Lesson

Understanding the dynamics of Digital Security

Digital security is vital in protecting journalists and news organizations from hacking, digital attacks and censorship. Cyber and digital attacks on journalists are increasing, but there are ways of defeating them or at least minimizing the risks.

For example, some security precautions:

  • Taking SIM cards and batteries out of phones stops that phone revealing your whereabouts.
  • Learn how to store your information. Put information on a USB device; keep pictures in your camera until it is safe to download. Also, it is important to clear out all your devices before going on assignment and replace SD cards. Store anything sensitive on a remote hard drive or USB drive.
  • Do not let your digital devices out of sight and do not leave them unattended in hotel rooms. Secure your phones, laptops and tablets by turning off geotagging and GPS location and switching to airplane mode.
  • The best advice is to be honest with yourself and assess your own capabilities. If you are worried you are not able to protect yourself against digital attacks, you may wish to consider using a paper notebook rather than a laptop when carrying out a sensitive interview, for example.
  • Technology is increasingly complex; consequently, it is best to embrace simplicity by resorting to a small number of easy-to-use tools, techniques, and habits. Complex systems are hard to understand and often involve procedures that can be forgotten when in complex situations.
  • Stay alert and focus on the people who are most likely to wish to steal your work or otherwise disrupt you digitally. How far are they likely to go? How good and effective are they? That should give you a good idea how far you need to go to protect your work.

Once you have thought about who might wish to disrupt your work, what they might do, and how well they might do it, you can start planning the technical measures you will use to confound their plans. Here are some issues to consider:

  1. Backups

Remote backups, in which your local files are regularly copied to a remote server, are generally a good idea. They are another way to protect your information should you lose access to your local machine. Be sure that the data being sent are encrypted along the way, and that access to the backups is controlled.

Remote Data

Not all the information you keep on your computer or smartphone is kept locally. You may store data “in the cloud” on sites such as Dropbox or Google Documents, on Web mail services such as Gmail or Yahoo, or on hosted social networking services such as Facebook. If you are concerned about access to private information, you should consider the security of external data, too.

Model Course on Safety of Journalists

Internet companies do hand over private data in response to government demands when they are required by local law or have close economic or political ties to authorities. However, access to cloud-stored data is as often obtained through deceit as through due process. Your attackers may obtain your log-in or password, or otherwise masquerade as you to obtain access. Choose your passwords and security questions carefully to prevent this. Always use an encrypted connection, provided by either the Internet service via “https” or your own software.

Don’t simply protect private online data; consider what you’re revealing in publicly available online venues. Social networking sites often err on the side of telling everyone everything you tell them. It’s worth regularly treating yourself as the target of some investigative journalism. See how much you can dig up on your own movements by searching the Web, and how that public information might be misused by those who wish to interfere with your work.

Choosing a Strong Password

Strong password protection is by far the best general security you can give your data. But choosing an unbeatable password is harder than it sounds. Many people are shocked to discover that their clever choice is actually among the most popular passwords. By studying large databases of passwords, attackers can compile vast lists of possible passwords sorted from the most likely to the outright improbable.

These lists include tweaks and modifications, like replacing letters with similar-looking numbers or symbols, adding numbers or punctuation to the beginning or end of words, or stringing a few words together. Software allows attackers to rapidly test them against password-protected devices or services. Traditional password choices quickly succumb to these attacks.
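The three tweaks named above (look-alike substitutions, digits or punctuation at either end, words strung together) can be undone by a self-check before a candidate password is compared against a list of popular choices. The following is an added example, not part of the original lesson; the word list and the substitution table are small constructed samples, and the function names are hypothetical.

```python
import string

# Constructed sample; a real check would load a large leaked-password list.
COMMON_WORDS = {"123456", "password", "letmein", "dragon", "monkey",
                "qwerty", "sunshine", "welcome", "admin", "princess"}

# Look-alike substitutions (assumed set) mapped back to the letters they replace.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# Characters people typically add to the beginning or end of a word.
AFFIX = string.digits + string.punctuation


def reduced_forms(candidate):
    """Yield the candidate with leading/trailing affixes peeled off
    (every combination) and look-alikes mapped back to letters."""
    lowered = candidate.lower()
    yield lowered  # the untouched form, e.g. an all-digit password
    lead = len(lowered) - len(lowered.lstrip(AFFIX))
    trail = len(lowered) - len(lowered.rstrip(AFFIX))
    for i in range(lead + 1):
        for j in range(trail + 1):
            yield lowered[i:len(lowered) - j].translate(LOOKALIKES)


def is_word_chain(text):
    """True if text is one or more COMMON_WORDS strung together."""
    reachable = [True] + [False] * len(text)
    for end in range(1, len(text) + 1):
        reachable[end] = any(reachable[start] and text[start:end] in COMMON_WORDS
                             for start in range(end))
    return bool(text) and reachable[-1]


def guessable_form(candidate):
    """Return the list-derived form the candidate reduces to, else None."""
    for form in reduced_forms(candidate):
        if is_word_chain(form):
            return form
    return None


if __name__ == "__main__":
    for pw in ["P@ssw0rd1!", "5unshine2024", "monkeydragon99", "vq7#Lr2kz"]:
        print(pw, "->", guessable_form(pw))
```

A result of `None` only means the candidate does not reduce to an entry in this sample list; it is not a measure of strength.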

Attackers can obtain your password by threatening you with harm. Consider maintaining an account that contains innocuous information, whose password you can divulge under duress. Consider using a passphrase instead of a password.

One way to pick a passphrase is to think of an obscure quotation or saying which others are unlikely to associate with you. You can either use the whole phrase as your password, or abbreviate it as suggested by security expert Bruce Schneier to create a truly random-looking series of symbols. For instance:

Virtual Private Network

If you want a more sophisticated system to bypass local censorship, there is the Virtual Private Network, or VPN. This encrypts and sends all Internet data to and from your computer via a dedicated computer elsewhere on the Internet, called a VPN server. When configured correctly, a VPN will secure all of your communications from local interception. If you are employed by a media organization, your employer may well use a VPN to allow remote users access to the company’s internal networks. Alternatively, some commercial services allow individuals to rent access to a VPN server on a monthly basis.

From the perspective of the rest of the Internet, you appear to be accessing the Web and other Internet services from your VPN server, not your actual location.

That means it can hide your current whereabouts and bypass local censorship systems. VPNs do not encrypt every stage of your data’s travels online. Because your final destination may not understand encrypted data, your information and requests emerge from the VPN server in an unencrypted state.

The operators of your VPN server, and intermediaries between the operator and the sites and services you visit, still have the ability to monitor your communications. If you’re defending yourself against a local adversary, such as the government, the VPN server you select should be in another jurisdiction.

There are, of course, more sophisticated systems, such as Tor, and new ones emerging all the time.