BRUSSELS - As new technologies have taken root in national and transnational journalism globally, cyberattacks and digital threats have become two of the most pressing risks for journalists. How are we as a journalistic organisation minimising those risks for the people we work with?
How we are putting the journalist’s digital safety first
Ever since Journalismfund.eu was founded in 1998 (as the Pascal Decroos Fund), the interests of journalists, as opposed to those of media organisations or publishing platforms, have been at the heart of everything we do. Journalists and journalism networks increasingly rely on digital communication and data processing for their work. In order to keep ensuring journalists’ safety in this ever more digitalised environment, we have implemented several thorough changes in our digital security etiquette over the last few years with the help of Berlin-based IT consultant and trainer Benedikt Hebeisen.
Secure application platforms
Our application platforms all make use of the HTTPS protocol, which means communication to and from the server is encrypted in transit and cannot be read even if intercepted. The data is stored on a server hosted by one of the most reliable hosting companies in Belgium.
No Google Drive
In order for our juries to decide whether or not a story gets funded, and for us to offer funded stories the necessary support, we need certain data from applying journalists. It is important for us to be in full control of that data, not only to be in compliance with the GDPR legislation but also to make sure that we know what exactly happens with it. After all, the stories our grantees are researching often deal with (highly) sensitive issues. The question of where to store our data is one that we had been struggling with for several years.
We used to rely on Google Drive for file sharing and even though it worked well, it basically meant that we put our and our journalists’ data in the hands of an American company without knowing what it did with that data. We have now switched to the European Nextcloud, where we share our files internally on a secure server that we own ourselves. In Hebeisen’s words: “It is essential for a journalistic organisation that the people you work with trust you and can be sure that you deal with the information they share with you in a confidential and safe way.”
Privacy is key
Transparency is one of our main values. We communicate as transparently as possible about our funding, the journalists we work with, the projects we support and the way we work. We do, however, realise that total transparency can sometimes be at odds with privacy and safety. When journalists indicate that their safety is at risk due to their involvement in a project, we listen. In such cases, we make exceptions to our rule of transparency and allow the journalist in question to publish under a pseudonym or anonymously.
PGP encrypted emailing
We offer journalists the possibility to contact us through PGP, an encryption programme for email communication. Hebeisen says about emailing that “anything you wouldn’t write on a postcard, you shouldn’t write in an unencrypted email either”. In regular email communication, your connection might be encrypted, but the person or company who owns the email server or anyone else who gets access to the server can still read the contents of your mail. That is not the case with PGP-encrypted emails, which only the sender and the receiver can read. So should your mail fall into the wrong hands, it will still be unreadable.
Internal digital security guidelines
A clear cybersecurity policy is indispensable for any organisation, let alone one working with journalists. Hebeisen helped us set up guidelines for our team members. In his view, the most urgent digital threats at the moment are accounts being hacked and hijacked, and lost or stolen hardware. For both of these threats, the solution comes down to password hygiene. Advice from Hebeisen that the Journalismfund.eu team now lives by: use strong passwords (that are long and contain different kinds of characters), never use the same password for different accounts, and wherever possible, try to make use of two-factor authentication.
Two-factor authentication means that even if your password is hacked or your device gets stolen, people still won’t be able to access your accounts because having the password isn’t enough to log in; you need a second factor, too, for example, an app on your mobile device, a USB key or a token generated by another piece of hardware.
We will keep assessing our digital security policy in order to guarantee the safety of our journalists and grantees.
Author: Raf Njotea