The International Center for Journalists (ICFJ) is connecting journalists with health experts and newsroom leaders through a webinar series on COVID-19. The series is part of our ICFJ Global Health Crisis Reporting Forum — a project with our International Journalists’ Network (IJNet).
In today’s digital world, safety isn’t just a physical concern for journalists. Increasingly, emails, social media accounts and sources are at risk from bad actors operating on the internet.
During a recent ICFJ Health Crisis Reporting Forum webinar, Harlo Holmes, chief information officer and director of digital security at the Freedom of the Press Foundation, offered key tips that journalists can follow to protect themselves digitally.
Below, we cover her top advice from the session.
Assess your level of risk
Depending on what topic you are reporting on, different kinds of actors might be interested in accessing your emails, sources and more. When thinking about upgrading your digital security, Holmes suggested first thinking about your personal risk assessment: “Who is the adversary that concerns you?”
Adversaries — the organizations and individuals intending to hack you — come in a variety of forms. Some are known as “front door” — law enforcement or intelligence services, who often require subpoenas or warrants to carry out digital surveillance or access attempts. Others are “back door,” such as solo hackers attempting to steal an individual’s identity or account details. Some, like corporations, use both methods.
When considering who is most likely to target you, it’s important to also look at the amount of time, resources and expertise they might have, and prepare accordingly. Law enforcement, for example, often have plenty of time and resources, but don’t always have the highest level of technical expertise. A solo hacker, on the other hand, may be technically savvy, but might decide to cut their losses if it costs them too much time and resources to carry out a breach.
Holmes cautioned that not everyone should see themselves as a target of law enforcement or intelligence agencies. While digital security is important for all journalists, it often isn’t worth spending the time and money on higher security measures if you’re unlikely to be targeted in the first place.
Know your assets
Identifying what assets you have that someone might intend to access is just as important as knowing who may be trying to hack you. For Holmes, structuring these into tiers helps with this process. Information such as your casual contacts, social media posts or browsing history might not be as important as information like your passwords, secure communications with sources or sensitive documents.
To determine what tier your assets fall under, Holmes suggested asking yourself a series of questions that can help assess which require more security than others:
What is important to your own work versus what is important for collaborative group work?
What assets are safe and/or necessary to travel with?
What is personally important to you as opposed to important for your work?
Above all else, Holmes added, journalists should ask themselves: What would present the greatest issue if you lost it forever, and how much of a hit would you take if this were to happen?
With this information in mind, you can begin to set up precautions against digital attacks.
Account security and encryption
While not every hack or act of digital surveillance can be prevented, journalists have a variety of tools at their disposal to make these incidents more difficult for adversaries to carry out. The two most effective are password managers and two-factor authentication.
Password managers store passwords for future use and sync them across devices. They are best protected by a long passphrase of several unconnected words. The reason for this is simple: while a basic eight-character password using letters and numbers can be compromised in hours, it would take decades, or even centuries, to crack an eight-word passphrase. Passphrases are often easier to memorize than passwords and have the benefit of being entirely unique.
Two-factor authentication, meanwhile, helps set up another layer of security. This can come in a variety of forms, from apps and SMS codes to external hardware. Holmes suggested staying away from SMS verification, a frequently used method that nevertheless can be bypassed by someone impersonating you. For instance, they can change your verification number to their own and turn your two-factor authentication against you.
The safest method, Holmes suggested, is a hardware token. Inserted directly into a USB slot on your computer, these tokens prevent anyone from accessing your accounts, whether on that device or remotely, unless they have the physical token.
If using a software authenticator like Google Authenticator, Holmes advised saving the “seed” or backup code in your password manager. This prevents you from being permanently shut out of your accounts if you lose access to the authenticator, for instance by losing a device. That can be just as big an issue as being locked out of your accounts by an adversary.
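Why the saved seed is enough to get back in: an authenticator app computes its codes only from the seed and the current time (TOTP, RFC 6238), so any device holding the seed shows the same codes. The sketch below is an added example, not material from the webinar; the seed is the published RFC 6238 test key, and `verify` is a hypothetical server-side check.

```python
import base64
import hashlib
import hmac
import struct
import time

# Test seed from RFC 6238 (ASCII "12345678901234567890", base32-encoded).
# A real seed is the string or QR code the service shows at enrollment.
RFC_TEST_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    cleaned = seed_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped base32 padding
    return hotp(base64.b32decode(cleaned), unix_time // step, digits)


def verify(seed_b32: str, code: str, unix_time: int,
           step: int = 30, window: int = 1) -> bool:
    """Hypothetical server check: accept codes within +/- window time steps."""
    for drift in range(-window, window + 1):
        t = unix_time + drift * step
        if t >= 0 and hmac.compare_digest(totp(seed_b32, t, step), code):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    old_phone = totp(RFC_TEST_SEED, now)     # device that was lost
    replacement = totp(RFC_TEST_SEED, now)   # new device, seed restored from backup
    print(old_phone, replacement, verify(RFC_TEST_SEED, replacement, now))
```

Because anyone holding the seed can produce valid codes, it needs the same protection as a password, which is why it belongs in the password manager rather than in a screenshot or plain note.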
Finally, for journalists interested in keeping their communications from being surveilled, Holmes recommended using only encrypted websites, signified by the https:// or lock symbol on the browser. While adversaries surveilling you can still see metadata, such as what websites you visit, they can’t access the actual content you send via email, SMS or other means on these networks when properly encrypted.
Although website encryption is now common across Western countries, websites in others, such as many in Africa, or Japan, are still largely unencrypted. Journalists in these countries should keep a close eye on what websites they are using for communication.
Do your homework
As a wrap-up, Holmes recommended a homework assignment for all journalists: sign up to https://haveibeenpwned.com/, a site that notifies you via email if any of the software or websites you used have had their data breached. While this might be scary, it is also one of the best early-warning systems to see if your data has been leaked, so you can then act accordingly.
If a data breach does occur on websites you use, Holmes stressed that it is the company’s fault, not yours.
A hacker who can access your password might be able to enter your bank account or Twitter from there, especially if you use similar passwords. Receiving a notification that this has occurred can allow you to act first and prevent “higher tier” assets from being compromised.
With this information in hand, journalists should be just that much more prepared to protect themselves digitally from whomever might be trying to gain access to their information, protecting both themselves and their sources in the process.