The workshop had ended, but the attendees stayed glued to their seats and their laptop computers. For a few more minutes, nobody wanted to leave the room. “You scared the hell out of everyone, " one participant told me, "so now we’re all changing our privacy settings on Facebook.”
My fellow trainers and I had just finished a two-day workshop on digital and mobile security for journalists and bloggers with 16 journalists from Mexico City and the cities of Querétaro and Puebla, and the participants all seemed to have recognized the need to adopt safety measures in their browsing, messaging, e-mail and social media activities.
After leading several such workshops as part of my ICFJ Knight Fellowship, I’ve realized that many journalists start out a bit skeptical about the need for digital security. Our pre-course surveys usually show that they are doing little to protect their information and their devices.
But suddenly, they hit on a particular flaw that at first makes them worry, and then makes them act, as they become aware that there are those who might seek to harm them or compromise their work by learning about their activities.
A few weeks ago during a similar workshop in Ciudad Juarez, in northern Mexico, we showed 19 local journalists how to test their password strength using a website that can guess how much time it would take a computer to crack your password. They share their results, most of them ranging from 20 years to a billion years, with the class. When one of them said “30 seconds,” the room burst out in laughter, but the importance of maintaining good digital security was not lost on anyone.
The workshops have focused on how journalists can develop personal protection plans for their digital communications (e-mail, telephone and messages), web browsing, data storage and use of social networks. We help them carry out risk evaluations to assess what type of attack they are most susceptible to, or what type of attacker is more likely to target them.
When talking to journalists about digital security, here are some key approaches that make our workshops more effective. These approaches are also useful for newsrooms and savvy reporters who want to convince others to adopt better security measures:
- Don’t tell each journalist what his or her risks are, because every case is different. It’s better to show them how to carry a personal risk evaluation to detect potential threats, vulnerabilities and strengths and determine if the tools they currently use are unsafe.
- Show them how to tailor their precautions so they don’t waste time protecting themselves against threats they don’t face or ignoring the dangers most likely to come their way.
- Present a wide variety of tools for digital security in several areas (web browsing, e-mail and messaging services, encryption, firewalls and anti-virus, secure data storage) so they can pick the ones that best suit them.
- Be paranoid, but not too paranoid. Some security measures are for general and permanent use, but others are for specific cases, to be used sparingly, so learn when to use them. In other words, you probably don't have to use Hushmail (a private email service) to contact your parents.
- "Use common sense. Security tools won't work if journalists are careless in the way they move or exchange information. Do really want to post personal information on social media for all to see? Or do you adjust your privacy settings? If you receive a confidential document, should you share it with your editor through an email account that could be hacked? And if you use encrypted email, how do you make sure your editor doesn't compromise it?"
- Evangelize, and encourage participants to share the tools with colleagues so that they, too, will adopt security habits. It’s no use if a reporter shares sensitive material over secure means with another reporter, if the recipient then handles the material in the open.
The courses are based on the Digital and Mobile Security Manual for Journalists and Bloggers (in Spanish) written by former ICFJ Knight Fellow Jorge Luis Sierra, who now directs the program. The manual, which is being translated into English and Arabic, has become a popular guide for journalists seeking to add layers of protection to their work.
The key partners in developing these workshops have been local journalists' networks in several Mexican cities, such as the Red de Periodistas de Juárez, Periodistas de a Pie in Mexico City or the Colegio de Periodistas de Chiapas, where we held a course at the end of September. One exciting feature is that each of these networks has among them an instructor trained at a seminar sponsored by Freedom House and ICFJ with the aim to “embed” a qualified trainer among local journalist groups. And these networks have begun to share their expertise amongst themselves. For instance, a trainer from Chiapas was at the Ciudad Juárez workshop and two trainers from Periodistas de a Pie will hold a course for journalists in the city of Cuernavaca.
At some of our workshops at universities in Mexico City, such as the Universidad Iberoamericana at the Center for Economic Research and Teaching (CIDE) we’ve also had the support of SocialTic, an organization that promotes the use of technology in social initiatives. One of its founders, Juan Manuel Casanueva, is a new ICFJ Knight Fellow who is developing civic engagement labs in Mexico.
As we expand the network, our aim is to extend awareness of digital security among Mexican journalists so they won’t be caught off guard the next time somebody wants to snoop.