Offensive security is a technical problem, but defensive security is a political problem. Nowhere is this maxim clearer than the realm of journalist security.
Journalism is one of the cornerstones of our democracy possible, but today journalists face constant digital threats to their ability to do their jobs as a watchdog for government and industry. Worse, journalists don't tend to be the most tech-savvy people in the world, and they struggle to defend themselves. When journalists can't fulfill their role as the Fourth Estate, society as a whole suffers.
Defending journalists--and, by extension, our constitutional form of government--requires journalists to do their due diligence by using best-of-breed security tools, but it also means understanding that in the face of targeted attacks by nation-state actors, journalists must pursue political solutions, not just "download a magic encryption app" technical solution.
With that in mind, here are eight security tips for journalists.
1. Use Signal
Encryption hipsters are rolling their eyes, but a surprising number of journalists still haven't heard of Signal. Opting out of mass surveillance is the first step in a journey of a thousand miles. There's no longer any excuse for not encrypting your texts or voice calls. Signal makes it easy for non-technical journalists to encrypt all those things (or most of them, anyway). Available for iOS and Android, Signal is, at the time of this writing, the most usable and secure form of end-to-end encryption available.
2. Use Tor
"Use Signal, use Tor" is cliché at this point, but it's the beginning of any conversation about journalist security. End-to-end encryption does not hide whom you're talking to, when you're talking to them, how long you're talking to them, or even the geo-spatial coordinates where you and your phone are located at the time of contact. Known (unhelpfully) as "metadata," this activity information is as useful to an adversary as the actual content of an encrypted message. Is a government employee messaging you, a journalist, on Signal? It doesn't take a genius to guess what might be going on.
Anonymizing that activity information is therefore critical, and Tor is, at the time of this writing, the best anonymity software available today. Optimized for web traffic, Tor bounces your browsing session through three proxies. Tor supports only TCP traffic and can be used to proxy other services as well.
Tor has gotten a bad name because criminals also use Tor to obscure their online web browsing, but Tor is a clear case of a dual use technology. The only way for journalists and whistleblowers to take advantage of Tor's anonymity features to do good things is if criminals are also able to use Tor to do bad things. Attacks on Tor that scream "Four Horsemen of the Infocalypse" are therefore attacks on journalists' ability to do their jobs.
Use Tor for all your sensitive research. Tools based on Tor, like OnionShare and Ricochet, may also be right for your use case. OnionShare makes it easy to share large files over Tor, and Ricochet offers encrypted chat over Tor.
3. Don't use PGP
Pretty Good Privacy (PGP), and its free software implementation, GnuPGP, is a hot usability mess. Unless you're doing hard-core national security reporting, or you're a software developer signing code, the drawbacks outweigh the benefits of using PGP. Even expert users make mistakes when using PGP, which can easily put a source--or journalists themselves--in danger. Worse, PGP does not enjoy Perfect Forward Secrecy (PFS), which means key compromise gives an attacker the ability to read any and all emails previously encrypted with that key.
4. Don't use email
Email is garbage and needs to die in a fire. Email was originally developed for academics to message each other on mainframes in the ‘70s. Do you still listen to eight-track tapes? Have you even *seen* an eight-track tape? That's how old email is. We're stuck with it for legacy reasons, but email is suitable for little more than newsletters and spam at this point, and certainly not for anything sensitive.
5. Deploy Transport Layer Security (TLS) on your news org's website
Adversarial journalism is about publishing so that people can read it, and today that means publishing on the web. Publishing without HTTPS, which uses TLS, means there is no guarantee that what you publish is what the reader will actually see, as recent reporting from the Citizen Lab makes clear. A malicious adversary can hijack an unencrypted web browsing session.
Further, the right to read anonymously is fundamental to democracy. Neither your ISP nor the government nor anyone else should know what news articles you're reading, when you're reading them, or how long you spend reading them. HTTPS obscures which articles on any given news site a reader is browsing, limiting the damage.
6. Learn how the internet works
No, really. How can you threat-model if you don't understand how the threats work or what is possible? We instinctively understand physical threats in meatspace, but threats in the cyber domain are unintuitive and seem abstract, distant, unreal. Learn how attacks work, what they can accomplish, and how to respond.
Bits and bytes traversing silicon are very different than ink on paper. Using the word "publishing" for the same activity in both domains distracts us from how different they are. Printing presses are a one-to-many broadcast medium with meatspace distribution channels. Disrupting that broadcast is not impossible--dictators have successfully done so--but the nature of the technology makes that kind of censorship very difficult.
Online "publishing," however, involves a one-to-one real-time communication channel. My device connects to your server on TCP port 80 (or hopefully port 443). That session can be easily monitored or disrupted.
Censorship looks very different on the cyber domain, where targeted gaslighting for power and profit is cheap and effective. Attacking or threatening journalists too often succeeds. Because "publishing" online is so much cheaper than pressing ink to paper, it becomes trivial to engage in signal-to-noise ratio attacks that drown out the truth. Disinformation attacks that involve publishing deliberate half-truths make the reading public doubt the reality of what's being reported.
This fundamental difference between the two technologies tilts power away from journalists. That's why it's important we stop talking about "freedom of the press." The printing press is obsolete, replaced by the internet. Stop acting like the internet has the same affordances as a printing press. The enemies of journalism--and democracy--will happily grant you the right to press ink to paper if you grant them complete, totalitarian control over the internet. Solving the journalist security problem requires more than just "download this app, you're cool."
7. Think like an attacker
Once you know what is possible, think about what a ruthless attacker might do to shut down your reporting. Hack your phone and live mic your conversations? Maybe it's time to remove the cameras and mics from your smartphone. Hack your laptop? Maybe it's time to get geeky and install Qubes. Track your geospatial coordinates in real time? Maybe it's time to buy a Faraday pouch--or better yet, leave your smartphone at home. Mass surveil every bit of unencrypted communication you generate, including metadata, and correlate that with others' digital profiles using machine learning? Now we reach the limit of technical solutions and begin to see the need for political solutions.
8. Stop thinking you're going to go cloak-and-dagger with spies and win
Glenn Greenwald played PGP footsie with the NSA and won--but that ain't going to happen again. Journalists cannot win a technical showdown with nation-state adversaries on the cyber domain. Not against the NSA, or the FSB, or Unit 8200, or GCHQ, or the Chinese, or anyone else. If they want you, they are going to get you.
This is not cause for despair. Journalists as a class suck at solving technical problems, but we excel at solving political problems. We must fight on terrain of our own choosing--on the battlefield of public opinion--where we excel at the blood sport of exposing corruption, demanding reform, and ending political careers.
On the cyber domain, the best defense is a good offense. Sharpen your pencils--and attack.