Cybersecurity for journalists: making a dangerous profession safer
Freedom of the press is under threat - in 2018 alone, dozens of reporters were murdered and hundreds imprisoned around the world.
These past few years have seen activists, journalists, and news bloggers demonized by the President of the United States and persecuted by authoritarian governments. State-sponsored hackers are working hard to handle opposition to the status quo and spyware companies are hacking reporters just to impress their clients.
With all that, being unconcerned with cybersecurity as a journalist is no longer a viable option. Whether you’re a reporter in Turkey or an investigative journalist in the UK, being hacked or having your data seized is no longer a distant possibility.
Moreover, it’s not necessarily you who might be in danger. If your work involves communicating with sources that provide you with any kind of sensitive information, these contacts might be threatened as well. Which is why learning how to protect both yourself and your sources online should be your top priority this year.
And that’s what we’re here to assist you with. To help you stay safe online, we’ve compiled a list of privacy tools and good practices that should aid you in forming your own cyber defense strategy. While there’s no easy “one size fits all” technical solution to the digital dangers of being a journalist in 2019, there’s plenty of options to pick and choose from according to your actual needs.
With that in mind, here are our cybersecurity tips for journalists.
First and foremost, take a long and hard look at your everyday browsing habits.
Merely visiting a website you thought was secure can expose you to a middlebox attack by a repressive government that redirects you to malicious versions of such websites.
Say you’re a resident of Egypt in need of an anti-malware app. You go to the official website of the service, but unbeknownst to you, you’re instantly redirected to an exact replica of the download page, with the only difference being the antivirus app setup file that has been injected with malicious code. The code whitelists any government surveillance software on your computer as safe and then installs its own virus onto your hard drive.
There are a few ways you could prevent something like this from happening, but using the right tools is a good start. You could start by getting the HTTPS Everywhere browser extension, which forces your browser to visit secure HTTPS versions of websites you visit. This should prevent any man-in-the-middle attack you may otherwise fall prey to.
While this won’t be a 100% foolproof solution against sneaking malicious code into your computer, it’s a good first step at protecting your browsing from the most obvious threats.
Finally, download JonDoFox - it will clear your cookies automatically. Sure, you could do it all yourself, but we all know how difficult it can be to remember.
While it’s true that you can make your Firefox or Chrome experience fairly private and secure, they’re certainly not the best you can do for yourself. For complete safety, you should consider using Tor. Despite the controversies, possible vulnerabilities, and bans by authoritarian governments, Tor is still one of the most solid and reliable tools for online privacy and anonymity. Perhaps most importantly - it’s completely free.
When you use the Tor browser, all your traffic is redirected through a network of volunteer relays. Data is encrypted at each stage, making your communications very difficult to monitor and trace. An individual relay never knows the full path of your data and can’t compromise you.
Vilified by every single repressive government, Tor is still listed as the best (and only) web browser by the Electronic Privacy Information Center and used by journalists, bloggers, and dissidents the world over. There’s really just one real caveat - speed.
Note: if you’re an average run-of-the-mill food blogger in West Virginia, installing Tor might sound like overkill, not to mention its bad rap as “the dark web criminal’s browser.” However, if you’re researching something particularly sensitive such as ISIS communication methods or underground clown fighting for your next groundbreaking article, you’ll probably click at least one link that might raise a red flag or two in certain intelligence communities. To avoid that, you’ll need anonymity features no browser apart from Tor can offer.
3. Use strong passwords
What constitutes a secure password is a topic fraught with misinformation, so let’s settle this once and for all. Breaking complicated 12 character passwords such as “K;lp&$Wnf90-“ is difficult, but not nearly as difficult as you would think. Memorizing them, however, is a different matter altogether.
For the longest time, we had been taught to create passwords that are difficult for humans to remember, but quite easy for computers to guess. The easiest solution to this issue is to use passphrases. Here’s an example: “Thisisthenumber1unhackablepassphrase!”
This sample passphrase contains both lowercase and uppercase letters, a number, and a special character. What’s even better, it’s 37 characters long and it would take a random password generator about 5 sexdecillion (5 followed by 51 zeros) years to crack. And the best part – it’s a piece of cake to remember and should keep you away from the dangerous practice of keeping your passwords on paper notes or unencrypted text files, which is anathema for a cybersecurity-minded journalist.
Yet that’s just one way to go about it - enter the password manager. These are special tools that store all your passwords in one super-secure, encrypted vault. Whenever you need to enter your credentials for an account, it’s just one click away.
Last but not least, use 2-factor authentication (2FA) – it will provide an additional layer of protection for your online accounts.
When using 2FA, typing a passphrase to sign into an account is no longer enough: you’ll have to provide a second piece of information – usually a temporary code or biometric delivered by your smartphone, ensuring that whoever tries to access your account will have to have your mobile device on hand.
Be sure to enable 2-factor authentication everywhere you can, but if you’re a journalist, enabling it at least on your email is practically mandatory. There are many 2FA options to choose from, with Authy and Duo Mobile being some of the most highly recommended.
Moreover, these cloud storage services are owned by multi-national corporations that have to comply with government requests and hand over your data in case of a warrant.
While SpiderOak has been praised by Edward Snowden as a secure and privacy-friendly Dropbox alternative, its hefty price tag may be an issue for the more price-sensitive journalist.
Alternatively, the peer-to-peer file sharing app OnionShare is free and lets you share files directly with your sources, without any middlemen involved.
Each time you transfer a file, OnionShare builds a temporary, password-protected, and separate website just for it. No one can access this file unless they have both the URL and password for it. Having both these things, you can get to the website, which will open a P2P connection between you and the recipient. After the download has finished, the website can be removed and all trace of the transfer erased.
OnionShare’s only “downside” is that you can only use it via the Tor browser.
Note: if you’re a source or a whistleblower looking to drop a bombshell, SecureDrop is an open-source anonymous file submission system designed just for you. Used by 50+ newsrooms around the world, SecureDrop will help you safely and anonymously send documents to any news organization that has it installed.
5. Encrypt your hard drive
While you’re certainly more likely to compromise your files in transit, there are other ways you can get in trouble. Therefore, do yourself a favor and perform full disk encryption on every computer you own.
Hard drive encryption is an essential part of any journalist’s cybersecurity toolkit. Although an encrypted disk won’t make your desktop any harder to attack over a network, if your laptop or hard-drive gets stolen, hackers will have little issue accessing your files.
Again, leaving your data unencrypted may not be an issue if you're covering the upcoming repertoire of your local circus troupe. If you’re carrying valuable business secrets or information that can cause real problems with the governments, then encrypting your hard drive is paramount.
For full disk encryption, we recommend using VeraCrypt, a free tool that is available for Windows, MacOS, and Linux operating systems.
VeraCrypt supports five encryption algorithms, including the industry-favorite Advanced Encryption Standard (AES), and can hide encrypted containers (or virtual volumes) within other disk volumes on your computer.
6. Use a VPN
If you’re a journalist, using a Virtual Private Network (VPN) should be a no-brainer – not only for your own cybersecurity but for accessing government-restricted and geo-blocked content as well.
Let’s start with the former. A VPN is an app that routes your internet connection through a secure server (or a couple) in a remote location of your choice, anonymizing your IP address and encrypting your traffic in the process. This makes it much more difficult for your friendly neighborhood online surveillance system to track your online activities and trace your connection back to your device.
Yet there’s more to VPNs than encryption and privacy - there’s also the ability to unblock restricted content. This is true in the case of online censorship, because you’re contacting VPN IP addresses, rather than IPs of blocked services. It’s also true for geo-blocking: by connecting through a VPN server in some other country, you appear to be a resident of that country. Both are useful for a journalist or anyone else who relies on getting information from various sources across the world.
However, not all VPNs are created equal. While some are “merely” selling your data to marketing companies, others can actually be state-sponsored spyware apps in disguise or just be legally required to provide your data to intelligence agencies due to their jurisdiction.
Which is why as a journalist, you should only use a VPN that is not only technically secure but also has a strict no-logs policy and is not based in China or any of the 14 Eyes countries, such as ExpressVPN or NordVPN. Alternatively, there's Google's Outline – a do-it-yourself pseudo-VPN that the company created specifically for journalists.
7. Secure your email
Email is still one of the most important means of communication. This is particularly true for journalists who communicate with sources and publications every day. Therefore, finding a secure and private email service is very important.
The big providers of email (Google, Yahoo, Microsoft, and others) are convenient to use but usually come with lots of privacy issues. Firstly, all of these companies have been victims of massive data breaches over the years, not to mention other privacy scandals. Secondly, none of these email providers offer end-to-end encryption - the only surefire way to ensure the privacy of your email communications.
Fortunately, there are secure alternatives to these less than privacy-minded email providers. Two of these are Kolab Now and ProtonMail – email services built on open-source code and based in privacy-friendly Switzerland.
While ProtonMail offers email encryption by default, Kolab Now does not – which is why, in case of choosing Kolab Now, you should use an email encryption extension for your browser.
If you want to push your email anonymity even further, you can use the “dead drop” technique. Used by secretive teenagers and clandestine dissidents alike, a dead drop is, simply put, an unsent message left in the Drafts folder of a webmail client that acts as a live document.
By providing your source with the username and passphrase of a webmail account, you can exchange messages or attachments without actually sending anything to each other. While not strictly foolproof, the dead drop technique can help you minimize some traces of your traffic.
8. Use private messaging apps
Our previous warning about trusting the big corporations with your data also applies to the messaging apps you use to communicate with your sources and colleagues.
Using popular organizational chats like Slack, Skype, or Google Hangouts should be out of the question due to logging, security vulnerabilities, and possible backdoors.
That’s why we’re glad there are apps like Telegram or Signal. While the latter looks like your ordinary chat and VoIP call app, Signal is built for privacy by design: your messages and calls are subject to end-to-end encryption, preventing hackers from intercepting your communications, and even preventing the messaging service itself from spying on you.
And if you turn on Signal’s self-destruct feature that allows you to automatically delete your conversations after a set amount of time, even having your device in the wrong hands might not yield the attacker any valuable data.
While many other messaging apps such as the Facebook-owned (oops!) WhatsApp offer end-to-end decryption as well, they still have access to your metadata, which means they know who you were in contact with and when. As a privacy-focused app, Signal neither collects nor stores any metadata – even if the authorities try to strongarm Signal into handing over your comms, they’ll come up empty-handed.
9. Use private search engines
Whenever you google something on the internet, everything you type into the search bar is stored on Google’s servers, including your IP address – even if you don’t have a Google account. This means that your browsing activities can be reconstructed and linked back to you.
Let’s just assume you don’t want that to happen.
Thankfully, there are quite a few private search companies in the industry - ones that don’t log your IP address, search queries, or other potentially sensitive data. The most prominent of these is probably DuckDuckGo – a search engine that doesn’t collect your data yet is able to provide an advanced online search experience.
While your search results may be different than those offered by Bing or Google, it’s a small price to pay for keeping your browsing secure.
If you don’t find DuckDuckGo to your liking, there are other alternatives - try StartPage or Disconnect Search, for example.
Note: back in January 2018, DuckDuckGo launched their Privacy Browser app for Android and iOS that’s also available as a Chrome extension. It’s built around the DuckDuckGo search engine and gives each website you visit a grade based on its privacy practices, as well as shows you which web trackers it blocked from monitoring your browsing activity. While not strictly essential for a journalist, this DDG app can be a useful little utility tool if you want to keep track of how you’re being tracked by seemingly innocuous websites.
10. Secure your OS
Now that we’ve introduced you to such state-of-the-art cybersecurity tools as Tor, Signal, and OnionShare, what about securing your entire operating system? Well, we’ve got that covered as well.
Tails OS (aka The Amnesiac Incognito Live System) is the probably most popular Linux distro among privacy and cybersecurity enthusiasts, including journalists and dissidents.
Practically speaking, Tails is a Linux-based operating system you can run from a USB drive or an SD card – it will only load into your device’s RAM, leaving no trace of its (or your) activities on your hard drive once you’re done using it. Naturally, you can also use Tails in a “persistent” mode where you can partition off a part of your USB drive to encrypt and store your files persistently.
One of Tails’ major advantages is that it’s much more secure than the usual operating systems such as Windows or MacOS, which can be much more easily compromised to steal your data.
As was the case with Tor, using Tails as your main OS won’t be necessary unless you want to go full cybersecurity nerd or you feel that whatever you’re writing about might land you in hot water, whether metaphorically or literally.
11. Educate your sources
So you have everything secured on your end - time to get to work, right? Well, yes and no.
It would be an oversight to forget that communication is a two-way street. Securing information on your end is just the beginning because your sources and other people you communicate with should also protect themselves.
With all this in mind, make sure to also relay these tips to your sources. If they’re not privy to anything you’ve learned about cybersecurity for journalists from this article. Once the other party makes a mistake, your whole relationship might be compromised.
Never assume your partners know as much about cybersecurity as you do. Often, they will not, and it may be you who suffers the consequences.
Since you don’t want that to happen, make sure you never forget to educate your sources about cybersecurity.
12. Finally, curb your enthusiasm
While it’s great that you just went over a list of cybersecurity tips on the internet, don’t think you can 100% reliably secure yourself against every possible threat in the digital world, especially as a journalist in 2019.
These tips will help, but don’t get complacent - you’re adversaries certainly won’t. One tip that we haven’t mentioned until this point is the need to always keep your software up-to-date. Various vulnerabilities in the software you use can seriously compromise your privacy on the net. And even then - keep your eyes peeled for news in the industry.
Investigative journalism is a dangerous profession. It always has been. Which is why the best journalists never allow themselves to be lulled into a false sense of security. Because they know it’s not cybersec tricks that will ultimately save them – it’s their stories. Stories that start revolutions and end regimes.