Over the past year, I’ve been increasingly asked to speak about computer security for journalists–specifically, how reporters can avoid surveillance by governments and help protect their sources.
Unfortunately, many people seem to think there’s some kind of magic bullet that will protect reporter-source conversations, and that all our problems would be solved if reporters could simply learn to use encryption. But encryption isn’t a magic bullet; there’s much more to source protection than encrypted email.
If you’re here thinking you’re going to find an easy solution–or any particular solution at all, really–I’m sorry. I don’t have one.
But I’ve been speaking about this subject enough now that I have a few tips and tools I’d like to put together in one place.
(1) Some Initial Concepts
Before you even start trying to understand complicated technical tools, you need to know about a few concepts. The most important of these is called “threat modeling,” a way in which you can outline the things you’re trying to protect, as well as the most likely threats against them. Jonathan Stray, who works at the intersection of computer science and journalism, has made some good presentations on the concept. You can find one of them here: http://vimeo.com/87957065.
I also find it helpful to think about examples of journalist communications gone awry. Often, journalists and other non-technical people aren’t even aware of the ways in which their data can get out. As I outline in this presentation for Investigative Reporters and Editors, you can study cases such as the investigation of James Rosen’s source to get ideas about how easy it is for investigators to obtain data.
Finally, you should think about something called “operational security,” in addition to technical tools. This post, by a hacker called the grugq, should give you some idea of how important, and how difficult, it is to maintain operational security. It’s not as easy as setting up PGP email and calling it a day.
(2) Basic Tools
Although I think it’s impossible to make yourself 100% secure, there are steps you can take today that will help you reduce your “attack surface.” I think it’s great for journalists to take these steps simply to promote security in newsrooms overall. Plus, developing even a basic understanding of technology and computer security will benefit you should you ever need to use more advanced tactics to protect your work.
You’ll be ahead of the pack if you simply use a reputable antivirus and make sure all your computer programs are updated regularly. (I don’t think I can recommend any antivirus in particular, but I use Sophos on my Mac, and we have McAfee on our work computers.) You also should take advantage of any security measures your IT staff already provides; if your company has a VPN, I’d suggest using it instead of logging in to a hotel network, for example.
I recently gave a presentation at the 2014 NICAR conference (for the National Institute for Computer Assisted Reporting) in which I outlined some basic tools that you can start trying out in your newsroom today, including password systems and Tor, the online anonymity tool.
(3) More Advanced Tools
Finally, I have written up some instructions for my favorite encrypted communication tool, OTR messaging. You can find them here. And you can check out my earlier post on PGP encryption for email and other text here.
Please feel free to contact me or ask questions in the comments.