Below are notes and links from the 23 Feb 2017 panel on Cybersecurity for Journalists at Indiana University. More information on the panel can be found here.
You can also view the panel’s introductory slides (PowerPoint).
Install Signal Private Messenger by Open Whisper Systems on your smartphone. It is available for Android in the Google Play Store and for iPhone in the iTunes Store. I realize that it asks for a lot of permissions, which can be scary. The Open Whisper Systems team made the choice to support as much messenger functionality as possible, so that vulnerable users wouldn’t go to less-safe apps because they couldn’t get behaviors they were used to, such as taking photos or videos from the app. You can safely deny whatever permissions you won’t use and the app will handle it gracefully.
Get started on this list of 17 do-able cybersecurity steps. My cohort Craig Jackson and I put it together for CACR’s 2016 Cybersecurity Summit, an event targeted at a primarily non-technical audience. As mentioned in the Journalism panel and at the Summit, it’s not practical to become resistant to all possible attacks. Instead, we take a risk management approach: what is the lowest-cost (in terms of effort and money), highest-return set of changes one can make, gaining as much security as possible without derailing one’s life?
Implement as much of the Basic Cybersecurity above as you can manage, and encourage your loved ones to do the same.
Choose an individual journalist, if you can, or at least a news organization, who has successfully broken a big story in the past without revealing an important source who wished to remain anonymous: if you are not deeply in touch with the journalism community or skilled at operational security, this is your best bet. Get first contact right, and ask for direction on retaining anonymity thereafter.
Implement the Basic Cybersecurity recommendations above.
DO NOT use a mainstream email provider, such as Gmail, Hotmail, etc. When these services answer law enforcement requests, it’s generally through an automated system: they don’t know whether they are giving up protected communications, such as those of a journalist or an attorney, or just anyone’s. Ideally, you use a mail server that belongs to a news organization. If you can’t do that, get a paid email account through a reputable provider such as Proton Mail, NeoMailbox, or FastMail.
Read this guide (PDF) from the Centre for Investigative Journalism. While not perfect, it does a pretty good job of covering tech you should know about, including concepts like secure erasure and email encryption.
If at all possible, you or your news organization should set up a “secure drop” by which non-technical sources can anonymously and securely send you information by internet without having much in the way of infrastructure to do so. You’ll need a security analyst or engineer’s help to do this, but it’s worth it.
Learn a bit about operational security. Cybersecurity matters, but a lot of organizations are still better at good old-fashioned surveillance than they are at cracking into computer systems. Both matter.
Consider that if you are, or are likely to be, working with high-risk stories, you need to have a hacker on hand to help you navigate the technical and operational details of protecting your work. I do this, and if you aren’t local enough to Indiana, I have worked with others around the world who do similar work.
I use the term “Journalism Cohorts” to encompass researchers, publishers, and others who support journalists and work with them on an ongoing basis. Unlike journalists, you are unlikely to directly contact high-value, sensitive sources. Like journalists, your activities can easily give away what stories are being worked on. You work closely with journalists and may be exposed to information about their work that shouldn’t be shared.
For the most part, the recommendations for Journalists apply to you, too.
Consider that you are in a position to be a smokescreen. It’s useful that multiple journalists usually share the same editor, researcher, and so on. Order books for one another, pass things around, buy anonymously with cash when you can. Obfuscation can be a powerful aid in keeping a story quiet. Avoid Kindle books or Adobe Digital Editions (ebook library loans and DRMed PDFs) because their use ends up in marketing databases that are easy to purchase – no one needs a warrant to find out what you are reading. While that marketing data is de-identified, re-identifying it is frighteningly easy.