Session notes from the Investigative Practice Series
Chair: Silkie Carlo
Director, Big Brother Watch
Technology journalist at Vice’s Motherboard
Infosec Trainer and Nextcloud
Director, Reckon Digital
Information security is now an established weapon in the fight to keep journalists and their sources safe, but are we in danger of encouraging people to rely on technology that they might not fully understand, thus putting them at greater risk? Are we losing sight of the traditional way in which journalists keep their sources safe - by being unpredictable, and by using our wits as much as our smartphones?
In this seminar, Investigative Practice identified ways to combine the old and new in journalist operational security, as well as how best to advise whistleblowers who might want to send journalists and media outlets their stories.
"It is more important to understand the underlying concepts than the tools themselves."
A combination of old and new technology can be used to keep information safe. Tor and Signal are effective tools, but often journalists are unaware of how they work and what they are doing. Likewise, due to a lack of expertise, if a journalist is hacked, they are unlikely to identify what malware is being used. As such, rather than focusing on what apps and operating systems are available, we should focus on what these technologies are doing. Doing so will not only enable journalists to use such tools more effectively but also make them more receptive to how those tools may change in the future.
There are various concepts that are worth understanding:
- Compartmentation: separating information into distinct cells - e.g. using a specific laptop to access leaked information, one that you don't connect to any accounts linked to you, or ideally don't connect to the internet at all.
- Concealment: encrypting communications via PGP or Signal.
- Cover and Counter: The process of creating superfluous information to distract from what you want to hide - for example, by arranging a fake encounter whilst the real encounter occurs elsewhere.
"Many media outlets are yet to understand that they need to hire IT staff who can work with operational security in mind."
News outlets may be reluctant to trust journalists or to acknowledge the need for an infosec expert, which can cause problems. For instance, Marie Gutbub recounted an example of a German journalist who used PGP when doing a story involving local activists. The in-house IT assistant refused to give him admin rights or let him use his company address on his private computer. This is a case where the outlet should have trusted the journalist’s understanding or referred to a specialist.
There are not many workarounds for this, especially if you are unable to use a private computer, but journalists can use non-work email addresses for communicating with sources and then use private computers, though that can cause problems with compartmentalisation. In some cases, journalists should buy a separate computer for this purpose, though this obviously also has cost implications.
However, the better method to counter this problem is probably to push back against restrictive IT policies in your newsroom and start an argument (or ideally, a discussion) with your editors about the benefits of either allowing some admin rights to journalists on work machines, some flexibility over using organisational email addresses on personal laptops, or teaching IT staff about the importance of information security for the purposes of source protection. This method has the added advantage of helping your colleagues and other journalists that come to the newsroom after you, and hopefully starting to change the newsroom culture more generally.
"Transparency means making the inner mechanisms of technology more visible."
On the one hand, digital technologies can be very convenient and helpful, but on the other hand, they may add a layer of opacity. There is an argument for trying to make these technologies more transparent, to improve the users’ experience of applications and tools. This may also include broadening knowledge about the infrastructure of certain applications and making algorithms and machine learning easier to understand, for instance. That said, as digital citizens, we should work to further our own understanding of technology through workshops, events, training days and reaching out to experts.
At the moment, journalists often tend to seek out training when they are covering a story that demands secure communication lines. A conceptual shift needs to happen earlier in the process, so that this knowledge gathering is taken as a pre-emptive measure rather than used as a last resort.
To achieve this conceptual shift, it’s essential for training in information security to take place in journalism schools, catching future journalists at the point where they are at their most open to learning new tools and acquiring new skillsets. Journalists who are currently working are generally too busy and overwhelmed with the work and other skills and tools they feel they need to learn.
On the level of editors, one of the most effective ways of explaining the need for information security tools and skills for their journalists is as a cost-saving exercise. This argument works on two levels, partly because the majority of the software taught is open-source and therefore largely cost-free aside from the time and training requirements to implement and use it effectively, but also as insurance against the major risks of having poor security infrastructure and compromising both the data and the sources of the journalists in their newsroom.
Q Could we operate without any technology tools at all given how insecure technology often is?
A We can, but in today’s world we would massively handicap ourselves if we avoid digital technology entirely. There is of course a similar danger of handicapping ourselves unnecessarily by placing too much importance on only ever using the most secure versions of digital technology.
Journalists tend to think that their story (and sometimes themselves) are more important than they actually are. On the majority of stories tools like Signal or Tor aren’t strictly necessary. Far more important in general practice are basic security measures like two-factor authentication on your accounts and using strong passwords.
The most critical process in this regard, though, is threat modelling. Anyone considering information security needs to go through an assessment to identify what it is that requires protection, who to protect it from and what their surveillance capabilities are likely to be. Without thinking this through, journalists are in danger of placing their information security needs at the wrong point on a spectrum between user-friendly but insecure tools, and tools with better security but higher technical requirements.
There is also a danger, in training journalists about information security without placing enough importance on threat modelling, that we perpetuate ‘security nihilism’, in which subjects start to feel overwhelmed by the range of security vulnerabilities and end up feeling defeatist about securing their communications, leaving the training actually counter-productive.
Q There is a risk of being red-flagged simply because of the use of certain tools like PGP or Signal, which is especially compounded when working with people across international borders. In certain national contexts this presents a bigger targeting risk than communicating about sensitive issues through unencrypted means. Can we safely advise others we work with to upgrade their security tools, essentially assuming a better knowledge of their threat model than they have themselves?
A It’s certainly true that use of certain tools can cause trouble for people in certain countries and it’s always best to assume that they know what their targeting risks are better than you. The security of the source should always be of primary importance, which in some cases means killing the story if need be or taking a step back until a safer and more secure path of communication can be established. It may also mean seeking the expertise of lawyers and specialists.
There is some cause for positivity here though, with the increasing ubiquity of end-to-end encryption in tools like WhatsApp. The more people who are communicating with end-to-end encryption, even with non-open-source software, the less likely authorities are to see this as evidence for suspicion.
Carlo summarised the recommendations from the discussion:
- It’s important for us to increase our understanding of technologies, attend events and workshops, and create a network of technology experts around us that we can fall back on.
- Media outlets have to realise that IT staff should know the importance of source protection, or trust their journalists with admin access on workplace computers.
- Conferences such as the Logan Symposium, where there are dedicated workshops on security, are great for raising awareness of the issue.
- Teach journalists the basics of security whilst they’re still at journalism school, when they're more likely to be in the mindset to learn, unlike working journalists who have little time.
- Create a pincer movement to target the people who are learning journalism and also the editors to ensure their journalists are equipped enough to be secure.
- Sell the importance of information security to editors through the idea that it is going to save them money in the long run.
In general people should look for open-source software, so that the code is available for independent audit. There are also resources and software available for guidance when conferences and training workshops are inaccessible:
- InfosecBytes: CIJ video tutorials for main security tools.
- Little Snitch: can be used to monitor apps, preventing or permitting them to connect to attached networks through advanced rules.
- Security First: produce Umbrella, a digital security handbook in a secure open-source app for Android and iOS.
- Security Without Borders: updates and briefings on hacking and information security.
- National Cyber Security Centre: these UK government security guides do actually contain some useful security advice to protect yourself from low-level attacks (though obviously if you’re investigating the security services, you may want to use more secure tools).
This discussion was part of the Investigative Practice series at the Logan Symposium, Oct 2018