Hello again!

It’s Martin, principal researcher at Freedom of the Press Foundation (FPF), with our regular update on the U.S. Journalism School Digital Security Curriculum.

J-school security curriculum highlights

  • To account for new username and privacy options in recent versions of Signal, we made some small changes to the Signal activity recommendations, as well as the chat safety handouts used in the “Digital security 101” and “Chat safety” modules.

Highlights from digital security in the news

  • Some news from us: We just launched an advice column! In “Ask a security trainer,” we cover questions we frequently receive from reporters in our digital security trainings, as well as questions we receive from our audience. You can follow it on our blog. If you’re not subscribed already, we’ll be sure to let you know when new advice columns drop as part of our digital security digest newsletter: https://fpf.training/subscribe
  • According to an internal slide deck obtained by 404 Media, a company called Cox Media Group claims it can listen in on devices with microphones to serve targeted advertisements based on what prospective customers are saying. Following the reporting on the company’s so-called “Active Listening” software, Google kicked the company out of its Advertising Partners Program. According to 404 Media, “The deck does not say where CMG allegedly sources this voice data, be that a particular brand of smart TV, a smart speaker, or smartphone loaded with a particular app.” https://www.404media.co/email/862be333-9ce8-4d88-a175-840509462bb1/ (Suggested module: Device protection)
  • Apparently there is a recent increase in the number of so-called sextortion scams that involve personal information — this time, leveraging the physical location of a target’s home. The classic construction of this scam goes something like this: The scammer will typically email, suggesting they’ve put malware on your device and observed your… *ahem* behaviors, and if you don’t want the evidence shared with anyone, you’ll send them some money, often using cryptocurrencies. Many of these emails include the target’s real name and phone number, but in this modern spin on this old scam, the attacker will also send a photo of the target’s home. Don’t fall for it, because this is all publicly available data, and there’s no reason to believe they actually implanted malware. In fact, the scam often claims the use of malware designed to be sold to state actors — Pegasus. As the kids say, that’s mega sus. https://www.404media.co/sextortion-scammers-try-to-scare-people-by-sending-photos-of-their-homes/ (Suggested module: Targeted harassment and doxxing)
  • In new versions of Windows 11, Microsoft is now enabling its BitLocker disk encryption by default. The Windows 11 24H2 release will also lower some of the hardware requirements for disk encryption, so it will be available to more devices than in years past. Alongside the nearly equivalent FileVault disk encryption feature for Mac devices, we often recommend enabling BitLocker for protecting data housed on your device. If you haven’t yet done so, learn more here. https://www.theverge.com/2024/8/14/24220138/microsoft-bitlocker-device-encryption-windows-11-default (Suggested modules: Device protection, Law enforcement surveillance tech)

What we’re reading:

  • Our friends at Consumer Reports and Tall Poppy released a well-researched analysis on the efficacy of anti-data broker services. We often recommend using these kinds of tools to get some extra help dealing with companies that aggregate and sell personal data (e.g., your phone number) to anyone willing to put up a few dollars. But which of these services are most effective? Find out by reading the report, "Data Defense: Evaluating People-Search Site Removal Services."

As always, let me and our digital security team know how you're using the curriculum, what’s useful and how it can be improved! Feel free to respond to this email or [email protected].

Thanks so much,
Martin