Protecting your digital security: The layers of risk that journalists face

This column originally appeared in Navigator, GroundTruth’s newsletter for early-career journalists. Subscribe here:

Get the latest reporting opportunities and advice

Journalism today is produced almost entirely in the digital sphere. Reporters record and conduct interviews on smartphones, reach contacts through messaging apps, research through various search engines and store their work on the cloud or connected devices. This past year of remote newsrooms and Zoom interviews has only accelerated this trend.

The shift to digital work has spurred efficiency, but it has also created new sources of risk that journalists need to be aware of and protected from. Digital devices are vulnerable to hacks, breaches and losses that physical copies of data are not.

These dangers became apparent in the stories breaking this weekend about Pegasus spyware, a powerful surveillance technology sold to governments. Though marketed as a tool to fight terrorism, Pegasus is being used to hack the phones of prominent journalists, activists, politicians and others in multiple countries.

For this edition of Navigator, we asked Chris Post, photojournalist for WFMZ-TV 69News in eastern Pennsylvania and safety trainer for journalists, about essential steps that journalists can take today to strengthen their digital security.

When it comes to dealing with digital security threats like Pegasus, Post thinks being proactive in precautionary measures is most important. Journalists should be extra careful to not click on suspicious links, files or emails, and should invest in antivirus protection for devices. For free protection against viruses, he suggests

However, no antivirus will offer you complete protection. Against these threats you’ll always be at a disadvantage: “Agencies that are sponsored by state governments have unlimited resources and invest a lot of money and time into finding ways to create access through a virus or some sort of spyware program from certain peoples devices,” Post said. “The other thing to consider is, and this may very well be the future of those types of attacks on electronic devices, is if your device starts acting funny, you may need to consider not using it.”

While these may seem like extreme circumstances, Post sees situations like Pegasus as a possible trend in the future, which makes taking steps to protect your digital security even more pressing.

“This is not just for us to protect the work that we are invested in,” Post said in a training session for Report for the World corps members in late June. “This is also to protect our sources, the people that we are interviewing, those folks that have taken on an incredible amount of risk to tell their story and maybe put their lives, their families, in jeopardy in telling their story to you.”

Digital security goes hand-in-hand with physical security

A case like the Pegasus spyware hack involved advanced techniques to gain control of the victims’ smartphones and access their data undetected. Although it is important to protect against attacks like those, Post advises to also focus on the physical threats to your data, which might expose your work to less sophisticated criminals that could sell it online or ask for a ransom.

“When you start in your immediate area, you’re looking at situations where it may not be somebody hacking your computer, it may be somebody physically stealing a hard drive,” Post said in a phone interview. “What ends up happening is a crime of opportunity, where it could be physical theft, but it’s actually a loss of a huge amount of data.”

Because reporters operate openly, would-be thieves have an abundance of opportunities to strike, if the journalist is not careful. Post drives a car marked with the name of the TV station he works for, and parks it every day in the alley behind his house. Sometimes, people leave news tips under his windshield. “They obviously know who I am and know where I live,” he said. “So, I’m very aware to not leave anything inside my news car that has any sort of data on it.”

This overlap is why Post recommends thinking of digital security in levels, starting with assessing potential risks in your immediate area and gradually expanding to broader networks. By securing your physical surroundings, you protect your digital space as well.

It is important for journalists to consider the dangers to digital security that exist in the world outside of the office. Can someone walk into your office space? Reach your phone or computer from a window? Tap into your Internet access point?

These are all essential questions to consider, Post said. “The easiest way for me to steal the work that you are working on is to steal your laptop or your phone, or to take something off your desk.”

For Post, digital security begins in your personal workspace. Making sure the doors are locked, the windows are closed and your laptop is secured to your desk with a locked cable are easy steps towards protection. Ensuring that you’re not giving thieves easy access to your devices should be part of your routine.

Overall, this means “from a physical and digital standpoint, making sure that you secure your workspace and avoid working in areas where your work can be observed or where your work is in a public venue,” Post said.

Displaying data or personal information on items like dry erase boards or sticky notes within your office can also make your work public, allowing it to be seen and stolen without someone actually entering your space.

“This is the transition from physical security to digital security,” Post said. “Are you posting or displaying things that give people a clue as to what you’re working on, and maybe cause suspicion or vulnerabilities?”

And part of setting up a protected digital environment means being constantly mindful of who you trust and include in your physical environment, in your human network and neighborhood, to prevent breaks in confidentiality or additional threats, Post added.

Beyond the physical: protecting your digital space 

To secure your digital space, Post suggests taking a hard look at your digital life and start cleaning up loose ends to protect your various accounts on different sites, applications and devices.

“You should really think about what information is stored in your account, and what consequences could come up for you, for your family, for your sources, if your account is breached,” he said.

Post recommends deleting old accounts and messages, not plugging into public chargers, and watching out for phishing scams (emails tricking you into giving sensitive information). While these measures seem simple, Post believes they are still important to emphasize because people often neglect the basics, thinking a security breach will never happen to them.

According to Post, the two most common mistakes that journalists make in digital security are not using complicated and unique passwords, and not enabling two-factor authentication.

“People in general, as much as journalists, don’t understand the risks associated with digital security, and they lack the technology understanding to be able to set up and create a secure environment digitally,” he said.

Two ways to protect your digital security across layers: Encryption and VPN

Regardless of the measures taken to protect yourself, Post recommends adopting two “helpful habits”: backing up data to protect against loss, and encrypting data to protect against misuse or abuse. Encryption ties the physical and digital aspects of the layers of security together.

“The idea behind [encryption] is that if somebody were to get your computer, or they were to steal that external hard drive, whatever data on there is going to be useless to them,” Post said. “They’ll never be able to get to it because that drive is encrypted…it’s basically a brick.”

Laptops and smartphones have “native encryption,” the ability to encrypt your entire device, built into them – you just have to turn it on through your device’s settings. Encrypting the entire device will take time, so Post especially recommends turning on encryption after buying a new device.

Other encryption sources include Bitlocker for Windows users, FileVault for Mac users, and Veracrypt for external hard drives. To send encrypted messages, Post recommends using WhatsApp or Signal. For encrypted email, try ProtonMail or Mailvelope.

In some countries, journalists could be imprisoned for having encrypted devices. Post recommends researching the laws in countries where you are living or working first. Also, remember that encryption works as long as your device is not compromised. If hackers gained access to your device, as it happened with the Pegasus spyware, they likely will have access to your encryption software.

Encryption protects already collected and stored data, but to secure your internet while researching, Post recommends using a virtual private network (VPN). His go-to providers are ExpressVPN or TunnelBear.

“VPN basically creates an encrypted tunnel between your device and the internet, and it pops out of the ground at any location that you pick,” Post said. “So it’s making a tunnel for internet traffic to flow through that hides your location.”

This allows users to appear to be in a different location than where they actually are. “That makes it a little bit trickier for Internet service providers, for governmental agencies, for any people that you are investigating, to find out who’s looking at them,” said Post.

This can be essential for investigative work, and any research that requires a low level of anonymity, such as looking into terrorist or white supremacy groups.

“There are always loopholes”

Technology is constantly updating, and so are threats to digital security – and methods to protect yourself. That’s why Post stressed that journalists need to be up-to-date on digital security news, calling his tips “great preventative medicine” but “not a complete cure.”

“And I don’t think there is going to be a complete cure, ever, because as technology evolves, so will the human energy to crack those [defenses],” he said.

Post recommends regularly consulting The Committee to Protect Journalists’ safety guide, Rory Peck Trust’s Digital Risk Assessment and the Journalist’s Toolbox from the Society of Professional Journalists to stay updated on digital security tools and tips.