Full Report
Senior researcher John Scott-Railton speaks with GIJN about strategies journalists can employ to improve their digital hygiene and protect themselves from targeted attacks. (Source: "John Scott-Railton Shares Tips and Tools to Protect Yourself Digitally", The Citizen Lab.)
Analysis Summary
# Best Practices: Digital Defense Against Targeted Surveillance
## Overview
These practices address the high-risk environment faced by journalists, activists, and high-profile individuals who are targets of state-sponsored or commercial spyware (e.g., Pegasus, Paragon). The focus is on increasing the "cost of entry" for attackers and minimizing the impact of potential device compromises.
## Key Recommendations
### Immediate Actions
1. **Enable Lockdown Mode:** Activate Apple’s "Lockdown Mode" on all iPhones and iPads to reduce the attack surface by disabling complex web technologies and message attachments.
2. **Enroll in Advanced Protection:** Register Google accounts in the **Advanced Protection Program** to require physical security keys (e.g., YubiKeys) for login and enhance file scanning.
3. **Harden Messaging Apps:** Set Signal and WhatsApp to use disappearing messages by default, and enable "Registration Lock" (a PIN) so that an attacker who hijacks your phone number through a SIM swap cannot re-register your account.
4. **Reboot Regularly:** Restart mobile devices daily. Many modern exploits are non-persistent, so a reboot can clear "in-memory-only" malware that has not established persistence.
### Short-term Improvements (1-3 months)
1. **Transition to Security Keys:** Phase out SMS-based Two-Factor Authentication (2FA) in favor of hardware security keys (FIDO2/WebAuthn).
2. **Audit Connected Apps:** Review and revoke third-party app permissions on primary email and social media accounts.
3. **Establish a Security "Buddy System":** Implement a group process for security where team members check in on each other’s digital hygiene.
### Long-term Strategy (3+ months)
1. **Develop an Incident Response Plan:** Establish a clear protocol for what to do if a device is suspected of being compromised, including who to contact (e.g., Access Now Helpline).
2. **Continuous Training:** Institutionalize "security as a process" by staying updated on new exploit vectors through organizations like The Citizen Lab.
## Implementation Guidance
### For Small Organizations
- **Focus on Free Tools:** Prioritize the use of built-in features like Lockdown Mode and Google’s free Advanced Protection.
- **Peer Support:** Designate one person to monitor security alerts and share them with the group.
### For Medium Organizations
- **Standardized Hardware:** Issue standardized hardware security keys to all staff.
- **Policy Enforcement:** Formalize a "disappearing messages" policy for all internal communications regarding sensitive sources.
### For Large Enterprises
- **MDM Configuration:** Use Mobile Device Management (MDM) to enforce Lockdown Mode and OS updates across all corporate-issued devices.
- **External Auditing:** Regularly collaborate with civil society tech-watchdogs to audit the threat landscape specific to the organization's operating region.
## Configuration Examples
### iPhone "Lockdown Mode" (iOS 16+)
1. Open **Settings**.
2. Navigate to **Privacy & Security**.
3. Scroll to the bottom and select **Lockdown Mode**.
4. Tap **Turn On Lockdown Mode** and restart the device.
### Signal Messenger Hardening
1. **Settings > Privacy > Disappearing Messages:** Set a default timer (e.g., 24 hours).
2. **Settings > Account > Registration Lock:** Enable to prevent unauthorized re-registration of your number.
## Compliance Alignment
- **NIST Cybersecurity Framework (CSF):** Aligns with "Protect" (Identity Management) and "Detect" (Anomalous Activity).
- **CIS Controls:** Specifically Control 5 (Account Management) and Control 6 (Access Control Management).
## Common Pitfalls to Avoid
- **The "Silver Bullet" Fallacy:** Thinking one tool (like a VPN or an encrypted app) makes you "unhackable." Security is layered.
- **Ignoring Updates:** Delaying OS updates for even a few days leaves you exposed to "zero-day" exploits whose underlying vulnerabilities have just been patched.
- **Isolation:** Trying to manage digital security alone without consulting experts or community resources when suspicious activity occurs.
## Resources
- **The Citizen Lab:** citizenlab.ca
- **Access Now Digital Security Helpline:** accessnow.org/help
- **Google Advanced Protection Program:** landing.google.com/advancedprotection
- **Global Investigative Journalism Network (GIJN) Security Resources:** gijn.org