5 technical facts journalists should know about digital communication
The job of journalists is to report, and, therefore, digital security matters a lot. Thanks to multiple user-friendly tools, journalists do not have to become technology experts to remain at least relatively safe on the internet. However, a basic understanding is necessary, because ignoring some core facts about digital technology can lead to serious consequences that can compromise your security.
We list five facts journalists should know about digital security. Also check out our Dangerous Errors to learn more about this.
The internet only works with data
Data packages are necessary to transport the information you want to send and receive — and it will always be like that. Whenever you read something about “anonymisation” or “encryption”, this could in fact help you hide what you do or who you are. Use it! But be aware: There is still data that might be linked to you and your behaviour, especially in cases where you have a very powerful adversary, you do something wrong or if the service has a security breach.
In other words: There is no absolute security - but you could try to achieve a level that makes it very hard to link data you produce to your identity.
Metadata versus Content
A core differentiation you should make in your risk assessment is the one between metadata and the content. In general, mostly everything can be divided in these two groups. While ‘content’ means what is communicated, ‘metadata’ means who communicates with whom, when, where and in what manner. ‘Metadata’ are data about the communication itself. They are necessary to make the communication work. Similar to a letter: While you write a letter, you also have to write your name and the name of the recipient on the letter to tell the post officer where to deliver it.
This is important to keep in mind when you think about countermeasures: While it might be relatively easy to protect the content using strong encryption, this does not solve the problem of metadata. You cannot just encrypt the recipient's address on a letter for example, because the post officer would then not be able to transmit it. Protecting metadata means to hide your real identity, for example in using a pseudonym.
Communication over the internet does not only work over one common signal, but transports different kinds of information over different layers. Some are only technically relevant, but others could compromise the confidentiality of your communication. You should therefore be aware that protecting yourself on one layer might not be enough to reach your desired security level. For example, hiding your IP address (“IP layer”) might not be enough if your browser also sends information that makes you unique (“application layer”).
A smartphone is a tracker by definition
Smartphones are useful, because people can communicate always and everywhere. This usability feature, however, has an important downside: It means that telecommunication service providers (TSPs) constantly need to know where the smartphone is located. The system that the TSPs use is called triangulation and could locate a device on a level of accuracy of meters. Be aware of that –- and maybe leave your smartphone in another place if no one should know where you’re going.
Excluding an ISP entirely is fairly impossible
An internet service provider, in almost every case, provides you with access to the internet. Either you signed a contract with the ISP, or you use the internet of another person or company that did - for example a public WiFi or the internet of your company. All these entities signed a contract with an ISP, and they provide people with an IP address.
Whatever you will do on the internet, it will not be possible to exclude such an ISP entirely from your connection, because you rely on it. This does not mean that the ISP can monitor everything you do. On the contrary, approaches like encryption can make it possible to hide a lot from an ISP. But you are never entirely “invisible” against an ISP, even if you use tools like a VPN or Tor. In these cases, the ISP at least “sees” that you use the VPN or Tor.
Why is that important for journalists? Compared to other internet companies, ISPs are mostly deeply regulated by states. They operate a critical infrastructure, and they are in many cases obliged to provide access to the communication flows in their systems.