As technology further advances, so does the potential for cyber threats and hacks. Whether journalists are reporting from war zones, crime-ridden countries, or within national borders, they are often at risk of digital surveillance from those who want to silence their voices.
In recent years, media coverage of digital security and the public awareness of it have increased. Bill C-59, for instance, sparked a discussion on cyber safety. The Liberal security bill gives Canadian electronic spies—part of the Communications Security Establishment—power to conduct cyber attacks against foreign governments and people. This is a first in the CSE’s post-war history, according to the Toronto Star.
While Canadian electronic spies are given power for purposes of public security, the treatment toward national security journalists in Canada and foreign correspondents by protective governments is called into question.
“Journalism is printing what someone else does not want printed,” renowned author George Orwell said. It’s a saying often used by national security and cybersecurity reporter J.M. Porup. Porup, a former computer programmer, is currently based in Toronto.
“It’s about preventing someone from preventing you from doing your job,” he said, referring to the importance of cybersecurity for journalists. “These people will work to prevent your voice from being heard.”
Bill C-59 is currently under review by the House of Commons’ national security committee. On Dec. 18, The Citizen Lab—an interdisciplinary research organization that covers law, technology, and security—and the Canadian Internet Policy and Public Interest Clinic released an analysis of the bill, which raised several red flags.
While C-59 focuses on foreign governments and citizens, it also authorizes the CSE to “acquire, use, analyze, retain, or disclose” any publicly available information. This category includes anything published, broadcasted, or accessible on a global information infrastructure. Accessible information includes what can be public upon request, by subscription, or by purchase. For most people, information that needs to be bought is often not viewed as public.
With the CSE having access to “public” information, people’s digital security is called into question—including journalists’.
But before thinking about online self-defence, Porup said everyone must acknowledge that it’s not only a digital issue. Technology’s advancements led to digital lives and physical lives moulding into one—people constantly carry their phones, computers, and other trackable devices. If a person is targeted digitally, his or her life may also be under threat.
“It used to be that we lived in the real world and then we went online. Now, we live online and go into the real world,” he said. “There is a merger of online and real world.”
One example is Marie Colvin, an American war correspondent whose communications were intercepted while she was reporting on civilian casualties in Syria. She was tracked, targeted, and killed through artillery fire in 2012 by Syrian military officers.
Duncan Pike, a co-director at CJFE, organized a cyber security workshop at the end of October in light of the increasing cases of government and organization surveillance against journalists and advocates.
“This is increasingly an issue that I think everyone needs to take seriously,” Pike said. “Canadian journalists do not take the measures they need to properly ensure their digital security is protected.”
Sometimes the resources aren’t there for journalists to learn what tools to access and how to properly equip themselves, Pike added, saying that it’s “heavily important that this gap is filled.”
The workshop discussed “threat modelling,” which means identifying who to be scared of and who’s likely to cause harm. As a crime reporter in Mexico, the threat is the Mexican mafia, Porup said, whereas an unethical spy agency is the threat to a political journalist writing about corruption.
In order to properly defend oneself, Porup said, journalists should fully understand how computers and the internet work, and what threats make journalists vulnerable.
Many journalists are aware of the dangers of messaging or calling someone on unencrypted databases, which is why the apps Signal and WhatsApp—which ensure there is no third-party access—are growing. Tor is also a popular software used to protect data against network surveillance and traffic analysis.
Journalists may use safe apps and programs, but they can only mitigate the threats—not fully avoid them. People can remove the camera and microphone from phones, and use a pouch that blocks signals going in and out of phones—but it’s not a realistic way to live. “Even Edward Snowden can’t solve these problems,” Porup added.
For journalists, a big issue around the need of education of threats is lack of time. When reporting in a war zone or under a tight deadline, journalists don’t have time to research the latest updates and technological tools. This is why, Porup said, more newsrooms like The New York Times are hiring specialized in-house experts. The Times hired Runa Sandvik as its director of information security in March 2016.
“It’s impossible for everybody to be a security expert,” he said. “It’s unrealistic to expect everyone in a newsroom to be experts in this arcane field of knowledge that they have no training or experience in.”
Everyone has a niche expertise or level of experience, Porup said, and Christopher Parsons—a research associate at the Citizen Lab and one of the authors of the analysis, as well as the managing director of the Telecom Transparency Project—focused his work on third-party access to telecommunications data. He said the safest way for foreign correspondents to keep their data safe is to leave no trail.
Intelligence services need to consider their threat-model when reporting abroad. To avoid being tracked, cautious reporters won’t write down the names of their sources, locations, or keep any recordings easily accessible. If they do keep data, it should be heavily protected. This is an extreme tactic for more vulnerable journalists, but danger level of their threat-model determines whether it’s necessary.
The extremity of digital security awareness changes as reporting becomes more sophisticated and high-risk, but Parsons said it all depends on the country a person is reporting in and the nature of the coverage.
Another factor that puts journalists at risk is their ignorance to their own vulnerability. Parsons said a lot of hackers target individuals who aren’t expecting to be hacked in order to access data from someone who is higher up in an organization.
“There is a perception quite often that ‘I’m not important enough to be targeted,’” Parsons said. “You might be targeted because you’re an entry point into the organization.”
In order to be on-guard to email phishing, Parsons said that people should always fact-check emails before clicking on any attachments. If it is necessary to look at a document, view it on Google Docs preview instead of downloading it as a Word document, which infects software, he added.
Smartphones and computers should be constantly updated.
“Be mindful,” he said, adding that it’s important for journalists to slow down their processes, and think about what they’re clicking or how secure they’re being.