Privacy experts Jillian C. York and Eva Galperin from the Electronic Frontier Foundation had good and bad news for journalists from around the world seeking to learn how to protect their data from potential security threats.

“The good news is that going to security training is better than not going,” Galperin told participants in a workshop on digital security and privacy at the International Press Institute (IPI)’s World Congress. “The bad news is that security training is often a failure.”

Galperin, a global policy analyst, said the problem with most security training workshops is that the tools and techniques introduced often end up being “things you’ll do later”, which never really materialise.

To remedy that issue, the presenters reserved time at the end of the session to walk participants through how to use the security tools of their choice step by step.

Before diving into the hands-on portion of the workshop, they explained the terminology relevant to digital security, as well as how to think about and assess one’s own digital security needs. One of the most important steps is threat modelling to help people determine the level of security needed for their data.

“The purpose of threat modelling is to make your life simpler and more manageable,” Galperin said, noting that it involves answering a series of important questions, such as:

- What do you want to protect?
- Who do you want to protect it from?
- How bad are the consequences if you fail to protect it?
- How much trouble are you willing to go to in order to protect it?

York went through the list of questions with participants, including a journalist who wanted to protect website discussion boards from government trolls who aim to disrupt threads by posting spam or inflammatory comments.

“Security isn’t just about you,” York stressed, noting that, for journalists, a breach of their data could endanger their entire network, including sources. In fact, she emphasised, a journalist’s sources are one of the assets they should most want to safeguard from potential adversaries.

Other threats to privacy in the digital sphere addressed at the workshop included account hijacking and the deletion or alteration of communications.

York and Galperin pointed out that because different adversaries have varying ability levels, different levels of security are required to protect data from a random hacker versus a large government agency. They also stressed the importance of risk assessment, calculating the likelihood of a given threat against a particular asset, and determining the level of security necessary based on that assessment.

“We know journalists are very brave people, but your sources might not be,” York said. “They might have taken the biggest risk of their life by talking to you.”

The pair recommended security tools journalists can use to protect their data, including Signal Private Messenger, a phone app that encrypts messages between users and allows them to verify one another’s identities. York and Galperin also discussed two-factor authentication, an additional layer of protection beyond a password that is offered by major sites like Facebook and Twitter. It helps protect against phishing attacks by sending a code to the user’s mobile phone.

The trainers further encouraged the use of a virtual private network (VPN), which helps mask Internet activities and can potentially circumvent government censorship online by routing traffic through servers in different geographic locations. Free VPNs are available, but they come with additional risks since they push advertising that could potentially contain malware. York and Galperin urged participants to push their media organisations to set up a VPN for employees to use.

“You shouldn’t have to spend your own pocket money just to be safe,” Galperin said.