Digital security for journalists

A free press is a cornerstone of any democracy, with journalism playing an integral role in the transparency and debate that are so important to protecting and maintaining society. Increasingly, we are seeing journalists forced to comply with authoritarian government orders, and repressive regimes of secrecy and gagging designed to hamper the freedoms of the Third Estate.

As technology becomes an ever-present part of this dynamic, it is imperative that journalists have the knowledge and tools necessary to protect their work, as well as their sources and themselves. We’ve put together our top tips for journalists to ensure they are digitally-savvy and prepared for these new attacks.

1. Hide your digital tracks

In 2014, the Australian government approved the mandatory metadata retention scheme, forcing telecommunication companies to provide law enforcement with huge troves of data on every person in the country who accesses the internet.

Whilst this is limited to metadata (and not the content of communications), metadata can easily be re-identified and can reveal sources, locations and other important details. Routing your online traffic through an offshore VPN provider provides a simple privacy curtain over your digital footprints.

You should also be aware of who is tracking you when you visit websites, and what information they are gleaning from you each time. Tools like Mozilla’s Facebook Container do exactly what the name suggests, whilst EFF’s Privacy Badger keeps a lid on various trackers across multiple sites.

You can go one step further if necessary and install the Tor browser, which uses the same routing technique to protect each and every connection you use to access the web.

2. Use encrypted communications

Sending and receiving an SMS uses Australian telecommunication networks, so SMS messages are captured by the metadata retention scheme. Go beyond this, and use an end-to-end encrypted service like Signal. This ensures that your messages cannot be intercepted in transit. There are others on the market (Apple’s iMessage, Facebook’s WhatsApp) but at the time of writing, Signal is the most secure.

Similarly, Skype is a bad choice when it comes to video communication – it’s owned by Microsoft, who Edward Snowden revealed were involved in huge dragnet surveillance operations with the NSA. A free, open-source alternative that boasts end-to-end encryption is Jitsi.

One note of caution: in 2018, the government passed legislation that gave wide-reaching powers to law enforcement that allow them to compel technology companies to break encrypted systems. There are also gag laws attached to this, meaning that we won’t know if and when this occurs. Once an encrypted system has been broken, by providing a backdoor to Australian police agents, it will be compromised for everyone. At the time of writing, it’s thought this hasn’t yet occurred, but it’s a distinct possibility that these systems will soon be compromised altogether.

3. Don’t use email

The systems we use for email are hideously outdated, clunky and riddled with security holes. It’s fine for everyday, innocuous use, but if there is even the remote possibility of sensitive information coming your way, do not get anyone to email you.

Even the advent of encrypted emails (such as using a PGP tool to create keys) is often complicated and open to mistakes. There’s a good reason that lots of media outlets are moving to secure file drop systems such as SecureDrop – because email is awful as a secure communication technique. Ditch email altogether if you think anyone is watching.

4. Be aware of real world threats just as much as digital ones

You’re far more likely to have a breach of security via a real-world encounter than from some Matrix-style hacker. It’s often as simple as someone watching as you type in a password whilst working away in a cafe. Apply your threat analysis to how you conduct business in the physical world.

  • Be aware of your surroundings, both before and after engaging sources.
  • Don’t work with your back to a window or mirror.
  • Apply a privacy screen protector to your device to make it difficult for others to see it.
  • Avoid being separated from your devices (especially at a national border).
  • Cover your webcam and microphone when you’re not using them.
  • Don’t allow anyone to plug anything into your devices. Ever.

5. Strengthen your passwords

Get a password manager. It may seem counter-intuitive to collect all your passwords in one place with a single master key, but it is by far the most effective way of ensuring they don’t fall into the wrong hands.

Human error and our predilection towards simple pass-phrases are often the biggest cause of vulnerabilities when someone wants to guess your password. A password manager such as LastPass or KeePassXC can auto-generate complex passwords and encrypt them for your use across multiple services.

Go one step further and use two-factor authentication on any service that offers it. This ensures that not only do you require a password, but any would-be hacker also requires a physical device that only you carry in order to break in.

6. Protect your files

Your main defences should be common-sense ones that make it harder for anyone to remotely access your systems, or surveil you, or listen in on your work. But once someone has committed to grabbing your information, they will likely just seize your physical device as the easiest method.

Particularly if you are raided by a government law enforcement agency, it’s important that any digital files you hold are as secure as possible on your device. There are a range of options depending on your device and setup – for Windows use BitLocker, for Apple use FileVault or for an open-source alternative, check out VeraCrypt.

Don’t forget to encrypt ALL your devices – not just your laptop. You can easily encrypt your iPhone or other phone to ensure that if it is confiscated, you are making it difficult for anyone to access the information it holds.

If you are working on particularly sensitive material (e.g. leaked Government classified files), consider using an air-gapped standalone computer to house them, along with the above encryption protections.

7. Learn about the surveillance state

Knowledge is the key to any good defence, and when you’re on the front line of protecting freedoms, it’s important that you understand the playing field.

Australia now boasts some of the most invasive and repressive legislation in the developing world when it comes to violations of citizens’ privacy and freedom – in part due to our lack of a charter of rights. We’re also part of the Five Eyes Partnership, which allows the NSA in the USA and GCHQ in the UK (amongst others) to access Australian-collected data and analyse it within their own considerably larger intelligence operations. What happens here in Australia reaches far into the depths of Maryland and Gloucestershire.

It’s also worth being aware of differing laws across jurisdictions. It’s a relatively recent change to USA customs that any visitor is required to provide social media account details as part of a vetting process. But it’s also entirely possible for border guards to force the opening of devices to access information on them. Some have written about the lengths to which some journalists have had to go to protect their information when traversing US borders.

Be aware of the risks, the threats and the growing surveillance state – both here and abroad.

Above all else, remember that there is no silver bullet to good digital security – it is always a series of risk assessments, constantly updating tools and questions about credible threats.

Digital Rights Watch maintains a collection of digital security tools, guides and resources produced by experts around the world. In particular we highly recommend: