More and more these days, the news is dominated by information that comes from “leaks”. This is a good thing for democracy—after all, information can’t be constrained if we are to live in a free society—but it puts the leakers who disseminate the information, and the journalists who report it, in danger.
It is imperative that journalists who deal with sensitive sources, information, or classified leaks are able to protect the security of that information. But as we are firmly living in the age of leaks and hacks, it’s becoming necessary for any journalist to think about their infosec and data security as well. After all, it’s not just a journalist’s own security and privacy on the line, but that of their sources, colleagues, and informants as well. Negligence is no longer an option.
As one Medium blogger put it: “If you would go to jail to protect your sources, why wouldn’t you put in a little effort to protect the files and conversations you share with them? Increasingly, how journalists choose to communicate, how journalists choose to store data, and how journalists choose to secure devices are the decisions necessary for defending sources. You can only protect your sources if you protect yourself.”
Adequate infosec and data protection come in two forms: securing yourself as the journalist, and securing your correspondence with sources.
Here are some notes for best practice:
The first basic of data security for journalists is to enable two-factor authentication (2FA), with the second step being something other than your phone number. The rise of social engineering means that it’s easier than ever for determined hackers to get access to your phone number, and thus to your email account even if 2FA is on. Using a hardware key like a YubiKey, or an authenticator app such as Google’s, is much more secure. Also ensure your primary passwords are long and complicated, and use a password manager like 1Password or LastPass so you can store them safely and easily.
Always be on alert for phishing attacks. While basic digital literacy may elude older technology users, as a journalist you have no excuse. Be wary and skeptical of every external attachment or link that is sent to you if a) you don’t know the sender, and b) the email seems slightly off or is formatted strangely. If you are unsure or worried about an attachment, download it in Google Drive (not onto your computer) to verify its validity first.
When it comes to talking to sources, insist on using a method that utilizes end-to-end encryption. While a court of law can’t compel you to divulge who your sources are, you don’t want a hacker to do that for you. Communications like email are much easier to intercept, so your best bet is an app like Signal, which provides messaging that third parties, no matter what, are unable to read. But, as security expert Quinn Norton notes, be aware of the first-contact rule: “Signal and its ilk, WhatsApp, Wire, etc., are great for hiding what you say, but not always as great at hiding whom you’re saying it to. These tools are great for talking to colleagues, named sources, editors, etc., and I recommend that you use them for general communications. For anonymous sources, focus on communication methods that aren’t easily tracked or likely to be bound to legal identities.”
When it comes to leakers (people who want to provide journalists with information but wish to remain anonymous), you need an infrastructure on which they can feel secure. The service SecureDrop is a good choice for a file submission platform, but as the point above notes, make sure the initial point of contact is secured too.