Dangerous information ... now what?

Imagine opening your inbox to find an anonymous email from someone offering to share important, sensitive documents of international significance with you. The source, and the information, requires the highest level of protection.

What do you do?

This manual is designed to instruct journalists and media organisations on how to practise information security in the digital age, protecting your work, your sources, and your communications at a variety of risk levels.

Information security, or ‘InfoSec’, is the practice of defending information from unauthorised access. The information at stake may include a news report you are working on and any associated files, the identity of your source(s), your communication with them, and at times, your own identity.

You don’t need to be an I.T. expert to practise InfoSec (although you will certainly learn a lot as you go along!). Using this manual, you could learn to send encrypted emails and documents from your own highly secure laptop within days!

Who poses a threat?

The Snowden revelations exposed the extraordinary abilities of certain government intelligence agencies to intercept communications and gain unauthorised access to data on almost any personal computer or electronic communication device in the world. This could pose an information security risk to investigative journalists working on stories concerning the interests of those governments, their agencies, and their private intelligence contractors.

Many states lack these sophisticated surveillance technologies – but all states do possess surveillance capabilities, some of which can be, and at times have been, used against journalists, with potentially severe consequences. Ethiopia, a less technologically advanced state, is alleged to have launched remote attacks against journalists stationed in US offices.

In the globalised age, some transnational corporations have greater wealth and power than many sovereign nation states. Correspondingly, some transnational corporations possess greater ‘security’ or surveillance capabilities than many nation states.

It is not only corporations, but sophisticated criminal organisations that have also been known to employ impressive surveillance technologies – and some criminal organisations may overlap with criminal elements in government. The Mexican army spent $350 million on surveillance tools between 2011-2012, and reportedly now possess technologies to collect text messages, phone calls and emails; to remotely automate audio recording on mobile phones; and even to detect movement through walls using radar technology. Also between 2011-2012, nine journalists were killed in Mexico in association with their work.

Unauthorised access to your data may entail its use, disclosure, disruption, modification, inspection, recording or destruction. You and your source could invoke legal or physical risks, and the information at the heart of your story could be compromised. In high-risk situations, InfoSec may be as important as wearing a bulletproof vest and travelling with bodyguards. However, because digital threats are invisible, complex and often undetectable they can be underestimated or overlooked.

Dragnet threats

You may also wish to protect yourself from ‘dragnet’ surveillance programs, led by the US National Security Agency (NSA) and the UK Government Communications Headquarters (GCHQ) and as of 2017 the Dutch Wet op de inlichtingen- en veiligheidsdiensten (Wiv). These are programs that collect and sometimes analyse the world’s online and telecommunication data - potentially enabling retroactive investigation. Even police forces in the UK have accessed stored communications data to identify hundreds of journalistic sources.

Practising InfoSec

As an effective journalist, you will find yourself disturbing a few hornets’ nests in the course of your career. Therefore, practising good InfoSec means normalising several permanent strategies that easily fit into your everyday work. It also means employing case-by-case protection strategies, as you will need to use stronger and more effortful InfoSec methods when working on sensitive topics, and with vulnerable sources.

The first step to practising good InfoSec is to be aware of the threats; the second is to be aware of your hardware and software vulnerabilities. Understanding how and why unauthorised access happens is the first step in learning how to protect yourself from it.

Legalities of tools (Cryptolaw)

Despite the fact that the pervasive surveillance of law-abiding citizens almost certainly contravenes international human rights laws, use of certain privacy tools can be illegal. Several of the privacy tools discussed in this handbook are cryptographic tools. This cryptography may be illegal, or require a license, in several countries including China, Cuba, Iran, Libya, Malaysia, North Korea, Singapore, Sudan, and Syria.

When entering some of these countries, you may need to declare any IOCCO inquiry into the use of Chapter 2 of Part 1 of the Regulation of Investigatory Powers Act (RIPA) to identify journalistic sources, 4 February 2015 encryption technology on your laptop. You should consider the legal implications of using cryptography and make informed decisions about where and when it is safe for you to do so. You can find out more about cryptography laws for each country here: www.cryptolaw.org.

In addition you should realise that encryption does not necessarily mean that governments or intelligence agencies cannot read what you do. For example in 2018, the Australian government adopted a new law that requires access to end-to-end encrypted communications if an intelligence agency so requires. This means literally that tech companies may be forced to backdoor their communication platforms. This will make us all safer online. In the UK mandatory backdooring of encryption is considered.

Threat modeling

There is a lot of information in this handbook about various possible threats, and measures that can be taken to defend against them. However, since attack technologies are always changing and much of their use is entirely secret, we rarely confidently know the exact threats; when, where and to whom they apply; or the efficacy of our defenses. Therefore, it is down to you to perform a personal risk assessment and design an appropriate defensive response during the course of reading this book.

You may also want to factor in practicalities – some users may compromise their InfoSec, whilst aware of the risks, to meet other practical demands in their work, whereas some users practice sophisticated InfoSec above their perceived need because they find it practically doable.

Basic questions

Some basic questions you may wish to ask yourself when threat modeling for your InfoSec strategies are:

  1. Who could your adversaries or potential attackers be?
  2. What tools might your potential attackers possess?
  3. How likely is your potential attacker to use their available tools against you?
  4. What risks could arise, for you and those you communicate/work with, from a targeted attack?
  5. What risks arise from passive surveillance? How extensive are the tools used in passive surveillance?
  6. What defence strategies are practical, safe, and effective in light of your evaluated risks?
  7. What defence strategies are practical, safe, effective, and instructable for my sources and colleagues, in light of their evaluated risks and/or the risks incurred by our communication?

Keep yourself informed

The threats will change with time – but so too will the technologies available to protect journalists and citizens. So, it is important to understand InfoSec in theory, and to always continue learning about InfoSec in practice.