Q: In terms of cyber security, what do you think is the biggest threat faced by journalists today?
A: The biggest problem for journalists is the awareness of cyber security. This includes not only awareness of how to protect yourself against threats that are common to everyone, but also threats that are specific to journalists, in terms of state surveillance and people who are after your sources. I think the level of awareness for journalists in terms of protecting themselves is very, very low. Many journalists, even experienced investigative journalists who’ve put everything on the line, are not aware of the size of their digital footprint and the vulnerability of that digital footprint.
Q: If we put in a little bit of effort, would even the laziest, most technically challenged journalists be able to protect themselves?
A: Yes. There are three parts to the answer. Firstly, the message we’ve been sold by the big tech companies is that end-user convenience is everything. We can sacrifice anything regarding privacy and individual rights if the goal is end-user convenience. As humans we need to step back and ask, “Do we need that extra convenience?” and “Isn’t it worth jumping through a couple of extra hoops every now and then if it means I’m keeping private stuff private?”.
And that goes back to the argument that you wouldn’t write down banking details and credit card details, or very personal details about your relationships, on the back of a postcard and then not expect someone at the post office to read that. We forget the old adage that we used to teach people about email: most things on the internet are like a postcard, and not a sealed envelope. That is changing, and there’ve been some really important steps towards encrypting traffic between email servers and websites, but I still think we forget what is and isn’t a public space. If a stranger was to read your Facebook profile back to you, and tell you where you went on holiday, what your child had for dinner, how many pets you have, when your aunt’s birthday was, what your political leanings are, that would be really creepy. And if you asked them how they knew all those things, and they said, “Oh, I read it on Facebook!”, that would be even creepier. You’ve got an internet stalker! Yet we still don’t make that connection that we’re sharing too much stuff.
Then, thirdly, in terms of actually protecting ourselves, there are some very basic things you can do that are not difficult, that are much easier to do now than they used to be and that will give you a very good level of protection against most threats. The message that cyber security professionals are hammering on about now is that it’s all about risk mitigation. If you look at where the highest risk of interception is, and you can mitigate against threats on that level, you can create a substantially high level of protection. If you use long, unique passwords and two factor authentication, for example, you’re mitigating against the vast majority of threats straight away.
But things are going to get harder. Right now there’s a very low chance that you or I are being singled out as targets for cyberattack; our biggest threats are the scattergun malware infections or phishing emails. Bad actors are getting more sophisticated, though. Take phishing attacks: historically these are messages that look like alerts from your bank that are sent out in bulk to mailing lists of millions of people, in the hope that one or two people accidentally give away their login details. “Spear phishing”, where an individual is specifically targeted because of their wealth or position in an organisation, requires bad actors to delve into personal histories and social media records to create very individualised messaging. It’s a threat, but not a general one, as it requires a lot of effort.
The big fear right now is that machine learning and AI is being used to mine social media profiles and other data – such as leaked password lists or publicly available employment records – to craft spear phishing mails automatically, which means suddenly every phishing mail is more convincing and dangerous.
Then there’s the plethora of “smart devices” we’re inviting into our homes. Which? magazine in the UK, one of the most respected and sober outlets for consumer journalism in the world, just released a report describing the level of “home surveillance” – their words, not mine – as “staggering”.
Q: One of the things I’m most worried about is someone hacking my Gmail account…
A: Going back to the messages that security professionals are trying to get across: You should always assume that you have been hacked. Always assume your email password is likely to have been compromised. A great many people use the same password for their email as for other online services. So if the other online service is hacked, it’ll mean the password has been published, and then it’s trivial for a criminal or a state agent who has the previous leak to just run all the combinations of usernames and passwords against Gmail.
So what can you do to mitigate that risk?
Gmail is pretty secure. You can set two-factor authentication, so even if they get your password, they cannot access your email unless they also have access to your phone. And you can see, in your security settings, a complete log of where people have accessed your email from. So, if one of those isn’t you, it’ll also alert you. They also make a lot of effort with end-to-end encryption. It’s actually a very good system for privacy in that way. And that’s also because Google wants to keep your information to themselves as much as anything else.
There’s always the question with Gmail and other services from big tech companies around, “What access do US security services have to it?” There are a lot of questions that still remain from the Snowden leaks. You can’t really protect yourself against that level of access. In defence of big tech: they spend more on security than the GDP of some small countries. That’s their business. They can’t afford to suffer a big hack if somebody got into the Gmail core. That would mean Google’s finished. So, in many ways, you are better off using a big service that’s invested in security. But then the flipside of that is that these tech megacorporations with megaclouds have access to everything about you: it’s a really difficult choice.
Q: You’ve mentioned using a VPN to protect your privacy. What is it, and why should I have one?
A: A VPN is a virtual private network. These are very useful as a tool for privacy. If you subscribe to a VPN service, you can connect to their service from your regular internet connection – whether you’re on your phone or your laptop, at home or out and about. All your internet service provider will see when you connect to, say Facebook, is the IP address and the geographic location of the VPN server you are connected to. So a VPN hides your location details and any other details you want to hide from online services you are connecting to from the other side of it. Also, when we are talking about interception by the state, once you’re connected to a VPN, all your internet service provider can see is encrypted traffic. It’s a pretty effective way of hiding the metadata around your internet use. DM
If you want to learn more about cyber protection, Adam will be hosting a workshop (https://www.meetup.com/HacksHackersAfrica/events/251205962/) on Friday 8 June, 2018) at 13:00 at Duke MMX on digital security for journalists, on behalf of Hacks/Hackers JHB.
Heidi Swart is a journalist who has extensively investigated South Africa’s intelligence service.
This story was commissioned by the Media Policy and Democracy Project, an initiative of the University of Johannesburg’s department of journalism, film and TV and Unisa’s department of communication science.
"I have made a ceaseless effort not to ridicule; not to bewail; not to scorn human actions, but to understand them." ~ Baruch Spinoza