In this article, a digital security expert gives advice to journalists on how to keep their information safe when reporting in authoritarian regimes.
Journalists reporting in authoritarian regimes face an increased number of digital security threats. In this article, a digital security expert, who asked to remain anonymous for safety reasons, gives advice on how journalists can keep their information safe online despite heavy state surveillance.
1/ Regularly assess the threats
- What type of information/data on a journalist’s devices needs to be protected?
- Who, or which organisation, do they need to protect themselves against?
- How likely are they to be targeted?
- What is the worst case scenario if their devices are compromised?
2/ Refrain from using devices and services the regime may have access to
In authoritarian regimes, authorities often have unfettered, legal access to any data processed by national companies as well as foreign companies operating within the country’s borders. Many electronic devices (e.g. Huawei phones), software (e.g. VKontakte, WeChat), and network services (e.g. Yandex, Baidu) operating from authoritarian countries have set up “backdoors” that can collect users’ data.
3/ Whenever possible, use services providing end-to-end encryption
- For network connection (e.g. Virtual Private Networks (VPNs), or the Tor network);
- For messaging (e.g. Signal, ProtonMail and Tutanota);
- For online search (e.g. Mojeek or MetaGer).
4/ Learn how to set up and update digital devices
Journalists should be able to determine which features to disable to protect themselves (tracking, personalised ads, geolocalisation, browser history, cookies) depending on their assessment of the regime’s technical ability to monitor them. Keeping operating systems and applications up-to-date, especially antivirus programmes, will greatly contribute to reducing security vulnerabilities, but journalists should be aware that device settings may be reset after an update. It is also advised that they conduct background checks on the ownership and trustability of applications and websites they use.
5/ Delete sensitive data or back it up on isolated drives
In order to protect themselves and their sources from the intrusion of authoritarian regimes, journalists should always delete from their devices the data they collected while working on past articles. If they want to back up their collected information, they should do it on a separate device that is not connected to the internet.
6/ Refrain from using smartphones
As smartphones are the hardest device to fully secure, journalists working on sensitive issues should only use them for calls and text messages, and, when not in use, leave them in a Faraday cage that blocks radio signals. Law enforcement agencies can easily triangulate the signals emitted by a smartphone and find its physical location, especially when connected to a Wi-Fi hotspot, an unencrypted internet connection, or when using geolocalisation (GPS). It is also very difficult to completely erase data from smartphones, therefore each application once downloaded increases the risk to its owner’s security.
7/ Carry burner phones
As authoritarian regimes’ authorities may confiscate journalists’ electronic devices and tamper with them, or use intimidation to get login information, journalists are advised to carry one or more decoy devices with no sensitive information on them, so they can be handed over to the authorities when needed.
8/ Create multiple digital identities
A connection may be made between identities through matching passwords, search queries, locations, and online behaviour. To avoid their personal identity being disclosed, journalists should use different devices, apps and accounts for personal and professional purposes. Likewise, journalists can use different identities (including email and social media accounts) for reporting on different topics, so that authorities cannot access all their work data at once in case one of their accounts is compromised.
9/ Carefully manage inbox
Regularly cleaning their email inbox is essential for journalists, as authorities cannot obtain information that no longer exists. Journalists should never use the “reply” feature, as response emails generally include the entire message history, and should agree beforehand with their sources and colleagues to only send new emails each time. Journalists should also be cautious about suspicious emails from unknown senders that could lead to remote installation of Pegasus-type malware and viruses on their devices.
This article is based on a previously held training session for journalists and press freedom defenders organised by RSF.