Journalists in Distress: Securing your digital life

Digital tools and platforms have become extremely important to journalists’ work, but this also means there is a growing number of tools and platforms that can work against journalists as means of surveillance, identification and harassment by States, non-State armed groups and private corporations. Protecting yourself can no longer mean just securing your physical safety; it must also include securing your digital safety—because any breaches to your online life also put your physical life at risk.

When journalists are persecuted for their work, they often seek help from one or several of the organizations around the world that operate emergency assistance programs specifically for them. If you find yourself in this precarious situation, it is important to be aware of the digital security risks that you face even when contacting these programs. Taking steps to eliminate or mitigate these risks will not only protect yourself during your search for help; it will also improve your digital security in the other professional and personal parts of your life.

The following resource offers information, tips and resources about practices that can be implemented by journalists to help them protect themselves from digital vulnerabilities that State and non-State actors can exploit. If you are thinking about contacting an emergency assistance program, making use of this resource will ensure you don’t put yourself at even greater risk. If you have already contacted an emergency assistance program or just want to learn easy, popular or important ways to secure your digital life, this resource will also increase your awareness of the risks associated with the digital tools and platforms you use.

What is the Internet

The Internet is a pervasive component of our everyday lives. We rely on it constantly for our work and personal lives alike. But there are risks, threats and pitfalls aplenty in cyberspace. One way to begin safeguarding yourself against them is to understand how the Internet actually works.

The Internet is a global network of billions of electronic devices and a series of protocols. These protocols are sets of rules that machines all follow to complete tasks (like sending and receiving information). Protocols are like a language that all electronic devices must know; if they didn’t share one language, they wouldn’t be able to understand one another, identify one another and transmit data to one another.

This global network is created through physical cables (copper telephone wires, television cables, fiber optic cables, etc.), microwaves, radio waves and satellites. Data in the form of electrical signals, which today often take ‘binary digital’ form, is transmitted across this vast infrastructure. Everything you do on the Internet is ‘data’, from the moment you connect to each click you make and letter you type.

The World Wide Web (or the Web for short) is a collection of websites you can access through the Internet. The Web is not the Internet. Once you are connected to the Internet, you can access websites through an application called a web browser. The web browser is not itself the Internet or the Web; it is just used to display the websites out there.

When you type in a website URL or click on a search engine result, your device sends a request in the form of an electrical signal to a server. A server is a machine where websites are stored. When the request arrives at the server, it finds the website and sends the correct data back to your device. It knows which device is yours because it can identify your unique IP (Internet Protocol) address, a numerical label assigned to each device that is part of that global network that forms the Internet.

Individual people connect to the Internet by purchasing access from an Internet Service Provider (ISP). Depending on where you are in the world, your ISP either owns the physical cables, waves and satellites or purchases their own access to that infrastructure from multinational corporations who do own them. When you purchase Internet access from an ISP, they give you a physical machine called a router or a modem/router unit that plugs into an electrical outlet. These machines allow multiple devices to connect to the Internet either via Wi-Fi or Ethernet cables. When you connect to a public Wi-Fi network, you are connecting to the Internet via someone else’s router.

Tips for safely connecting to the Internet:

  • It’s always riskier to use a public Internet connection (at an Internet café, library, public Wi-Fi access point, etc.) than a private connection.
  • Connect to Wi-Fi networks that use the WPA or WPA2 (Wi-Fi Protected Access) security protocols. These types of connections are more secure than WEP (Wired Equivalent Privacy).
  • Public Wi-Fi networks can keep records of the devices accessing them. Using a VPN or Tor protects against this.
  • Turn off file sharing and Bluetooth on your devices.
  • In your phone and computer settings, turn off automatic joining of networks and stop your device from remembering which networks you have joined. This will prevent your device from automatically reconnecting to those networks.

Mobile Network Risks

There are key differences between the infrastructure of mobile networks and the infrastructure of computers and the wired or wireless Internet. This can often make the data transmitted over mobile networks inherently insecure.

“Mobile networks are private networks run by commercial entities, which can be under the monopoly control of the government. The commercial entity (or government) has practically unlimited access to the information and communications of customers, as well as the ability to intercept calls, text messages, and to monitor the location of each device (and therefore its user).” – Security in-a-Box

Data that is transmitted to and from your phone, as well as data stored on your phone, is vulnerable in different ways because you connect to mobile networks. And unlike computers, phones are also designed to give out information about their location.

  • Phone providers in most countries are legally obliged to keep records of all communications; sometimes a government has to obtain a warrant to access those records, but not always.
  • Voice and text messages are much easier to intercept using surveillance devices when they take place over mobile networks.
  • The records your phone keeps (call history, text messages sent and received, address book information, photos, video clips, text files) reveal a LOT about your life and can put both you and the people you know in danger. Sometimes it’s impossible to fully secure these records.
  • Mobile phones automatically and regularly tell the mobile network carrier/service provider where they are. In addition, many phones now have GPS (Global Positioning System) features; this GPS data can also be embedded in your photos, SMS and requests for Internet access.
  • Tip: iPhones are generally more secure than Android phones because they receive regular security updates while most Android phones do not.

Security Round Up

Trust your instincts. If you feel unsafe in a public space, leave. If you think your mobile phone or computer has been compromised, take action—whether that means throwing the device away or running security software to fix the problem. If you think your online activities are being monitored, take steps to mitigate the risks. Never disregard your sense of insecurity.

What steps can you take to improve your digital security?

  • Read, learn and educate yourself. Understand the risks you are exposed to when you use computers, mobile phones and the Internet.
  • Install security software programs that protect against intrusions and remove malware and viruses when your devices are compromised.
  • Use the web browser that best suits your needs, depending on whether you want to maximize security or privacy. Install add-ons that increase the security and privacy of your web browser.
  • Understand how to communicate as securely as possible in cyberspace. Email, instant messaging and VOIP, as well as social media can all be made more or less secure.
  • Hardware and software are the backbone of your digital security, but your own behaviours are just as important. Make sure you are using safe practices at all times.
  • Use a VPN (Virtual Private Network).
  • Make sure your devices are set to automatically install security updates.
  • Encryption makes everyone online safer. It’s important to know what it is and how to use it if possible.
  • Treat your communications with emergency assistance programs (and human rights organizations more generally) with the same digital security awareness and practices as you do the other aspects of your digital life.
  • Trust is paramount on the Internet. If you aren’t sure something or someone online is trustworthy, don’t open yourself up to the risk.

Web Browsers

Web browsers have different levels of security and types of privacy settings for their users. Make sure you are using the browser that best fits your needs.

  • Use Google Chrome if you want to maximize your security but don’t mind if the company collects a lot of personal information about you.
  • Use Firefox if you want to maximize your privacy and are willing to sacrifice a bit of security.
  • Only use Safari if you are using an Apple product (iPhone, Mac, etc.).
  • Don’t use Internet Explorer if possible.
  • Try out an even more secure web browser: Dragon Internet Browser, Epic Privacy Browser, Tor Browser.

Comparing web browsers:

Browser            Version   Security    Privacy
Chrome             53        The Best    The Worst
Firefox            49        Okay        The Best
Safari             10        Good        Okay
Internet Explorer  11        The Worst   Okay

Instant Messaging

WhatsApp is by far the most popular instant messaging tool being used by journalists, according to a survey of CJFE assistance recipients. 74 percent of respondents report using WhatsApp, followed by 29 percent using Skype’s direct messaging tool, and 9 percent each using Signal and Viber. So how can you maximize your security?

  • Don’t use Skype – Its parent company, Microsoft, and third-parties like governments can access Skype users’ data and communications relatively easily.
  • WhatsApp has end-to-end encryption, which is great. But even though WhatsApp can’t read the content of its users’ messages, they can still see who is sending a message to whom and when. They can record this ‘metadata’ and give it to governments.
  • WhatsApp also doesn’t have a great privacy policy. In summer 2016, the instant messaging service began sharing user information with its parent company, Facebook.
  • Signal has end-to-end encryption like WhatsApp but it has the added benefit of being open source. This means its code can be inspected by experts looking for flaws and back doors in its security. Unlike WhatsApp, Signal doesn’t store any metadata.
  • Facebook Messenger’s Secret Conversations use the same encryption as Signal but only work on mobile phones.
  • Telegram is rarely a secure way to communicate.

Takeaway: If possible, use Signal instead of WhatsApp or Skype.

Resources:

  • How to use Signal on iOS (Apple products)
  • How to use Signal on Android (Google products)

Social Media

Journalists in distress use social media both to do their work and to find help when they face dangers. Facebook is by far the most popular social networking site and while it is an indispensable tool for connecting journalists with their audiences and with organizations that can help them, there are also privacy risks associated with using it. In its quest to maximize profits and become a one-stop space for Internet users, Facebook’s shifting data-sharing practices indicate an overall decline in its attitude towards user privacy.

Using Facebook safely:

  • Make sure you’re familiar with Facebook’s privacy and user data policies. You can also explore Facebook’s FAQ (Frequently Asked Questions) page on its collection and use of user data.
  • Customize your Facebook privacy settings to minimize your public footprint.
    Examples:
    1. There is a feature that allows you to become ‘invisible’ to search engines.
    2. A feature can be selected to allow only your friends (or people you know) to find your Facebook account by your email or phone number.
    3. Another feature prevents Facebook from connecting your profile to other apps.

Best practices for all your social media accounts:

  • Understand the default privacy settings on your accounts and know how to change them.
  • Use strong passwords.
  • Use separate accounts and identities depending on your activities on a social media site (journalism, activism, a specific campaign, personal networking, etc.).
  • Try to minimize your use of social media from public computers or public Wi-Fi networks. Make sure to delete your browser history and cache when you use public computers (at Internet cafés or libraries).
  • Always be careful about the information you share on social media. Minimize the personal information you share.
  • Accessing a social media website using “https://” is safer than using “http://” – It adds a layer of security to your Internet activity by encrypting the traffic from your web browser (Google Chrome, Mozilla Firefox, Safari, etc.) to the social media site you are on.
  • Many social media sites display your location if possible. Double-check that your location settings, whether on your mobile phone or your computer, are turned off.
  • Regularly check what applications are authorized to access your social media accounts and disable old and unused ones.

Learn more about using social media securely—Facebook and Instagram (owned by the same company), Twitter, YouTube, Flickr.

Internet Cafés

Sometimes the only way to access the Internet is to go to a café. But it’s important to remember that your anonymity, privacy and security are fundamentally compromised the moment you step foot into this type of public space.

Tips for mitigating your risk:

  • Find an Internet café where you don’t have to sign in or show ID to use a computer.
  • Bring your own computer to use if possible, especially when working with sensitive information.
  • Check to see if there are surveillance cameras pointed at the computer screens; if possible, avoid these.
  • Try to sit at a computer whose screen cannot be viewed by anyone without you knowing.
  • Make sure to clear the Internet browser history and cache before you leave.
  • Bring a USB that has programs you trust; this way you don’t have to rely on the software already installed on the computer. Security-in-a-box describes portable applications you can bring to Internet cafés to improve your security.
  • Trust your instincts; if you feel unsafe, leave.

Passwords

Passwords are the first line of defense for any communication conducted and data stored on cyber devices (phones, computers, etc.). According to a survey of CJFE assistance recipients, almost 40 percent of journalists have passwords that are weak or probably weak. This indicates that journalists often know of the security risk their passwords pose, but have not taken steps to remove the risk.

You can strengthen your passwords fairly easily if you know what makes a strong password. It is important to remember that weak passwords can be cracked even more easily. The Committee to Protect Journalists explains how attackers can crack your passwords with little difficulty.

Here are some tips for choosing and maintaining strong passwords:

  • Passwords based on personal information are easy to guess.
  • Passphrases are stronger than passwords. Passphrases that are six words or longer are considered to be very safe.
  • Choose an obscure statement or quotation that has meaning to you but won’t be easily linked to you by others. You can use the whole phrase or abbreviate it to create a series of letters and numbers.
    For example:
    “Why is it always so hot outside?” → WiiA50HO?
    “That toy tiger I had as a kid was the best!” → TtT1hadAak1Dwa5th3B!
  • Longer passphrases are better than shorter ones.
  • Combine letters (capital and lowercase), numbers, and symbols (!@#$%^).
  • Don’t reuse passphrases.
  • Don’t share your passphrases with anyone.
  • Change your passphrases every 90 days.
  • Be aware that honest answers to security questions (used to verify your identity when you forget a password) are often publicly available information (e.g. your mother’s maiden name, your father’s birthday, where you went to school, etc.).
  • Use a password manager software program to store your passphrases; they often generate strong passwords for you. But don’t forget to create a strong master passphrase to sign in to the program – otherwise all your passphrases can easily be compromised.
    Password manager software: KeePass, Password Safe
  • Use two-factor authentication (2FA) if it is available. You can check if your service provides this feature at the Two Factor Auth website.

Two-factor authentication is a simple feature that asks for more than just your password. It requires both "something you know" (like a password) and "something you have" (like your phone). After you enter your password, you'll get a second code sent to your phone, and only after you enter it will you get into your account. Think of it as entering a PIN number, then getting a retina scan, like you see in every spy movie ever made. It's a lot more secure than a password (which is very hackable), and keeps unwanted snoopers out of your online accounts.

Email

Although email is an incredibly common and cost-efficient method of communication, it is important to remember that all of the information contained in your inbox, your sent folder and your address book is only as secure as your digital security practices.

There are a number of ways to make your email safer, starting with the email account(s) you use:

  • Switch to a more secure email service provider. For example, Google collects a lot of information about its Gmail users that could put you at risk. If you must use Gmail, read its privacy policy and understand the risks.
  • One email provider that offers more security is RiseUp; it does much more to protect the information stored on its servers.
  • Another email provider that offers more security is ProtonMail. It offers end-to-end encryption if you are sending an email to another ProtonMail account, which means it is to your benefit to recommend this email provider to your friends and family! Emails sent to recipients who do not have a ProtonMail account can also be encrypted with an added password that the recipient must know. Emails can also be set to self-destruct.
  • Consider setting up multiple email accounts and using one or more as a decoy. Setting up new email accounts will make it more difficult to identify and monitor you.
  • Make it difficult to link your identity to your email account(s).

Making your email safer is not just about using the most secure email accounts. It’s also about using smart behaviours that minimize your chances of being compromised:

  • Make sure you have a strong password protecting your account.
  • If possible, use two-factor authentication to add another layer of security. Learn more about passwords and two-factor authentication in the “Passwords” section of this guide.
  • Always access your email through HTTPS when you are on an Internet browser.
  • Don’t open emails with suspicious subject lines; they could contain viruses or malware.
  • Don’t open attachments from email addresses you don’t recognize; they could contain viruses or malware.
  • Regularly clean up the temporary files your email produces on your computer. Using CCleaner is one way to do this.
  • Delete your browser history and cache if you must access your email from a public computer.
  • Be careful about what types of information you put into writing and who you email.

The most effective way to secure your email communications is to use public key encryption. In a survey of CJFE assistance recipients, only a quarter of respondents use encrypted email and 40 percent do not know what encrypted email is. Check out the “Encryption Basics” section of this guide for a quick tutorial.

There are two main ways of installing and using public key encryption, and Security-in-a-Box provides instructions for both:

  1. Thunderbird + Enigmail + OpenPGP for Windows
  2. GPG4USB for Windows – Email and File Encryption

Encryption Basics

Encryption is the most effective way to protect data. When data is encrypted, it is turned into a series of symbols called ‘ciphertext’ that by themselves have no meaning. Your unencrypted data is essentially scrambled, becoming unreadable; the only way to decrypt it is to have the correct encryption key (a password or other form of authentication).

You can encrypt a number of different things: hard drives, files and folders, emails, Internet communications.

Some devices have built-in encryption software that will encrypt your entire hard drive. Windows Pro (in contrast to Home) versions released after 2007 come with BitLocker and all Macs released after 2003 come with FileVault. You can also encrypt portable USBs (also called flash drives or thumb drives) using BitLocker and FileVault. The operating systems on more recent Android phones and iPhones come with built-in encryption. Check your devices to see if they come with an encryption feature you can turn on.

There are free and paid software programs you can download that will encrypt individual files or folders on your devices, as well as USBs. VeraCrypt is the most commonly recommended program; it is free and open source. Make sure you learn how to use it properly before installing, otherwise your data can be permanently corrupted.

Email is a particularly vulnerable mode of communication, but using encrypted email prevents the contents of your emails from being read by anyone except the intended recipient. Email encryption typically relies on a Public Key Infrastructure (PKI). PKI uses a combination of a private key (known only to you) and a public key (which you can make available publicly or only distribute to those you choose). You use a private key to encrypt an individual email and the recipient uses a public key to decrypt it. See the “Email” section of this guide for the two main ways of installing this type of email encryption.

Encryption has been integrated into a number of different parts of the Internet, increasing everyone’s security. Most notably, a technology called Secure Sockets Layer (SSL) is being used more and more to encrypt the connection between your device and websites and Internet services you visit. SSL has been built into most email services, for example. When you are connected to a website through SSL, the URL of the website will begin with HTTPS instead of HTTP. If you want to make sure you only connect to websites and Internet services using SSL, install the HTTPS Everywhere add-on.

SSL is not the same as end-to-end encryption. In other words, SSL encrypts your data when it is transmitted between your device and a website or Internet service. That website or Internet service can still read your data. End-to-end encryption, on the other hand, prevents even the website or Internet service from reading your data. For example, Gmail uses SSL but its parent company, Google, could still go in and read the content of your emails. WhatsApp and Signal use end-to-end encryption, however, which means their parent companies, Facebook and Open Whisper Systems, cannot go into your chats and read their content.

Software, Apps and Add-ons

There are many software programs, applications and add-ons that can be used to improve your digital security. Explore the list below—and don’t limit yourself to these. Do some research to find the ones that best suit your needs. But remember, practicing safe behaviours online to mitigate the risks you are exposed to as a journalist and a general Internet user is just as important as using tools to increase your security. Many of the tools listed below are described in other sections of this guide.

Password managers:

Email providers:

Security software:

Encrypted instant messaging and/or VOIP:

Internet add-ons:

Internet browsers:

VPN providers:

Public key encryption for email:

Apps on Android:

The Authorities and You

In a survey of journalists who have received assistance from CJFE’s Journalists in Distress program, almost 90 percent of respondents report worrying that their Internet communications are being monitored all of the time or sometimes. The governments of journalists’ home countries and current countries of residence (especially when they have fled into exile), intelligence or security agents and police officers are all potential threats. In addition, 30 percent of the journalists surveyed report that at least one of their devices has been taken by authorities and almost half of respondents report having a device stolen.

Your devices are the gateway to your life today. Whether you are crossing a border, going through a checkpoint or just out in public, there are precautions you can take to make it harder for authorities to gain physical access to your phone:

  • Make sure your computer and phone screens automatically lock when you are not using them.
  • Don’t use an easy-to-guess password that authorities can crack quickly if they temporarily take your device.
  • Keep your phone with you at all times. Lock up your computer when you can’t take it with you.
  • Avoid displaying your devices in public. Never leave them unattended.
  • Don’t forget to destroy your SIM card or hard drive if you throw a device away.
  • If possible, switch out your SIM card for a blank one when you take your phone through checkpoints or across borders.
  • If possible, don’t take devices that store your most sensitive information through checkpoints, across borders or otherwise into the presence of authorities.

These precautions will not stop authorities from forcing you to give them access to your devices. But they will ensure authorities can’t access your data simply because it is quick and easy for them to do so.

Applying for Assistance

When you apply for help from human rights organizations that operate emergency assistance programs, you have to share personal information with them about your current situation. Doing this over the Internet—the most common and frequently the only way to communicate—opens you up to the risk of your sensitive information being intercepted.

Here are some ways to make sure you are as safe as possible when communicating with emergency assistance programs:

  • Don’t be afraid to withhold information until you are certain it is safe. In a recent survey of CJFE’s assistance recipients, 61 percent of respondents reported withholding information because of safety concerns.
  • Don’t be afraid to raise your digital security concerns and ask the staff to help accommodate you—that’s what they’re there for!
  • Use secure methods of submitting applications whenever possible.
    For example, you can contact the Committee to Protect Journalists for help through SecureDrop. If you are a media worker reporting from the Syrian conflict, you can submit an application form that is sent encrypted to 12 organizations simultaneously.
  • If you don’t have a method of sending and receiving encrypted email (see the “Email” section of this guide for more information), ask the program staff if they can communicate with you over Signal, WhatsApp or another instant messaging tool that has built-in end-to-end encryption.
  • Be careful about posting public requests for assistance on an organization’s social media accounts (Facebook, Twitter, etc.).
  • Check out the rest of this guide and consider implementing tools and behaviours that will increase your security before contacting emergency assistance programs.

Learn More

This CJFE resource is a great starting point…but there are a LOT of digital security risks out there and there are many ways to safeguard yourself against them. Luckily, there are many manuals, guides and tips available for journalists and human rights defenders who want to improve their physical and digital security.

Digital Security

Middle East and North Africa

Exiled Journalists

Reporting from Crisis Areas

Legal Aids