It is possible to make a film without going anywhere, but it's pretty hard to do so without communicating with anyone. To make your film, you're going to co-ordinate with your team and then some combination of advisors, suppliers, subjects, funders, festivals, etc. And unless you opt for potentially having your communications under surveillance, you will need a digital security plan! That's why we've put this section first, to start assessing together whether your communications are sufficiently secure to protect yourself, your subjects, your team and make sure that your important work can reach the public and be as influential as possible.
In short, digital security affects us all and will only become a bigger concern as many governments pass new legislation granting them greater powers of digital surveillance. There has never been a better time to start learning about the risk that filmmakers are exposed to and how to protect yourself, your film, subjects and colleagues. Physical safety is often contingent on digital security.
Even though you may not think at the outset of a project that you need to protect your communications and rushes, this may become necessary as events unfold, so it's advisable to think ahead and plan for privacy wherever possible.
It's also important to note that technology is constantly changing and digital security safeguards are being compromised, so you have to be right up to date with the latest tools and understand fully what is no longer safe. Information received in a digital safety course taken last year might not be applicable today. It is also critical to know what sort of software or apps are illegal in certain countries - and which have anti-encryption legislation - as falling foul of these laws could lead to your equipment being seized and could even lead to imprisonment. There is no single, catch-all source to check for these regulations: you have to check country by country with reliable specialists and local sources.
This following section draws heavily on guidelines and advice from the Freedom of the Press Foundation, Committee to Protect Journalists, the Rory Peck Trust and Tactical Technology. Links to key resources are included at the end of this and every chapter.
1.1 Assess Your Digital Risk
First things first, consider what you are trying to accomplish with your film project and what it is specifically that you might need to protect (i.e. confidential data, source identities, locations, film footage, etc) and who or what might threaten it - and how.
Take time with your team to think through both the digital security challenges you could be facing throughout the project and how you will communicate and share source material with your team members securely.
As recommended by the Freedom of the Press Foundation, work through what the digital threat model is to your project by assessing who your potential adversaries are, what their objectives might be and what would happen to you if they succeeded in achieving them. Try asking yourself, and others you work with these following questions:
- Who would be most likely to target this project?
- What resources (for example money, time, equipment and expertise) do they have to dedicate to targeting the project?
- What is their objective: money? incriminating information? access to my friends or other trusted contacts?
- What would happen to me, my project and my contributors if they were successful?
From there, look first at how you normally communicate, and then try to assess where your processes are vulnerable to those specific threats and how you would mitigate them.
Consider where digital security breaches could occur - not forgetting situations such as working from internet cafes or on computers at business centres of hotels and airports, communicating information on social media platforms or speaking on an insecure (and therefore potentially "tapped") telephone line. And remember that everyone in the project needs to adhere to the same, agreed digital security protocols. Your protocol is only as strong as its weakest link.
Whether in pre-production, production or postproduction, consider any specific local regulations or operating contexts that may be faced. Depending on the countries you are working in, you may find that use of encryption or the use of a particular digital security tool is against the law and so you may need to handle your digital security in another way.
We are recommending digital risk assessment resources you can use from the Rory Peck Trust, Freedom of the Press Foundation and Tactical Technology in the Resources at the end of the section.
Suggested Team Discussion Points:
These questions have been designed to provoke team conversation about the digital risks your production may face. These questions are not exhaustive and it is understood that each project has its own bespoke issues that will merit discussion.
|Can you currently foresee any reason why you might be targeted for surveillance by an individual, a government, law enforcement agency, hackers or corporations?
If yes, why?
|What is it you are specifically trying to protect? E.g. confidential data, source identities your location, video footage etc?|
|Who would be interested in accessing your sensitive information and why? Have they committed a crime; are they involved in corruption; perpetrating human rights abuses - or would the information be damaging or embarrassing in some way?|
|What methods could they use to get it? Could they access your internet or mobile service provider, hack your device, confiscate your equipment, use a court order, etc.? Could they access devices belonging to your sources or support staff?|
|What would happen if they succeed?
Could you or your source or fixer/ translator/ driver (or others) be arrested, could filming be stopped, or could confidential information be used against others?
|What are the local regulations on protective software?
Is encryption illegal? Do you need carnets for equipment like sat phones?
|Given your responses to these questions, do you need to perform a risk assessment on this project? There are some great resources available for both risk assessment and threat modelling from organisations such as the Rory Peck Trust and the Electronic Frontier Foundation - please see the end of the section for recommendations|
1.2 Minimise Your Digital Risk
Of course, each documentary film project has its own bespoke requirements when it comes to safety and security and it's worth considering exactly what steps you and your team need to take to minimise the identified digital security risks. If you are at risk of surveillance:
- You may need to avoid being traced by your mobile or sat telephone - consider using a burner phone (meaning a phone without any personal data on it or linking it to you, with an anonymous SIM if possible, this is not legal in all countries) and which you'll use only for a particular trip or period of time)
- While paper notepads are digitally secure, they cannot be encrypted and can be confiscated or stolen - so consider this, particularly when on location
- Password managers can generate very hard to crack passwords, 1Password comes recommended (read this guide from Freedom of the Press Foundation on improving passwords). Never use the default or factory password (often 0000 or 1234) on any device or service.
Often sensitive material needs to be communicated in the quickest, most efficient way. Technology is the go to habit, but it's important to be aware of how you communicate certain pieces of information if you do not want it shared by anyone else. Think about also how you will be recording and saving the information from your shoot - for example, will you be traveling with footage across borders that can be compromised? It's important to take a step back as a filmmaker and assess any elements of your story that may need to be protected.
If your project demands it, there are a number of encryption tools that can be deployed to protect aspects of your work by making it unreadable to all except the person who knows how to decrypt it such as:
- Using an encrypted form of communication like the mobile (and Chrome plug-in) secure messaging application Signal, an encrypted email like ProtonMail or the one-off encrypted communication, One Time Secret (available in a number of languages). Note that researchers found a vulnerability with PGP email encryption in May, 2018. Digital security experts recommend temporarily disabling PGP plugins for the time being. See the Electronic Frontier Foundation's guide on how to do so here.
- Sharing password protected sensitive encrypted files using SpiderOak ShareRooms or the disk encryption software, VeraCrypt.
- Using Freedom of the Press Foundation's Secure Drop to pass files between team members or from sources and subjects.
- Implementing a secure web browser such as TOR or those recommended in this article
Remember that to function securely these applications need to be updated regularly. Remember also that even if your adversary cannot crack your encryption, they may well be able to see that a device or drive contains encrypted material - so as well as encrypting material, consider hiding it digitally, too.
Bear in mind that important as communication security is, physical theft of data and hardware often poses as great or greater risk in the field than remote surveillance.
You should also think about whether your project merits safe technology too, such as working from a clean laptop when in the field and using a burner phone, a prepaid phone bought for a specific purpose and paid for in cash and therefore untraceable.
There are some excellent resources at the end of the section, including the Center for Investigative Journalism's 2016 guide to Information Security for Journalists.
Carefully consider what your project digital security needs are and then identify the tools that your team need to operate safely.
Suggested Team Discussion Points:
These questions have been designed to provoke team conversation about the risks your production may face. These questions are not exclusive and it is understood that each project has its own bespoke issues that will merit discussion.
|Will you, your sources and local support staff (e.g. fixer, translators, drivers) need to use encrypted communications as part of the filmmaking process?|
|Will you or members of your team need to leave your usual phone behind to avoid being tracked and surveilled?
If this is the case, how will you protect yourself?
|Will you need to protect your documents on location and at home? And if so, for what duration?|
|Should you be encrypting rushes at source on location? Will you be crossing borders? Do you need to encrypt them in your edit room? Should your edit room be quarantined and off-line?|
1.3 Online Profile Risks
It's crucial to undertake an evaluation of your team's online presence and the profile of your project, both in terms of search engines such as via Google, Yahoo, Bing and others as well as assessing any risks their social media profiles - e.g. on Facebook, LinkedIn, Twitter or any other personal or professional site or network service - may present.
Suggested Team Discussion Points:
|Do any search results put you or the film at risk?
Which of the search results could put you at risk on your upcoming assignment? Are any of them under your control?
|Do your social media profiles put you or the film at risk?
Does your team's social media presence jeopardise the project in any way? Would it be beneficial to ask them to change their profiles?
|Do you or any of your team members have any of your previous work accessible or listed online?
Is that a risk to the project?
|Should you or your team members be using a different name on location vs what you use for your online presence to protect yourself and your subjects/ sources and their families?|
|Have you or your team members mentioned this project at all on any social media or blog in the past?
Does this compromise the safety of you and /or your team?
1.4 Experience & Training
Having established what the digital security risks are to your project might be, how knowledgeable are you and your team in understanding how to protect yourselves and your film from methods in which your communications could be compromised?
Before your project heads too far into pre-production, an assessment of your entire team's current level of experience with digital security is highly recommended to ascertain whether formal digital security training would be worthwhile. If there's sensitive material associated with your film project, it's important that anyone involved in communicating about it digitally - whether in the production office or on location - is fully up to speed on the most appropriate methods to be using.
1.5 Digital Security Resources
Digital Risk Assessment
Additional Digital Security Resources
When Things Go Wrong
*(24/7 services are available with support in eight languages: English, Spanish, French, German, Portuguese, Russian, Tagalog, and Arabic. They apparently respond to all requests within two hours)
1.6 Digital Security Training for Filmmakers
We are only putting forward training that we have heard good things about from filmmakers. We want to hear from you if you have taken Digital Security Training that you can recommend to your fellow filmmakers. Email us anytime at: firstname.lastname@example.org
Freedom of the Press Foundation organise trainings with the IDA and others and also do bespoke training with teams.
In Europe we recommend: