By Stefanie Phillips, RSJ ’18
This year, an article in the Columbia Journalism Review explored how basic cyber security intelligence has become “essential” for all journalists. But based on data collected by the Citizen Lab, most journalism schools are still not doing enough to prepare young journalists for online dangers that threaten to expose their sources and colleagues.
We sat down with RSJ data journalism professor and CBC senior developer of news interactives, William Wolfe-Wylie, to compile a list of 10 things every journalist needs to know about cyber security.
Wolfe-Wylie said cyber security is particularly important for journalists because they are public figures who tend to be “rocking the boat,” which often makes them targets for hackers.
“They’re targets of people who disagree with their coverage. They’re targets of people who are in positions of power. They’re targets of people who want a heads up on what tomorrow’s news is going to be. They’re targets of rivals,” he said. “But none of those things are particularly unique to journalists. … These same techniques apply to the vast majority of humanity. Journalists, as members of the vast majority of humanity, get to be concerned about it.”
Here are Wolfe-Wylie’s ten tips:
1. Practice threat measuring
The most important thing journalists can do is start thinking like hackers. Wolfe-Wylie encourages journalists to ask themselves, “What information would a hacker want to know?” Threat-measuring also includes evaluating the risk of being hacked by thinking about the information and sources you’re dealing with, asking who would want to access that information, and understanding how far they would go to get it. “Depending on what information they want, you have to decide if you’re okay with them getting it,” he said.
2. Understand what data sites are surveilling
Wolfe-Wylie said that beneath the surface of information we see on public sites like Twitter, Instagram and Facebook is a library of metadata: background data that provides detailed descriptions of how you use those services. He said the main thing to remember when you feed data into these sites is that some of your data will be available publicly (depending on your privacy settings), making you subject to surveillance. In some cases, the security of those sites can be breached. In fact, breaches happen quite frequently. Wolfe-Wylie said knowing that you might be watched and understanding how it happens is good practice for everyone online. “Some people will make the call that they are fine with being spied on … but others will want to take measures to protect themselves,” he said.
3. Protect your passwords
4. Always use two-factor authentication
Using a password manager is only the starting point. Wolfe-Wylie recommends journalists use two-factor authentication for two reasons: to add another layer of protection and to be notified when someone else is logging into your account.
5. Turn on ad-blocker when possible
“I hate telling this to journalists,” he said, but it’s important because ads can be the first point of access for hackers.
6. Use a VPN when on public WiFi
Wolfe-Wylie said journalists are especially vulnerable when they’re on public WiFi. “If you’re ever on public WiFi … be on a VPN. It prevents people from snooping into what you’re browsing,” he said.
7. HTTPS everywhere
This browser extension is a free service that automatically makes your browsing more secure by using a secure HTTPS connection instead of just an HTTP one. Put simply, this service prevents people from snooping on you while you’re browsing on public WiFi.
8. Turn off devices
When you are crossing international borders and want to protect your information, or if you have an inkling that you might be the target of a police raid, turning off your phone is the first line of defence against the authorities. “When I have my phone unlocked, it is wide open,” said Wolfe-Wylie. “You plug in your police device or your surveillance device and you can download everything on my phone. But if I turn off my device, then the whole device is encrypted and you can’t get anything off of it. It’s a brick as far as they’re concerned.”
9. Use a passcode or password, instead of finger or face verification
Wolfe-Wylie said the second line of defence against authorities is turning off finger and face verification on your devices and using a passcode instead. “With a passcode the [device] remains encrypted,” he said. “You can refuse to give a passcode and that is protected under the [Charter of Rights and Freedoms], you can refuse to divulge information. They can ask you for your passcode as much as they want but you don’t have to give that to them. Protecting your face from them and protecting your thumb from them are harder to do.”
10. Leave devices at home
If you think you can prevent your device from spying on you, think again, because it’s basically impossible. So when you need to protect your source’s identity, Wolfe-Wylie explains it simply, “just leave [the devices] at home.” He says to meet sources without tapping cards on transit systems, bringing phones in your pockets or wearing watches on your wrist. If it is digital, it can be tracked. “Use an old-fashioned pen and paper to take notes (and) an old-fashioned tape machine, if absolutely necessary.”