Investigative reporters face a two-fold challenge: surveillance software has become mind-bogglingly sophisticated; and funding is pouring in for development of new technologies. These new products are purchased gray market by governments that spy on their public – and their press.

Robert Guerra, a digital security expert at the Canada-based Citizen Lab, warns that most reporters aren’t even taking the most basic precautions.

“If you become known for investigative reporting, people can use digital tools to come after you and your data,” says Guerra, who for more than a decade has trained NGO staffers and journalists to securely manage relationships and data online. “Start with the principles. Know the risks. There are some simple things folks can do.”

Guerra suggests starting here:

  • If you travel to a country known for spying on the media, don’t rely on an email provider based there.
  • At home, use a secure provider – you can tell if your email is secured by looking for the “https” in the address bar. Gmail is secure by default, while Yahoo and Facebook settings can be adjusted. Why? If you use a free wireless network, anyone can tap into your screen with a simple and free software program. That’s a problem if you’re communicating with a source. It’s as if you were in a busy public place having a conversation with a confidential source, Guerra explained, “but you’re both screaming.”
  • Don’t assume your employer is protecting your account. Ask your technology desk about what precautions it takes, and consider getting a personal account from Google or Yahoo over which you have control.

If you have Gmail, everyone knows your User Name. So a hacker only needs your password. An obvious first step is using a more complex password. There are guides to creating stronger passwords listed below. Also, for more sensitive interactions, Gmail, Twitter, and Facebook have added an additional – optional – layer of protection – the two-factor login. When you activate the two-factor login, and enter your password, the account sends a text message to your phone, providing you a unique authentication code you must enter before accessing the account.

Establish multiple user accounts on your computer, including at least one user account in addition to the default administrator account. Making sure the second account has no administrative privileges, then use that login for your daily work. Then if malware tries to install automatically, the computer will alert you with a message requiring the administrator password.

  • Beware of suspicious attachments, keep your programs updated, and install a good antivirus program. Usually programs you buy will provide greater protection.
  • Watch for emails from groups or people you might know, but which seem slightly off – small grammar changes or odd punctuation.
  • Mac users, avoid being lulled into a false sense of security.
  • Outdated computers without security patches can put you on greater risk.

Make noise if your computer starts acting wacky. Reach out to one of the nonprofit groups dedicated to detecting and tracking attacks and training users. They include:

Tutorials and Tipsheets

There’s no shortage of guides to digital security. Many are overly complex and not terribly useful for working journalists. But there’s help out there, and it’s worth designating someone on your team, in your newsroom, or at your nonprofit to take the lead in ensuring that your work is protected. Here are some resources:

Security in a Box offers a series of video tutorials on simple ways to maintain a low online profile. Available in French, Spanish, Italian, Portuguese, Russian, Arabic, Armenian, Croatian, Ukrainian, Serbian, Albanian, Bosnian.

The Committee to Protect Journalists addresses cyber security as part of its Journalism Security Guide.

Reporters Without Borders also has published an Online Survival Kit, available in five languages.

Digital First Aid Kit is a guide published by a dozen media-related NGOs, including Free Press Unlimited, Freedom House, Global Voices, and Internews.

Surveillance Self-Defense provides a basic guide to protecting your data. It also has a few other tips and tutorials on keeping your data safe:

  • Proper use of passwords: Choose strong passwords using Diceware, avoid reusing passwords, consider using an encrypted virtual safe or password manager, avoid giving easily found answers for security questions, using two-factor authentication passwords. If you write passwords on a piece of paper in your wallet, make sure to add dummy characters before and after real passwords, and don’t clearly label accounts. Don’t use the same password for multiple accounts. And change the passwords regularly.
  • You should not destroy evidence, but you can maintain a retention policy in which you routinely purge your files. Make sure the policy is written and followed by everyone. “It’s your best defense against a subpoena — they can’t get it if you don’t have it.”
  • Basics of data protection: Require logins for accounts and screensavers. Make your passwords strong. Make sure you trust your systems administrator.
  • Data encryption:Governments can get around password-protected data. But well-encrypted data is more difficult. SSD offers another basic guide to how encryption works
  • Protection from malware: Use anti-virus software, keep your security patches updated and avoid clicking on suspicious links and files.

Eva Galperin of the Electronic Frontier Foundation via the U.S. Public Broadcasting Service provides this tip sheet for Best Practices. A few key points include:

  • Skype isn’t as secure as you might think. Governments can track your movements. Instead, consider using Google Hangouts
  • Text messaging is insecure and not encrypted.
  • Instant message with Pidginor Adium (Mac OSX)

Steve Doig, a professor at Arizona State University in the U.S. provides these tips in his presentation Spycraft: Keeping Your Sources Private (PowerPoint):

  • Search the web with IXQuick, which doesn’t save your IP address or search terms.
  • Disguise your caller ID with SpoofCard. This works for international calls as well.
  • Buy no-contract cell phones with cash.
  • Encrypt communications:
    • Pretty Good Privacy is strong and an industry standard.
    • Spam Mimic encrypts messages in spam-like email
    • Clean out deleted files for good using Webroot Window Washer
    • When obtaining leaked documents from a government source, beware of invisible watermarks.

The London-based Centre for Investigative Journalism has an 80-page handbook, Information Security for Journalists, full of tips and techniques.

The UNESCO report Building Digital Safety for Journalismoutlines 12 specific digital threats “including illegal or arbitrary digital surveillance, location tracking, and software and hardware exploits without the knowledge of the target”. It provides tips on how to keep your data and yourself safe.