Credit: Image by Moyan_Bren on Flickr. Some rights reserved
There are various risks journalists face when communicating via email, using WiFi or storing sensitive information on a computer.
Reporters, particularly investigative journalists, should not only be mindful about security, but they have a duty to protect their sources.
This feature contains advice from Brian Honan, an independent security consultant at Dublin-based BH Consulting, on ways to try and avoid suffering a hack of your computer, and how to take security steps to protect your sources. Investigative journalist Lyra McKee also shares some of her advice on keeping sources secret.
You might also be interested in this guide on 'how not to get your Twitter account hacked' and this podcast with 'online security advice for journalists'.
Risk 1: Communication
How do you know the person emailing you is who they say they are? "It's quite simple to set up an email address on the internet and to make it look like it comes from someone", says Honan.
You also need to consider how you communicate with a source.Sending information via email is like trying to send information through the ordinary postal system on the back of a postcard; anyone who comes across that postcard can read your informationBrian Honan
This will obviously depend on how sensitive the information is you are exchanging, but "people don't realise how open communication is on the internet", Honan says.
"The internet was never designed to be a secure means of communication, it was designed to share information."
And email is not secure. "It goes through various different networks, various different ISPs and anyone who has access to those networks and to those systems can, technically, read the content of your email.
"Sending information via email is like trying to send information through the ordinary postal system on the back of a postcard; anyone who comes across that postcard can read your information."
And the problem is not just confined to email. Care also needs to be taken when using Skype or another VOIP system, instant messaging and social media networks, such as Facebook, Twitter, Google+.
Solutions
When faced with verifying the sender of an email, there is some good old fashioned journalism to be done. You will need to cross-check sources and speak to the sender to verify the email source. Common sense can go a long way.
One technical solution to ensuring both the sender is who you think they are and also to keep the communication between you secure, is to encrypt your information.
Honan recommends using a PGP, encryption software from Symantec, and various open source options, such as OpenPGP.
He explains how a public key encryption system works for email. "Both the sender and intended recipients have an encryption key. You have two parts to your key: a public key and a private key. The private key is what you keep yourself and the public key is what you publish.
"If I wanted to send an email to you, I would go and look for your public key and encrypt my email using your public key. The only way that email can then be decrypted is by you entering in your private key. There's a match there to keep that information secure."
Once the relationship is established by swapping public keys, all communication is then encrypted. "The only way to break the encryption is for someone to get your private key. That means they have to gain access to your computer or you have to give it to someone."
Risk 2. Storing information securely
If you are working on a story, gathering information from various sources, how do you store the information securely? How do you ensure that your computer cannot be hacked?
Solutions
One solution put forward by investigative journalist Lyra McKee, is to not keep sensitive information, such as the names of sources, on your computer.
"You can't hack a notebook," says McKee, who is based in Northern Ireland.You can't hack a notebookLyra McKee
"Some sources are more sensitive than others, and the really sensitive names, you will not find them anywhere on my computer. You won't find details of people who are risking their livelihoods or their lives to talk to me."
You might decide to leave the names of sources in a notebook, but you will no doubt need to keep some sensitive information on your computer.
Honan advises encrypting your computer, particularly devices you carry round with you, such as laptops, tablets and smartphones, plus backup drives and USB keys, all of which can be easily lost or stolen.
"I won't say it is impossible, but once encrypted it is very difficult for someone to get that information," says Honan.
When encrypting your laptop he urges you to choose a strong, alphanumeric password. But remember, if you forget the password, you have lost the information on your device. "Do keep backups but keep the backups secure and encrypted," he advises.
Encryption is built into modern operating systems, such as iOS and Windows 7 and above, Honan says, "so it is a matter of just simply turning it on".
He also recommends free tool Truecrypt.org.
Encryption protects your computer while it is switched off or asleep, but also ensure you have good anti-virus software installed to protect your machine from being compromised when it is switched on, and a firewall.
"Most modern operating systems have a firewall built in, so just make sure it is turned on," Honan advises.
He also says you should ensure all software is up-to-date, which includes general software and browser updates.
If you are working with a lot of sensitive information, a good practice would be to spend time once a week making sure everything is updated and all your security measures are active, Honan advises.
Risk 3. WiFi
If you use a WiFi network in a cafe or hotel, be aware that your security could be compromised. "Your information is travelling over the wifi network in plain text," Honan says.
Solutions
Honan advises using a Virtual Private Network (VPN). "There are quite a few VPN services out there that for $50 or $100 a year. All your traffic on the internet is then encrypted and it cannot be accessed by anyone else on the same network."
But that advice comes with a word of warning. "Do be aware that certain VPN providers will surrender your logs and your activity to law enforcement or government agencies."
Honan also recommends free open source software Tor, which allows you to browse the internet anonymously.
By using Tor your personal IP address is hidden from both the site you are browsing and anyone monitoring your online movements.
For making voice calls over the internet, he recommends SilentCircle.
Risk 4: Crossing borders
Honan has one final piece of advice, which is relevant to journalists who are dealing with sensitive information and travelling.
"Crossing borders with a laptop can be an issue," he says, as a number of jurisdictions have the right to search your laptop without having to issue a search warrant.
Solutions
"Encryption is one way to protect your laptop," says Honan, "but you can be then asked to decrypt it at the border and if you refuse, you may be denied entry into the country."
He therefore suggests either keeping the sensitive information on an encrypted external hard disc, or storing it in the cloud.
"When you cross borders, you may just cross with a laptop with just the operating system on it and the applications you need, and then once you are in the jurisdiction, using Tor or your VPN, you can connect to your cloud provider and download the information."
Free daily newsletter
If you like our news and feature articles, you can sign up to receive our free daily (Mon-Fri) email newsletter (mobile friendly).
Related articles
- New investigative project helps resource-poor newsrooms report on health
- New global network investigates obstacles to climate action
- Investigating human trafficking, with ICIJ lead reporter Katie McQue
- What journalists can do to prevent and fight SLAPPs
- How to take your first steps into investigative journalism
