In 2019, a journalist not versed in cybersecurity is a sitting duck.
With dozens of reporters murdered and hundreds more imprisoned in the last year alone, freedom of the press across the world has been eroded to its lowest point in more than a decade.
Demonized as the “enemy of the people” by the current “Leader of the free world,” journalists, activists, and citizen bloggers are facing ever-increasing threats from authoritarian and democratic governments alike, with state-sponsored hackers targeting anyone daring to speak up, while spyware companies hack reporters just to impress their clients.
To be a cyber-defenseless journalist in this day and age is not only dangerous – it’s plainly foolish. Whether you’re a reporter in Turkey or an investigative journalist in the UK, being hacked or having your data seized is no longer a distant possibility. It might be only a matter of time.
Moreover, it’s not necessarily you who might be in danger. If your work involves communicating with sources that provide you with any kind of sensitive information, these contacts might be threatened as well. Which is why learning how to protect both yourself and your sources online should be your top priority this year.
And that’s what we’re here to assist you with. To help you stay safe online, we’ve compiled a list of privacy tools and good practices that should aid you in forming your own cyber defense strategy. While there’s no easy “one size fits all” technical solution to the digital dangers of being a journalist in 2019, there’s plenty of options to pick and choose from according to your actual needs.
With that in mind, here are our cybersecurity tips for journalists.
1. Secure your browsing – Chrome & Firefox
First and foremost, take a long and hard look at your everyday browsing habits.
Merely visiting a website you thought was secure can expose you to a middlebox attack by a repressive government that redirects you to malicious versions of such websites.
Let’s say you live in Egypt and want to download an antivirus program. You go to the official website of the service, but unbeknownst to you, you’re instantly redirected to an exact replica of the download page, with the only difference being the antivirus app setup file that has been injected with malicious code. The code whitelists any government surveillance software on your computer as safe and then installs its own virus onto your hard drive.
To avoid these types of threats, get the HTTPS Everywhere browser extension – a simple tool that helps prevent man-in-the-middle attacks and forces the websites you visit to use the secure HTTPS protocol.
While this won’t be a 100% foolproof solution against sneaking malicious code into your computer, it’s a good first step at protecting your browsing from the most obvious threats.
Then, get JonDoFox to automatically clear your cookies. While this is merely a convenient way to avoid doing this yourself, sometimes all it takes to lose your online anonymity is a single misstep, like forgetting to clear your cookies.
2. Secure your browsing – Tor
If you want to turn your browsing privacy and safety to up eleven, though, you’ll have to use Tor. Despite the numerous controversies, possible vulnerabilities, and bans by authoritarian governments, Tor is still one of the most solid and reliable tools for online privacy and anonymity.
The Tor browser operates by bouncing your connection around a global volunteer-run network of relays, making your communications more difficult to monitor and trace back to you.
Additionally, data on the Tor network is encrypted in layers that these relays peel in order to calculate where to send it next. This means that an individual relay never knows the full path to your data, making it difficult – but not impossible – to figure out what you’re accessing.
Successfully used by less than savory individuals and vilified by every single repressive government, Tor is still listed as the best (and only) web browser by the Electronic Privacy Information Center and used by journalists, bloggers, and dissidents the world over.
Note: if you’re an average run-of-the-mill food blogger in West Virginia, installing Tor might sound like overkill, not to mention its bad rap as “the dark web criminal’s browser.” However, if you’re researching something particularly sensitive such as ISIS communication methods or underground clown fighting for your next groundbreaking article, you’ll probably click at least one link that might raise a red flag or two in certain intelligence communities. To avoid that, you’ll need anonymity features no browser apart from Tor can offer.
3. Secure your passwords
In case you didn’t know, breaking regular complicated 12 character passwords such as “K;lp&$Wnf90-“ is actually a breeze. Unlike keeping such passwords memorized.
The easiest solution to this issue is to use passphrases. Here’s an example: “Thisisthenumber1unhackablepassphrase!”
This sample passphrase contains both lowercase and uppercase letters, a number, and a special character. What’s even better, it’s 37 characters long and it would take a random password generator about 5 sexdecillion (5 followed by 51 zeros) years to crack. And the best part – it’s a piece of cake to remember and should keep you away from the dangerous practice of keeping your passwords on paper notes or unencrypted text files, which is anathema for a cybersecurity-minded journalist.
If memory is not your strong suit, however, there’s no need to panic. Just be sure to use a password manager. A password manager is a special app that stores all your passwords in one secure place. All you have to do is memorize the passphrase you’ll use for the password manager itself.
And last but not least, use 2-factor authentication (2FA) – it will provide an additional layer of protection for your online accounts.
When using 2FA, typing a passphrase to sign into an account is no longer enough: you’ll have to provide a second piece of information – usually a temporary code or biometric delivered by your smartphone, ensuring that whoever tries to access your account will have to have your mobile device on hand.
Be sure to enable 2-factor authentication everywhere you can, but if you’re a journalist, enabling it at least on your email is practically mandatory. There are many 2FA options to choose from, with Authy and Duo Mobile being some of the most highly recommended.
4. Secure your data
Moreover, these cloud storage services are owned by multi-national corporations that have to comply with government requests and hand over your data in case of a warrant.
Alternatively, the peer-to-peer file sharing app OnionShare is free and lets you share files directly with your sources, without any middlemen involved.
Whenever you send a file, OnionShare creates a separate, temporary, and password-protected website for it. Only those you give the URL address and the password to are able to access the file stored on the website that, when opened, establishes a direct peer-to-peer connection between you and the intended recipient. Once the download is finished, you can remove the website, erasing any trace of the transfer in the process.
OnionShare’s only “downside” is that you can only use it via the Tor browser.
Note: if you’re a source or a whistleblower looking to drop a bombshell, SecureDrop is an open-source anonymous file submission system designed just for you. Used by 50+ newsrooms around the world, SecureDrop will help you safely and anonymously send documents to any news organization that has it installed.
5. Secure your hard drive
Once (or before – we don’t discriminate) you’ve chosen a secure file exchange service, do yourself a favor and perform full disk encryption on every computer you own.
Hard drive encryption is an essential part of any journalist’s cybersecurity toolkit. Although an encrypted disk won’t make your desktop any harder to attack over a network, unencrypted files can be read almost as soon as someone gets ahold of your device – after all, bypassing a Windows or MacOS login password is a matter of minutes.
Again, leaving your data unencrypted may not be an issue if you’re covering the upcoming repertoire of your local circus troupe. However, if you’re working with anything particularly sensitive, encrypting your hard drive should be a top priority in case your device gets seized or stolen.
For full disk encryption, we recommend using VeraCrypt, a free tool that is available for Windows, MacOS, and Linux operating systems.
VeraCrypt supports five encryption algorithms, including the industry-favorite Advanced Encryption Standard (AES), and can hide encrypted containers (or virtual volumes) within other disk volumes on your computer.
6. Secure your internet connection – use a VPN
If you’re a journalist, using a Virtual Private Network (VPN) should be a no-brainer – not only for your own cybersecurity but for accessing government-restricted and geo-blocked content as well.
Let’s start with the former. A VPN is an app that routes your internet connection through a secure server (or a couple) in a remote location of your choice, anonymizing your IP address and encrypting your traffic in the process. This makes it much more difficult for your friendly neighborhood online surveillance system to track your online activities and trace your connection back to your device.
What about accessing restricted content? As you probably know, quite a few governments around the world work to keep their online citizens away from the twin abominations of democracy and freedom of thought. One of the many methods they use to achieve this is by blocking access to certain websites for users from inside their respective countries. By routing your traffic through a server in another country, a VPN makes you a virtual citizen of Whereverville, allowing you to access restricted content as if you were a user from another, perhaps less repressive, state.
However, not all VPNs are created equal. While some are “merely” selling your data to marketing companies, others can actually be state-sponsored spyware apps in disguise or just be legally required to provide your data to intelligence agencies due to their jurisdiction.
Which is why as a journalist, you should only use a VPN that is not only technically secure but also has a strict no-logs policy and is not based in China or any of the 14 Eyes countries, such as ExpressVPN or NordVPN. Alternatively, there’s Google’s Outline – a do-it-yourself pseudo-VPN that the company created specifically for journalists.
7. Secure your email (or better yet – get rid of it entirely)
While the use of email is this day and age might sound somewhat old-fashioned and perhaps even obsolete, some journalists still prefer the good old inbox as a means of communication – after all, old habits tend to die hard.
That said, trusting the established tech giants with keys to your email is certainly not something a cybersecurity-savvy journalist would do. Needless to say, both Google and Microsoft will provide government agencies with your data without batting an eye, not to mention tracking you for their own marketing purposes.
Fortunately, there are secure alternatives to these less than privacy-minded email providers. Two of these are Kolab Now and ProtonMail – email services built on open-source code and based in privacy-friendly Switzerland.
While ProtonMail offers email encryption by default, Kolab Now does not – which is why, in case of choosing Kolab Now, you should use an email encryption extension for your browser.
If you want to push your email anonymity even further, you can use the “dead drop” technique. Used by secretive teenagers and clandestine dissidents alike, a dead drop is, simply put, an unsent message left in the Drafts folder of a webmail client that acts as a live document.
By providing your source with the username and passphrase of a webmail account, you can exchange messages or attachments without actually sending anything to each other. While not strictly foolproof, the dead drop technique can help you minimize some traces of your traffic.
8. Secure your messaging
Our previous warning about trusting the big corporations with your data also applies to the messaging apps you use to communicate with your sources and colleagues.
Using popular organizational chats like Slack, Skype, or Google Hangouts should be out of the question due to logging, security vulnerabilities, and possible backdoors.
And this is where Signal comes to the rescue. While it looks like your ordinary chat and VoIP call app, Signal is focused on protecting your privacy from the ground up. To start with, you get end-to-end encryption for your messages, texts, and even voice & video calls. This means that attackers cannot decrypt your communications remotely – they would have to obtain your device before attempting to decipher the data.
And if you turn on Signal’s self-destruct feature that allows you to automatically delete your conversations after a set amount of time, even having your device in the wrong hands might not yield the attacker any valuable data.
While many other messaging apps such as the Facebook-owned (oops!) WhatsApp offer end-to-end decryption as well, they still have access to your metadata, which means they know who you were in contact with and when. As a privacy-focused app, Signal neither collects nor stores any metadata – even if the authorities try to strongarm Signal into handing over your comms, they’ll come up empty-handed.
9. Secure your search
Whenever you google something on the internet, everything you type into the search bar is stored on Google’s servers, including your IP address – even if you don’t have a Google account. This means that your browsing activities can be reconstructed and linked back to you.
Let’s just assume you don’t want that to happen.
To search securely, you’ll have to use a privacy-focused search engine that doesn’t keep logs of your web search queries. Our recommendation is to use DuckDuckGo – a search engine that doesn’t collect or store your search queries or metadata anywhere.
While your search results may be different than those offered by Bing or Google, it’s a small price to pay for keeping your browsing secure.
Note: back in January 2018, DuckDuckGo launched their Privacy Browser app for Android and iOS that’s also available as a Chrome extension. It’s built around the DuckDuckGo search engine and gives each website you visit a grade based on its privacy practices, as well as shows you which web trackers it blocked from monitoring your browsing activity. While not strictly essential for a journalist, this DDG app can be a useful little utility tool if you want to keep track of how you’re being tracked by seemingly innocuous websites.
Check out our list of Best Private Search Engines.
10. Secure your operating system
Now that we’ve introduced you to such state-of-the-art cybersecurity tools as Tor, Signal, and OnionShare, what about securing your entire operating system? Well, we’ve got that covered as well.
Tails OS (aka The Amnesiac Incognito Live System) is the probably most popular Linux distro among privacy and cybersecurity enthusiasts, including journalists and dissidents.
Practically speaking, Tails is a Linux-based operating system you can run from a USB drive or an SD card – it will only load into your device’s RAM, leaving no trace of its (or your) activities on your hard drive once you’re done using it. Naturally, you can also use Tails in a “persistent” mode where you can partition off a part of your USB drive to encrypt and store your files persistently.
One of Tails’ major advantages is that it’s much more secure than the usual operating systems such as Windows or MacOS, which can be much more easily compromised to steal your data.
As was the case with Tor, using Tails as your main OS won’t be necessary unless you want to go full cybersecurity nerd or you feel that whatever you’re writing about might land you in hot water, whether metaphorically or literally.
11. Secure your sources
With all this in mind, make sure to also relay these tips to your sources. If they’re not privy to anything you’ve learned about cybersecurity for journalists from this article, it doesn’t matter how secure things are on your end. Once the other party makes a mistake, your whole relationship might be compromised.
After all, not every source knows how to become anonymous online or how to securely deliver sensitive information, which may result in them leaving a trace the size of bulldozer tracks on a narrow pathway.
Since you don’t want that to happen, make sure you never forget to educate your sources about cybersecurity.
12. Finally, secure your enthusiasm
While it’s great that you just went over a list of cybersecurity tips on the internet, don’t think you can 100% reliably secure yourself against every possible threat in the digital world, especially as a journalist in 2019.
Yes, these tips will certainly make you safer, but when a journalist or activist thinks they can go toe-to-toe against the entire intelligence apparatus of a world (or regional) power, they’re being delusional.
Investigative journalism is a dangerous profession. It always has been. Which is why the best journalists never allow themselves to be lulled into a false sense of security. Because they know it’s not cybersec tricks that will ultimately save them – it’s their stories. Stories that start revolutions and end regimes.