Chapter 3: Device security

Introduction

Protecting devices and the content on them is an increasingly complicated issue for journalists and newsrooms, especially with the threat of increasingly sophisticated spyware being used against reporters. This session will provide journalists with the best practice guidance needed to better secure their devices and help them think through what steps they need to take based on their own threat assessment.

This chapter will cover:

  • Thinking about individual risk when it comes to protecting devices
  • Best practice for securing devices
  • Protecting against malware
  • Understanding how mobile phone operators and mobile phones work
  • Guidance on spyware

Training journalists for the first time?

The following can be helpful to keep in mind:

General

  • Journalists often use their personal devices for work-related content.
  • Money is an issue for journalists, especially freelancers, when it comes to buying new devices. Newsrooms are not always able or willing to provide staff with work devices. Smaller newsrooms also lack the expertise on how to manage and secure devices. Newsroom IT often focuses on basic functions, such as setting up email and computers, and can sometimes lack more specialised security experience, especially concerning threats against journalists.
  • Media workers are likely to be using old devices, especially Android phones, which they often will not have updated. Media outlets may be using desktop computers which are using older versions of Microsoft software.
  • The use of pirated software is very common among journalists in certain regions of the world.
  • Journalists may be unaware of what content is being stored on their devices and where it is being backed up.

Mobile phones

  • Journalists’ phone numbers will have been shared with a wide-range of contacts, which may include government officials, the authorities, and people who may be classed as hostile to the journalist.
  • Journalists will have built up their contact list over years and they will not want to stop using their phone number. It is better to suggest that the journalist gets a new personal number and keep their original number for work.
  • Think about whether the journalist needs more than one device or whether they only need an extra number.
  • Be aware that, in some countries, having more than one phone or a SIM/ phone number issued in another country can make the journalist look suspicious.
  • Many countries now have compulsory SIM registration, which means that you need to present a passport or similar document to get a SIM card.
  • Journalists now do a significant amount of work on their mobile phone, including recording interviews, shooting video, and reviewing documents. In some countries, journalists will only be using a mobile phone for their work and will not have access to a computer.
  • Sources will be reaching out to journalists and journalists will often be accessing source data, including documents, via their mobile device.

Training digital security for the first time?

This section covers best practice that can be used when teaching the activities in this chapter. See the resources section in this chapter for further reading.

General best practice

  • A journalist’s computer and mobile phone are a target for adversaries who may want to obtain the information contained on them. Adversaries can use many different techniques: they could infect the device with malware, they could get authorities to seize a device, coerce the journalist into giving up the password, and search it, they could try to pick up an unlocked, unattended device and look through it.
  • It is important to always update the operating systems on devices. It’s also important to update all apps and browsers too. All software contains security holes; software updates fix those security holes as soon as they are discovered, so that adversaries cannot use them to break into journalists’ devices. Journalists should be encouraged to set their devices to carry out updates automatically, this can be turned on in the settings section of their devices.
  • All devices should be protected with a password, PIN, or biometric lock. Which one the journalist uses will depend on their individual risk profile and jurisdictions. In some places, law enforcement is allowed to ask people to unlock their devices by providing their finger- or faceprint, but is not allowed to ask for passwords. If a journalist uses a PIN or passcode to log into their device, they need to be careful to make sure that it is not captured by high resolution cameras, for example security cameras in elevators. Be aware that law enforcemnet and security agencies may also have the technical knowledge to unlock certain makes and models without needing either a passcode or biometrics, but this type of unlock usually requires significant resources and investment.
  • Avoid leaving devices unattended, for example at conferences, in hotels, or in cafes. This will protect against people installing malware onto the device or accessing data if the screen is left unlocked.
  • Having a process for backing up and removing content from both computers and mobile ensures that if devices are accessed then a minimal amount of content is obtained. You can read more about backing up materials in chapter five.

Malware

  • Malware is software that is designed to cause damage to a device or to grant unauthorised access.

  • There are many different types of malware including,

    • Viruses, an infection that replicates once on a device destroying data and/or corrupting the operating system

    • Spyware, malicious software that gathers information directly from the device and sends it to another entity

      • An example of spyware is a keylogger, a computer program that records every typed piece of content made by the user, including passwords.

    • Ransomware, software that blocks access to a device unless a ransom is paid

    • Trojan malware, a virus disguised as a legitimate program, for example an app, that once downloaded infects the device.

Devices can be infected by malware through the following:

  • Clicking on malicious links or downloading documents that contain malware
  • Installing programs or apps from providers that are not legitimate
  • Browsing insecure websites
  • Clicking on malicious ads that appear on websites.

You can protect against malware by doing the following:

  • Avoid clicking on links which look suspicious (for example, if they were designed to look like a Google Drive link, but have some small misspellings). If you need to open documents from unknown sources, open them in a web-based editor like Google Docs or O365 or use a tool such as Dangerzone.
  • Only download programs and apps from legitimate sites and manufacturer approved stores, such as the Google Play Store and the Apple app store.
  • Make sure that your operating system’s built-in antivirus is turned on (Windows has Windows Defender, while macOS has a host of security mechanisms, including Gatekeeper and XProtect). Alternatively, you can also use a third-party antivirus. Third-party antiviruses can disable most or all of the features of an operating system’s built-in antivirus. This is normal behavior.

Computers

  • It is recommended to secure computers in order to protect the information contained on them, both by setting a good account/ login password and by encrypting the internal drive. If a computer’s drive is encrypted then nobody can access the information on it without the password needed to decrypt the content. Be aware that law enforcement may, in some jurisdictions, request that the devices be decrypted, for example by forcing a user to disclose the password.
  • When setting up encryption on a computer, you will need to create a password that will be used to encrypt the drive. It is better to think of this password in advance and to ensure that it follows the best practice for creating secure passwords. Information on this is available in chapter two.
  • Backup all data on devices first before encrypting them, in case there are problems during the encryption process and you cannot access your data, you can restore it from backups.
  • There are different ways to encrypt a computer depending on whether it is a Windows PC or a Mac. Turning on encryption for Windows Pro involves activating their encryption program called Bitlocker. You can read about how to do this here. Users of Windows Home editions can use a feature called Device Encryption, though it is only supported on some devices as it requires a specific hardware configuration. Mac users can turn on FileVault, the equivalent encryption program for Macs. Read more about encrypting Mac computers here.
  • You can also encrypt your backup drives, something that is especially important if you are concerned about home or office raids or if you travel with backups. This means that anyone who accesses your backup drive will not be able to read its contents without the password which was used to encrypt them. Time Machine, the default macOS backup program, allows for encrypted backups. It’s a little more complicated in Windows. Users of Windows Pro editions can use Bitlocker to encrypt their backup drives, whereas those using Home editions should ideally use VeraCrypt, a reputable third-party tool.

Mobile phones

  • Mobile phones are always connected to services around them in order to receive and transmit information. This includes mobile phone towers, internet connections, and Bluetooth. All of these connections give away data about the mobile phone users, including their location. For a technical, in depth look at how mobile phones function and how they can reveal and leak out locations, see this report by Citizen Lab.

  • What is a mobile phone made up of?

    • Antenna
      Permits communication between the phone and the network
    • Battery
      Powers the device and is no longer removable
    • Baseband microprocessor
      Manages the communications of the phone, including commands from the user to the phone and from the phone to the mobile network
    • Bluetooth
      A wireless technology that uses radio frequency to share data over a limited distance. It can be used on a phone to share documents and other data as well as to connect to other services offering Bluetooth
    • GPS
      Stands for Global Positioning System. This is a receiver in the phone that connects with satellites. IT can be turned off in the settings section of the phone.
    • SIM and SIM slot
      Where the SIM card is stored. Some phones have the option for a dual SIM card. Some phones now use an eSIM instead, which consists of a dedicated on-device computer which stores subscriber data.

  • All mobile phone devices have a unique identity number called the Mobile Equipment Identity number, otherwise known as an IMEI (International Mobile Equipment Identity). This number is used by telecommunications companies to identify a device and provide it a service on its network. A mobile phone network provider will typically know the physical location of each phone. This can be used by people to locate lost or stolen devices. It can also be used by governments to locate people. This could be a risk for journalists if they are meeting with sensitive sources or are travelling to locations that they would rather others did not know about.

  • All SIM cards also have a unique identity number known as the IMSI number. When the mobile phone card connects to the network it shares this number with the provider. The IMSI contains information about the SIM card, including the country in which it was issued. This information is available to mobile phone providers and makes it possible for them to know your location. This information can be shared with governments. For those living in countries where their ID number is tied to their SIM card this means the government knows which SIM card they are using. This is known as a registered SIM. Unregistered SIM cards are SIM cards that are not tied to your identity.

  • A mobile phone gives away data about a journalist’s location and who they are communicating with. This data is collected by the telecommunications company and can be passed to governments. Telecommunications companies collect other data, including phone call history, the phone numbers of people you contact when making mobile phone calls and SMS messages.If they provide you with internet coverage they may also be obtaining data on your browsing history. This data can be accessed by people at the company and can also be obtained by governments.

  • The disks of all iPhones are encrypted by default, as are all Android devices running Android 10 or later. To activate encryption for an Android phone, ensure that the device is charged and plugged in, backup any content on the device first, and then follow the instructions in the settings section of the phone.

  • As well as the best practice outlined above, in the section on general best practice, it is advised to take the following steps to secure your phone, data and phone number

    • Make sure your phone has disk encryption enabled (almost every modern phone should have that)
    • When you receive a notification, your device could show the full content of the message on the screen. Some device configuations require you to unlock the phone with your face- or fingerprint before seeing the full notification, others do not. You can adjust notification visibility in the settings section of the phone.
    • Many journalists and other at-risk individuals could be targeted by an attack known as SIM jacking. In order to reduce the chances of this attack, you could call your mobile phone provider and ask them to put into place additional steps, for example a PIN or a password that you need to give them, before they offer a duplicate SIM card.
    • Turning off location tracking for apps and services when such tracking is not absolutely necessary for the app to function. For more information, see the Internews device location security guide, and Consumer Reports’ Security Planner pieces on reviewing Android and iOS permissions.
    • Make sure that your devices have a remote wipe capability enabled, which will allow you to delete all the content on them if they are lost, seized, or stolen. Do note that remote wipe will only work if the device is still connected to the internet, and some attackers will therefore remove the SIM card or put the phone in a room with no phone reception to frustrate attempts at wiping it remotely. Read about how to do this for Apple here and for Google here.

Spyware

  • Spyware is a form of malware that is normally used to infect mobile phones in order to obtain information. There are different types of spyware and they vary in how much data they can collect and the way in which they infect the phone.

  • Sophisticated spyware is being increasingly used by governments to surveil journalists and their communications. Some examples of this type of spyware include Pegasus spyware and Predator spyware. You can read more about these types of spyware here. Once this spyware is on a device all activity, including calls, email, and other apps linked to the device, can be monitored, recorded, and shared with others.

  • To get spyware on a device, the adversary may target the user using sophisticated spear phishing techniques. You can read more about phishing and spear phishing in chapter two. Increasingly, spyware is being inserted onto a device with the user doing anything. This is known as a zero click attack.

  • If spyware is on a device then all communications can be monitored; this includes any end-to-end encrypted services, such as Signal and WhatsApp. This is because it is the device itself that is compromised and the adversary is obtaining data directly from the phone.

  • Apple devices have a special mode which significantly reduces the probability of spyware infections while limiting certain features. This is called Lockdown Mode and is available on iOS 16 for phones, computers and iPads. Journalists who are at high risk of being infected by spyware should turn this on for their devices. They should ensure that others who are at high risk (possibly their coworkers, family, sources, and others) also activate Lockdown Mode where possible.

  • Other possibilities for protecting against spyware include:

    • Make sure that your mobile phone operating system is up to date. This, in addition to Lockdown Mode, is the single most effective step you can take, since spyware exploits software bugs which are fixed in subsequent updates.
    • Restart your devices regularly. There is some evidence which suggests that many types of spyware are removed after every restart and adversaries need to reinstall it.

Completing the risk assessment

When speaking about the risk assessment and personal security plan it may be helpful to touch upon the following:

  • When getting journalists to think about device security, the trainer should help them to focus on what content is already on their devices and work with them to think of how they can create a process for backing up and removing information.
  • Encourage the journalists to map out who may be interested in obtaining their devices and/or the content on their devices. This can include others who may already have physical access to the device, for example family members. Good questions to think about include:
  • Who could unintentionally remove or delete content from my device and how can I protect against that?
  • How likely is my device to be stolen or broken when I am out covering an event?
  • Does my government have a history of using spyware and have they used it against journalists in my country?
  • How likely is the government to detain me and take my devices?
  • To mitigate those risks, some journalists will prefer to live stream during events. This, however, could endanger sensitive sources who appear in the stream. There is a similar trade-off with uploading a copy of the information to the cloud: while it means that the information remains safe even if devices are destroyed or confiscated, it also opens it up to more data requests by law enforcement and others.
  • Understandably, journalists are increasingly worried about being infected by spyware. It can be helpful to get them to think about their own risk profile and whether it fits with being targeted by spyware. For example, are they from a country where the government uses spyware? Talk about the different types of spyware and highlight that more sophisticated spyware is expensive which means it is not being deployed on a massive scale.

Common questions asked

Below are some common questions that journalists ask about account security. It can be helpful to have answers to these prepared in advance.

Do I really need a work phone, it’s such a pain carrying around two devices?!

The important issue here is for the trainer to get the journalist thinking about what is at risk if they don’t separate out their work and their personal life on their devices. Based on this, journalists can make a judgement call on whether they need a new device. Good questions for the trainer to ask include: are your devices at risk of being confiscated or infected with targeted malware, do you have to contact highly sensitive contacts or people who may be breaking the law?

How much does my mobile phone provider know about me?

Explain that it is difficult to be one hundred percent sure about how much data a company is collecting. This is because the data they collect is often buried in lengthy terms and conditions set out by the company and they may also be sharing data with other companies without your knowledge. One step that journalists can take is to find out how long mobile phone providers are legally requested to keep data for in their country and also if and how they are sharing that data with governments. To find this out, they can carry out an online search with keywords such as mobile phone data retention and government subpoena amongst others.

If I delete content from my devices is there a way to recover it?

Explain that there is always a way to recover data but this depends on the tech capacity of the people who may gain access to the devices. For example, a government might have the capabilities to do so. This is a good opportunity for journalists to assess who may be interested in obtaining their devices and to build this into their work plan for better securing their materials.

How can I tell if there is spyware on my device?

The trainer should first focus on getting the journalist to consider whether they are at high risk of having spyware on their devices. Good questions to ask include, whether they live in a country where the government has a history of using spyware, are they covering stories that put them more at risk of spyware, have they or anyone they know been targeted. Explain that there are different types of spyware and the only way to be sure if a device has been infected is to send it off to be forensically analysed. Trainers could research ahead of the class whether there are any threat labs—or organisations which can forensically analyse devices for non-profits—within their region.

Learning outcomes

At the end of the session journalists:

  • Know what content is on their devices and in accounts linked to their devices and understand how this could put them at risk.
  • Are able to make informed decisions around what best practice to use based on their own risk profile
  • Understand how to encrypt their computer and how to tell that their phone has been encrypted
  • Better understand how mobile phones and mobile phone providers operate

Templates and tools

The following templates and tools can be useful for teaching this session:

  • Encryption services, such as Bitlocker and Filevault. More detailed information on this can be found at the beginning of this chapter.
  • Apple Lockdown Mode for protecting against spyware
  • Scenarios for helping journalists secure their phone
  • Risk assessment template

Resources

The following resources may be helpful for teaching this chapter:

How phone companies use our personal data by the European Data Journalism Network

Twelve million phones, one dataset, zero privacy by the New York Times

How to encrypt your computer (and why you should) by Mashable

What to do if your phone is seized by the police by Freedom of the Press Foundation

Physical and digital security: arrest and detention by the Committee to Protect Journalists

Control your smartphone data by Tactical Tech

The Pegasus archives by Citizen Lab

Journalists targets of Pegasus spyware by the Committee to Protect Journalists

About Lockdown Mode by Apple

Activities

The activities below are designed to accompany this training session on device security. Trainers should feel free to use their own activities as well as to adapt the materials in this guide to best suit the needs of the journalists they are training. The number and type of activities selected will depend on the level of knowledge of the trainer as well as the amount of time the trainer has to spend with the participants. For those new to training in digital safety, don’t forget to review the Training digital security for the first time? section for best practice guidance.

Getting started

What’s on your devices?

Learning outcomes Time Difficulty level Resources
Journalists become more aware about what content is stored on their devices and how it can put them and others at risk. 60 minutes Low Whiteboard or flipchart, Board pens, post-it notes

Step one

  • Put the journalists into pairs and hand out a pack of post-it notes.
  • Then ask the journalists to think about what type of content they have on their devices. Ask them to write one piece of content on one post-it note. For example an email account, the content of the in-box and also the cloud account linked to the email account
  • Give the journalists five minutes to complete the activity.
  • Ask them to work with their partner to group the content into categories, for example, work documents, social media apps.

Step two

  • Facilitate a discussion on what the journalists learned from doing this activity. Ask the following questions

    • Were you surprised by how much data was on your devices?
    • Did you learn anything surprising?
    • What information is at risk? What steps do you think you can take to protect it?

Knowledge building

Talking about best practice

Learning outcomes Time Difficulty level Resources
Journalists understand the basics of how to protect their devices 30 - 45 minutes Medium Whiteboard or flipchart, Board pens, PowerPoint slides prepared by the trainer, including case studies showing the local context

Trainer note: best practice for this activity can be found in the section, Training digital security for the first time?, located at the beginning of this chapter. The trainer may want to use local examples of how people have targeted devices, for example, devices seized during protests.

Step one

  • Ask the journalists what steps they currently take to protect their devices.

    • Using their answers as a starting point go over the general best practice for protecting devices, including:
    • A brief overview of how adversaries target devices
    • The importance of not leaving unlocked devices unattended, for example in hotel rooms or conferences
    • Being mindful of what they plug into their devices, including USB sticks which could contain malware.
    • The importance of updating operating systems, apps and browsers when prompted to do so. Explain that this helps fix vulnerabilities with the code which can be exploited by bad actors.
    • Using an antivirus
    • Securing devices with passwords, pin locks, and biometrics. It can be helpful to discuss the pros and cons of these options based on the journalist’s own risk profile.
    • A brief look at phishing and malware. Detailed guidance on protecting against phishing is included in chapter two.
    • The importance of encrypting devices. Explain that this chapter will cover how to encrypt computers

With each of these steps it can be helpful to get journalists thinking about why they are carrying out this best practice and what it is protecting against in terms of their own risk analysis.

Step two

  • Close the session by asking the journalists to think about and discuss the following questions

    • What do I feel I do well when it comes to securing my devices?
    • What do I need to do now to better secure my devices?

II Malware: the basics

Learning outcomes Time Difficulty level Resources
Journalists understand how malware can infect devices and what steps they can take to protect against it. 60 minutes Medium Whiteboard or flipchart, Board pens, PowerPoint slides prepared by the trainer, including case studies of local contexts

This exercise has been adapted from the Level Up chapter Malware and other malicious software.

Trainer note: best practice for this activity can be found in the section, Training digital security for the first time?, located at the beginning of this chapter.

Step one

  • Explain to participants what malware is, and review a few of the types of malware that exist. It is recommended to cover the following:

    • Trojan Horse
    • Spyware
    • Ransomware
    • Keylogger
    • Viruses

Step two

  • Explain some of the most common ways that devices become infected with malware, and the unsafe practices that can lead to such infections.

  • It is also important to explain the different purposes or motivations behind malware deployments:

    • Some malware is broadcast on a wide-scale with no particular target;
    • Other kinds are specifically targeted at activists, journalists or dissidents to gain access to their data or communications;
    • Still other kinds are targeted at individuals known to be connected to a number of activists, journalists or dissidents in the hope of infecting multiple targets across a network.

Step three

  • Show local examples of different types of malware attacks and generate a discussion between participants on this issue. Questions you may want to speak about include, have you seen any of these types of attacks? Are journalists in this region targeted by this type of malware? Who is targeting you with these types of attacks?

Step four

  • Ask the journalists what they are currently doing to protect against malware.
  • Explain that one of the best ways to protect their computers is to turn on the antivirus that comes as standard with their operating system.
  • Explain that malware is often downloaded onto devices via phishing attacks. The trainer may want to walk the journalists through best practice for protecting against phishing in chapter two.

III Encrypting a computer

Learning outcomes Time Difficulty level Resources
Journalist observe the encryption of a computer and feel comfortable encrypting their own devices at home 60 minutes Advanced Whiteboard or flipchart, Board pens, projector and laptop setup

Trainer note: this exercise is designed for advanced level trainers. Set up the tech in advance of the workshop. You will need a test computer for this activity. Show either FileVault for Mac, BitLocker/Disk Encryption for Windows, or VeraCrypt for all operating systems, depending on which computers the participants are most likely to be using.

Best practice for this activity can be found in the section, Training digital security for the first time?, located at the beginning of this chapter.

Step one

  • Ask the journalists why they think it is important to encrypt their drive. Find out whether anyone in the room has experience of encrypting their devices and/or what people know about the process of encryption.
  • Explain that there are different ways to encrypt a drive based on whether the user is using Windows (BitLocker works on Pro Editions of Windows, Windows Disk Encryption works on Home editions) or macOS (FileVault is the ideal solution, then). VeraCrypt is also great and works on all operating systems.

Step two

  • Tell the journalists that you are going to give them a practical demonstration of encrypting a computer.
  • Explain that it is good practice to backup the data on devices first before encrypting them. Make sure that the backups are also encrypted, and secured by a strong password. You can encrypt backups using Bitlocker on Windows Pro, VeraCrypt on Windows Home, and by using encrypted Time Machine backups on macOS.
  • Explain that once the computer is encrypted it will need a password in order to gain access to the content on the device. This password is what the journalists use to log into the device so they should ensure that the password follows best practice for password creation as detailed in chapter two.
  • Walk through the importance of creating and safely storing a backup key. Explain that if someone tries to gain access to the device and is unable to enter, the service will lock down the computer and will ask for the backup key in order to unlock it.
  • Walk the journalist through the step by step process for encrypting the device.

Step three

  • Answer any questions that the journalists may have.

IV How does your mobile device work?

Learning outcomes Time Difficulty level Resources
Journalists learn about the relationship between mobile networks and mobile phones and how the data they collect can put them at risk 90 minutes Medium Whiteboard or flipchart, Board pens, PowerPoint slides prepared by the trainer, local examples of how mobile phones have been used to track citizens

This exercise has been adapted from the Level Up chapter How do mobile devices work?

Trainer note: best practice for this activity can be found in the section, Training digital security for the first time?, located at the beginning of this chapter.

Step one

  • Tell the journalists that you are going to go over some key vocabulary linked to mobile phones. This can be done using a powerpoint presentation and can use the language mentioned in the mobile phone section of the Training digital security for the first time? This includes:

    • Antenna
    • Battery
    • Bluetooth
    • GPS
    • SIM and SIM slot
    • Removable media
    • Microphone and speaker

Step two

  • Talk about how the user is identified on the network. This includes:

    • IMEI number
    • IMSI number
    • Registered and unregistered SIM cards

  • Give a general overview of what data the network and others can see, including:

    • Network cell
    • Location
    • Metadata
    • Apps and location data
    • GPS

Step three

  • Put the journalists into groups and ask them to identify what risks carrying a mobile phone poses. For example, GPS tracking.
  • Ask them to think about which of these risks are applicable in their own circumstances.
  • Ask the journalists if they know of any local cases where journalists have been tracked using their mobile phone. The trainer may wish to provide some real-life examples here.

V Protecting your mobile phone

Learning outcomes Time Resources
Journalists learn best practice for protecting their device and the content on it
Journalists are able to make an informed decision around what steps are necessary for them to take based on their risk profile.		 90 minutes Whiteboard or flipchart, Board pens, PowerPoint slides prepared by the trainer

Trainer note: best practice for this activity can be found in the section, Training digital security for the first time?, located at the beginning of this chapter.

Step one

  • Put the journalists into small groups and ask them to work together to map out what they currently do to protect their mobile phones and the content on them? Ask them whether there are certain scenarios where they are more anxious about the security of the device.
  • Facilitate a discussion on the topic and write up any best practice that they provide on the board.

Step two

  • Walk the journalists through best practice for protecting their mobile devices. This guidance can be found at the beginning of this chapter in the section, Training digital security for the first time? The trainer may want to speak about the following:

    • Encrypting the phone
    • Backing up and removing data from the device
    • Locking the phone
    • Setting up a device to remote wipe
    • Turning off location tracking
    • Erasing the browsing history

  • Ask the journalists which of this best practice do they think is most applicable to them.

Step three

Trainer note: you will need to use scenario I for the following exercise

  • Put the journalists into small groups and tell them that they are going to read a scenario
  • Ask the journalists to work together to answer the question in the scenario and to plan out how best to protect the journalist.
  • Run a class discussion on the scenario and ask the journalist what steps they have taken to protect the journalist.

VI Better protection against spyware

Learning outcomes Time Difficulty level Resources
Journalists are able to make informed decisions around best practice for better protecting against spyware.
Journalists are able to better assess whether they are at risk of being targeted by spyware		 60 minutes Medium Whiteboard or flipchart, Board pens, PPT slides created by the trainer, a case study of a journalist targeted by spyware in the region

Trainer note: There is a lot of anxiety around spyware. Try to provide practical steps that journalists can take to protect against it.

Best practice for this activity can be found in the section, Training digital security for the first time?, located at the beginning of this chapter. The trainer may want to use local examples of how devices have been infected with sophisticated spyware

Step one

  • Write up Pegasus on the board and ask the journalists what they know about it.

  • Tell the journalists that they are going to read a case study of a journalist who was infected by Pegasus. After they have read the case study, discuss the case. You can use the following questions:

    • Have you had any similar cases in your region?
    • Why do you think the journalist was targeted?
    • What information do you think they were able to obtain for the journalist’s phone?

  • Ask journalists to take some time to think and write down general content they may have on their phone or in their accounts that they would not want others to find. They do not have to feed this information back to the group if they are not comfortable doing so. Tell them that the session will later deal with some best practice for better protecting that data.

  • Give a general overview of spyware. It can be helpful to have slides and illustrations to talk about this.

    • Pegasus is one of many types of spyware
    • Spyware varies in how sophisticated it is and how it infects devices
    • Use examples to show the different ways that spyware has infected devices, including spear phishing attacks. More information on these types of attacks can be found in chapter two.
    • Talk about zero-click attacks.

  • Walk journalists through some best practice for protecting against spyware. Points to mention can include:

    • You can never be one-hundred percent secure against spyware; there is only the option to manage risk. The more high-risk the journalist is in terms of spyware the more steps they will have to take to try and secure their devices.
    • Get the journalists to think about whether they are at high-risk for spyware, including considering the journalist’s location and use of spyware in that region, stories that they cover, the outlet they work for, how high profile they are.
    • Importance of updating devices to protect against malware
    • Carrying out a factory reset of the device if they are concerned it is infected. They should backup the device first before resetting.
    • Turning on Lockdown Mode for Apple devices running iOS 16 and above, if the journalist is at high risk of targeted attacks
    • Limiting the amount of content on their phone, including apps. For example avoid linking their work email to their phone
    • Where possible have separate devices for work and personal use
    • Best practice for protecting against phishing attacks. Consult chapter two for more details on this.

  • Close out the session by asking the following questions:

    • Do you feel you have a greater understanding of spyware?
    • What steps do you need to take to be more secure?

Step two

  • Walk the journalists through best practice for protecting their mobile devices. This guidance can be found at the beginning of this chapter in the section, Training digital security for the first time? The trainer may want to speak about the following:

    • Encrypting the phone
    • Backing up and removing data from the device
    • Locking the phone
    • Setting up a device to remote wipe
    • Turning off location tracking
    • Erasing the browsing history

  • Ask the journalists which of this best practice do they think is most applicable to them.

Step three

Trainer note: you will need to use scenario I for the following exercise

  • Put the journalists into small groups and tell them that they are going to read a scenario
  • Ask the journalists to work together to answer the question in the scenario and to plan out how best to protect the journalist.
  • Run a class discussion on the scenario and ask the journalist what steps they have taken to protect the journalist.

Personal security plan

Completing the risk assessment

Learning outcomes Time Resources
Journalists think through their individual risk and the risk associated with a particular story when using their devices.
Journalists are able to think through mitigation for those risks.		 20 - 30 minutes Risk assessment template

Case study

This case study accompanies the course material and provides journalists with real-life examples of digital threats against media workers. The case studies can be used to promote discussion around different types of risks as well as serve as a way to teach journalists steps to better protect themselves and others.

Our writeup: Reporter’s phone confiscated on Pentagon trip to Europe

US Press Freedom Tracker’s writeup: Reuters reporter’s phone confiscated on Pentagon trip to Europe