Your emails, phone calls, web surfing and searches are not guaranteed to be private. Neither are files on your computer. But there are important steps you can take to protect your information from most attempts to access it.
As a private citizen, the extent to which you wish to take advantage of these protections is your choice. However, as a journalist you may need to protect the identity of confidential sources, and information supplied by them. Poor security practices on your part puts them at risk. So it is important that journalists should follow good practice in digital security. They should also know how to encrypt their information and, when necessary, their communication.
People are the weak points in many organization’s digital security, because they can be tricked into doing things that are insecure. That’s why so many hackers launch “phishing” attacks, which are intended either to get people to enter their username and password into a fake login screen, or to download files infected with malware. Email is the most popular method, because sender addresses are so easy to fake, or spoof. But such attacks can come by other communication methods.
Phising can be disastrous for newsrooms, as in 2013, when the AP’s Twitter account was hijacked in phishing scam, and used to post a false message about an attack on the White House.
So don’t be the person that compromises your news organization’s digital security! Responsible websites should never ask you for your login details, so don’t follow a link and type them into a web form. Also be very careful about downloading and opening attachments — even Word documents can contain embedded scripts that can hijack your computer, and remember that an email that seems to have comes from a colleague’s address may be from someone else.
Most people are terrible at setting passwords, using common words or easily-guessed numbers. But even if you don’t use password
or 123456
you aren’t safe. Password-guessing software can try millions of combinations per second (probably trillions, in the case of the NSA). So even “strong” passwords, employing hard-to-remember combinations of letters, numbers and special characters, are relatively easy to crack.
Make sure to use a different password for each service you use, so that a breach of one doesn’t compromise other accounts. That creates a problem, however, because nobody can remember dozens of complex passwords. So use a password manager such as 1Password or Lastpass to generate and remember them for you. Protect your password manager account with a passphrase, consisting of a string of randomly-selected words.
If the words you pick are genuinely random, passphrases are much more secure than passwords, because they offer many more combinations. They are also easier for you to remember. (Indeed, they’re the opposite of traditional “strong” passwords, which perversely are hard for people to remember but easy for machines to guess.) As is often the case, XKCD is a source of wisdom:
This article explains how to create a strong passphrase. Using the method explained here, a five-word passphrase would require an average of 14 quintillion attempts to crack — that’s 14 followed by 18 zeroes, which would challenge even the NSA.
If your laptop is stolen or lost, a login password or passphrase offers little protection for your files and other information: A hard drive can simply be removed and booted on another machine. So you should routinely encrypt your hard drives. This post explains how to encrypt a hard drive on the Mac, using FileVault; this post explains the equivalent procedure on Windows, using BitLocker (included in Professional or Enterprise versions, but not Home version), or Veracrypt. (Do pay attention to the instructions on ensuring that you don’t get locked out of the drive!)
Once you have set up disk encyrption, your operating system automatically encrypts any data saved to the encrypted disk. To anyone without the password/key, the data on the disk will be gibberish.
Protect your encrypted drives with strong passwords (for instance a 100-digit password generated by a password manager), or a strong pass phrase.
Deleting files does not destroy them, so to remove traces you need to overwrite them multiple times. Eraser will do that on Windows; see this article for how to securely delete files on the Mac.
A web-based email account is an Achilles heel for security. If it is breached, an attacker can change your other passwords at will. So when using webmail, make sure to use two-factor authentication, which requires both a password and a code sent to your phone. Set up two-factor authentication for your GMail/Google account here.
Take advantage of two-factor authentication for web services wherever it is available.
Backing up your files is vital, and these backups should be secure. When backing up to an external hard drive, make sure that this drive is encrypted and protected by a secure password or passphrase.
I would also strongly recommend backing up files to a remote encrypted server. I use SpiderOak ONE. As well as allowing you to back up your files, it creates a folder called SpiderOak Hive that will sync files and folders dropped into it across multiple devices. This folder similar to Dropbox, except the files are encrypted on SpiderOak’s servers. It allows you to work securely on the same files across multiple devices. Importantly, SpiderOak cannot break the encryption on your files, either those backed up or synced through the Hive folder. Prices depend on how much storage you require.
The simple steps above will greatly improve your digital security. But there are many more steps that can be taken to keep your communications and online activity private. Those you choose to employ will depend on the circumstances, which involves considering the threat, as follows:
This article provides a good overview of how to weigh these questions, and act upon the answers.
Every time you visit a website you reveal your:
This site reveals the information you display to any website you visit.
Websites can also deposit tracking “cookies” on your machine. If you want to block attempts to track you online, try the Privacy Badger add-on for Chrome or Firefox. Be aware, however, that it will interfere with the functionality of some websites.
Note that the “private” browsing options in web browsers are not really private — all they do is block cookies, and prevent your activity being stored in your browser’s history.
For some investigations, you may want to explore a particular website without revealing your identity. For this, you can use an anonymous proxy server such as AnonyMouse or Guardster.
For a more systematic approach to anonymous web browsing, consider using the Tor browser or a Virtual Private Network (VPN).
As this article explains, Tor and VPNs are rather different.
Tor, which is based on Firefox, encrypts your data and connects you to one server in its network, which then bounces it on to two more servers before you are connected to the site you are browsing. Crucially, the second and third links in the chain only know the previous link, so your identity remains hidden.
All of this means that the website you are visiting doesn’t know who or where you are, anyone trying to snoop on your connection cannot see which site you are connecting to, and neither can your Internet Service Provider (ISP). While it is in theory possible for the NSA to deanonymise Tor users, for most purposes Tor offers reliably anonymous browsing.
The downside of all this bouncing around the internet is that connections are slow. Also, using Tor effectively, without compromising your anonymity, means changing aspects of your online behavior — such as avoiding insecure browser plugins such as Flash, and never opening downloaded documents while online using Tor.
If you subscribe to a VPN, your connection is encrypted and sent to the provider’s server, which then connects to the site you are visiting. Again, your true identity and location is hidden from that site, and anyone trying to intercept your connection will just see gibberish being sent to the provider’s server. The same goes for your ISP.
VPNs are much faster than Tor, but the provider can see all of your traffic — so your anonymity ultimately lies in its hands. Will it hand over your browsing information if asked by a government agency? Read providers’ privacy policies, but be aware that they may change, or not be followed under all circumstances.
I use this VPN service, which is relatively inexpensive and offers connections via servers in multiple countries across the world.
In general, VPNs are a good option for relatively low-threat situations where you require a fast connection. For example, it is a good idea to use a VPN when using an insecure connection, such as airport or coffee-shop wifi. If you really need to remain anonymous, however, Tor is your best option.
Google and other search sites routinely store your searches. For private web searching, use startpage or DuckDuckGo.
Public key encryption uses math to keep your information secure. It depends upon a “keypair,” two unique strings of randomly generated numbers and letters, which are linked together by a mathematical algorithm. You have two keys, one public, one private.
You can store your public key in the open in an online keyserver, or can simply email it to someone you want to communicate with securely. Other people can use this key to encrypt a message or file so that only you can read it, by decrypting it using your private key. It is vital, therefore, that you keep your private key secure.
Encryption is most commonly used to communicate securely by email, which is otherwise an extremely insecure means of communication. You should think of emails as electronic postcards that can be read by anyone who intercepts them as they travel over the internet. Encryption is like putting the same note in an envelope that can only be opened by the intended recipient. But note that only the body of the message is encrypted. Your identity, the identity of the recipient, and the subject line are all still readable by anyone intercepting the message.
Because email addresses are easy to spoof, you need to know that someone is who they say they are before setting up an encyrpted communication with them. Public encryption keys have signatures, and here is mine: 225F B2AF 4B8E 6E3D B1EA 7F9A B96E BF7D 9CB2 9B16
. Ideally, you will verify the intended recipient’s identify in person, when they can also show you the fingerprint of their public key on their computer. In practice, people usually publish their fingerprints on a trusted website, associated with their email address, like this.
The simplest way to set up encrypted email is using Mailvelope, which will work with most major webmail services, including GMail. In class we will get you set up with Mailvelope, an extension for Chrome or Firefox, and learn how to encrypt and decrypt email messages and files, following the instructions here.
Whatsapp, the instant messaging app for smartphones, now includes encryption as standard, although see here for discussion of a potential vulnerability. See here for more on Whatsapp encryption.
For encrypted instant messaging on your computer, use Cryptocat.
To encrypt text messages and cellphone calls, use the Signal app for iPhone and Android. For each of your contacts, Signal also allows you to select a “disappearing messages” option, which will automatically delete the messages after a set period of time after they are read, from a five seconds to a week.
For secure video conferencing, use Jitsi.
GPS-enabled phones are personal tracking devices, and may not be filly powered off even if switched off. If you are using a cellphone to communicate with a confidential source, you may want to use a prepaid cellphone, paid for with cash. Switch off and remove the battery when not in use. Don’t take your cellphone to meetings with confidential sources!
As noted above, emails are easy to spoof. Sources and targets of investigations may also use throwaway emails using false names. You can find out something about the origin of an email, however, through its header see here for how to find and extract).
Having copied an email’s header, paste into the boxes here or here.
Note that emails sent from Gmail’s webmail interface will always locate to Google’s headquarters in Mountain View — so a throwaway Gmail account offers little information. If a Gmail was sent using an email client such as Thunderbird or Outlook, however, information from the IP address of the host machine wiull be revealed.
Whois searches provide information on the underlying IP address and registration information, from a url.
Use this search for a site’s Whois history, as registrations for a domain may change over time.
This searchwill perform reverse IP lookups, listing other websites hosted at the same IP address. That may be useful in investigations in which you are trying to identify constellations of websites operated by the same source — however, bear in mind that it doesn’t reveal much if your target is using a large commercial webhosting provider.
Remember our previous discussion about using the Internet Archive’s Wayback Machine to find old versions of websites.
At ChangeDetection.com, you can set up alerts to monitor websites for changes, and notify you when they occur. Alternatively, use the Browser add-ons Distill Web Monitor (Firefox or Chrome) or SiteDelta (Firefox).
As we’ve already noted: Websites are likely to change if their owners realize that information on the site is incriminating. So save web pages that are key to an investigation!
Security for Journalists, Part One: The Basics
Good article on the basics of digital security, by Jonathan Stray.
Chatting In Secret While We’re All Being Watched
Overview article from the Intercept, covering some of the services mentioned in these notes, and more.
Ed Snowden Taught Me To Smuggle Secrets Past Incredible Danger. Now I Teach You.
Intercept article by Micah Lee, who helped get Edward Snowden in encrypted contact with Laura Poitras and Glenn Greenwald.