1. Outline your assignment and identify the risks

Updated: July 2016


Outline your assignment

Before you can properly identify the major risks to your digital security, it’s important to write down what your assignment will actually involve. Try to identify all the major components of your assignment: all the interviews, travel arrangements and actions that are vital to your plans. Write these out to help you complete your risk assessment.
 

Identify the risks:

A. Are you covering a sensitive topic?

If you’re working on a controversial issue, knowing who you’ll be working with and how you’ll transfer these details is important to protect yourself and your sources. Here are questions to help you begin:

When are you going to be at greatest risk? When will your sources be at the greatest risk of targeted surveillance? While researching and investigating the story? After submitting it? After the story goes public?

How are you preparing yourself for possible increased surveillance? How are you helping your sources prepare?
 
 

B. The location of your assignment

What is known about government surveillance/censorship of the web and mobile communications in that area? What are the laws around free speech and the right to privacy, if any? What’s been published about the persecution or rights of journalists, whistleblowers or activists because of their online activity?
 



C. Who are the adversaries likely to pose a threat to your digital security?

An adversary could be anyone trying to stop your work or who poses a threat as a result of it. What do you know about the people or organisations that could be potential digital adversaries? Think of them in two ways:
 
  • INTENTIONAL ADVERSARIES: These could be governments, businesses, criminal organisations or individuals opposed to your work or to media exposure. Think of who may face some cost (legally, reputationally, professionally, etc.) as a result of your assignment.
  • UNINTENTIONAL ADVERSARIES: This can include random hackers targeting a service used by thousands of people including you. It could include someone hacking a wireless network you happen to be using at the time. It could also be the theft of your equipment.

Thinking about adversaries in this way will help you decide whether to password-protect your equipment or encrypt your hard drives. You may also want to install firewall protection, consider whether you should be using some online services that could put you at greater risk, or be more cautious about what you click on or download.
 
 

D. In what ways will these threats manifest?

  • Unencrypted communication: In this situation, anyone monitoring your online or mobile traffic can access all the information you’re sending and receiving.
  • Metadata: Many tools and services keep logs about who you’re communicating with, the date and time and subject lines. Files you create, edit or share can also contain metadata about you and your work.
  • Geo-tracking: Your mobile phone is (and your computer could be) revealing your location so long as it’s turned on. Removing the battery (if possible) and letting any reserve power die out is one way to ensure your phone powers down completely.
  • Malicious software: Your phone or computer may contain software you don’t know about that’s giving other parties access to it and anything stored on it.
  • Theft or confiscation of your equipment: When it’s out of your sight, someone else could be accessing your device’s contents, making copies of it, or loading malicious software to remotely access it later.
  • Hacking attempts: Network spoofing, man-in-the-middle attacks and other methods could be used to capture or redirect your internet activity and record what you’re doing.
  • Mass surveillance: Many governments and companies monitor and record online activity. Some will trade this information among allies and partners.
  • Targeted surveillance: If you’re working on a sensitive topic over a long enough time, you’ll end up on an adversary’s radar, and they may start trying to intercept your specific communications and find out who you’re working with.
  • Your other online activity: It may sound obvious, but using social networks whilst working on something discreet can be a bad idea. You may be unwittingly linking your work with your personal life, revealing more about yourself to potential adversaries than you should be.
  • Your contacts’ digital trail: All the above items refer to areas where you can reveal your own digital trail. Even if you’re practising good digital security, your contacts may not be. Be careful how much personal information you share with them. Assess how you’ll encourage them to be safer.

The risks you may face

Look at the possible digital risks from the perspective of what you’re trying to protect. This should fall under two main headings:
 
  • Identity: This could be your own, or the identities of people you’ll be in contact with. Is it important that the content you’re working with isn’t traceable to someone’s real identity? Write down the various identities of all involved and what could happen if an adversary knew they were assisting you. If you think that this could put you under threat, then you should focus on behaviours, tactics or services that offer more anonymous methods to communicate.
  • Data: This could be text, images, video, spreadsheets or anything transmitted electronically. Could someone use this content to harm you or others, or stop your assignment before you’re finished? Write down all the ways this data could be used. If you think that it could be used against you, you should prioritise strong encryption for all your data at risk.

 

Next: 2. Understand your equipment
 


Image credit: The hidden danger of internet cafes, by Tactical Technology Collective, used here under a Creative Commons Licence.

Created: May 2014
