Chapter 1: Understanding and evaluating digital risk
Journalists face a wide range of digital threats because of the work that they do. These threats range from online abuse to hacking to spyware and they have serious consequences both for the journalists themselves as well as for freedom of expression. Even though these challenges are significant, there are steps that journalists can take to protect themselves. The first of those steps is understanding digital risk and how to mitigate it.
Take a look at our helpful guidance below:
- Journalists face a wide array of digital threats because they are often revealing information that others do not want made public and also because journalists are usually public facing and need to have a presence online. This makes them, unfortunately, an easy target for digital attacks.
- Not all journalists face the same digital risks. The risks they face depend on a series of factors, including: the topics they report on; who the people or groups who want to target them (adversaries) are, and what their tech knowledge and capacity are; which country the journalists and their adversaries are based in, and the tech capacity of that government; how tech-savvy the journalists are; and whether they have already been identified as targets.
- While journalists know that digital security is an important issue, they may not have time to dedicate to it.
- Journalists may be using outdated digital safety advice.
- Journalists often use their personal devices for work; they frequently have very little separation between their work and personal life both online and off.
- A digital risk assessment is a document with questions that helps journalists think about the digital risks they face as well as ways to reduce the risks. Journalists may or may not be familiar with risk assessments as they may have had to complete a physical risk assessment for some stories.
This section covers best practice that can be used when teaching the activities in this chapter. See the resources section in this chapter for further reading.
- Journalists face a wide range of digital risks. This is because of the nature of their work and because they are often publishing information that others do not want made public.
- Adversaries will target a journalist in a number of ways and for a number of reasons. Some common threats include:
  - Taking over accounts to obtain information saved in them or to post information that could discredit the journalist
  - Seizing devices or infecting them with spyware
  - Obtaining information contained on those devices, including documents, access to accounts, and intercepted communications
  - Monitoring their internet activity
  - Gaining information on their research and who they are contacting
  - Intercepting communications
  - Figuring out who they are speaking to and when
  - Online abuse
  - Attempting to discredit the journalist and undermine their reputation, to get them to stop publishing content, or to force them offline
- Getting the journalist to understand who may wish to target them, and the tech capacity of that adversary, is an important part of keeping them safer. Governments, for example, have access to high levels of tech ability as well as the financing to hire others to carry out digital attacks on their behalf. Non-government adversaries can also have plenty of time, determination, or advanced tooling. Research the tech and operational ability of an adversary by carrying out an online search with the name of the adversary plus keywords such as hacking, spyware, or online attacks.
- Recommend that journalists stay up-to-date with digital security issues by signing up to tech newsletters produced by media outlets in their region. Security News This Week is an excellent global newsletter, though it is US-centric at times.
- A digital risk assessment is a document with questions that helps journalists think about the digital risks they face as well as ways to reduce the risks. At the end of each section of this course, journalists have the option of completing a section of a risk assessment.
When speaking about the risk assessment and personal security plan it may be helpful to touch upon the following:
- Get the journalists to focus on the types of digital risks they may face based on where they live and the type of stories that they cover. Encourage them to think of, research online for, or speak to other journalists in their region or covering the same beat and find out the risks they face. Have any journalists reported hacking attempts on their accounts? Have they faced legal requests for their data? Is online abuse prevalent and who is behind it? Having answers to these questions will help journalists to better gauge their own risk.
- Ask them to think about any previous digital threats they may have faced. For example, have they noticed that someone has tried to hack their accounts? Are they receiving malicious calls or messages?
- Get them to think about particular stories or beats that could be riskier than others. For example, are they covering a story where sources may cause them harm or are doing something illegal? Are they receiving sensitive materials? Do they have to contact people to talk about an issue that could be considered sensitive?
- Ask them to think about how visible they are online. Do they share a lot of data about themselves? Are they public-facing, for example do they host a show or write opinion pieces? How at risk are they from doing this work?
Below are some common questions that journalists ask about account security. It can be helpful to have answers to these prepared in advance.
What is a digital security risk assessment?
Explain that it is a document with questions that help the journalist think through risks that they could face as well as steps they could take to reduce that risk. Tell them that ideally the risk assessment would be completed with support from an editor and the final copy shared with the editor and/or the team the journalist is working with. Point out that it is important to do a risk assessment for all stories that could include digital risk. This could include stories that involve contacting sensitive sources or receiving sensitive information, or that may involve digital risks such as device seizure or hacking of accounts, amongst others.
Why do I have to complete a risk assessment?
Completing a risk assessment is the best way of being able to predict risk and then mitigate it. It will give journalists time and space to carry out any security steps they may need to take in advance of a story. This means, if there is a security issue, the journalist will have already put all the steps in place to ensure they are as safe as possible and they will know what to do if there is an incident.
Once I have completed the risk assessment what should I do with it?
Explain that it is important to share that risk assessment with the editor or others in the newsroom who may need access to it. If the risk assessment contains sensitive data then the journalist should restrict its distribution and only share it through encrypted channels, which this guide will cover in more detail in chapters five and six.
At the end of the session journalists:
- Have a greater awareness of how they use technology in their everyday lives
- Have a greater understanding of the digital threats they face based on their own risk profile
- Understand what a risk assessment is and how to complete one
The following templates and tools can be useful for teaching this session:
The following resources may be helpful for teaching this chapter:
- How technology is changing the harassment of journalists and what newsrooms can do about it, by Freedom of the Press Foundation
- Safety and risk assessment, by the Rory Peck Trust
- Online Harassment Field Manual, by PEN America
The activities below are designed to accompany this training session on account security. Trainers should feel free to use their own activities as well as to adapt the materials in this guide to best suit the needs of the journalists they are training. The number and type of activities selected will depend on the level of knowledge of the trainer as well as the amount of time the trainer has to spend with the participants. For those new to training in digital safety, don’t forget to review the Training digital security for the first time? section for best practice guidance.
Objectives:
- Participants gain a deeper insight into the role that technology plays in their daily life
- Participants gain an understanding of how others' use of technology can be an important factor in their own security
- The understanding developed in this session will help participants map the risks related to using technology in the next two sessions

Materials: whiteboard or flipchart, board pens, paper, pens, Post-its
❶ Step one
- Ask the journalists about their day-to-day use of technology. Some key questions could include:
  - How much do they enjoy technology?
  - How old are their devices or do they like buying the latest gadget?
  - Who else is using devices in their home? Are they sharing devices?
  - Are they using personal devices for work-related content?
❷ Step two
- Tell the journalists they are going to spend some time mapping on a piece of paper the different ways that they interact with technology. This can include: the makes and models of their devices (if known); who has access to their devices; what kind of online accounts they have, for example messaging apps or food delivery apps, and where these apps are located; whether they use any apps or services which share details such as their location; and what devices they connect to in their home, for example their TV.
❸ Step three
- Have a class discussion focused on the ways journalists are interacting with technology. Points to discuss include: How do they use technology for work and in their personal lives? How do family and friends influence what tech they use and how they interact with this technology? Is there a difference in how they use tech for work compared to their personal life? How does their job require tech, and how much support do they have from media outlets?
Objectives:
- Journalists start to think about the risks involved in using technology both in their personal lives and their work environment and how their work increases that risk.
- Participants gain a deeper insight into how others in their network can increase or decrease their risk

Materials: board or flipchart, pens

Trainer note: this activity follows on from the introductory activity at the beginning of this chapter. Some of this activity asks journalists to talk about possibly sensitive issues. Remind them that they do not have to talk about their own personal experiences; instead, they can speak about more general issues. Best practice for this activity can be found in the section, Training digital security for the first time?, located at the beginning of this chapter.
❶ Step one
- Ask the journalists to look at their work on their use of technology from the previous exercise. Ask them to think about what possible risks they could face from using technology. For example, are they concerned about hacking of their accounts? Do they worry about what data apps and services are collecting about them? Would they like to know more about how to secure sensitive documents?
❷ Step two
- Write up the following: What do you want to protect? Who are you protecting it from? How will you protect it? What happens if you fail to protect it?
- Ask the journalists to look at the questions and to think about what threats they could face. Ask them to write down answers to the questions.
- Help them think about the types of data that could be most vulnerable, for example, financial data, sensitive documents given to them by sources.
- Consider who may target them. For example, do they worry about being targeted by criminals who may steal their identity? Are they concerned about governments obtaining their data? Could they be threatened by online groups who may try to steal their information?
- Tell them that they may not know how to protect themselves yet and that these will be skills they will gain during the training session.
- Encourage them to think of the worst case scenario and what will happen if someone does gain access to their data. Explain that thinking about what could happen will help them plan to better protect it.
- Encourage participants to think of where risks occur when their personal life overlaps with their profession, for example, using the same phone for work and personal communications.
❸ Step three
- Facilitate a class discussion on this issue pulling out common themes and threats.
Objectives:
- Introduce participants to the risk assessment and risk mitigation

Materials: whiteboard, flip chart, pens, risk assessment document
Trainer note: this exercise requires that trainers have a good understanding of what steps journalists can take to protect themselves online. Best practice for this can be found at the beginning of each chapter of this guide.
❶ Step one
- Ask the journalists what they are currently doing to protect themselves in terms of digital security. Facilitate a class discussion and point out common answers. Some frequent answers could include:
  - Using secure passwords
  - Having two-factor authentication turned on
  - Using Signal
  - Using a VPN
Point out that it’s not important that journalists know how to do all of these security steps yet as they will learn them throughout the course.
❷ Step two
- Ask the journalists whether they have heard of a digital risk assessment and what it does. Give a brief overview, using guidance from earlier in this chapter to help you if needed.
- Share the risk assessment template with the journalists and ask them to look through it. Answer any questions they might have.
❸ Step three
- Tell the journalists they are going to work alone to complete the section of the risk assessment titled "Thinking about general digital risk".
- Journalists should work on answering the questions and providing concrete steps for mitigating risk.
- Provide support if they have questions or doubts, or look like they need additional help.
❹ Step four
- Help journalists reflect on the process by asking the following questions:
  - What information have you learned in today’s session that has helped you make more informed decisions around this issue?
  - What else do you think you need to learn?