How digital security can be like a health check up, with Harlo Holmes
Freedom of the Press Foundation's Harlo Holmes shares insights and tips on digital security for journalists
Harlo Holmes is the Chief Information Security Officer and Director of Digital Security at the Freedom of the Press Foundation. She works with journalists and media organisations to help make the digital space safer for them and their work. She’s also contributed to The Guardian Project, a collaborative open-source project that develops secure apps for users all over the world. You can find more details at guardianproject.info and freedom.press has additional digital security resources.
We got to ask Harlo about some really complex but common issues journalists face. And what they can do to prevent and navigate them. To listen to the interview, click here. The transcript is below.
In Old News: Often, digital security might seem like a separate task from our daily work. But can a more holistic approach be beneficial?
Harlo: I do believe that digital security is not only supposed to be something that you think about as an afterthought, but something that can be worked into every aspect of not only your professional life, but even your personal life.
Increasingly, our personal lives collide with our professional lives in ways that are less escapable than they were ten, 20 years ago. So, for instance, a lot of people don't necessarily understand the impact of, you know, their social media and how they use that increasingly for promotion, not only of their own personal work, but of the projects that they're associated with, how even like, you know, producers and other people surrounding a project might actually ask them to do that type of promotion on their on behalf of the project.
But using the social media activity of the person themselves. And that's just one example. So also, I believe that digital security, if you apply it evenly across your entire life, can actually make you way more effective at securing projects that have more sensitivity than you even thought.
In Old News: Journalists sometimes feel like they need to self-censor when they’re being mobbed or trolled or attacked for covering a topic. Is this a rising trend?
Harlo: It's something that we do see. I wouldn't say often, thankfully, but it's increasingly become an issue. And depending on whose feathers you ruffle, as they say, it can be more... impactful in a very, very negative way that leads people to self-censor themselves. Not only self-censor themselves, but actually just leave the field and stop telling stories entirely because it does become so personally harming that people no longer feel that it's worth it to continue to tell stories if they're going to have to face that type of harassment. Yes. And we do see that it has become like really effective for people who are like either like, retaliating against somebody because they're nationalistic or simply retaliating against someone because they're saying something on the opposite side of the political spectrum. These are kind of different things, even though they tend to be intertwined or saying something because they just don't like them and they want to just harass them out of existence. But whatever the person's ideology is, when they start to attack, thankfully, the majority of the methods that you can take to protect yourself are the same.
In Old News: How did you start working on digital security for journalists?
Harlo: I'm a big consumer of media, first and foremost, and a huge [advocate] for press freedom and always have been. I love and admire the storytellers who are telling the stories. But that said, I got started primarily as a developer and security professional and definitely did notice that when we were training people to use tools, there were so many gaps that needed to be filled regarding people's security on the very devices that they use and the way that they use those devices.
So, for instance, an engineer can build an excellent piece of software that is like designed so perfectly, as perfect as things can be to keep you safe. But if you're using it on a device that is riddled with malware or where you don't understand exactly, like why your privacy is also integral to this particular piece of software working successfully, then you still are set up to fail.
And I felt that there's so many amazing engineers out there who do work I admire so much. But rather than tear my hair out trying to write the best piece of code, I felt that I personally would have more use just helping people bridge the gap between like our common misconceptions about how devices should be used and the tools that will keep them safer and make them more effective at their job. And I felt that there was like a gap in our ecosystem that I could better fill.
In Old News: If someone is facing online harassment or their identity has been stolen, the first instinct is panic because they don't know what they're dealing with. Is there an approach you would recommend for those initial moments?
Harlo: Well, one is knowing that people are not alone at all. And increasingly this is so common. People are going to have different reactions and they're going to need different things to feel better. And I can't really say whether the best tact is to literally turn off your computer or check your phone into the sea. That might be the appropriate response for some people. Or if it is to steal yourself up and actually go in there and battle it, even though you're in a very, very vulnerable and frightened place and anything in between. But I think the best thing that people can do is be in a position to make sure that they have access to the right resources, to help them figure out what the right path is for them and to help them pick through the various options in order to get through it.
There is a saying that… An ounce of prevention is worth a pound of cure. And what we train people to do is to establish baselines, healthy baselines, meaning, you know, to give an example, you're way more prepared to go into fighting an online harassment campaign if you know that there are, you know, like certain privacy settings within your platforms that you could turn on and off depending on how safe you feel to be online. If you are in the face of, let's say, an attempt for somebody to take over your accounts and log in to your Facebook account or something like that, know that there are settings that allow you to be notified if something is weird and also you already know which devices you own are already logged in to Facebook. So if something else appears, you know, automatically that that is outside of the baseline. And since you already establish a baseline, it's easier for you to, like respond with a clear head. So those are the things that we like to empower people to do.
In Old News: Do you think it is better to approach digital security and safety as a team sport or an individual sport? Especially in newsrooms.
Harlo: I like that you put it that way, and actually I think that it's both. The reason why it's both is because the media ecosystem is one where nowadays people are, once again, required to leverage their social media and their personal digital life in order to augment what their organization needs to do in order to promote stories and to promote their talent.
And for some reason, we've all decided as an industry that that was entirely fair, and people do it. People even feel compelled to do it, even if they're uncomfortable with it. And so given the fact that my Twitter account, your Twitter accounts, whatever, are going to have been started way before you even thought you might have gotten into this industry and will follow you along your career path as you move from organization to project to other organizations to project, it belongs to you.
And there's really only so much that an employer can do in order to maintain that. And so unfortunately there is a certain responsibility that individuals have to take because that is media property that belongs solely to them. But it is also a team sport because knowing that and knowing that organizations insist so much upon this weird mixture between like the personal and the professional at all times, they do have a responsibility to provide as much support as they possibly can in order to lessen the friction when people do get into trouble in their individual digital lives.
So it's both.
In Old News: For journalists that don’t have a support system, how can they improve their digital security without having to invest a lot of time into it?
Harlo: That's a really good question. I do think that, well one, this type of security does not have to be incredibly hard or onerous or time-consuming. And people can, you know, make improvements bit by bit by bit whenever they find the time to do so. And quite frankly, a lot of the recommendations that my organization and organizations like PEN America and the IWMF recommend, actually do not take so much out of one's day if you want to just kind of get started. So no one should feel intimidated about, you know, how much time it will actually take to get to a like a good standard of security. But that said, it's a good idea, and this comes back to your team sport idea, for organizations to help people allocate their time by making it as manageable and also conveying the fact that it doesn't have to be incredibly hard. Two ideas that come out is one, if people in an organization whose job it is to worry about people's security, communicate like, you know, on a very like sparse but regular basis, what people should look out for, what they should have taken care of, and like boil it down to like a checklist that people can, like, take care of during, you know, like an hour that would be fine. And also upon like certain events like onboarding, when you join an organization, off boarding, when a project is over... For instance, in a documentary film cycle, looking at the initial research that you do, then looking at the situation once again during production, then looking at it again in post-production and then looking at it again when you go on the conference circuit. Having specific times that you schedule in a calendar that allow people to take care of those items on the checklist without feeling that they're like volunteering their own personal time, but rather making that part of the work that they have to do for that project would be really generous and beneficial.
In Old News: How can digital threats manifest in the physical world?
Harlo: For a variety of reasons, so much of our physical presences on this planet are intertwined in the digital artifacts that we leave. And that means that, I don't know, people might recognize the background of this particular footage and say, "hmm, I'll bet that, you know, we are in Perugia right now in this very, very specific spot." That's not so far fetched of a thing to expect.
So that's one example of how watching a piece of media on the Internet could then point to a physical location on Earth. Then there's stuff that we don't see. Things like the fact that all of our phones are emanating so much data, whether it's talking to cell phone towers or it's when we check in on Facebook or we tweet something on Twitter where all of that information in aggregate can paint not only a picture of where I am, but where all of us are, together as a network and under certain circumstances and in the hands of people who do not have your best wishes at heart, that can be pretty damaging. And so when it becomes the most scary... and actually, did you ever see the movie The Ring? Right? So, you know, they think it's a videotape. Right? And we'll watch this videotape. But then during like one of the final scenes (sorry, spoiler alert!) the ghost character actually like crawls out of the television set and is like immediately like in front of the guy. And she is physically there to harm him. And so when we think of online harassment campaigns, that includes things like doxxing, meaning finding out, you know, what your favorite cafe is. Or finding out where you live or where your best friend lives or something like that and actually like has, you know, it's set in their head to go after you in physical, physical space.
That is exactly that moment when what you think is behind a screen actually jumping out into your physical world. And we need to work so hard in order to protect that. And that means protecting our data, protecting our privacy, understanding how to respond, what's appropriate and what's most urgent if we are under threat of that happening. And also lobbying for more control legally and also within the platforms and also with developers and stuff like that who make these tools to make it less likely that someone who does not wish you well can actually jump out of the screen like that.
In Old News: What can journalists do to stay vigilant and not get demoralised by threats including undetected ones like Pegasus hacks?
Harlo: I do feel that people are way more willing to keep themselves safer if you give them ways to empower themselves rather than to scare themselves. And this is also where preparedness comes into play, but ultimately, because there is such a line between the digital and the physical. Think about what you do physically, right? We get checkups, right? We brush our teeth. This is pretty much the same as keeping sure our software is up to date, making sure that we are aware of sweeping changes to privacy policies in the platforms that we use and no longer expect that Facebook plays by the same rules today as they did ten years ago.
And I think that if people want to stay empowered, you can challenge them to do that. And do it when on their own clip, on their own schedule, rather than do it under duress. Then that goes a very, very long way. But ultimately, when you did mention, you know, things like Pegasus and by the way, like that's just the one whose name we know. Right? Like there could be a bajillion Pegases-es out there. Right? Compartmentalization goes a long way there. So, and this means different things from a personal perspective than it does from a professional perspective, but you probably do want to think around, you know, your relationship to devices in a way that should something happen to one specific compartment in your entire workflow, then it's less of a blow to an overall project or to your safety or to your privacy than if you all had it out there like, just in the same bin. Actually, if you want to think about the correlate, it's like, it's best to clean your room so you know where things are.
In Old News: What is a good starting point to do a risk assessment?
Harlo: So the way that we usually teach risk assessments is challenging because it's a lot of, like, jargon coming from the security world, and we're trying to put that in people's hands. And unlike in security, with computers and stuff like that, security, as far as individuals are concerned, takes a lot of translation in order for it to make sense to us as people. But we boil it down to roughly five questions. And the first one is, what is it that you have to protect? And this could be anything from the contents of your phone, your text messages, your mom's phone number, like a password, anything like that. And then who do you have to protect it from?
And so perhaps, like, I don't know, a corporation, if I were investigating them, doesn't really want to know my mom's phone number because why would they? But perhaps a troll on the Internet who wants to harass me would want to try to terrorize my mom just because they know that that would make me really, really, really upset.
So once you decide from whom these assets are important to, then you might ask yourself, what are the implications and where, between the personal and the professional, do these implications lie? Is it going to make me like really uncomfortable going onto Instagram today if there was a certain type of harassment? Or is it going to jeopardize the project if that same harassment were supposed to occur. And then you kind look at that room, you walk into your room and you look at the mess and you say, okay, I'm now kind of in a position to sort things into appropriate places within this room where I can handle how to protect them based off of where they live in that room, using the resources that I have, which is how much time do I have, perhaps how much money it would cost to do that and ultimately, like how much skill I have or the people in my network have that can help me raise myself to the level of security that just covers what I need to do to move on.
Thanks for reading In Old News! Subscribe for free to read more stories from journalists around the world.