1.1 Getting Started
Objective: Understanding Threats to Your Digital Security (Read time: ~TK minutes.)
The axiom of journalists is often "trust, but verify"; or, "if your mother says she loves you, check it out." For the purposes of investigative journalism and conflict correspondence, we should take the "zero trust architecture" (ZTA) approach to our work.
These models and examples are meant to help you (very briefly) recognize threats before moving into implementation, so that you're prepared to understand how each change addresses gaps in the security of yourself, your sources, and your work. Ideally, over time, these practices will feel natural (comfortable, if not intuitive) and become second nature for safer communication and reporting.
[todo] brief write-up on advance planning with editors, and redundancies
One final note: these measures can help prevent, or at the very least mitigate, snooping on your work by law enforcement and intelligence agencies, but they are not an exhaustive set of methods for doing so. They are merely the foundation. The single point of failure is always being human.
There are four major tiers of threat modelling, as described by Cupwire^1. The tiers below summarize the scenarios regularly encountered by journalists and the requisite digital and operational security practices.
- Protection from casual snooping: friends, family, and petty theft
- Protection from corporations: personal data collection online that could lead to compromising your address, telephone numbers, reporting plans, or loved ones.
- Protection against targeted, non-government attacks: denial-of-service campaigns limiting your access to "phone home," cyber-stalking or doxxing campaigns, non-state-actor threats.
- Protection from federal governments and intelligence agencies: complex disinformation campaigns, location and sourcing tracking
"A journalist may want to protect their sources from harm or retaliation, therefore their threat model will include ways to avoid location tracking, encrypt or otherwise protect the uncensored information they receive from their source, and other similar information that might reveal who their source is or allow others to track them to their source."^2
Considering the above levels of threats, there are many attacks which cross all four. Conducting thorough risk assessments ahead of any assignment is paramount to good personal and digital security. The steps in this guide will help prevent a wide range of them.
[TODO] include detailed write up on each threat level and small workflow changes to mitigate (these will be expanded in later sections)
A Quick Note for Newsrooms and Journalists Who Rely on Google Workspace
This guide assumes you're forced to rely on Google Suite. Google is safe and getting better, but its tracking processes are of great concern. Apple shows similar signs of faults that could compromise journalists. Meta has already shown an inability, or unwillingness, to protect those who use its platforms for reporting and communicating with sources. A large part of the threat modelling in this guide is premised on the assumption that you're moving to partition your work and personal lives.