If you’re a journalist, you’ve probably been privy to information that could put your sources at significant risk if it got in the wrong hands. I’ve written a post on The Freelancer with some basic tips on how to protect your in-person communications, but ran out of space to talk about the tools of the trade–patiently explained to me by Michael Carbone, Manager of Tech Policy and Programs at Access, Runa Sandvik, privacy and security researcher at Freedom of the Press, and a couple of other experts speaking on background.
You may want to start playing around with these tools now, as it’s best to get a handle on them before you actually need them. But before we delve into complex, high-tech tools, be aware that basic digital security measures should be in place. I’ll have a post within the next week or so on ways to make yourself safe(r) online, whether you’re a journalist or not, but for now, here are some basics:
- Make sure you use long, complex passwords, using a password manager such as 1Password or KeePass. (Memorizing your main password, not writing it down, and not using password hints is, of course, preferable… and think twice before )
- Set up two-factor authentication, which can alert you to break-in attempts and make your accounts harder to compromise. With it enabled, you log in with your password plus a one-time code, typically texted to your cell phone or generated by an authenticator app on it. Codes sent by text can be intercepted by anyone who manages to hijack your phone number, so prefer an authenticator app wherever the service offers one.
- Keep your software up-to-date, so that you’re not vulnerable to security issues that have been patched up in newer versions.
- Try to stay on top of any concerning issues, such as Apple’s troubling default autosave settings (which I just wrote about for Slate’s Future Tense blog).
- Be careful when clicking on links or opening attachments. You can preview non-confidential attachments in Google Drive rather than opening them on your own machine, or use VirusTotal (now owned by Google) to scan links and attachments. LongURL expands shortened URLs for you so you’ll know where you’re going before you click.
Now that the basics are taken care of, let’s get to the fun stuff. Here are some tools you can pick and choose from to decrease the chances that your source’s identity will be compromised.
Your invisibility cloak: Tor
What is it?
Tor is a robust anonymity network that protects your location and identity online by bouncing your traffic through multiple volunteer-run relays around the world, so that no single relay knows both who you are and what you’re visiting. Originally developed at the U.S. Naval Research Laboratory to protect government communications, Tor was also famously used by whistleblower Ed Snowden to send information about PRISM to the Washington Post and the Guardian. Tor sometimes gets a bad rap because it’s been used to spam web forums or send anonymous hate mail, but it’s also been used by domestic violence survivors to avoid cyberstalking without needing to quit the internet cold turkey.
If you’re reporting from a country with internet restrictions, you can use Tor to reach websites that would otherwise be blocked. If you’re okay with revealing your identity but not your location, you can post on social media sites through the Tor Browser.
The Tor Browser is incredibly easy to use and doesn’t even require a system-wide install: you download it and run it from a folder. The operating system Tails, which boots from a USB stick and can be used while traveling, routes all of your traffic through Tor and leaves no trace on the computer you ran it on. It requires a bit more technical know-how.
Obviously, logging into Facebook, a bank account, or an email account associated with your name reveals your identity.
- Opening downloaded documents while online, enabling or installing browser plugins, logging into email or Facebook accounts under your real name, and running BitTorrent over Tor are a few other ways that your identity can be compromised.
- In addition, your internet service provider or local network administrator can see that you’re connecting to the Tor network unless you take special measures to hide it, such as connecting through a Tor bridge.
- Another potential drawback is that some websites either block traffic coming from Tor, or do not allow comments from Tor users.
- Tor and Tails have posted warnings detailing other potential vulnerabilities.
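The drawback about your provider seeing Tor use follows from the fact that public relays are listed in the Tor directory consensus, so a network operator only has to match outbound connections against that list. The script below, an example added by the editor and not from the original post, shows that check run over a constructed connection log; the relay addresses and log lines are made up for illustration (TEST-NET ranges), not real Tor relays, and a real operator would fetch the live consensus or an exit-list feed instead.

```python
"""Why an ISP can tell you use Tor, and why a bridge hides it (editor's example)."""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed stand-in for the public Tor consensus: (ip, OR port) of listed relays.
PUBLIC_RELAYS: Set[Tuple[str, int]] = {
    ("203.0.113.10", 9001),
    ("203.0.113.11", 443),
    ("198.51.100.7", 9001),
}

# Constructed firewall/netflow-style log: "timestamp src:port -> dst:port proto".
# 192.0.2.55:443 plays the part of a private bridge, which is NOT in the consensus.
SAMPLE_LOG = """\
2014-11-03T09:14:02Z 10.0.0.42:51322 -> 203.0.113.10:9001 tcp
2014-11-03T09:14:05Z 10.0.0.42:51323 -> 198.51.100.200:443 tcp
2014-11-03T09:15:11Z 10.0.0.17:44010 -> 198.51.100.7:9001 tcp
2014-11-03T09:16:40Z 10.0.0.99:51330 -> 192.0.2.55:443 tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)


def parse_log(text: str) -> List[Dict]:
    """Parse the constructed log format; skip malformed lines and bogus addresses."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        try:
            rec["dst"] = str(ipaddress.ip_address(rec["dst"]))
            rec["src"] = str(ipaddress.ip_address(rec["src"]))
        except ValueError:
            continue
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def tor_connections(records: List[Dict], relays: Set[Tuple[str, int]]) -> List[Dict]:
    """Records whose destination is a listed relay. The operator learns THAT you used
    Tor, not what you did over it; that is the exact leak a bridge is meant to close."""
    return [r for r in records if (r["dst"], r["dport"]) in relays]


def tor_users(records: List[Dict], relays: Set[Tuple[str, int]]) -> Set[str]:
    """Source addresses that touched at least one public relay."""
    return {r["src"] for r in tor_connections(records, relays)}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in tor_connections(recs, PUBLIC_RELAYS):
        print(f"{r['ts']} {r['src']} -> Tor relay {r['dst']}:{r['dport']}")
    # 10.0.0.99 only talked to the unlisted bridge, so it never shows up here.
    print("hosts seen using Tor:", sorted(tor_users(recs, PUBLIC_RELAYS)))
```

Address matching is the cheap check; a more capable operator can also fingerprint Tor’s TLS handshake with deep packet inspection, which is why bridges are normally paired with a pluggable transport such as obfs4 that disguises the traffic itself.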
Masking identity and location is highly useful for both journalists and sources, and the fact that it requires limited technical knowledge makes Tor a no-brainer.
Your Dead Drop
SecureDrop is an open-source submission system, reached only through Tor, that lets a source send documents and messages to a news organization without revealing who they are. It is used by prominent publications and websites, including the New Yorker, Forbes, ProPublica, the Intercept, the Washington Post and the Guardian.
Difficulty: SecureDrop is challenging to set up without some computer know-how, and it’s recommended that an organization has an IT professional or system administrator to maintain it.
- SecureDrop needs two servers plus an old laptop to serve as an air-gapped viewing station, so the cost is between $1,000 and $3,000.
- As mentioned, having a computer professional on staff is recommended. (Another option that may be better for freelancers is OnionShare, which shares files directly over Tor without any servers to run.)
- An adversary can still break in or hack into the news organization to seize documents once they have been received and decrypted.
Your decoder rings
What it is: PGP stands for “Pretty Good Privacy,” while GPG, its open-source implementation, is “GNU Privacy Guard.” Both let you send and receive encrypted messages online using the recipient’s public key. An encrypted message looks like a jumble of text to everyone except the intended recipient, who unscrambles it with their own private key. Even if you don’t want to encrypt a message, you can digitally sign an email, so that the recipient can check that it came from you and wasn’t tampered with in transit.
Difficulty: Let’s just say that I definitely wouldn’t recommend trying to learn how to encrypt email while on deadline. Although it’s not hard to download and there are numerous tutorials online (like this one by opsec expert Tom Lowenthal), it can be challenging to get all of the components to work together with your email client. (GPG Suite, the Mac package, also doesn’t work with Yosemite yet, and it looks like they will begin charging for it once it’s ready.)
I was lucky enough to make fast friends with someone who gave a presentation on the topic. Even with assistance, I made multiple juvenile errors, including hitting reply to an encrypted message (thereby unencrypting it), sending something unencrypted when I thought it was encrypted, and setting an expiration date a year sooner than I’d intended.
The email client Thunderbird offers a robust encryption plugin called Enigmail that is a little finicky but can simplify the process, and a new program called Mailpile looks promising, though it isn’t finished.
- As mentioned, email encryption can be hard to learn, and both the sender and the recipient need to use it to communicate.
- If your computer is stolen, encrypted messages may be compromised: your private key lives on that machine, protected only by its passphrase, and some mail clients keep decrypted copies or drafts on disk in plain text.
- If you lose your private key (or forget its passphrase) and have been storing messages in encrypted form, that data is gone forever.
- Email service limitations and other issues sometimes make it difficult to send large files using encryption. (They can be shared through thumb drives, OnionShare, or other file sharing sites.)
- Sending encrypted emails does not hide information about who is emailing who, when, how often, and with what subject line.
- Correspondents need each other’s public keys, which adds another step to the process, and a key found online should be checked by confirming its fingerprint over a second channel, such as in person or by phone. Some journalists link to their public key on their websites; I’ve posted mine in my Twitter bio and linked to it in my email signature.
What it is: Off-The-Record (OTR) Messaging is a chat plugin that encrypts instant-message conversations end to end. It can be run over Tor to protect your location as well. It works inside existing chat clients such as Adium for Mac or Pidgin for Windows and Linux.
Difficulty: OTR is incredibly easy to set up. It wraps whatever chat account you already use, so the encrypted conversation shows up in the same chat window as before. Learning how to verify the identity of the person you’re speaking with, however, proves to be a bit more challenging.
- Both users need to use OTR in order for it to work.
- Separate steps must be taken if you wish to verify the identity of the person you’re speaking with.
- OTR does not support group chat, file transfers, or audio and video communication.
- Reporters on national security stories may want to stick with Jitsi, because OTR does have a few security concerns that an adversary with high-level technical experience may be able to exploit.
- OTR with Adium appears to save some messages in plain text, because Adium logs chats by default. Logging needs to be disabled manually.
Encrypted phone calls and texts
Open Whisper Systems offers two Android tools, RedPhone and TextSecure, for calls and texts. Apple users can use Signal on their iPhone to make encrypted phone calls.
In addition, a company called Silent Circle offers encrypted calling and texting, with plans ranging from $12.95 to $24.95 a month to call non-user numbers. Otherwise, you can call users for $9.95 a month.
- Both parties need to have the Open Whisper Systems tools installed on their phones. Silent Circle lets its users call or text people who aren’t on the service, but those calls are obviously not protected end to end. Otherwise, both users need to pay for the service.
- Since your phone number is tied to these tools, they do not protect your anonymity, and your phone reports its location to the carrier through the cell towers it talks to as well as through GPS. (It is possible to use Signal on an iPod touch, however.)
- It’s always possible to trace a phone’s location from GPS or from the cell towers it connects to, and phones can be turned into listening devices.
Encrypted video chat
Skype has a complicated security history both locally and internationally. In some cases, Google Hangouts can be used instead. Otherwise, Jitsi is a good alternative for secure video communication. It can be used for chat as well, as an alternative to OTR. Jitsi is easy to set up and use, and lets you keep the accounts you already have, such as AIM, Google Talk, or Facebook chat.
- Both users need to be accessing Jitsi through the same chat service (i.e. AIM, Google Talk, or Facebook chat).
- Account providers like Google or Facebook keep records of who is communicating, when, and with whom. They can share this information with corporations and governments, even if the actual content is encrypted. (It’s possible to use an independent service like Ostel.co instead, but this takes a little more setup time.)
- Jitsi requires you to install Java on your computer, but Java has many security problems of its own. If you don’t have Java installed already and download it to use Jitsi, you may need to take the added step of disabling the Java browser plugins so that only Jitsi can use it.
Encrypting your hard drive
Say you’re covering border issues and your laptop is confiscated at the airport… or even that you misplace it at a conference. If anyone makes a copy of your hard drive, it’s best if the material on it is encrypted.
Using full disk encryption such as FileVault (Mac) or BitLocker (Windows) ensures that a copy of your hard drive is unreadable without your passphrase. Most Linux distributions let you encrypt the disk when you first install the system. If you are storing your data in the cloud, make sure to use a service, such as SpiderOak, that encrypts backups on your machine before they are uploaded.
Difficulty: Installing full disk encryption is incredibly easy, but encrypting cloud backups and especially sharing files through SpiderOak has a steep learning curve.
- If you forget your passphrase for any of these options, all of your files are lost, so store the recovery key these tools offer somewhere safe and separate from the computer.
- SpiderOak is considerably more difficult to learn and use than its competitors (DropBox and Google Drive).
- In addition, its features are less robust.
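The warnings above about a stolen laptop and a forgotten passphrase come down to the same fact: the disk key is protected by a key derived from your passphrase, so anyone holding a copy of the drive can guess passphrases offline with no lockout and no one watching. The script below is an example added by the editor, not code from the original post or from FileVault, BitLocker or SpiderOak. It uses PBKDF2-HMAC-SHA256 with a deliberately low iteration count so it runs in seconds; real systems use far more work per guess, but the arithmetic of a short PIN versus a long passphrase is the same. The `seal`/`unlock` records, the candidate word list and the passphrases are all constructed for the demonstration.

```python
"""Offline guessing against a passphrase-derived key (editor's example, not from the post)."""
import hashlib
import os
import secrets
from typing import Iterable, Optional

ITERATIONS = 500  # constructed: deliberately low; real disk encryption uses far more


def derive_key(passphrase: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a passphrase into a 32-byte key; the salt defeats precomputed tables."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)


def seal(passphrase: str) -> dict:
    """Simulate enrolment: keep the salt and a verifier of the derived key.
    (A real system stores the disk key wrapped under the derived key instead.)"""
    salt = os.urandom(16)
    key = derive_key(passphrase, salt)
    return {"salt": salt, "verifier": hashlib.sha256(key).digest()}


def unlock(record: dict, passphrase: str) -> bool:
    """Check a passphrase against the stored record, comparing in constant time."""
    key = derive_key(passphrase, record["salt"])
    return secrets.compare_digest(hashlib.sha256(key).digest(), record["verifier"])


def offline_guess(record: dict, candidates: Iterable[str]) -> Optional[str]:
    """What an attacker with a disk image does: try candidates until one unlocks."""
    for guess in candidates:
        if unlock(record, guess):
            return guess
    return None


def four_digit_pins() -> Iterable[str]:
    """Every 4-digit PIN; 10,000 guesses is nothing for an offline attacker."""
    return (f"{n:04d}" for n in range(10_000))


# Constructed mini wordlist standing in for a leaked-password dictionary.
COMMON_PASSWORDS = ["password", "letmein", "qwerty", "123456", "welcome1", "iloveyou"]

if __name__ == "__main__":
    print("PIN recovered:", offline_guess(seal("4829"), four_digit_pins()))
    print("dictionary word recovered:", offline_guess(seal("letmein"), COMMON_PASSWORDS))
    # A long random passphrase is not in any list; exhaustive search is infeasible.
    print("passphrase recovered:", offline_guess(seal("correct horse battery staple"), COMMON_PASSWORDS))
```

Two points carry over to the real tools: the only defence against this attack is a passphrase too long and random to enumerate, and because the stored record is the only path back to your data, losing the passphrase (without a recovery key) really does mean losing the files.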
So there you have it—a wide selection of tools to choose from based on what your sources are able and willing to use, and what’s most appropriate for your specific situation. It may be worth picking just one to start messing around with before you really need to, so you’re not trying to install and master challenging tools on a deadline.
For more information, check out some of these links as well:
Privacy Tools: The Best Encrypted Messaging Programs (ProPublica)
Also, check out EFF’s secure messaging scorecard.