Why journalism needs information security
Philip Di Salvo is a Visiting Fellow at the London School of Economics and Political Science’s Department of Media and Communications and a post-doctoral researcher at Università della Svizzera italiana (USI)'s Institute of Media and Journalism. His areas of research are whistleblowing, investigative journalism, internet surveillance and the relationship between journalism and hacking.
Watch the video of Philip's talk
Why information security matters
- A 2020 report by Jennifer R. Henrichsen for The Tow Center for Digital Journalism found that journalists and management tended to view security reactively, being more likely to engage in relevant practices after a breach had already happened.
- Last year, a group of nonprofits and media organisations teamed up for the Pegasus Project, an investigation which revealed governments’ use of private spyware Pegasus to surveil journalists, activists and politicians.
- By the end of 2021, over 220 journalists had been identified as targeted or confirmed targets of state spying attacks using the spyware.
9 tips to take care of your digital safety
1. Take some time to evaluate your own security. “I think that all journalists should at least dedicate some of their resources and time to actively consider information security within their own working routines. And we should start stressing one point, which is to keep in mind that information security is very adaptable, and each and every individual journalist has different needs, and potential risks to respond to,” Philip said.
2. Try threat modelling. “Having a threat model approach means making an assessment of our adversaries, their capacities in terms of surveillance, the meters they may be using against us, and the resources they have. This should be the start of any discussion,” Philip said. The key point he stressed is that context is everything, and different journalists will have different needs, requiring a bespoke approach to digital safety.
3. Start with source protection. “Of course, source protection is a primary concern for everybody. Not only for advanced investigative reporters, but for every journalist and I can tell that for every source, there is an information security practice that can be adopted according to the risk scenarios where this has to be done,” Philip said.
4. Go back to basics. “Information security in most cases is basic digital hygiene,” Philip said. Despite the need for a tailored approach to digital security, some simple measures should be adopted by everyone. He highlighted using strong passwords to protect online accounts, software and other online services. Philip added that journalists can also be victims of online threats such as phishing, and advised to stop and think before clicking on any links in emails. Other practical tips he gave were to keep devices updated, to delete unused apps, to use disappearing messages when possible and to restart a device before a sensitive phone call. Something else to be aware of, Philip added, is if your data is automatically saved on a cloud, which opens it up to additional threats.
5. Use encryption tools. “Encryption means locking data and communication with a safer and stronger digital lock. And in some cases, making communication anonymous or not traceable by third parties. And I think this description really already applies quite nicely to the needs and the problems that journalists have to face in the digital context,” Philip said. Encryption software can be used for data in transit or when it is stored on a device. For communication, Philip advises using the encrypted digital messaging service Signal. Another tool he recommends for communicating with whistleblowers is SecureDrop.
6. Don’t assume you won’t be targeted. “If you are a journalist covering non-sensitive topics, within a general purpose publication, you may think, ‘I don't need to adopt anything,’ but that could make you the weak link, and the first line of attack to get to your colleagues who are actually working on sensitive topics,” Philip said. You may not face the greatest threat, but every journalist faces some digital security threat.
7. Use multiple devices. “If the threat model of a journalist is really dealing with very sensitive sources, the suggestion I got, reporting again on research results that I've been gathering the past few weeks, is to use multiple devices. So that if you need to talk with your Snowden, for instance, have a phone which only does that,” Philip said. This way, if your personal phone is compromised, the conversations with your super-sensitive source will still be safe.
8. Beware of security fatigue. “This also leads to what is usually called security fatigue, like, ‘There is nothing I can do, there is no protection. It is better to throw away all the technology and forget about it,’ which is very dangerous. But actually, there is in most of the cases, something that can be done, there is a line of defence, there are responses available out there, there is software that can be used.”
9. If you’re a newsroom leader or journalism teacher, make this a priority. “I think we haven’t pivoted to security yet, but we should,” Philip said. Despite a growing awareness of digital security over the past decade, many newsrooms are still only relying on what Jennifer Henrichsen calls ‘security champions’, or journalists who happen to have a particular interest in information security who bring this issue to their colleagues’ attention. Another issue is within journalism education, which Philip said does not tend to formally include information security.
The bottom line
Information security is becoming increasingly essential for journalists around the world. While most of us will probably not be targeted with Pegasus spyware, we all face a threat of some level from a variety of possible attacks. Every journalist should take the time to evaluate their own information security practices, and if they don’t have any, today is a good day to start. There are measures to be taken to protect ourselves, our sources, and our colleagues. Newsroom leaders and educators have a particular responsibility to make digital security awareness a fixture in their newsrooms or classrooms. Information security can no longer be an afterthought and must be recognised as a crucial element of modern journalism.
If you want to know more...
- Read Philip’s books, Leaks. Whistleblowing e hacking nell'età senza segreti (in Italian) and Digital Whistleblowing Platforms in Journalism
- Read Information Security Essentials by Susan E. McGregor
- Read the Global Investigative Journalism Network’s digital security guide