
A webinar on ‘Digital Security for Journalists’ conducted on 20 September 2022 by Wan-Ifra, supported by the Meta Journalism Project, provided important insights on how journalists can keep their phones and devices safe from online security threats by using various available tools and services.
Gurshabad Grover, a technologist and legal researcher based in Bangalore, gave a quick rundown on how to secure accounts and profiles along with tips on tools and techniques for digital security, and the use of encryption, among other topics.
The program was designed for editors, sub-editors, news editors, digital editors, reporters, and other editorial members in the Indian news publishing industry using digital platforms for writing and reporting.
Starting the discussion, Grover explained how press freedom was under attack across the world and how governments in power or other various other actors often intervene using information access laws, and other interception methods such as hiring hackers or even seizing devices physically.
Password and encryption
He suggested the use of strong passwords as the first and foremost method to keep the devices safer. One key aspect one should keep in mind is not using the same password across devices. A password manager, he explained, is a useful tool that can collate all passwords and generate new ones.
Encryption is another way to keep our devices safe from unwanted actors. It is a way to scramble information so that only those with keys can understand what is being shared. Encryption makes information unintelligible and even if someone accesses the data, it would be meaningless because they wouldn’t be able to decode it.
There is data at rest, which is static information stored on devices. And there is data in transit, which is moving data such as emails or messages, which are being sent from one device to another. Encryption can help secure both kinds of data, he explained.
Websites with HTTPS make info transfer and browsing confidential whereas those with HTTP are not secured and all information such as who has visited and what the person has accessed is visible to all. With HTTPS, service providers can, however, see which website a person visited but not see the passwords, specific information, etc.
A device, or a specific folder or file, can be encrypted software but it may slow down the machine. It can add another layer of security but is not completely foolproof.
VPNs, messages, and mails
Some people use VPNs (Virtual Private Network), where no metadata about the final destination is visible to internet service providers. However, Grover warned that VPNs are not the final word as they come with their own risks. One should take into account the quality, grade, and privacy policy of VPNs before using them.
Then there is Tor, or The Onion Router, which is a multi-layered software that enables anonymous communication. It helps conceal a user’s location and usage from anyone performing network surveillance or traffic analysis.
Coming to calls and messages, he suggested going for end-to-end encryption platforms such as Signal and WhatsApp, in which third parties cannot decide the information or messages in transit. Some platforms such as Telegram are not encrypted, he warned. In the Twitter DM, a service provider can decrypt and read the data but not any other third party.
People often store and share data on Google Drive or Dropbox, which is not completely safe. All services have advantages and disadvantages, Grover explained.
Emails are a common mode of communication, which is quite like sending a postcard. It is, however, possible to send end-to-end encrypted emails using premium services such as Proton mail or Tutanota.
One question that came up was can hackers access computers without the Internet or an external network? A device can always be physically accessed and broken into and so it is always better to keep them secured.
Chargers and public plugin points can still comprise a device even if not connected to the internet, he warned. The same goes for public WiFi.