Seven digital security habits that journalists should adopt
RSF’s tips for journalists to protect online communications
Cyber-surveillance is a bigger threat than ever. New forms of censorship are emerging, implemented by troll armies paid by authoritarian regimes. They include double switch, in which a journalist’s online account is taken over in order to disseminate fake news, smear the journalist, and censor independently reported news and information.
In response to these new threats, RSF recommends additional vigilance. This includes adopting both simple tools and good habits. The following recommendations are not meant to be exhaustive or to offer tools that will completely eliminate the dangers of surveillance or of someone taking over your accounts. Technology evolves quickly and today’s advice may not be relevant tomorrow.
1 - Make mistrust your motto
- Avoid prying eyes
- Don’t work with your back to a window.
- When travelling by train or plane, put a privacy filter over your laptop screen to limit lateral vision.
- Avoid being separated from your equipment.
- Get a webcam cover.
- Don’t download any files or click on any links sent to you from unknown sources. Personalized phishing attacks are very common.
- Carefully check the email address or online presence of anyone who shares a link with you. If in doubt, verify the sender’s identity with other contacts or by using a search engine.
- Always research tools and the context in which they are used.
2 - Passwords: secure your connections
- Use passwords to protect your online activity.
- Use a pass phrase rather than a password.
- When creating a pass phrase, use digits and letters in upper and lowercase to create a sequence that is relatively complex but easy to remember, rather than a more abstract sequence of digits and special characters.
- Use a different pass phrase for each online service.
- Use a password manager such as LastPass, which is available as an extension for Firefox, Chrome and Safari. You can use it to store all your pass phrases.
- When in doubt, check the strength of your pass phrase here.
- If possible, use “two-step verification” to protect your email account. When it is set up, your email cannot be accessed without entering the different code that is sent each time by SMS to your mobile phone. Without your mobile phone, no one can get into your email account. Whenever you connect to Gmail, remember to click on the “Details” link at the lower right of the page. It opens a window that shows all recent connections to your account and will allow you to identify suspicious activity. Note: criminal organizations and hackers in the pay of a government may have the ability to intercept these SMS messages and thereby take over the accounts of targeted journalists.
- As a journalist, you should segment your digital activities and use several email addresses: a personal one, a professional one, one for online purchases and so on.
- Remember to disconnect whenever an online operation is finished.
3 - Protect yourself from cyber-attack
- Online attacks, whether aimed at taking over an account or smearing a journalist’s reputation, have the same objective: to discredit the messenger in order to kill the message.
- Check social network confidentiality rules and clean up your profiles, keeping in mind that doxxing, the aggressive use of personal details found online – especially on social networks – is increasingly employed in harassment campaigns against journalists.
- Use an antivirus AND an anti-malware tool such as Malwarebytes.
- Activate your firewall.
- Keep your operating system (Windows, macOS, etc.) up to date.
- A media outlet should ideally have several administrators whose profiles are not directly linked with the media in order to maintain access to its website even when the profile of one of the administrators is blocked.
4 - Delete your digital tracks
- Use Namecheckr to check your online presence.
- Remember to disconnect after checking your email, Facebook account or Twitter account.
- Erase your browsing history.
- Never save a password in the browser of a public computer. If you have saved one by mistake, erase the browsing history when you finish working.
- Delete cookies. The way to delete this kind of data varies from browser to browser. A good way to avoid making any mistakes is to use the private browsing mode in Firefox or Chrome.
- At an advanced level, you can use Tails.
5 - Encrypt your access to online services
- Use encrypted messaging apps such as Signal (while keeping up to date with any reports about vulnerabilities in these apps).
- FlowCrypt is a Chrome and Mozilla extension that enables end-to-end encryption of email.
- Privnote and ZeroBin are websites that allow you to send someone a link to an encrypted message that self-destructs after being read.
- To talk to your sources via the Internet, use apps such as Jitsi Meet, a free and fully encrypted Skype equivalent.
6 - Secure your browsing
- Install a VPN in order to encrypt your Internet connections.
- Install the Tor Browser, which allows you to browse anonymously.
7 - In a hostile environment, don’t let your phone become your worst enemy
- Don’t put your contacts’ real names in your phone’s contacts list. Assign them numbers or pseudonyms so that others (the police, armed groups, and so on) cannot get the details of your network of contacts if they ever seize your phone or SIM card.
- Take spare SIM cards with you whenever you think your SIM card might be confiscated (at demonstrations, border crossings, checkpoints and the like). If you ever have to get rid of a SIM card, try to destroy it physically.
- Lock your phone with a password if it has this feature. Change the default PIN of your SIM cards and lock them with this code.
- Consider turning on your phone’s flight mode in situations in which the security forces might target people with mobile phones (at demonstrations, during an uprising, or whenever a crackdown is possible). The authorities could later demand the call or SMS records or phone data of any individual at a given location at a given time in order to carry out mass arrests.
- Turn off geolocation in your apps unless you need to use it. If you are using your mobile phone to stream video live, turn off the GPS and geolocation functions.
- If your phone uses the Android operating system, software for encrypting your browsing, chats, texts and voice messages is available from the Guardian Project and Signal. When using your phone to go online, use the HTTPS Everywhere extension.