Digital Security for Journalists
Forum of Caribbean Community Media Partners
November 26, 2015
Hilton Rose Hall Resort and Spa, Montego Bay, Jamaica
It is one of the ironies of the modern era that our greatest technological assets are presenting some of the world’s more intractable challenges. It is, of course, possible to take the argument back to the impact of the Industrial Revolution in Britain during the late 18th into the 19th centuries and the emergence of a consumer revolution there which, in turn, helped galvanise and fuel the trade in slaves across the Atlantic right here in our lands where production for consumption in the colonial motherland was the primary activity.
I often follow discussions on what we have been calling a process of globalisation and wonder sometimes if people understand the extent to which our societies in these former colonial outposts have been a part of the internationalising of production, commerce and trade. Depending on the history class you attended, globalisation has been a feature of our lives centuries before the World Trade Organisation received its mandate 20 years ago.
I make this point to indicate that however much we consider ourselves immune or distant from both the benefits and the challenges of what the planet, its people and its resources have to offer the world is very much in us to the full extent that we are in the world.
When in 2013, therefore, Edward Snowden left his job at the National Security Agency in the United States and released thousands of classified documents to journalists, notably Glenn Greenwald of the UK Guardian, the subject of those leaks ought to have aroused the interest of people everywhere, journalists in particular.
Greenwald’s stories lifted the tightly compressed veil from a massive effort by at least two countries – the US and the UK – to coordinate efforts in a mass surveillance exercise the true scope and nature of which continue to unfold. One disclosure of not more than a year ago, for example, is that the NSA has been in the habit of monitoring every single mobile phone call being made to and from The Bahamas.
Whether we consider him to be a whistle-blowing hero or a traitorous criminal, Edward Snowden’s leaks welcomed a gigantic elephant into the room where we assemble to discuss the delicate intersection of privacy rights and national security imperative.
We will not be able to arrive at any conclusions here today, but we can certainly explore a number of dilemmas that confront us as media practitioners at different levels.
We have engaged a task which embraces two different seemingly contrasting processes. For one, our media have an interest in the shaping of an environment in which there is free and open access to public information. In fact, with very few exceptions, it is desirable that all publicly-held information should be available for accessing by all citizens including journalists.
On the other hand, we have an equally compelling motivation to resist intrusion into the conduct of our own professional affairs as journalists and, indeed, as citizens. Internationally, there are now organisations that work on uncovering surveillance practices around the world, and advocate for strong privacy protections.
This came home to Trinidad and Tobago when the government changed hands in 2010 and it was revealed that for at least eight consecutive years, the authorities had been compiling files based on the telephone conversations of labour leaders, social activists and journalists. This was followed by the passage of legislation which closely resembles an emerging menu of laws in developing countries dealing with official interception of private communications including emails, text messages and phone calls.
In Trinidad and Tobago, the Interception of Communications Act prohibits such practices except in instances where there is a national security consideration or in instances where a crime punishable by 10 years or more in prison is involved. Within the first year of the new law, there were more than 250 reported interceptions – most of them linked to counter-narcotics investigations. We do not know how many convictions were achieved as a result. I suspect the figure would not be impressive. The state is not very efficient at prosecuting itself.
In Jamaica, a law bearing the same name has been in place since 2002 and was amended in 2011 to enable the authorities to disclose intercepted communications to other governments provided they meet set public interest stipulations. This followed the Manatt-Dudus Commission of Enquiry.
A closer look at this kind of measure merits another discussion at another time. But the point is being made that not all communications by citizens, among whom are our journalists, are, at law, subject to an absolute protection on the basis of the constitutional right to privacy.
But while governments are among the best resourced to execute such incursions into private communications, they are not the only ones. Both sophisticated international networks and petty cyber criminals are now known to be among the more prolific users of surveillance hardware and software in order to commit crimes including identity theft, cloning and other forms of fraud that are now known to contribute toward the commission of other crimes such as terrorism, the trade in narcotics and human trafficking.
Enter now the journalist. Not necessarily Greenwald with thousands of classified files courtesy Snowden, but perhaps an investigative journalist with the Jamaica Gleaner or Observer or Kaieteur News in Guyana or the Trinidad Guardian in possession of information that has the potential to shed light on the wrong-doing of public officials and thus help bring an end to corruption and other official malpractice.
Several challenges arise. For one, there is the question of protection of the source or sources of such information. There is no whistle-blowing legislation to protect people who wish to blow the cover on corporate or state malpractice, fraud and other wrong-doing in Caribbean Community countries with the exception of Jamaica with its Protected Disclosures Act which, of course, has to contend with the Official Secrets Act and its implications for disclosures related to information held by the state.
We have also witnessed a variety of legislative measures to address what our governments consider to be an exponential increase in criminal breaches online. It is understandable that the need to meet such a challenge through regulation is being treated as a matter requiring urgent attention, but there has so far been a tendency to legitimise official over-reach.
For example, Trinidad and Tobago’s longstanding attempt to introduce cyber-crimes legislation has been jeopardised by a fact common to other jurisdictions where new offences are being created in broad, uninformed terms that have the potential to capture otherwise innocuous online activities.
According to one analysis conducted by the Centre for Law and Democracy at the request of the ACM, there has also been a tendency to shift the onus unto users “to provide legal justification for activities which are only potentially harmful, instead of defining what is prohibited narrowly so as to capture only harmful activity.”
Much like the country’s Data Protection Act, a proposed cyber-crimes law in Trinidad and Tobago will have the impact of criminalising the otherwise innocent receipt of computer data by third parties, including journalists.
Similar challenges were experienced with respect to Grenada’s Electronic Crimes Act which essentially created an offence of “offensive” speech regardless of factual accuracy. The ACM joined with other organisations in condemning the law and arguing that the law could have had the effect of imposing a roadblock on information of public interest.
We have also argued that a public security justification for such laws ought to be precise and specific.
This might appear to be off the subject under discussion at this time, but it has a direct bearing on the ability of the authorities to legitimise incursions into both personal and corporate data sources. The threats to privacy and the integrity of journalistic data are thus, in this respect, subject to both open and surreptitious actions by the state.
So that, more or less, is the prevailing legislative environment and some trends in several countries. Some interception of private communication is permissible by the state under the law. Only in Jamaica is there a protection if the intercepted communication meets the standards set by the Protected Disclosures Act and the Official Secrets Act respectively.
The challenge now is how we operate within these parameters.
The irony is that the very technology that has become so useful to reporters in capturing and sifting information through digital means and has revolutionised the work of the investigative journalist, is what forms the basis for the development of surveillance software and other processes that provide access to the private information of media practitioners.
It is suggested that the rapid growth in the sophistication of such technologies owes much to a growing demand by governments to become more and more intrusive, often in pursuit of criminals but sometimes as part of an effort to gather information on the activities of political opponents and unfriendly states.
It has now become increasingly important for journalists and their news organisations to become more aware of the need to protect data and information and, very importantly, to protect their sources of news and information. Media development agencies are thus now working doubly hard to ensure that news organisations are equipped to counter an increasingly intense assault on the privacy of data and information received and stored by journalists and their organisations.
Awareness of this has in many instances impacted on the manner in which news sources now interact with journalists. In the case of Trinidad and Tobago, the 2010 disclosures led at least momentarily to a much greater degree of reticence by journalists and their sources when it came to the sharing of information. Freedom of the press was, in essence, under attack not through guns or official oppression but by the intangible tentacles of intrusive technology.
The challenge has also emerged at a time when newsroom operations in most of our territories in the region are beginning to shrink with declining investments in areas not deemed to be of urgent concern. There is virtually no investment in anti-surveillance software and few efforts made to promote greater awareness among our journalists of the need to address the increasingly prying eyes and ears of the state and also of criminal elements.
This leaves a heavy onus on individual journalists to ensure the integrity of the information they receive and disseminate is protected. This ought to be supplemented by media outfits ensuring that all technical requirements are in place once such information reaches their networks. This can include protected file storage resources and other technical back-stopping.
It would also be important for journalists and other newsroom operatives to acquire an understanding of what is required in the conduct of threat assessments and the use of encryption tools. Some training will be necessary and there are several possible low-cost online options.
There are also several basic precautions that can be taken with respect to the two main communications instruments: your mobile phone and your computer – these days invariably a laptop or tablet. In a newsroom environment, there is likely to be a networked desktop computer.
Let’s first deal with your hand-held device. It is now widely acknowledged that your mobile phone is a virtual tracking device. People who want to know where to find you can do so through the use of simple apps and by simply using your mobile number. In countries where some journalists are at risk, they develop the habit of switching SIM cards to make it more difficult to be tracked and monitored.
Additionally, you need to bear in mind that with the tendency to store a variety of information including contacts, appointments, photographs and documents, you would need to ensure that your handheld device is secure in the event it is stolen or left carelessly around.
Then there is the web browser you use to access sites that might be of interest to you when researching your story or checking the balance on your bank account or making that airline booking or checking email if you do not use a separate app – activities that require disclosure of information that should remain private.
The fact of the matter is that whether you like it or not, your browsing history always leaves a digital trail, whether you have cleared your cache and browsing history or not. That “incognito” function on your Chrome browser might offer you a level of privacy with respect to casual users of your machine at the office, but does not erase data saved in the browser and your Internet Service Provider can still record all of your activities on the computer.
A growing number of journalists now use Virtual Private Networks (VPNs) which provide a high level of protection for personal information including your IP address, data exchange and browsing history by using an encrypted connection to the Internet.
You can also use a Tor browser which uses a network of proxy services to beat tracking of your browsing habits and reduce the ability of hackers to get hold of data exchanged via the Internet. Even well-resourced government surveillance agencies have reported difficulty with tracking data on clunky Tor networks that move slowly but work well to mask your online footprint.
Its effectiveness has however made it a prime tool for use by criminals of all shades and it is truly a double-edged sword.
Now, let’s deal with your webmail services. I once attended a digital safety workshop in Austin, Texas put on by the Knight Center for Journalism in the Americas. Well after registering for the workshop and sharing my Yahoo email address, the first presenter began by saying that using Yahoo mail is tantamount to leaving your car with the windows down and the engine running while you went away.
So, some of us switched to Gmail. Which is all well and good. It is recognised as being more secure than Yahoo mail and it works well. However, Gmail has now morphed into an integral part of the entire world of Google and your Google account. Outlook mail is considered relatively secure, except that as recently as last month, security experts picked up a vulnerability which leaves it as less than completely secure.
Increasingly, as well, journalists are using cloud file storage services not only as backup but as a primary platform for storing files. Apple, Google, Microsoft and Dropbox are among the most popular services. For the most part, these are generally secure services which encrypt your data while at rest. If you are concerned about the infamous iCloud hacks of last year, it was subsequently explained that the celebrities involved had been the victims of a concerted phishing attack through which hackers were able to secure log-in information.
There are also secure apps for instant messaging and for making voice and audio calls.
The brutal fact is that the best way to secure your data is not to use phones, tablets and computers at all. The bad guys, including snooping authorities, are at work morning, noon and night working on ways to find out more about you, for security, commercial and malicious reasons.
Journalists are particularly vulnerable not only as individuals, but as important links between sources of information and the audiences we serve. In the Caribbean, sufficient attention is not being paid to assessing the risks and taking action to mitigate their possible effects.
I would not prescribe a descent into systemic paranoia to which so many have already fallen prey, but would propose far greater caution than we have displayed within recent times.