How journalists can protect their digital information

Avoid risk by securing electronic devices

Joel Simon, head of the Committee to Protect Journalists, writes about the safety of journalists for CJR.

In the upcoming movie Rosewater, which tells the story of the 2009 arrest journalist Maziar Bahari, a laptop sits on the table during the interrogation session and serves as a source of unending information for his captors, from personnel contacts to Facebook “likes.” The movie, the directorial debut of Jon Stewart, opens next week.

Some of the information extracted from the computer is almost comical. In one scene, Rosewater, played with chilling intensity by the Danish actor Kim Bodhia, grills Bahari (Gael Garcia Bernal) on his association with Anton Chekhov, whom Rosewater assumes to be Zionist spy. “Who is he?” Rosewater rails at Bahari. “Tell me. You indicated an interest in him on Facebook.”

But the implications are not at all funny. In fact, the standard email and social media account contains the kind of information that interrogators used to pull out fingernails to get—your friends; your colleagues; your associations; you private opinions; your political beliefs.

Bahari, who is from Iran but lived in London, had returned home to cover the 2009 presidential elections for Newsweek and Britain’s Channel 4. He was arrested and falsely accused of espionage as part of the elaborate Iranian government plot to blame the post-election protests on outside agitators. I worked closely with Newsweek and Bahari’s wife Paola to support an international campaign that eventually won his release. But it wasn’t until I met Bahari in New York in November 2009 and had the chance to speak with him at length about his interrogation that I fully grasped the implications.

Much has been made of the role of social media in fomenting the Green Revolution that followed Iran’s 2009 presidential election. But there has been much less attention paid to the way that Iranian authorities used social networks to reverse engineer the protest movement, surreptitiously populating Facebook and using passwords extracted by force to establish connections and relationships.

For me, the Bahari case was an object lesson in the limitations of using technology to confront autocratic regimes. It also served as a wake-up call to journalists about the importance of safeguarding electronic information. Later this year, CPJ will update its 2012 Journalist Security Guide with a more detailed section on information security.

The situation has only grown more urgent since Bahari’s interrogation. In many parts of the world, government interrogators confiscate all electronic equipment from journalists and others that they capture and immediately demand passwords. So do non-state actors, ranging from drug traffickers in Mexico to militant groups in Syria. Interrogators from the Islamic State, which has brutally kidnapped dozens of journalists, “seized their laptops, cellphones and cameras and demanded the passwords to their accounts,” according to the October 25 account by Rukmini Callimachi in The New York Times.

There are of course other less vicious methods for obtaining information than pulling people off the streets—hacking operations, or the use of sophisticated software to implant malware, copy hard drives, and monitor communication.

While repressive governments and militant groups pose the most direct threat, you don’t have to work in a police state or war zone to worry about information security. The NSA’s surveillance programs have given US authorities access to a huge portion of all global internet traffic, including the correspondence of journalists. US journalists have some legal protections, but international journalists do not. In fact, a former NSA official told me recently that communications between a Pakistani journalist and her sensitive sources, for example, is precisely the kind of the intelligence the spy agencies are looking for.

Journalists have become completely dependent on their electronic devices to do their work, manage their communications, and transmit material to their newsrooms. What can they do to protect themselves? Based on interviews with security experts, working journalists, and CPJ staff, here is some basic advice:

  • Start with the knowledge that in most instances protecting your information is a function of common sense and does not require technological prowess.
  • Approach information security in the same way you approach physical security. This means starting with a risk assessment and an emergency plan. For example, if you are concerned that you might be hauled and interrogated and made to surrender your password, you might use encrypted communication to send all sensitive information outside the country or wipe all contacts from your computer. You might even choose to do your reporting the old-fashioned way, using a notepad and a pen.
  • Consider the worst-case scenario and make sure key people know what to do if something goes wrong. If you are detained do you want your editor to arrange for your email account to be shut down and your Facebook profile to be removed? That could make sense in some instances, but not if you’ve created a separate email account with innocuous information that you plan to make available to authorities in order to assuage their suspicion.
  • Good information security is a process that involves not just reporters, but editors and other support staff. Of course news organizations should provide proper training and support, but they also need to manage expectations. Editors who review and monitor personal security should do the same with information security. There are many instances in which filing the field greatly increases the risk to reporters and their sources.
  • Encryption is vital but is not a panacea. Standards and capabilities are constantly evolving, and strategies that were once thought to be safe have recently been revealed to be ineffective. In some countries the use of encryption can actually attract the attention of the intelligence services. In at least one country (Pakistan) the use of encryption is illegal.
  • Protecting information involves not only managing technology but advocating for reasonable limits on government’s ability to access electronic communication. That is why CPJ launched the Right to Report campaign, which calls on the US government to prohibit the hacking and surveillance of media organizations; limit aggressive whistleblower prosecutions that have ensnared journalists; and prevent the harassment of journalists at the US border.

At a discussion I moderated in an advance screening of Rosewater, I asked Bahari if his experience in prison has led him to believe that the Iranian government was winning its war against information. Bahari said no. It’s true that repression is rising along with controls on the internet. But Bahari believes that social networks and communications technologies ultimately make censorship impossible. This may be true, but governments around the world understand that in order to retain power they must control information. Unless journalists take aggressive action to protect their data they will face risk to themselves and their sources.

Joel Simon is a CJR columnist and the executive director of the Committee to Protect Journalists. His second book, The New Censorship: Inside the Global Battle for Media Freedom, was published by Columbia University Press in November 2014.