privacy protection measures must be in place to avoid personal threats from readers disagreeing with their mission, harassment by government officials or getting targeted with disinformation campaigns. Two distinct areas are important to consider: protecting their identity when doing investigative work or research and protecting their personal privacy when publishing materials and disseminating them on social media. Each requires different tools and techniques and they need to consider how, what and when they access and share to minimise threats.
Sasha Ockenden (Tactical Tech): We are all immersed in technology and data – and the pandemic has only exacerbated this. The major privacy issue for all of us, including journalists, is how to compartmentalise our private and professional activities, and make sure that the tools we use for one do not affect the other. For journalists in particular, given the potential consequences of sensitive information being exposed, it is more important than ever to understand how data is collected, stored and (ab)used. The fast-changing nature of online tools and platforms, and the ways they are regulated in and across different jurisdictions, can make it hard to keep on top of. This is especially the case for those who consider themselves less tech-savvy. Tactical Tech’s Data Detox Kit provides clear suggestions and concrete steps to keep control of all aspects of your online life, make more informed choices and change your digital habits in ways that suit your private and professional lives.
Chris Dufour (Digital security consultant): There is no single "big threat" in terms of a specific piece of malware, hacking technique, or attacker. That's the threat: the internet is iteratively changing and evolving daily, sometimes hourly. As such, it can be virtually impossible to fully secure oneself, and even if you could, there are corollary vulnerabilities in the form of those around you and the information they share about you: your family, friends, coworkers. I believe the biggest threat is the individual's degree of skill and time spent securing themselves against the attack and undue influence.
Valentin Franck (Tutanota): There are several threats to privacy in today’s internet. Journalists are affected by those in particular because they are more likely to hold sensitive information than the regular internet user. First of all, large parts of the internet are tracked by private companies with the primary objective of user profiling in order to sell targeted advertisements. The amount of information gathered by those companies is enormous. The exposed position of journalists and the fact that they can be multipliers means that it is interesting to learn about and shape their thinking and interests for a wide range of actors. Also, state actors might force private companies to help gather information on a person of interest.
Let's get you started.
This is Data Privacy Day 2021 and at DataJournalism.com you can enjoy free and discounted products when you sign up as a member. We are proud to bring you new offerings added to our goodie partners: a 1-year free subscription with Tutanota and a 6-month free secure VPN subscription with IVPN. This is in addition to our existing privacy-related partners who have generously created offers for our community: 1Password, Fastmail and Flokinet.
2. Can journalists genuinely do their work anonymously online?
Viktor Vecsei (IVPN): Complete anonymity is hard to attain online – no single tool or technique can give you that 100% protection. To achieve protection and gain peace of mind, journalists need to accept this premise and target the best level of anonymity in every situation. A combination of tools that require no personally identifiable information to get started – such as secure and encrypted messaging, Tor or a trusted VPN service, no-logs email provider – can give them a reasonable edge against detection by unwanted eyes and ears. Journalists need to keep their threat model in mind (what’s the worst that can happen? what capabilities do my adversaries have?) when deciding on the toolkit they use to mask their identity when working with sensitive information. In straightforward cases, a simple checklist of basic errors one should avoid to get tracked down could be enough. In situations where their lives could be at stake, they need to invest time and resources into proper security preparations to protect their anonymity to the highest extent possible.
Laura Tich (SheHacks_KE): There are no tools or services that can guarantee total anonymity. Total anonymity would mean not just hiding your online persona but also your device and the services you’re accessing. To achieve even a bit of anonymity, you would need to put a lot of measures in place. For example: using an avatar instead of your real identity, using a VPN to encrypt your connection and hide your IP address, changing your MAC address to mask your device, etc. By putting these measures in place, you can achieve some level of anonymity and make it difficult to track your identity. It is, however, important to note that services such as VPNs are not impenetrable and they can still be compromised. Always do your research before using some of the privacy and security tools available.
Sasha Ockenden (Tactical Tech): Total anonymity is difficult, if not impossible, to achieve: we see it above all as an ongoing process which can be achieved to a certain level for a certain length of time. Journalists for whom anonymity is particularly important can use tools like the Tor browser to mask their identity online. Put simply, Tor separates the information that identifies your computer from the web pages that you are accessing. You can find a more detailed guide to using Tor on different operating systems in Security in a Box here.
Valentin Franck (Tutanota): As far as we know, tools like Tor provide good anonymity that gives even powerful agencies like the National Security Agency a hard nut to crack. While there are known technical deanonymisation attacks against Tor, those are hard to carry out in the real world.
3. What aspect of one's privacy should media professionals safeguard when working online?
Laura Tich (SheHacks_KE): Your Personally Identifiable Information (PII) is the most critical piece of data that needs to be safeguarded at all costs. This is mostly because PII is who you are and once this data is out there, it leaves you open to a lot of various attacks from identity theft to access to your personal accounts. It can also lead to attacks against the people close to you. As a journalist, you need to prioritise your needs by considering the following: the areas of your work that create additional risks, sensitive information which your adversaries may find useful and the impact certain attacks would have on you or your organisation. With this in mind, you will have an idea of what aspect of your online security you should prioritise.
Henk Van Ess (Journalist): Use the web as if your screen is, 24 hrs a day, visible on a giant screen in the middle of your town. Would you still say: I have nothing to hide? Know at least your shadow. Minimise harm: this SEC-article from 2005 is still relevant after 16 years, as are these 16 tips.
Sasha Ockenden (Tactical Tech): There are numerous elements which media professionals should safeguard when working online, including their contacts, location data and digital habits. This applies to all devices and accounts they use, as well as the web pages they visit and the platforms they use to communicate. Equally, it is easy to overlook the importance of the digital practices of those you are working with and sources (who may often be even more vulnerable): if they are not safeguarding their data properly, your own privacy and security will be at risk, no matter what you do.
Nicola Nye (FastMail): When you're working, you want to have your information at your fingertips in an organised fashion so you can find what you need easily. You also want to make sure that the emails you're exchanging are kept private and won't be used by third parties to sell you things you don't need. It's worth finding an email provider where usability isn't sacrificed for privacy. Keep your account safe from hackers by using two-factor authentication, build strong passwords you don't need to remember by using a password manager and register your login at haveibeenpwned.com to be notified if your account credentials have been leaked on another site.
Journalists are placing their safety in the hands of those running privacy protection services. Before use, always verify if the developers are trustworthy.
4. What are some suggested tactics for keeping your personal information secure when using online services such as cloud storage and file-sharing systems?
Laura Tich (SheHacks_KE): One of the ways you can keep your data safe is by ensuring that access is restricted to only you or, if it’s a shared drive, that only authorised people can access the files. Strong, complex passwords are important. Having multi-factor authentication will add an extra layer of security. This is important not just for cloud storage but your online accounts and devices as well. If, for example, a hacker cracks your password, they would still need a code or a YubiKey in order to access your file. Another way of protecting your cloud data is by checking your connected accounts and apps. In many scenarios, attackers may not try to directly access your cloud storage but they will leverage apps or accounts that are connected to your cloud account. If you are using a Google account, you can check your linked accounts here. Also, make sure your device is protected. Store your physical devices safely and also have measures to prevent unauthorised access. In case your device is stolen, go to your cloud settings and deactivate that device.
Henk Van Ess (Journalist): The best way to protect your personal information and keep it secure is to not use those services in the first place. Law enforcement and hackers can try to unlock your data in the cloud. Build your own cloud server, a personal one, or get a pod.
Chris Dufour (Digital security consultant): The best method is don't use your personal information ANYWHERE. In almost every setting, there is no reason to share personal details about yourself anywhere online. Use false names, burner phone numbers, non-attributable email addresses, and VPNs whenever possible and always browse with a secure, privacy-oriented browser. If you're a journalist, your organisation should be investing in non-attributable tools and practices to protect your information. Need a secure Dropbox folder to share data? Great! Use your organisation's name and a non-attributable number for each user, not your own name. If your org is not investing in these things or has a security manager skilled enough to help you figure it out, petition your supervisors to hire a reputable digital security consultant to do it for you and train you to do it well in perpetuity.
Valentin Franck (Tutanota): It is advisable to get some information about a service, especially on what it does to protect the users’ privacy because there are huge differences between different services. This information is usually accessible in the privacy statement and if it is a secure service there will usually also be some explanation on how cryptography is used to enforce user privacy. It is recommended that journalists only use online services that provide end-to-end encryption. For instance, an end-to-end encrypted cloud service will only see that the user uploaded some data and who else has access to it. However, the only ones able to read or modify the contents of a file are those explicitly authorised. An alternative to using existing end-to-end encrypted online services is to host your own service. Of course, this requires some technical skill to be done securely, but there are a number of privacy-friendly self-hosted solutions. Nextcloud, for example, is a great cloud collaboration platform that can not only be used for file storage and sharing but also to create polls and organise teams.
5. What are your must-have privacy tools for journalists?
Viktor Vecsei (IVPN): We recommend starting with the following checklist:
- Secure and anonymous file-sharing tool they can receive sensitive materials through without compromising the identity of their sources (e.g. OnionShare or SecureDrop)
- Tor or VPN to hide their IP address and encrypt their connection
- Secure, encrypted email provider that offers the option of turning logs off (e.g. Tutanota or ProtonMail)
- Encrypted messaging app that keeps and shares no data (and metadata) on your conversations (e.g. Signal)
- A password manager that helps with generating and managing secure, distinct passwords (e.g. KeePass or Bitwarden)
Journalists are placing their safety in the hands of those running privacy protection services. Before using any of them, one should always verify if the developers are trustworthy and follow information security best practices. The best approach is soliciting recommendations from knowledgeable sources they trust.
Chris Dufour (Digital security consultant): I always recommend using the following:
- A reliable VPN that has been well-reviewed by a third-party security researcher
- A hardened internet browser that allows you to turn off cookies and scripts when desired
- Multiple devices for different purposes or identities (e.g. a phone for work and a different phone for home life)
- A secure instant messaging app like Wire or Signal
- A service like Abine that allows you to anonymise as much of your digital identity as possible (e.g. Blur out credit card details)
Sasha Ockenden (Tactical Tech): In addition to the tools outlined so far, we recommend using a secure, privacy-conscious browser such as Tor Browser, Firefox, Chromium or Brave, with the following add-ons: HTTPS Everywhere (which makes websites use a more secure connection) and uBlock Origin (which filters content). For instant messaging, such as with sources, we recommend Signal; for sending emails, Thunderbird with OpenPGP; and to keep track of passwords (e.g. for contact databases), a password manager such as KeePassXC. Given the challenges of working remotely and increasingly online, we have published an article called "Technology is Stupid" with recommended criteria on how to assess digital tools, and why some may be more appropriate to use than others depending on the context, including a comprehensive list of tools.
Valentin Franck (Tutanota): Most importantly, journalists need an end-to-end encrypted e-mail service to communicate with their contacts. A messenger app with a focus on privacy and security is Signal. This tool also allows you to make end-to-end encrypted video calls. Tor browser allows anonymous investigations on the web. At the same time, Tor can help circumvent censorship in some countries. Another must-have is a password manager that enables you to use secure random passwords for all of your accounts, while you only have to memorise a single strong password to access the password manager.
If you want to go one step further you should probably make sure your device and operating systems are secure. You should use system encryption and lock your devices with secure passwords or even use specific operating systems like Tails, whose goal it is to protect your identity and data online and physically. For further recommendations see Security In a Box.
Be judicious about promising confidentiality. Keep secrets secret.
6. What advice would you give to media professionals to protect their sources of information? Are they responsible for guiding their sources on how to stay safe online?
Naiara Bellio (Maldita Tecnología): When communicating with confidential sources it is best to use multiple devices so you aren’t associated with a specific device. For example, there are investigative journalists that travel with more than one cell phone and at least two computers. One is their personal device, which probably carries a heavier digital footprint, and the other can be an encrypted device or one that runs an operating system like Linux. At the very least, it shouldn't have personal accounts linked for email, messaging services or social networks. Investigators and journalists also work with these kinds of devices when testing the GAFAM range (Google, Apple, Facebook, Amazon, Microsoft) when connecting devices and the use of their algorithms.
Sasha Ockenden (Tactical Tech): Media professionals absolutely have a responsibility to keep their sources safe, as the source is often the person most at risk. They will often expect you to have an understanding of how to keep the information they are providing secure before you interview them – and this is key to building trust with them. To start with, it should be agreed with sources whether encrypted communication is legally, technically and practically possible (without attracting unnecessary attention). Databases with contacts or sources should be password-protected and interview notes and recordings should be stored and shared safely as mentioned earlier. For more information, check out Exposing the Invisible: The Kit, which includes articles on "How to Manage Your Sources" and "Interviews: the Human Element of Your Investigation".
Laura Tich (SheHacks_KE): As a media professional, it is your responsibility to keep your sources safe. Some of the precautions you should take are as follows: try as much as possible to avoid direct contact with your source in cases where their lives are at risk; if you need to contact them directly, use secure communication platforms such as Signal. Any files shared should be encrypted. Use secure platforms for whistleblowers such as https://afrileaks.org/
Chris Dufour (Digital security consultant): Training, training, training. Professionals should establish an organisational training plan that they themselves employ. Part of that plan should address how to work with sources digitally, from initial contact to ongoing communication and file transfer. Try to keep things as "old school" as possible: meet in person, talk on the phone, take handwritten notes. Avoid putting sensitive documents or photos in places that can be hacked, especially when dealing with sources operating within repressive regimes whose security services do not offer the same respect for privacy as Europe.
Viktor Vecsei (IVPN): Journalists need to take responsibility for the safety of their sources by sharing simple best practices and guides before they start receiving sensitive information from them. Proper preparations are vital during a ‘getting to know each other’ period. They need to act with patience to avoid confusion and development of mistrust before moving on to the information exchange step of a cooperation. For this process they need to learn and verify the technical level and privacy awareness level of their source and do hand-holding to keep them from slipping up, compromising both parties.
7. How can journalists balance a professional online presence with their digital privacy and safety?
Laura Tich (SheHacks_KE): Your safety comes first. Separate your personal life from your work life. For example, you can keep private social media accounts for your close family and friends and have a work account open to the public. Some challenges, such as trolling and harassment, might be unavoidable; find out what actions you can take in such cases. Avoid posting aspects of your personal life that can lead to physical harm (e.g. your location).
Chris Dufour (Digital security consultant): Journalists need more and better education and training on how to audit and manage their digital identities. This is not something that can be addressed once and then it's done. Online security must be carefully nourished and updated day by day as your work changes. To communicate publicly is in and of itself a risk, especially given the unknowns about who owns your data on social media services or what even constitutes your data. Your organisation should develop tested and auditable privacy protection principles for all its members so that there is clear delineation in how you report and promote your work publicly.
Nicola Nye (FastMail): An important step is to understand what security risks you need to protect yourself against. If you think your work might have made you a target to disgruntled individuals or organisations, then protecting yourself from doxing is worthwhile: scrub your personal information from social media and check what comes up if you search for yourself. Use different pseudonyms on different sites to make it harder for a doxxer to link up that @piratequeen on Twitter is also @catspyjamas on Instagram. Using different email aliases on each site you sign up to also helps keep that information separated. If you don't want to share your regular email address with someone you're communicating with, use an alias, which makes it easy to block mail to that address in the future.
Sasha Ockenden (Tactical Tech): Ultimately, the safety of journalists, collaborators and sources has to be the top priority, particularly when investigating highly sensitive information or working in hostile environments. Another article, "Safety First", expands on this with suggestions for good practices, including risk assessment and mitigation. Of course, in reality, a journalist will sometimes have to balance various safety aspects with the need for efficiency in their pursuit of evidence. We call this the ‘Security Trade-off.’ When choosing tools, there may be a trade-off between what is useful, easy to use, or secure. The key is to understand the context you are in, and what you are gaining or giving up by using a particular tool. It is important to identify the points of greatest vulnerability, and at these points, it may make sense to invest in security over functionality or usability (e.g. if a device contains sensitive information, entering a password every time, rather than having it saved automatically, in case of theft). Promoting the results of an investigation is important – but depending on the context, this can also be achieved under a pseudonym or indeed a whole separate digital identity, so that the personal details of journalists or others who might be at risk are not easily accessible to the outside world.
Recommended digital security resources
Make sure to check these guides, reports and resources:
- Surveillance Self-Defense by Electronic Frontier Foundation
- The Global Cyber Alliance's Cybersecurity Toolkit for Journalists
- The Rory Peck Foundation's Digital Security Guide
- First Draft’s training with Chris Dufour on Privacy and security tips for journalists
- Committee to Protect Journalists’ Journalist Security Guide
- Journalist’s Toolbox Digital Security Section
- Freedom of the Press Foundation's digital security training
- Practical Tips for Protecting Your Sources and Materials by the Digital Media Law Project
- Protecting Journalism Sources in the Digital Age, published by UNESCO
- Online Harassment of Journalists - Attack of the Trolls, by Reporters Without Borders
- Tactical Tech's Me and My Shadow project
- Tactical Tech's Exposing the Invisible: The Kit
- IVPN Privacy Guides on IVPN
- An Evaluation of Online Security Guides for Journalists