In our hyper-connected era, struggles for power increasingly take place in the digital realm. Hence, the digital lives of journalists who try to denounce injustice have increasingly become the target of cyber attacks, organised on behalf of powerful players under scrutiny.
A proper digital hygiene therefore has become an essential part of the 21st century journalist’s métier. On the 2017 EIJC & Dataharvest conference, cyber security experts Aslak Ransby and Freja Wedenborg shared their knowledge with investigative journalists to help them protect their online research and communicate with sources without leaving traces.
As journalists, we sometimes do not want to reveal what online searches we carry out and which websites we visit. We therefore need to be aware of the security provisions offered by a website we visit. A URL starting with “https://” and a green lock showing up in the address bar of the browser signal the use the HTTPS protocol that prevents intruders who’ve tapped into our internet connection to overhear the information transferred between our computer and the visited website.
However, the use of HTTPS does not prohibit the storage of data on your computer and on the server of the website you visit. The latter still gets your fingerprint in the form of an IP address, your country, browser version, operating system and screen size. In some cases only this limited information suffices to trace you. Ransby therefore suggests the use of the TOR-browser. Its technology offers close to complete anonymity by channeling the data transfer through an array of three servers between which this fingerprint gets lost, making it incredibly hard for the other side to determine who requested the information provided by their servers.
In other cases we want to protect our confidential conversations, with a source for example. Increasingly, investigative journalists nowadays enable their email program to use the PGP-protocol. This method involves strong end-to-end encryption and can be considered a trustworthy means to communicate. However, installing it requires some effort and technical skills from both communication partners, which in some cases forms an insurmountable barrier.
A more user-friendly solution is offered by the open-source application Signal, which can be installed on smartphones but also has a browser extension. It offers a highly secure platform for instant messaging and file transfers as it does not store any unencrypted data outside of the program and reduces its digital fingerprint to the bare minimum.
And what about Whatsapp or Facebook messenger? Don’t these popular platforms also promise end-to-end encryption through a ‘private conversation’ option? “Private conversations are surely a lot more secure than open conversations,” says Wedenborgs, “but the devil is in the metadata. Those commercial services store way too much information about the exchanges themselves, thereby undermining the level of anonymity.”
As easy to set up as Signal might be, in some situations installing new software is simply not an option; for example when a source does not have the required user privileges or when he or she uses older hardware. In such cases, we might want to fall back on these less secure options. According to Wedenborg and Ransby it all depends on the risk assessment: “Making sure that a manager in a small enterprise does not find out about an employee’s leak to a journalist, is different from dealing with sources that are potentially followed by national intelligence services.”
With secure HTTPS connections having become more widely adopted by web interfaces where information is exchanged, a rise in the number of attempts to break into these devices has been observed over the past years. A notorious practice is ‘fishing’, where parties with malign intentions first present themselves as trustworthy in order to convince you to take actions that give them access to your confidential spheres. A journalist might for instance receive an email with spyware disguised as document with a promising title related to his or her area of research. Or, likewise, one might receive a false invitation to share documents with source through a cloud service with a modified URL-link leading to a fake login page that steals the entered credentials.
But what if we do receive an email with documents or web links from potential sources? The very last thing we want is to dismiss a real whistleblower! Ransby: “A good advice is to avoid opening distrusted documents on your personal computer. One could reserve a spare desktop without any sensitive data stored on it, for that purpose only. Or, alternatively, open such a file in a web application, such as Google Drive. In order to cause any harm, a virus would first have to install itself on the cloud server – and that, is a different kettle of fish.”
Ransby and Wedenborg also remind us that it is key to maintain an everyday security habit: “Do not wait for the red alert!” Also, we should never forget that digital security is always a collective effort. “Protection is only as strong as your network’s weakest link. “So convince those you communicate with to take action!” Finally, Wedenborgs introduces us to the concept of ‘solidarity encryption’: Privacy as a human right can only be upheld in the digital age in as far as the use of encryption becomes mainstream. “Compare it to the offline world: Don’t we find it normal that the bulk of our written communication does not come on postcards, but in envelopes instead?”
by Christaan Colen, Creative Commons License