Shields Up: You Are Worthy of a Data Breach
No more modesty—your data is an attractive target, no matter how boring you think you are
Learning about journalists’ security habits is a bit like being a relationship counselor, and the press certainly has a complex relationship with security breaches. I often hear reporters say, “I’m not important! No one would want to hack me.” And to that I say, hey, give yourself some credit! Your work is important, and your data is absolutely interesting to adversaries.
Your work has real political consequence, and a lot of people and institutions are interested in the information you have. For newsrooms, an adversary may include thieves, hackers, and sometimes even other newsrooms that want to scoop you. Some of you get extra attention from more well-resourced adversaries for your reporting, including government agencies and law enforcement groups.
You know what’s the biggest security threat to journalists? Modesty.
Stop Being Modest
Let’s look at the reasons you might not think you need to worry about your information security.
“I’m not so worried about myself. I’m more worried about my sources,” you say.It’s okay! I want to reassure you that you are personally worthy of a data breach.
We all know the journalistic trope of the defiant reporter in court who would sooner go to jail than identify a source.
The good news is that most reporters don’t end up in court. The bad news is, without strong data hygiene, your data can tell the whole story on your behalf.
If you would go to jail to protect your sources, why wouldn’t you put in a little effort to protect the files and conversations you share with them? Increasingly, how journalists choose to communicate, how journalists choose to store data, and how journalists choose to secure devices are the decisions necessary for defending sources. You can only protect your sources if you protect yourself.
“But my stories and sources aren’t sensitive,” you say.Again, It’s okay! I want to reassure you that you’re still worthy of a data breach.
It’s true that some reporting beats are more likely than others to pursue highly sensitive stories, or to be in contact with sensitive sources. It’s also true that you don’t need to be a national security reporter to be interesting to attackers. At a minimum, your access is interesting.
Every reporter has elevated access to information. Newsrooms routinely connect with sprawling networks of sources, colleagues, and competitors.
They also stockpile datasets for stories like it’s going out of style.
You may have access to internal cloud storage (e.g., via Dropbox), internal communications (e.g., email, Slack), internal documentation, as well as login credentials for external accounts (e.g., Twitter). Taken together, newsrooms are remarkable information hubs. Perhaps that’s why news organizations are among the most targeted institutions in the world for digital attacks.
No one wants their Twitter account to get hacked. Just ask the Associated Press, which apparently crashed the Dow after hackers caused a ruckus on Twitter.
Because many security breaches affect everyone in the organization, newsroom security should be thought of as a collective practice. We need to think about newsroom security in terms of defending each other, and not any one individual.
So don’t be so modest! If you work in a newsroom, you are almost certainly worthy of a data breach. I hope you feel better.
With that in mind, it’s worthwhile to learn about how data breaches happen, as well as defenses.
Your Data Matters—Know How It Will Be Intercepted
There are a couple of common ways U.S. journalists are likely to have their conversations compromised: court orders and intrusions.
Journalists should know that third parties hosting their data—any social media service, cloud-based file storage company, and chat provider—can be compelled to share their data with courts. For example, in Hulk Hogan’s suit with Gawker in 2016, which ultimately brought the company down, the court requested Gawker’s internal chat logs.
That led to the awkward situation where their Executive Editor John Cook had to explain to lawyers why employees were sharing images and joking about Hulk Hogan’s “anatomy.”
If you’re going to use services provided by companies that can read your data, be cautious about what you share. Quinn Norton put it best:
Don’t ever say anything on Slack you don’t want read aloud in front of a 72-year-old Alabama judge in federal court.
This is a pretty good reason to use end-to-end encryption, meaning no one but you and your conversational partners can unscramble your encrypted message. It’s getting pretty easy; consider trying out Signal for small-to-medium sized group chats. For those looking for a conservative, end-to-end encrypted Slack alternative, consider checking out Semaphor. Likewise, consider using “zero-knowledge” cloud providers (e.g., SpiderOak). Zero-knowledge simply means that the provider can’t read your data.
Once more, you’re more interesting than you think.
Even when the content of the conversation isn’t available, our conversations produce metadata—information about who spoke to whom, when, and for how long. For example, in 2013 the Justice Department seized phone logs of Associated Press reporters with a subpoena to the phone company, without notice to the AP. And unfortunately metadata can be enough to convict someone. For instance, a former CIA officer, Jeffrey Sterling, allegedly spoke to James Risen of the New York Times for a story on a botched operation to undermine the Iranian nuclear program.
Risen refused to identify his source, but today Sterling is in prison. His prosecution and conviction relied on metadata—not the content of his phone calls.
Most of the communication tools we use in the newsroom are not built to protect metadata. If you’re interested in learning more about practical source protection, including some metadata-resistant options, read Quinn Norton’s excellent guide.
Consider whether to move your most sensitive conversations to more secure channels, especially those you wouldn’t want read in front of a 72-year-old Alabama judge in federal court.
When we think about data intrusions, it’s easy to imagine three-letter agencies and sophisticated hacks, but you’re more likely to run into a small number of techniques that anyone with a little know-how can use to take over online accounts and devices.
Attackers typically exploit a combination of weak passwords, forged phishing pages intended to steal your login credentials, and malicious email attachments and links.
Learn to Focus Your Defenses
We can be paralyzed when thinking about so many security concerns.
Instead, focus on responding to specific threats to specific information you intend to protect. Before setting up defensive tools and practices, think about these questions:
- What kind of information do you want to protect?
- Who do you want to protect it from?
- What are their capabilities? What resources (e.g., financial, legal, technical) do they have?
- How likely do you think that is?
- How much effort are you willing to put into protecting it?
Security professionals call this approach threat modeling.
Threat modeling is a helpful way to narrow your focus and to come up with appropriate defenses. For example, if you are concerned about a government gathering your internal chats, their capabilities (e.g., lawyer armies, intelligence work, deep pockets) are very different than the capabilities of a smaller attacker (e.g., intrusion attempts with fake login pages). Plan accordingly.
Defensive tools and practices always change, but knowing how to think strategically about defense is a lifelong skill.
Regardless of your threat model, reporters should be aware of some basics. Most of us try to avoid doing more work than we need to, and attackers are the same. With little cost to yourself, you can make attacks much more expensive with some simple tools and techniques.
- Keep your devices and software updated. Security researchers and hackers find holes in software every single day, and most software updates include valuable security patches.
- Use long, random passwords to isolate inevitable account breaches. Password managers (e.g., 1Password, LastPass) make this easier. Read a guide on how to get started. Password managers can also help you speed up logins by letting you automatically fill out credentials in online forms.
- You also want to use two-factor authentication (2FA), which makes logins more secure by requiring users to provide a second piece of information to log in. The second piece of information is typically a short code sent to a mobile device using an app like Google Authenticator. Check out Two Factor Auth, a long list of popular websites supporting 2FA.
- Learn about how to identify phishing links to fake websites that trick you into entering your real credentials. (Using a password manager with auto-fill will prevent you from automatically filling logins in fake phishing pages.)
- Some of the most common files we interact with every day (e.g., PDFs and Microsoft Office documents) are great at delivering malware. Avoid downloading or launching suspicious sources. To avoid launching shifty documents on your personal computer, consider opening them in Google Drive instead.
- Don’t put the USB you found in the parking lot in your primary computer. Instead, an inexpensive Chromebook can help you reformat USB devices much more safely.
- To keep communications from being easily intercepted, you want to use end-to-end encryption whenever possible. To get started, consider using Signal for iPhone and Android to secure messages, so third parties cannot read them. Consider encouraging colleagues and sources to use it as well. (Pro tip: Telling people “This is the easiest way to reach me,” goes a long way.)
Read more about how to arrange newsroom security basics here.
Demand More of Your Newsroom
There’s a lot we can do on our own, but newsroom security is a team sport. Consider asking for support from your news organization, and encourage your colleagues to do the same.
One of the most important things journalists can do is talk to colleagues about data retention policies. If your newsroom doesn’t have a policy outlining when and how to delete your most sensitive data, why not? Likewise, you can personally choose to occasionally purge old, unneeded messages and files. For example, Signal allows you to make messages disappear with a pre-set amount of time, ranging from seconds to days. Just like we practice personal hygiene, we can minimize the impact of a breach by practicing good data hygiene.
What kind of help does your newsroom offer? Does your newsroom require two-factor authentication on all of your important internal accounts? Do they ask you to use short, or non-random passwords?
The truth is that few widespread security changes really happen without at least one person who actively pushes the newsroom forward. Consider being that person, and see how many colleagues will follow your lead.
Don’t be so modest; you’re more important than you think.
Martin Shelton is a user researcher working with at-risk groups and the press on digital security hygiene.