Organisational Measures and Policies and Data Processing

What policies should a media organisation implement in order to secure data processing in line with the recommendations for the protection of the rights and freedoms?

Organisational measures and policies represent a set of rules in one organisation, in this case a media organisation. The substance of these acts may be internal rules, then the procedures and prescribing specific organizational measures that all employees must adhere to or only those who have access to sensitive data types. It is recommended that such internal documents be adapted to the circumstances of the manager and regulate the rules that are enforceable and enforced within a particular organization. Media organisation should strive to build a culture of security awareness. These measures and policies are not always prescribed, they include good journalistic practice, moral norms and ethics. 

Journalists work is connected with the data processing. The EU General Data Protection Regulation (GDPR), in Recital 78 defines Appropriate Technical and Organisational Measures. The protection of the rights and freedoms of natural persons with regard to the processing of personal data requires that appropriate technical and organisational measures be taken to ensure that the requirements of Regulation are met. The organisation should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, etc. 

According to the UK Information Commissioner’s Office (ICO), an information security policy is an example of an appropriate organisational measure, but a ‘formal’ policy document or an associated set of policies in specific areas is not needed. It depends on your size and the amount and nature of the personal data organisation process, and the way it uses that data. In practice, it has proven to be very useful for operators and processors to have internal policies and procedures for data processing. According to GDPR, the basic principle is that the operator himself must apply the law in such a way that he is at all times able to offer evidence that he complies with all the rules – that he can foresee the application of the law. In this regard, prescribing and adhering to internal procedures that must be followed by all employees of the controller can serve as useful evidence that the controller has indeed taken measures and practical steps directly aimed at the application of personal data protection regulations. The subject matter of these acts may be internal procedures in case of various types of data integrity violations and prescribing specific organizational measures to be followed by all employees or only those with access to sensitive types of data. 

Freedom of expression and information is treated as a special case of processing and in principle it is exempt from all provisions of the law concerning the principles of processing, citizens’ rights and obligations of operators and processors – provided that this is necessary in the specific case. The European regulatory framework envisaged a significant exception to strict data protection rules, taking into account the conflict of two fundamental rights: freedom of expression and information on the one hand, and the right to privacy on the other. Whenever this conflict weighs in favor of freedom of speech and the interest of the public, journalistic research and publication of information in the media will be relieved of the numerous demanding obligations related to protection of personal data. The journalistic exception applies to the performance of the journalistic work, which usually means that the work has been completed when the result is published. Thereafter, the processing of data should cease, therefore, it should either be deleted or anonymized – or the legal basis for further processing should be provided.  Although there is a journalistic exception, that does not mean that media organizations should not take care of personal data. Through adequate technical and organizational measures, media should show that they act in the interest of the public and respect personal data of citizens.

The Importance of Secure Submission of Confidential Information

Securing sources and confidential information continues to be a challenge in the digital environment. Here is how to improve it:

Journalism is based on gathering information from independent and competent sources, in order to inform in a true, impartial and fair way about current events. Journalists have the right to protect the identity of their sources, to publish information that comes from sources who, for some reason, and the most common reason is safety, wish to remain anonymous. Referring to anonymous sources is critical for reporting on issues of public interest that the public would otherwise not be aware of. The protection of journalistic sources exists in media law as a standard, with various minor discrepancies. As one of the most important standards of the journalistic profession, the protection of the identity of sources is found in many international documents and declarations, confirmed by the recommendations of international organisations dealing with the protection of freedom of expression and the media and is well founded in the judgments of international and national courts. A resolution on journalistic freedoms and human rights, adopted at the European Ministerial Conference on Mass Media Policy in Prague in December 1994, says that “protecting the confidentiality of journalistic sources enables the preservation and development of genuine democracy.” Also, the judgments of the European Court of Human Rights concerning the protection of journalistic sources are also important. One of the most significant examples is the case from 1996, Goodwin vs. The United Kingdom. 

In situations where individuals are employed in an environment in which they come in contact with extremely confidential information (military, police, judicial authorities and other government institutions, the private sector …) often need to share it with the public and thus point to potential abuses. The most common name for these individuals is whistleblowers. Without them, modern investigative journalism is almost impossible to imagine. One of the most famous whistleblowers of today is Edward Snowden, a former analyst of the US National Security Agency (NSA), who has provided a number of highly confidential documents to journalist Glenn Greenwald that indicate mass surveillance of citizens’ digital communications. When the public becomes aware of their reports, whistleblowers can be targeted by various pressures and legal consequences due to their actions. Whistleblowers are usually people who are insiders and can bear the consequences if their identities “blowing the whistle” relates, so anonymity in alerting is crucial. Due to the large number of factors affecting the alert, it is often the case that the alarm is done incorrectly. There are many types of alerts, ranging from mailing information to online alerts, which is one of the safest ways if handled properly. 

If someone wants to send the information, before that someone has to check if the information is relevant to journalist, there are different alerting platforms. It is not recommended to send  confidential information by e-mail, and if it is necessary to send like that, then the temporary e-mail address should be made. Temporary address which would deactivate after 10 minutes could be made. Also, it is recommended to use Tor Browser when sending alert by mail.  It is important to not report from an official or private telephone. In case it is necessary to send the notification by telephone, it could be done from a public telephone, but with awareness that a large number of telephone booths have video surveillance. It is also important to have material evidence when alerting journalists. After sending the alert, of importance is to behave as usual. 

Most recommended way of sending the information of public importance to journalist is using the secure submission platforms. These platforms should also be accessed withTor browser. 

The first open source, secure and anonymous alert platform is called GlobaLeaks. It was developed by Hermes Center for Transparency and Digital Human Rights. Tor is already integrated into GlobaLeaks; that way, the owner of the alert platform cannot know the exact location and identity of the alert. However, it can never be sure that someone will not do a deeper research on alert, and therefore maximum security is recommended. The easiest way to maintain anonymity is to use the already mentioned Tor – anonymous browser. Full security can never be guaranteed. However, the technology of this platform is designed keeping in mind situations where the life of the whistleblowers is at risk. A number of software tests have been performed by IT security experts to identify and address potential deficiencies.Moreover, the GlobaLeaks platform source code is open source, so anyone can analyze and verify that the software itself is secure. This is the best way to ensure the security of the application. One of the secure submission platforms which also can be used for anonymous alerts is Securedrop. To use this platform, Tor browser has to be installed. Securedrop has the list of media and organisation with which information can be shared. This platform has no third parties, data in transit and at rest is encrypted, metadata are minimized, and it is protected against hackers.

When information is sent by the secure submission platforms, the recipient, in this case journalist, does not know who the source of the information is. Nobody can be trusted completely. In accordance with the standards of responsible journalism and journalistic attention, all allegations should be checked before publication.

Caution is Never Enough: The Most Common Types of Cyber Attacks

From DDOS to worms and code injection: here are the most common types of cyber attacks journalists and media face:

Cyber Attacks are attacks on digital systems of users, that usually come from unknown sources. They enable the attacker to have access to some device, system or the victim’s network illegally.  Like other users, journalist can be the targets of these attacks. The most common kinds of these attacks are DDOS, System interference, Ransomware, Trojans, Code Injection, and Worms. 

Due to the harmonisation of classification of cyber criminals in general, in 2001 in Budapest, the Convention on Cybercrime was adopted. It is the first international treaty on crimes committed via the Internet and other computer networks and its main objective is to pursue a common criminal policy aimed at the protection of society against cybercrime, especially by adopting appropriate legislation and fostering international cooperation. This convention was adopted by the Council of Europe member states and also some other countries, such as the United States.

DDOS, Distributed Denial of Service is the kind of attack which creates server congestion with requests to access a specific resource. A huge amount of requests and capture connections leads to saturation, server congestion, and it can’t receive new requests and leaving it unavailable to use. When the requests are instructed from the same source, it is called Dos (Denial of Service) attack, and when they are launched from more connected sources (bot nets), it is called DDos (Distributed Denial of Service). This is broadly used form of attack, since it does not require a huge amount of knowledge, or resources to be executed. Botnets can be rented online for as low as 20-30 USD, which makes this attack one of the most effective and common. DDoS attacks are rather ineffective method of censorship, they last for a limited amount of time, do not destroy content permanently and they often attract even larger public attention. Taking this into account, perhaps we can think about these cases as a form of bullying, closer to traditional forms of pressure, intimidation and attacks on journalists, than as an effective way of online censorship. To prevent these types of attacks, the server can be configured to limit the number of requests made from the same IP address, and like that to automatically blocks the access in case of too much request. There are also systems to mitigate DDoS attacks, most commonly used by hosting providers, but they can also be selected as an independent service. These systems distribute the load when those attacking use a wider infrastructure, but cannot prevent the attack itself. The most well known services for the prevention are Cloudflare and Deflect.

System interference. Taking control of a particular part or all of an information system is colloquially called hacking. (((But not all hacking attacks are punishable….))) The intrusion is most often performed using existing passwords that were weak enough to successfully decode, or were somehow revealed by the victim to the attacker. To trick a victim into revealing their password, hackers use traditional fraud, or social engineering techniques. An attacker usually monitors the behavior of future target on the internet to find out enough details, and then contacts it to establish a trust relationship and instructs it to discover the password. This can be through a conversation, based on a person’s trusted identity, or by tossing infected documents into email correspondence, links to infected sites, and ect. Keylogger ”, a keyboard recorder is a type of software that is most commonly distributed as an attachment or by physically installing on a target device. The program is often invisible to the victim, running in the background and collecting every keyboard entry, click or touch on the screen, periodically taking screenshots. The collected data is forwarded directly to a specific server or emailed to attacker. A combination of technical and social methods results in “phishing”, and this represents a trademark of early American hackers. The attacker usually creates a web page identical to the site that the victim usually logs in from its account, and in email than informs about the alleged problem, prompting the victim to click on the link so that its account is not blocked or deleted. By going to a fake login page and entering own password, the victim sends personal information directly to the attacker. The fake page often then redirects the victim’s device to the real site, so the victim is often not even aware that her login information has been stolen. How can you protect? By using strong, complicated passwords, so you prevent machine decoding by combining letters or dictionary definitions, as well as the use of double-checking. It is also important to be aware of the risks on the internet, as well as that randomly clicking on links without checking, entails too much risk.

Ransomware- blackmail attack involves forcibly encrypting of content that a victim stores on their device, with a payment request (usually in bitcoins) in exchange for a data decryption key. The distribution of encryption software is mainly done through mail attachments. The main level of prevention- careful handling of files of unverified origin, but also you can use antivirus programs that can be configured to not allow auto-run files and scan e-mails before opening the attached files. The most important preventative measure for this type of attack is the updating of the operating system, anti-virus and firewall software.

Trojans, or “Troyan horse” is a malicious software most commonly taken into the system by social engineering. The victim usually picks up an “infection” on one of the obscure websites, where it recklessly accepts the warning that it is infected and activates a fake antivirus. This way, hundreds of millions of hacking attacks are commited in a year, which puts the Trojans at an unprecedented advantage over other hacking attacks. Best prevention from this kind of attack is an education and awareness of contemporary forms of threats. In organizations, this problem is solved in some way by filtering sites that can be accessed from computers on a local network.

“Code Injection” is a more sophisticated type of attack by which malicious code is inserted through vulnerable parts of the site (open, interactive forms) or through a URL. The inserted code prompts the base, or other part of the site, to perform destructive or invalid operations, when it retrieves the server’s resources until it is flooded with activities and thus shut down. After such an attack, the site may become completely unusable, so the content is reconstructed based on the last saved copy. Elementary security procedure for this type- back up your site regularly.

Worms– Programs that move independently through the system, using computer networks to transfer to other computers, usually without human involvement, can arrive as an attachment to the email. The “worms” operation is made possible by security vulnerabilities in the operating system. Primary protection are quality antivirus software and strong passwords. Good practices for protecting against computer worms include the use of firewalls, avoiding suspicious emails, and regularly updating software.

Hosting and Domain

Do you know where your website is hosted? And do you know why a hosting place is important for your organisation?

The hosting provider stores, on its servers, all the data that makes one portal available online. A domain is a registered a unique URL that points to a site, and domain and hosting may or may not be part of the same service package. Organisations can choose whether to host their site domestically or abroad. When choosing, they should consider questions pertaining to business and security. There are some advantages if a media organisation hosts its domain in their own country – the organisation can directly see the quality and security of the server room provider, where the site is located, the availability of technical support, online communication is increased, and the liquidity and reputation of the hosting provider can be verified in their own community. One of the bigger advantages is that there is no risk of implementing regulations related to the disclosure of data in the field of personal data protection. Also, if the site is intended for domestic audiences, if it happened to be under DDoS attack from abroad (which is usually the case) by temporarily blocking foreign IP addresses, the site can remain stable and accessible to domestic users. If the organisation is hosting abroad, the website is outside the jurisdiction of the responsible state authorities, as hosting is not subject to domestic legislation, so legal and administrative procedures regarding content removal cannot usually be carried out without the consent of the site owner and server. 

In technical terms, there are four types of hosting- Shared hosting, VPS, Dedicated Server and Cloud hosting. 

Shared hosting is the principle of sharing resources. Different sites can be hosted on a shared server share processor, speed, disk space, etc, which means that if one of the sites on the shared platform has increased access, the data flow to other sites on the same server will be slower. Also, if one of the sites is under attack, there is a big possibility that the other sites on that server will be compromised as well.

VPS – Virtual Private Server is a hosting platform where everyone has their own resources. Technically, multiple virtual servers are raised on one physical server and each of them has certain resources that are not shared with the others. Also, if one of the virtual serves are attacked, the integrity of the others on the platform will not be compromised.

Dedicated Server is a type of hosting where only one site is hosted on a physical server, the user is granted the exclusive right to access the machine, and the user disposes of it as it wants. Additionally, it can build virtual servers and use them for various purposes, web hosting, email, data storage (data storage), and more.

Cloud hosting is hosting on multiple servers that are connected in order to function as one, which contributes to the decentralisation of the system and leaving it more incorruptible. In the case of a failure on one of the servers, the others assume its role, so the problem will not affect the operation of the site.

Shared hosting is not recommended in cases where the site is composed of active content that changes relatively often and when the number of visitors varies, while dedicated hosting and Cloud hosting are better solutions, but their costs are a little higher. Choosing one option or another depends on the needs of the organisation. Technical support is one of the most important segments of hosting requirements because, in case something goes wrong, this service becomes a point of contact that needs to be fully cooperative to resolve the problem as soon as possible. It is advisable to choose a company whose technical support is operational day and night, every day of the week. Additionally, while all content and traffic on the internet is mostly virtual, these devices are still machines, that is why it is important to check what kind of hardware the hosting company uses. The technical specifications of the packages are, finally, the most important feature and their scalability is most desirable; that is, they can be adapted and upgraded to meet the changing needs of the organisation. Good hosting also means decentralisation. It is not recommended that the same server be used to host the site as a mail server, or data center. The web server must be accessible from the public internet, while the availability of a data center from that same domain would be a serious security issue. If there is a need to access data stored in a centre remotely, it is best to use VPN services. There are portals for comparing hosting packages on the Internet, such as HostMonk and Web Hosting Reviews. When an organisation buy a domain, it should be careful and invest in a name with as many top level domains as possible (.net; .org; .com), because if the organisation buy all of them, nobody else can abuse their uniqueness.

Securing Communications and Files

To secure your communication and files, and to share them safely, is imperative for every investigative journalist. Here is how to do it:

In the digital environment, there are a lot of factors which can determine if the system will be safe or not. Primarily, there are technological and infrastructural factors, which every media organisation uses when it comes to data protection and security. Besides technological, there are also non-technological factors that represent specific users habits. These non-technological factors are important, as within the organisation, as well as all outside communication and information exchange.

How to safely share and store information?

Encryption is a cryptographic concept of encoding information, ensuring that only those who know a way of decrypting it can read it. Modern digital encryption stems from the concept in ancient Rome, when primitive algorithms based on letter modifications ordered a certain way were used. However, modern encryption has vastly developed into a whole new, and different, direction of cryptography. Originally, most information systems were not encrypted, which means that this must be set up to exist. If that is not done, someone puts themselves, the people who they interact with and the organisation as a whole at risk. Encryption is implemented on multiple levels – disk encryption and connection encryption.

Disk encryption involves creating a layer of security that prevents unauthorised persons from accessing the contents of the disk. In order to access the materials, you need to enter a code and, in some cases, additional parametres such as two-level authentication, digital certificate, or biometric data. Each encryption implementation is different because its needs vary depending on how the encrypted data is used, i.e. whether it is a data transfer, or being used as storage. One of crypt software that can be used is Veracrypt – program that locally encrypts data. VeraCrypt adds enhanced security to the algorithms used for system and partitions encryption making it immune to new developments in brute-force attacks.

Connection encryption includes safe browsing and communication protection. While browsers are used to search the Internet, technical search accesses content on the Internet using HTTP Internet protocol. There represent different commercial solutions, and the all, in some way, perform the same function, but for a search to be safe, you need to configure additional parametres and install additional plugins. A basic level of security implies the use of SSL (Security Socket Layer – a special layer of protection on the HTTP Internet Protocol) or TLS (Transport Layer Security – an upgraded and newer version of SSL). These technologies encrypt client-to-server communication and thus effectively protect against MitM attacks (Man in the Middle- a type of technical attack in which the client and server are not necessarily compromised, but the connection between them is, and the attacker uses connection defects to have access to communication to compromise it). In this way, secure transfer of sensitive data via the Internet such as usernames, passwords, confidential personal information (i.e. social security number), credit card information, bank account numbers, etc. is enabled. SSL is installed on the server, which means that it does not exist as an option for every website. Websites that use SSL in the URL address have “https” instead of the standard “http”. Email, aside from the development of newer ways of communication, has remained the most commonly used platform for official communication over the Internet. Consequently, a great deal of relevant and compelling information is still transmitted via email. On the other hand, the technology behind this universal platform is not completely secure, and it presents a number of security flaws, including the fact that users have no control over who can access the metadata and content of his or her email communication, especially when using public email services such as Gmail, Live, Yahoo Mail, etc. A partial solution to the metadata problem is using the TOR network (The TOR network is a hybrid hardware and software solution that allows users to connect to the Internet anonymously), as well as blocking active content such as images and various other potentially risky elements in email messages. In most cases, content is not encrypted in this way. One of the best ways to encrypt email content is PGP (Pretty Good Privacy – an encryption and decryption method used for end-to-end content protection). The downside of PGP may be that its implementation is not fully customer-oriented. Also, both parties need to use PGP in order to establish it as a secure communication mechanism. Beside email communication, journalist use other various chat services for communication, and these are often the subject of correspondence about confidential user information that should not be made available to third parties.

There are some other applications which offer the ability to encrypt chat communication, such as Signal. A free and open source application, which is available for popular mobile and desktop platforms, enables end-to-end encrypted calls and messages, as well as other security features, such as screen lock and disappearing messages.

Technical Protection of Sensitive Data

Media systems are made up of data that needs to be protected and preserved. Here is how:

Journalists are often expected to protect public interests, provide timely and accurate information to the public but, in the digital age, they are struggling to do so without adequate technical protection of sensitive data. Otherwise, the confidential information they collect is at risk of being exposed, and even their sources, or they themselves can be put in danger from internal business, organisational plans and communication with confidential sources being published on the Internet. Media’s entire information system is made up of data, which needs to be protected and preserved.

Internal network – In newsrooms, all computers, printers, storage servers or mini data centres, mail servers, routers and other components are connected to an internal, local area network, physically (by cable) or wireless (WiFi). The concentration of sensitive data in this network is high, therefore special safeguards should be applied. 

Wireless network: A wireless network may have different physical ranges depending on the strength of the broadcast signal. Indoors, this range averages around a 20-metres radius from the router, which often means that this network is also available outside the newsroom. Wireless signal routers have several layers of protection of which the administrator is supposed to configure. The most common measures of protection are Wireless security mode, Mac filtering and SSID hiding. 

Wireless security mode – It is recommended to use WPA2 (Wifi Protected Access 2) protection, which has two possible applications. PSK (Pre-Shared-Key) is easy to set up by setting a code; Enterprise requires slightly more complicated setup and an additional RADIUS (Remote Authentication Dial In User Server) server. In most cases, the PSK method is a good enough protection mechanism for small and medium-sized organisations, if the set code meets these normal standards. 

Mac filtering A MAC address is the physical address of a device that connects to the network. The router can be configured to allow only the addresses on its list to be accessed. This method will not stop advanced attackers, who, with the help of software such as Aircrack-ng, can detect a list of MAC addresses from the router and download some of the associated addresses for their device.

SSID (Service set identifier- the name of the network, which is usually public) hiding– Similar to the MAC filter, hiding an SSID will not stop advanced hackers, but will prevent some less capable attackers from playing with someone else’s network. Multiple wireless networks are recommended when there are at least two categories of people for whom the network would be targeted, such as employees and guests. Given the characteristics of a wireless network, the only way to physically separate the network used by employees from the network other editorial visitors connect to is by maintaining separate routers where each will have its own cable that connects directly to the internet provider.

Physical protection measures: Air gapping – a measure of protection in which individual computers or a group of interconnected computers are kept in isolation, that is, they do not connect directly or indirectly to the public Internet. Air gapping is applied to parts of a system that store or process sensitive data. This security measure is one of the most effective methods of preventing network intrusion and data theft. In addition to air gapping, other physical network security measures are available, such as preventing the use of USB ports. One of the most complex computer viruses, Stuxnet, is usually transmitted through a USB flash drive.

Data Centre: Decentralisation of a system is becoming a key condition for its security. It is recommended that the data is not stored on the same computer from which it is connected to the network or on which it is processed. There are several ways to store large amounts of data; the easiest way is on an external hard drive. Storing data on an external hard drive means that the data physically remains in the hands of the organisation. From a data-loss risk perspective, renting storage space on a cloud server is a significantly better way to store important data. Cloud services use RAID technology, which significantly reduces the risk of failure. RAID (Redundant Array of Independent Disks) is a technology based on a model of multi-disk, side-by-side comparisons, with at least two locations per data set. However, if it is sensitive data, it is not recommended to store it on other devices, despite the fact that all cloud services include encryption. The third way of storing data is to create your own mini data centre, where all the data relevant to the organisation will be stored. As a result, the data will remain within the physical space of the organisation, and the application of RAID technology will reduce the risk of data loss and theft.

Backup: Backing up does not affect the security level of the system itself, but it is crucial following a security crisis in which recovering lost data is a necessity. Sometimes it is possible to determine, on the basis of the backup itself, the cause of the system crash, by reconstructing security flaws or system errors, etc. It is recommended to use an open source backup system, such as UrBackup (http://www.urbackup.org/). When making this choice, make sure that the backup system provides the ability to recover data quickly and accurately, and that it is optimal, i.e. that it does not overload server or storage resources.

Long distance work: Physical access to applications and data in the newsroom is possible, with the appropriate permission, from any computer in the world.This greatly facilitates the work of journalists and editors, shortening the time it takes to process data and enabling participation in the field. From a security standpoint, long distance work has serious drawbacks; establishing a connection between the newsroom network or server and an external computer opens up to system to the possibility of MitM (Man in the Middle) attacks. This is a type of technical attack in which the client and server are not necessarily exposed to danger, but the attacker uses connection defects to access their communication and commit data theft. A secure way to work remotely is to connect via VPN (Virtual Private Network). It is a service of creating a separate tunnel between two computers on a public network, which is specifically encoded for protection. Of the many types of VPNs, the safest is to use so-called secure data transfer protocol- TSL (Transport Layer Security protocol).

Private email server: Email is a particularly sensitive data set in every newsroom. For the sake of protection, each organisation should provide a dedicated server for email. In this way, it protects itself against attack while, at the same time, leaving it to the jurisdiction of other states. In addition to the content of ones email, the importance of data from everyday communication is metadata – information that is generated and exchanged during an email conversation by the software and devices used to send and receive it. To attackers, metadata is often more important than the content of the letter itself because it carries precise information about the digital context of communication. Metadata is stored on a mail server, so its security is specific. A basic protection step is to block all protocols (for example, FTP or HTTP) that the server is not required to perform its primary function, ie. receive and send email. A dedicated server can be rented as part of a hosting package or other services, or an organisation can purchase a server with special software – an example of such software is iRedMail.