Privacy and digital security at the border

By Shelley Pascual

Though media workers such as journalists and filmmakers have long faced occupational and digital security and privacy issues while crossing international borders, new challenges to the way they do their work have recently emerged.

Now, you might also encounter challenges when you arrive in your country of origin, said Harlo Holmes, the director of newsroom digital security at the Freedom of the Press Foundation.

Holmes led an evening workshop in Toronto at Ryerson University’s Transmedia Zone on June 12th which covered common privacy and security scenarios media workers might face at borders. Participants in the interactive workshop also got tips on the tools they need in order to protect their work.

Community-based organization Off Assignment Toronto hosted the workshop. It was sponsored, in part, by CMG Freelance and CJFE.

Here’s a summary of the key points Holmes mentioned:

The importance of digital security

  • Your work is your intellectual property; you need to protect it.
  • Protecting your work means being as responsible as possible toward your sources and your colleagues.
  • From a financial and contractual perspective, demonstrating your ability to prioritize digital security will position you as a good person to deal with.

Border considerations

  • Don’t lie — For instance, don’t rely on crafty apps to make it appear like you haven’t been doing something that you have been doing.
  • Don’t overcomplicate things — Depending on the circumstances of your stay in a particular place (e.g. you’ve been under surveillance beforehand or you’re a media maker of considerable renown), situations can change; you never know if your devices will be searched more stringently.
  • Location and nationalities matter — The citizenship you hold can affect the questions that you’re asked and the way people treat your devices.
  • Only bring what you need — Don’t bring a device with Twitter on it if you don’t want your direct messages within the app to be seen, for example.
  • “Naked in, naked out” — Don’t have a device on hand with your entire digital history on it. Either digitally or physically encrypt and transfer your work out of your possession before leaving a place.

Threat modelling

Jonathan Stray’s 4-question threat model can help you determine what you have to protect and from whom. Trainers sometimes add a fifth question to address what you can do right now to increase your security.

  • Assets: What’s important for you to safeguard? (phone numbers, receipts, interviews that exist digitally, etc.)
  • Adversaries: Who might be interested in taking these things from you? (nosy customs agents, people surveilling you, etc.)
  • Resources against: What resources do your adversaries have? (money, access to infrastructure, skill in mobilizing time and money, etc.)
  • Consequences: What would the consequences be if your adversaries succeeded?
  • Already doing: What can you do and what tools do you have at your disposal to tip the scales in your favour? (e.g. the strategic use of password managers)

Password management

  • A password such as ‘runner181988’ is insufficient for two reasons: it’s not long and it can be cracked very easily.
  • The strength of your password is more attributed to the length of it rather than ensuring it has a variety of characters (numbers, letters, etc.), which is why you should shift to using complex, unique passphrases wherever possible.
  • Your password should only be shared with the service you’re trying to access.
  • The best passphrases are managed by a password manager.
  • Password managers such as 1Password and LastPass – software that remembers and generates unique passphrases for you – have done a great job of increasing everyone’s credential security.

Browsing the web securely

  • If there is no encryption between you and the service you’re accessing, everyone on the same network can see it and modify it (i.e. anyone could attempt to collect your information or surveil you).
  • Never do things like log into your bank account on a website that isn’t properly encrypted.
  • If you’re on an encrypted site, you’re better protected because the only thing that’s visible to people is the domain you’re on. This isn’t 100% foolproof, however.
  • Using adblockers such as uBlock and tracker blockers like Privacy Badger create a space that’s a lot safer for web browsing.
  • Use a browser such as Google Chrome if you’re concerned about the security of your browsing experience.
  • Be aware that an IP address is tied to a physical location unless you protect it.
  • VPNs make it look like you’re in a different physical location; using them is a great way to access services that you wouldn’t otherwise be able to use.

Choosing an end-to-end encrypted service that’s right for you

  • Signal, Whatsapp, Facebook Messenger, and Wire are examples of end-to-end encrypted services.
  • End-to-end services require all members of the conversation to have the same encryption capabilities in order for communication to exist; consider how accessible the service is to people you need to communicate with.
  • Metadata matters and it never changes. When evaluating which service to use, consider how it uses metadata.
  • Signal is considered the gold standard right now in terms of end-to-end encryption. It still has disadvantages, however (e.g. you need a phone number to access it).
  • One of the downsides of Whatsapp regarding privacy – even though the service has excellent encryption – is the ability to accidentally sync all your conversations into iCloud.
  • Facebook Messenger is less effective than many of the other end-to-end services in terms of privacy. This is because the service allows you to have encrypted and unencrypted conversations simultaneously – something many people don’t know – and it isn’t clear about these distinctions.

 

Posted on June 16, 2017 at 6:00 pm by editor · · Tagged with: ,

Leave a Reply