What journalists need to know about digital security
Journalism has always had a complex relationship with the internet. While the digital realm represents an incomparable tool for accessing information and circulating the news, the internet has also necessitated rapid shifts in the way journalism works and does business.
The need for journalists to understand and integrate digital security practices into everyday life is one of those major changes. Digisec is the protection of your digital footprint (including files and personal information) from surveillance, hackers and other bad actors. This is especially important for journalists, who are often high-profile public figures with key personal information, such as phone numbers, emails and open social media accounts, readily available online.
UNESCO published an extensive report on the increasing digital security threats for journalists, highlighting 12 specific danger areas that also included larger issues of network security for media organizations. Some key examples the report offered to indicate how media producers are impacted at the individual level were “journalists’ movements being exposed through cell phone-linked geolocation data, their personal lives being visible on social media, and their communications meta-data being mined.”
Each of these is easy enough to address and combat through simple tweaks to digital behavior and social media account settings, but journalists are often unaware of those practices and the concept of digisec is rarely taught in schools. This can lead to a big gap in the skills needed to practice digital safety, especially for those working outside the resources and knowledge access of large news institutions. The UNESCO report emphasized the importance of spreading general awareness about the need for digisec practices as the first step to normalizing digital safety among journalists.
Mari Galicer, a Digital Security Advisor for PEN America and IWMF, says there are four main areas of concern that she teaches journalists to be aware of and actively prep their digital profiles to address:
- Digital safety when talking with sources and colleagues
- Digital safety and security when doing online research
- General physical device and data safety
- Online harassment and doxxing
Securing data and devices
Understanding how to protect the identities of sources has always been an integral component of journalistic practice but media professionals are often less knowledgeable about the added element of acquiring, storing, and accessing sensitive data in various digital forms (i.e. documents, photos and audio or video files). Galicer encourages media workers to cultivate a clear idea of what kind of risk profile they have for compromised devices, which can include cell phones, smart watches, laptops, and other tools that connect to WiFi or cell service such as cameras.
TIP: Think about the different digital touchpoints any of your devices may have when they connect to the internet in public spaces.
- Are you using unprotected WiFi networks that don’t require passwords to access? These are much easier to hack.
- Are you using encrypted messaging services such as Signal to connect with sources or share sensitive information, documents, or data among colleagues?
- When working with Google Docs or other files stored online, are you consistently managing who has access and edit capabilities?
It can be difficult to keep up with the complexities of the digital environment and how available data might be used to target journalists or sources. For example, police have been increasingly using photos and videos published by visual journalists to identify and criminalize human rights activists and protestors. To avoid having journalistic work co-opted for police surveillance or the inadvertent offering of information about sources that may put them in danger, be conscientious about your metadata.
TIP: If you are in the home or other private personal space of a source or collaborator who might be targeted, turn off location data on your phone and camera equipment.
Many of these data security considerations also apply to protecting journalists from surveillance by the state and other bad actors. The American Civil Liberties Union (ACLU) and Human Rights Watch (HRW) detailed the implications of increasing U.S. government surveillance of journalists in a 2014 joint report. Journalists around the world increasingly have to contend with being surveilled by their own governments as well as surveillance and interference in their reporting by foreign governments.
One thing to keep in mind to combat these potential dangers is how your search history and other online research practices might be tracked by malicious parties. You want to limit who has access to knowledge of both your physical and digital movements, practices, and conversations.
TIP: Encrypt and protect all the data on your devices (computer, phone, etc.) so that no one besides you can access anything on them. If you’re crossing a border to report in a country with a potentially hostile government, make sure to change all digital devices to be password-protected rather than secured using facial or fingerprint recognition. Police and border patrol can easily unlock your phone using your thumbprint or face, but won’t necessarily be able to bypass a password.
TIP: Galicer says something she wishes all journalists would do is use password managers and multi-factor authentication across all platforms. There are many authenticator app options, but keep in mind that SMS options (text-based 2FA that uses your cell phone number) have some inherent safety issues.
Password managers and 2FA are relatively simple daily practices that can help protect against what Galicer calls a “whole host of abuse that can come at folks who are doing their work online.” Bad actors are emboldened by the relative anonymity of the digital sphere, using it to find and publicly circulate the private information of journalists, a practice known as doxxing. Journalists who are doxxed can have their identities stolen or be inundated by death threats and phishing attempts, among other wide-ranging impacts.
TIP: To combat this danger, Galicer recommends learning how to “dox yourself” or track down all the personal information about you that’s available online. You can then use tools like DeleteMe and other data privacy options to facilitate removing your personal info from data broker websites that are sharing and selling your info online.
TIP: Another relatively quick digisec fix is to perform a social media audit. This entails updating your privacy settings for each of your accounts and assessing how much personal info you might be giving away via your posts, comments and likes. Are you showing where you live, who your children are, what stores or cafes you frequent, what your car looks like or any similar identifying data that could build a physical profile of you from your digital footprint? Consider separating personal accounts from professional accounts so that you can make the personal private while maintaining an accessible public profile as a journalist.
“Digital safety and security should be holistic and practiced over time,” says Galicer. “It’s all a spectrum of safety so doing small things is still a marked improvement toward lowering your risk profile.”
There are so many incredible digisec resources out there for journalists and media organizations that it would be hard to round them all up. The Global Investigative Journalism Network (GIJN) has a massive database of digital security guides, training and other helpful information.
- PEN America & IWMF offer a series of brief tips called Digital Safety Snacks
- Online Violence Response Hub: This is helpful for when you’re experiencing harassment or have already been compromised online.
- PEN America Online Harassment Field Manual
- Access Now has a great hotline, the Digital Security Helpline, for crisis scenarios
- Freedom of the Press Foundation: Thinks about press freedom and safety around more technical topics like digisec.
- Electronic Frontier Foundation: Advocates for all types of digital protections and has resources for community organizers, human rights defenders, trainers, and journalists.
- IJNET: Digital security do’s and don’ts for journalists [QUICK TIPS]
- Committee to Protect Journalists (CPJ): Digital Safety Kit [GUIDELINES]
- Global Investigative Journalism Network (GIJN): Digital Security [RESOURCE LIST]
- ICFJ: Strengthening Digital Security for Journalists and Civil Society Advocates in Asia Pacific [TRAININGS]
As part of my work on the Journalism Source of Safety (J-SoS) tool, I am surveying journalists to better understand what kinds of safety resources are still needed in a crowded field of information. Please take this very brief (5 min) survey to share your experiences with safety training and access to safety resources.
I am also offering weekly listening sessions so that journalists can connect with me directly to talk about their experiences with professional hazards, safety concerns and risk management needs. If you’re interested in talking about any element of safety and security for visual journalists, please schedule a meeting with me here.
I have put together a list of readings and an accessible Google Drive of resources that will be continuously updated over the course of this project and beyond. Please email firstname.lastname@example.org if you have any suggestions for guides, checklists, reports, templates or anything else to add to these living resources.