A journalist researching a story about a sensitive document that puts his local government in a bad light worries authorities will snoop on his computer, so he uses sophisticated encryption tools to store and email the document. But then, he picks up his home phone and talks openly about the story with his editor. Perhaps it has not crossed his mind that the people most interested in keeping that sensitive document a secret don’t have the capability to get in his email, but that they can easily tap his phone.
This is a hypothetical example, but it is the kind of mistake that journalists regularly make when considering their security plans. Sometimes we feel the need to use tools against threats we don’t actually face, while ignoring risks that are more likely.
The increasing amount of work journalists do in the digital realm makes it critical that we protect our activities. In the old days we could just put our documents in a locked file cabinet and conduct our conversations face to face to avoid eavesdropping.
Today, there is a wide variety of threats out there, and each type of threat requires a different protective measure in response. On the Journalists at Risk map that tracks attacks against the press in Mexico, we have documented several cases of hacking, Denial of Service attacks, and theft of computers and mobile devices that can compromise a journalist’s information. Not to mention that there are probably many cases of reporters and editors having their phones tapped without their knowledge.
Today, a digital security plan is essential for journalists, but the specifics of each plan will vary because it depends on assessing the particular risks each person faces. In the workshops I conduct with Mexican journalists as part of my ICFJ Knight International Journalism Fellowship, I hear a lot about the different threats journalists face in the digital world. One important aspect of the training is to make participants aware that the tools that are best for them may not be the best ones for their colleagues.
Formulating your personal plan for digital security begins by establishing your own likely risks. For that, you need to know who or what might be a threat to you, what their capabilities and intentions are, how willing they are to attack you and finally, what your own vulnerabilities and strengths are.
Here are five questions that will help you decide which tools or techniques you should be using:
1. What activities or information do you need to protect?
There are many digital activities that merit protection, such as communication (emails, messages, phone calls); storage (either in a cloud or on a device); web browsing; social networking; using location-aware tools and devices; and saving passwords.
To make these activities safer, you should take certain actions all the time: Always use antivirus software, strong passwords and strict privacy settings. That will protect 90 percent of what you do online. You can save other methods, such as secure communications or storage, for something specific like a sensitive story.
2. Who wants to attack you?
The most immediate threat for journalists comes from their sources or the subjects the journalists cover, but there may also be unknown attackers interested in their activities or information.
3. Who has both the will and the ability to do harm?
A person interested in knowing a journalist’s digital activities might have a great will to obtain that information but not be capable of doing it. Conversely, there may be people or entities with great capabilities but that couldn’t care less about what the journalist is up to. However, keep in mind that someone with low capability but great will might work to improve his tools for hacking or eavesdropping, or that someone with low will but great capabilities might later develop the desire to tap into a journalist’s digital activity.
4. Where are your vulnerabilities? How are you interacting in the digital world?
What email service do you use, and how secure is it? Do you store data in encrypted or unsecured cloud services or devices? Is your phone’s GPS function always on so that everyone knows where you are? Keep in mind that whether or not you should activate your GPS depends on your situation. Most of the time, you are more secure if you leave it off, but in some cases, like working in a dangerous environment, it can help keep track of your whereabouts in case something happens and loved ones need to search for you.
Do you post information about your private life in social networks? If so, who can view that? How protected are your mobile devices? If someone stole your mobile phone, for example, how easy would it be for them to get information from it?
5. What are your strengths, and what tools are you already using to lower your vulnerabilities?
Knowing the vast array of digital security tools that are available can help journalists turn weaknesses into strengths.
There are dozens of tools available to improve our digital security but they all depend on whether they attend to our needs, and the only way to find out is to have our personal risk evaluation to know exactly what we’re looking for.