Online Privacy Guide for Journalists 2019
You can see the eBook PDF-version of this guide here.
Many veteran journalists, but not only these, surely noticed that we are all of a sudden bombarded again from all-over with mentions of Watergate. Books like George Orwell’s 1984 are on display at bookstores and an air of danger to freedom of speech and freedom of the press is spreading slowly like a dark cloud over the Western Hemisphere, raising old fears.
When an American serving president accuses a former president of surveillance; when he prevents central US media outlets access – so far always granted, and taken for granted – to press conferences he holds; and when he incessantly knocks and accuses the media of being the country’s enemy number one, it isn’t surprising that memories of President Nixon surface up more with every self-pitying tweet about SNL, and that even Republican Senators such as John McCain express fear for the future of democracy.
And McCain is not alone. Many journalists whom I have spoken with recently, expressed concern for whatever lays ahead for the freedom of the press. At a time when it’s possible to express the following statement – “Donald Trump controls the NSA” – and not be held a liar, anything’s possible. Add that to the fact that recent news on CIA taught us that almost all encryption systems can be compromised, if someone has the perseverance to crack them – and you are en route to envisioning an utterly Dystopian world, where you cannot even get too comfortable laying on your sofa, in front of your own smart TV.
The good news is that it is nevertheless possible to make it difficult for anyone to try and intercept your emails, the text messages you’re sending or your phone calls. You can take measures to make the lives of those who want to uncover your sources and the information being revealed to you, much harder. Of course, the degree of effort you’re prepared to take to protect your privacy, your sources’ anonymity and your data’s safety, should be commensurate to the likelihood of a real threat, be that hacking or spying.
“The old-fashioned promises – I’m not going to reveal my source’s identity or give up my notes – are kind of empty if you’re not taking steps to protect your information digitally”, says Barton Gellman of the Washington Post, whose source, former NSA contractor Edward Snowden, helped uncover the scope of the NSA’s and British GCHQ’s operations, to his interviewer Tony Loci. Loci herself, who covered American judicial system for AP, The Washington Post and USA Today, and was herself held in contempt of court for refusing to identify sources, would probably endorse that.
So, what is it that needs to be done to ensure that a journalist’s sources and data are secure and well? Grosso modo, the tips can be described as falling within the following categories:
- Securing on-device applications and functions- This is known as reducing the “attack surface”, i.e. limiting the installed apps to the bare minimum, installing only from trusted sources, selecting apps that require minimal rights, keeping the system fully patched and updated, and having as many security controls (based on recent best-practices white papers) on the device.
- Isolating your devices and/or their environment– For example, the physical insulation of a computer for the purpose of checking files, or the use of prepaid mobile devices.
- Acting cautiously both in the digital and real world- This has a lot to do with common sense and a little less to do with software: For example, never write down the name of the source, certainly not on any app or on any document that’s stored on your computer – and most certainly not on anything stored on the cloud.
2. Communicating with your source and
safeguarding the sensitive data
Let’s begin by listing what you can do when it comes to communicating with a source, and storing sensitive information obtained thereof:
- Beware of big names: Presume that large companies’ encryption systems and possibly even big name operating systems (proprietary software) have back doors that secret services in their country of origin (at least in the US and the UK) can access. Bruce Schneier, Security Expert, explains it here.
- Always encrypt everything: Security experts use simple math to make their point: as you raise the cost of decrypting your files (say, for intelligence agencies like the NSA), you automatically increase the degree of effort expended on following you. If you’re not Chelsea Manning, Julian Assange, or Edward Snowden and if you weren’t involved in active surveillance around Trump Tower apartments, They may give up the effort even if your encrypted communications were stored. And should anyone decide to track you despite your efforts, it will be more of a headache if you use strong encryption like AES (Advanced Encryption Standard) and tools like PGP or openVPN, which are the strongest widely available encryption methods (VPN’s are used by the US government itself).But if you want bullet-proof security, you will need more than the AES encryption method. P.S. if you want to discover the year your information landed at the NSA’s hands, just have a peek here.
- Perform full disk encryption: This is done just in case someone gets their hands on your computer or phone. Full disk encryption can be done using FileVault, VeraCrypt or BitLocker. Putting a computer to “Sleep” (instead of Shutdown or Hibernate) may allow an attacker to bypass this defense. Here, Mika Lee gives a complete guide for encrypting your laptop.
- Avoid chatting with sources on the phone: All phone companies store data related to the caller and the receiver’s numbers, as well as the location of the devices at the time calls were made. In the US and several other countries, they’re required by law to disclose information on registered calls in their possession.What can be done? You should use a secure call service, such as the one the Signal app – which was tested repeatedly for security – possesses. Although this may mean that both the source and the editor need to download the app as well, the process takes just a few minutes. Here is a guide on how to use it. Just for the hang of it, check out how many of your non-journalist friends are hanging out there.However you choose to communicate with your source, do not bring your mobile phone to sensitive meetings. Buy a disposable device and find a way to convey its number to the source in advance. The source needs to have a disposable safe device too. Authorities can track your movement through cellular network signals and it’s advised to make it harder on them to locate you retroactively in the exact same cafe where the source was sitting. If you fail to follow this rule, all local authorities will be required to do is ask (politely and legally) for the video filmed by the café’s security camera at the time of your meeting.
- Choose secure messengers: your calls (cellular ones and via landlines) can be monitored by law enforcement agencies and each SMS is like a postcard – all text is fully visible to those who may intercept it. Therefore, use Messengers that allow for secure end to end call: signal, which was already mentioned above, and Telegram are considered to be the safest (although Telegram as well as WhatsApp’s web apps were compromised once and then fixed). According to some experts, you can also consider using SMSSecure, Threema and even Whatsapp.The Signal Protocol has been actually implemented into WhatsApp, Facebook Messenger, and Google Allo, making conversations using them encrypted. However, unlike Signal and WhatsApp, Google Allo and Facebook Messenger do not encrypt by default, nor notify users that conversations are unencrypted – but offer end-to-end encryption in an optional mode. You should also keep in mind that Facebook messenger and WhatsApp are both owned by Facebook.Adium and Pidgin are the most popular Mac and Windows instant messaging clients that support the OTR (Off the Record) encryption protocol and Tor – the web’s best encrypted browser, which we will get to in detail later (See how to enable Tor in Adium here and in Pidgin here). Naturally, you could also use the Tor Messenger itself, which is probably the safest of them all.Two final notes on texting: A cyber security expert I’ve discussed this with, says you should also have a working hypothesis that text is encrypted but the fact that these specific two individuals are talking, at this present time, might not go unnoticed.The second note is you should also remember to delete the messages in your phone (although this may not be enough to withstand a forensic check), just in case your device falls in the wrong hands, to avoid exposing them.
- Do not use organizational chats: Slack, Campfire, Skype and Google Hangouts should not be used for private conversations. They are easy to break in, and are exposed to disclosure requests for courts use, to resolve legal issues at the workplace. Therefore, it’s best to avoid them, not only when it comes to conversations with sources, but also conversations between colleagues, editors, etc., when you need to pass information received from your source, whose identity must be kept under cover. Many popular VoIP services like Jitsi have built-in chat features, and several of them are designed to offer most of Skype’s features, which make them a great replacement.
- In extreme cases, consider using a Blackphone: This phone, which strives to provide perfect protection for web surfing, calls, text messages and emails, is probably the best substitute for a regular phone if you are about to topple your government or getting ready to publish secret military files. An anti-bullet vest may also come in handy. Alternatively, try to do without a cell phone, Or opt for a cellular phone RFID signal-blocking bag. There’s always an option that even the Blackphone can be tracked using its IMEI (the mobile phone’s ID).
- Protecting Data on your computer: It’s very easy to break regular passwords, but it can take years to break passphrases – i.e., random combinations of words. We recommend trying secure password management tools like: LastPass and 1Password and KeePassX. You’ll need to remember only one password, versus too many Passwords. And still, when handling important services such as your email, do not rely on password managers: Just make sure you remember the password.In an interview to Alastair Reid in journalism.co.uk, Arjen Kamphuis, an information security expert, recommended that for encrypted hard drives, secure email, and unlocking laptops, one should choose a password of over 20 characters. Of course, the longer the password, the harder it is to crack – but the harder it is to remember too. That’s why he recommends the use of a passphrase. “It can be anything, like a line of your favorite poetry,” Kamphuis says, “maybe a line from something you wrote when you were nine that no one else will know about”.Reid reports this thought provoking calculation, using the Gibson Research Corporation’s password strength calculator: A password like “F53r2GZlYT97uWB0DDQGZn3j2e”, from a random password generator, seems very strong, and indeed it is, taking 1.29 hundred billion trillion centuries to exhaust all the combinations even when the software is making one hundred trillion guesses per second.Screenshots from GRC.com, showing the difference in strength between a password and a passphraseThe phrase: “I wandered lonely as a cloud”, he points out, is so much easier to remember and is also more secure, taking the same software 1.24 hundred trillion centuries to exhaust all possibilities. Well, passphrase it will be.
- Two-factor authentication is also a very good idea. In a regular two-stage authentication you sign in with your password and receive a second code, often via a text message to your smartphone. You can use Yubikey, as well as hardware tokens to further secure sensitive files on your computer. For more information, read the 7 golden rules for password security.
- Assign a computer for inspecting suspicious files/attachments: The easiest way to distribute malware and spyware is through installation via USB or through attachments and email links. It is recommended therefore you use one air-gapped computer to examine these threats under quarantine. With this computer, you can freely use a USB and download files from the Internet, but do not transfer the files to your regular computer or re-use that USB.
- How to buy your own secured computer: Security expert Arjen Kamphuis recommends purchasing a pre-2009 IBM ThinkPad X60 or X61. These are the only modern enough laptops with modern software systems, which enable replacing low level software. Another point to take into account is that you should not buy your computer online, as it may be intercepted during delivery. Kamphuis recommends buying it from a second-hand store for cash. He also points out that you should abolish all connectivity: Remove all Ethernet, modem, Wi-Fi or Bluetooth capabilities. Personally, I know security experts who wouldn’t trust such a computer. ThinkPad X60. Don’t buy it online
3. How to become anonymous online
Beyond securing the communications with your source, and protecting possible breaches of the sensitive data you get hold of, you should also avoid being tracked while browsing. Online habits can disclose or provide hints as to the story you’re working on, or worse, hint or disclose the identity of your source. Here are the golden rules for surfing the net safely and then, at the next chapter, for securing your email account:
- Private browsing mode: There are two basic ways to maintain anonymity while surfing the web. The first, most basic and popular, yet insufficient way is to browse the information in private mode, an option that most browsers allow. Your browsing history will not be saved, and basic tracking technologies, which advertisers use, such as HTTP cookies, will be prevented from creating your detailed profile. But this is more of a nice to have privacy: It basically hides your browsing history from family members who can access your computer. Your IP address can still be monitored and information regarding all the sites you visited is still exposed to your ISP.
- Use alternative browsers: browsers, such as Dooble, Comodo Dragon or SRWare Iron, which focus on user privacy, are limited in capabilities. You can achieve a similar degree of privacy offered by these browsers simply by deleting cookies – bits of code which have been downloaded to your system by websites you visit, that monitor your activity and sometimes even follow which content you consume; Another way to remain anonymous is by neutralizing your browser’s location settings, and installing various features aimed at achieving anonymity. To check whether you disabled all cookies effectively, you can use the app CCleaner, which also handles Flash cookies, but none of these browsers are fully encrypted. The only standard browser that ensures total privacy is the Tor browser. Tor is ugly and slow, but it will protect you and your sources. The next section will give a more detailed account of it.
- TOR: This “notorious” browser, which was developed by the US Navy, allows you to operate in a hidden network, carry out private communications and set up web sites anonymously. Tor’s browser, which can be downloaded at Torproject.org, makes it very difficult to monitor your activities on the internet, or let governments or your ISP pinpoint your location. The only drawback is that it’s slow at times, a bit cumbersome – but that’s only because Tor routes you through three encrypted random relays around the world, before landing you at your destination site. You should also bear in mind that your neighbors may be shady characters.
Another option related to Tor is to download Whonix, a secure operating system that is focused on privacy. It works as an access gate to Tor, and only allows connections with Tor sites and users. But the most popular Tor OS is Tails (The Amnesiac Incognito Live System). Tails can be booted from a USB stick or DVD, and it anonymizes all information. Edward Snowden is considered a fan of this software. Qubes is another OS that supports Whonix and is recommended by Snowden.
- Alternative search engines: Google, the most popular search engine, saves your search history in order to optimize the results. To stop this personalization you should click on: Search Tools > All Results > Verbatim. Or you sign into your Google account on www.google.com/history, find a list of your previous searches and select the items you want to remove by clicking the ‘Remove Items’ button. DuckDuckGo. A search engine that doesn’t store your info
But to avoid being monitored entirely, it’s preferable to use a search engine such as DuckDuckGo. If you find it difficult to give up Google, download Searchlinkfix to at least keep away URL Trackers.