How to Start Taking Digital Security More Seriously
Any journalist can be a target, no matter their role. It’s time to take more steps toward security.
I really do think twice before sending a snarky tweet these days. Whether it’s organized harassment, doxxing, or any other variety of trolling, digital attacks against journalists feel more high-stakes than ever—especially for women and women of color. As naturally sarcastic person and a woman of color myself, I often find myself thinking: is this the thing that’s going to set them off? (*them being the unknown, masked mob of Twitter trolls) Is this the day I’m going to get doxxed?
Two years ago, I joined a team of journalists and security experts, convened by OpenNews to write and begin building The Field Guide to Security Training in the Newsroom. This resource was meant to be a curriculum for any newsroom who wanted to train its journalists on digital security topics like email phishing attacks or using more secure means of communications with sources.
The lessons in the curriculum can help your newsroom colleagues get better at security, and they’re also a chance for you to raise awareness in your company. Coming up with a plan ahead of time is way better than responding to a breach after the fact.
Remember: just by committing any act of journalism, you are worthy of a data breach. You may be thinking, “well I only have a small Twitter following, no one is going to notice and target me,” but in the current climate, any story has the potential to go viral and bring unexpected attention to the news organization that published it, as well as the individual journalist behind the byline.
Still not convinced? Read on from Martin Shelton, a digital security expert who works with journalists and has written extensively on these topics: Journalists, You Are Worthy of a Data Breach.
I spoke with a range of folks whose work takes place at this intersection of the internet and journalism, and I asked them what newsrooms can be doing better, both to support their staff and freelance journalists online. Larger news institutions have started to staff up their digital security teams and offer training to help their reporters minimize the damage, should they become the target of one of these attacks.
Neena Kapur, senior information security analyst, New York Times
Kristen Kozinski, training manager, information security, New York Times
Kapur and Kozinski lead a program for training journalists in digital security at The New York Times. Earlier this year, they brought their show on the road, presenting at NICAR19. Their trick: dox yourself before you get attacked so you know what personal information is easily findable about yourself.
“If a doxxer is having a hard time finding your information, they may change targets,” said Kapur.
Their presentation is a 90-minute workshop that sends participants away with “homework”: doxxing themselves. Another tip is to gather your colleagues for lunch (a “Dox and Lox” was suggested) and encourage them to take an hour or two to work through the exercises.
“It’s just as important to us that freelancers are taken care of,” said Kozinski. Their team plans to make their resources available to freelancers in the future, and both said they have worked with freelance journalists on security questions. “If a freelancer reaches out to us, we are committed to helping that individual,” said Kapur.
Martin Shelton, security researcher who works with journalists
Shelton, who has written extensive guides for journalists who want to dive into secure communications with sources, setting up tiplines, and more, said doxxing yourself is just the first step. The next step is to pay to remove that information from the web – but who should pay for that? Newsrooms, said Shelton. “I think it’s a very realistic occupational hazard, especially in the context of politically sensitive reporting.”
Next, Shelton says newsrooms need to be taking stock of their technical infrastructure and thinking about all of the ways data travel in and out of the newsroom, in order to identify potential weaknesses and ways to lock down information.
But, if he could get all journalists to adopt a single piece of advice, Shelton echoes Kapur and Kazinski: Multi-Factor Authentication, often known as Two-Factor or 2FA. That paired with strong password management are the “low hanging fruit” in terms of steps newsrooms and journalists can take.
“We’re also seeing newsrooms increasingly with these tenuous relationships with their journalists,” said Shelton. “Anyone could be a freelancer at any time.” Which means it’s important for individuals to take steps to secure their online data and accounts, in addition to the steps taken and plans made by newsrooms.
One tip that may feel unsexy or easy to overlook is updating device software, Shelton said. “I don’t think people take security updates nearly seriously enough.”
Chris Grant, editor in chief of Polygon
At Vox Media, editors are trying to proactively identify stories that might trigger an online attack against one of their journalists, said Grant, whose experience covering Gamergate led him to informally coordinate digital security strategy across the Vox properties.
“Getting sucker punched is often more traumatic than being in the fight,” he said. “Being prepared is better than being surprised.” This means editors may review a quick privacy checklist with a reporter before a story gets published.
Grant said it’s incumbent upon the newsrooms to make sure journalists can continue to do their work without fearing for their safety.
Grant even lobbied Vox Media leadership for additional resources. “We’ve done a good job, but the problem isn’t getting better, it’s getting worse,” he said. “We’re seeing more harassment, more abuse, more targeted dog-piling.” As a result, the company is hiring a digital security expert. But he recognizes that isn’t a financial reality for all news organizations.
“The only real way that this is going to work is if all these newsrooms consider this a collective work together. To help not only identify threats, but identify and share best practices.”
Amanda Hickman, director of the Freelance Futures initiative at AIR
Hickman led the work that we did for the The Field Guide to Security Training in the Newsroom two years ago. She continues to work with journalists and technologists on a number of topics, including digital security.
She says reusing passwords, or having 7–8 variations of the same password, is one of the worst digital security practices in place. “I think a lot of people assume that nobody’s looking,” she said. “It’s sort of like, do I really need to lock my door, is there really someone walking down the street checking doors?”
Hickman acknowledges that the advice out there for password management can feel overwhelming. “It’s really easy to be like, ‘Ugh this is hard to get right all the time, so I’m just not going to try anything,’” she said. It’s more important for journalists to take some steps toward protecting their online privacy and strengthening their passwords practice, than to get the entire digital security setup “perfect.”
She has specifically been working with more freelance journalists lately—who have different security risks and needs than a journalist in a permanent, full-time position with a newsroom.
Newsrooms should be cognizant of how they make their resources (training, support, etc) available to their freelance writers. For example, if a newsroom is hosting a brown bag lunch on digital security topics, they could invite their freelancers to join in person or remotely. Another tip from Hickman is to ensure that commissioning editors, those working directly with freelancers, are aware of the resources that may be offered to the freelancer if the online mobs come for that individual.
A Few More Resources
Whether you’re a freelancer, a reporter in a newsroom, or a newsroom leader, I hope you take something away from this piece: a way to strengthen your personal digital security practice, an idea to bring new training to your staff, or questions to ask your leadership team about digital security.
Below, we’ve included several resources for journalists that have been compiled by many smart folks. This list is by no means exhaustive or complete, but I hope it’s a good starting place.