For twenty-first century journalists, maintaining the privacy, security and authenticity of their digital communications with sources is both essential and complex. Though many of the tools that enhance security and privacy are well-known by name – GPG for encrypted email, Adium and Pidgin for encrypted chat, Tor for anonymous web browsing – knowing how and when to uses these applications remains an ongoing challenge. To help address these issues, the Tow Center for Digital Journalism organized an intensive educational workshop around digital security practices in late November. Over the course of the weekend, two dozen journalists, journalism students and researchers worked with digital security trainers, computer scientists and legal experts to explore and address the unique legal and technical understandings that journalists need in order to preserve their work and communicate safely with their sources in a digital world. Though the lessons of the weekend were many, below are a few of the top takeaways from the weekend.
Encrypting all of your data and communications won’t happen overnight, but there is good reason to make it a habit. First and foremost: practice makes perfect. If you use encrypted chat clients all the time, it will be simple – and just as fast – to use with one with a source should the need arise. Second, encryption offers strong protection for the contents of your files, emails and chat sessions. If you encrypt your computer and your phone, you can feel confident that even if something happens to your devices, your data will be extremely difficult for others to access. Likewise, while encryption won’t hide who you’re communicating with over email, it will obscure what was said. Finally, using encryption normalizes it for you, your colleagues, and the industry as a whole. If journalists in general communicate securely, it can provide reassurance to sources that you can better protect them, as well as make it difficult for even government actors to gain access to your information without your knowledge.
Your Devices Are Always Communicating
Most of us like the fact that our laptops discover and connect to wireless internet access points automatically, especially at places like our homes and offices. But the information that our computers send out into the world isn’t limited to the webpages we request or files we download. When your wifi is on, your computer is constantly sending out beacon signals in order to locate wireless access points. Part of that beacon is the so-called “mac address” of your computer, as well as your “remembered” networks. On an unencrypted wifi network, this could be used to connect your physical computer to your web activity, or even to deduce places you’ve recently visited. Be mindful of this when naming a home wireless network, and consider clearing your list of “preferred networks” when you travel. Smartphones with wifi on will behave similarly, so leave the wifi off to protect your information (and your battery life!) when out and about.
Digital Security is Physical, Too
Digital security – both for your data and your communications – isn’t all digital. Keep physical track of your devices at all times; the same few minutes you need to order coffee is all that’s needed to duplicate an unencrypted computer or install malware via USB. Likewise, keep in mind that there are instances when offline communication methods are inherently more secure than digital means. Postal mail, for example, is more difficult to search than email, and has much stronger legal protections.
The convenience and efficiency of all-in-one service providers is hard to beat. At the same time, conducting all of your communications in one place also means that anyone who gains access to that service will be able to quickly triangulate information about your sources and stories. Using a variety of communication platforms reduces this risk, and also gives you at-hand alternatives should one of them become unavailable. By using different applications for chat, email, internet phone calls and the like, you make it much more difficult for anyone to create a comprehensive picture of your communications. Perhaps as importantly, trying out and offering feedback on less common tools also gives you the opportunity to provide feedback to their creators, thereby improving the usability – and viability – of alternatives to big-name applications services.
While the above is only a cursory look at principles of digital security, we encourage anyone looking for additional information or specific recommendations to check out resources like Security In A Box or Encryption Works. And also keep an eye out for the Tow Center’s comprehensive white paper on digital security and privacy for journalism, which will be published in the coming months.
Susan McGregor is the Assistant Director of the Tow Center.