In this article, digital security experts share with Reporters Without Borders (RSF) a checklist for journalists to protect themselves and their sources against surveillance and digital attacks.
Cybersecurity is a critical concern for journalists working on sensitive issues, as they are at heightened risk of having their electronic devices hacked or their communications monitored. It is essential for journalists to be aware of the digital vulnerabilities they face and to take proactive steps to protect themselves from surveillance and digital attacks. In this article, digital security experts share a checklist on how reporters can safeguard their data and communications.
- Understand the threats. In the backdrop of the fast-paced evolution of technology and artificial intelligence, journalists can’t but closely follow the latest developments in cybersecurity in order to better understand and prevent the digital attacks they may face, such as stolen credentials, impersonation, hacks, and data leaks.
- Regularly check and update your devices. Journalists should regularly conduct antivirus scans, clean and update their electronic devices. Cybersecurity experts also recommend using external services to verify that devices have not been compromised, such as apps monitoring network traffic, task managers programmes that provide information about the processes and applications running on a computer.
- Always use a VPN. Journalists should always have a VPN (Virtual Personal Network) switched on. To ensure optimal privacy and security, they should carefully choose which VPN to use by identifying the VPN’s company owner, the jurisdiction under which it operates, and by reviewing its core security features and ethical practices.
- Encrypt your hard disks. Encryption is vital for the protection of sensitive data, as it makes it unreadable to outside parties who do not possess the password. Cybersecurity experts recommend journalists to fully encrypt their electronic devices and backups in order to counter malwares or prepare in the event of physical thefts.
- Use encrypted communication channels. End-to-end encryption (E2EE) further encrypts data while in transit on the Internet. Journalists should use E2EE messaging apps such as Signal, Wire, or WhatsApp, to safeguard their communication. The tab below compares different messaging apps in terms of security and jurisdictions:
Source: https://www.securemessagingapps.com
- Only install vetted apps. When using mobile devices and apps, it is crucial to only install apps from official app stores. Journalists should regularly check app permissions on all their devices to prevent their data from being transferred to third parties.
- Separate devices when using suspicious apps. If reporters have to use apps from national companies that may collect and share users’ data, such as Vkontakte in Russia or WeChat in China, they should consider using a separate device with no sensitive information on it.
- Use strong, unique passwords. Strong password combinations are essential for protecting devices and sensitive information. Journalists should avoid using the same password for multiple accounts, avoid saving passwords in browsers or memos, and refrain from using personal information as passwords. Using a password manager can also provide additional security measures, including end-to-end encryption and sharing capabilities with colleagues.
- Set up two-factor authentication. Two-factor authentication (2FA) provides an additional layer of protection beyond passwords. Different forms of 2FA include SMS, voice calls, email, security keys, and authenticator apps. Journalists reporting should consider using authenticator apps such as Raivo for iOS and Aegis Authenticator for Android.
- Be aware of phishing and malwares. Journalists should always be careful when clicking on links from unknown sources, opening email attachments, downloading unlicensed software, visiting potentially compromised websites, or plugging USB devices. These are commonly used methods to install malware on a device.
This article is based on a training session for journalists and press freedom defenders previously organised by RSF in March 2023.
