
BY MICHAEL DAGAN

{NOTE: The original pamphlet from which this article was drawn—Online Privacy for Journalists: A Must-Have Guide for Journalists in 2017—contained a number of specific recommendations for the use of existing computer programs, as well as links to various “white papers” on the topic. Because new or updated programs are always being prepared by a variety of organizations and individuals, and because many of Media Ethics’ readers are interested in the parameters and philosophies of such programs rather than needing to use them professionally, and also because it is easy for a semi-annual publication such as this one to go out of date quickly, many of these detailed recommendations have been omitted from this edition. If this article is being used “for real,” it is urged that the user obtain an up-to-date version from the author, who can be reached at the addresses in the “author’s bio” at the foot of this article. Other expert sources—such as Micah Lee—and references may be reached through the author. Other material, such as some “tips” from Edward Snowden, a description of the Rosen case—which shows the lengths to which a government may go—and a discussion of anti-malware, antivirus and firewall software, is also available from Michael Dagan.}


An air of danger to freedom of speech and freedom of the press is spreading slowly, like a dark cloud, over the Western Hemisphere, raising old fears.

When a serving American president accuses his predecessor of surveillance; when he denies major U. S. media outlets access—previously always granted and usually taken for granted—to news conferences he holds; and when he incessantly accuses the media of being the country’s number one enemy, it isn’t surprising that memories of disgraced President Nixon surface more with every self-pitying tweet about Saturday Night Live’s satire, and that even some Republican Senators (such as John McCain) express fear for the future of democracy.

And McCain is not alone. Many journalists with whom I have spoken recently expressed concern for whatever lies ahead for the freedom of the press. At a time when it’s possible to express the following statement—“Donald Trump controls the NSA”—and not be a liar, anything’s possible. Add that to the fact that recent news about the National Security Agency should have taught us that almost all encryption systems can be compromised, if someone has the perseverance and computer power to crack them—and then you are en route to envisioning an utterly Dystopian world, where you cannot even get too comfortable lying on a sofa in front of your own smart TV.

The good news is that it is nevertheless possible to make it difficult for anyone to try and intercept your e-mails, the text messages you’re sending, or your voice phone calls.

So, you can take measures to make life much harder for those who want to uncover your sources and the information being revealed to you. Of course, the degree of effort you’re prepared to take to protect your privacy, your sources’ anonymity and your data’s safety should be commensurate with the likelihood of a real threat, be that hacking or spying.

“The old-fashioned promises—I’m not going to reveal my source’s identity or give up my notes—are kind of empty if you’re not taking steps to protect your information digitally,” Barton Gellman of The Washington Post, whose source, former NSA contractor Edward Snowden, helped uncover the scope of the NSA’s and Britain’s GCHQ’s operations, told his interviewer Toni Locy. Locy, who covered the American judicial system for AP, The Washington Post and USA Today, and was herself held in contempt of court for refusing to identify sources, would probably endorse Gellman’s opinion. A list of when the NSA obtained access to your e-mail, video or voice chat, videos, photos, stored data, VoIP calls, file transfers or video conferencing is available—starting with Microsoft/Hotmail in 2007 and continuing through YouTube, Facebook, Skype, Apple and others.

So, what needs to be done to ensure that a journalist’s sources and data are secure? Grosso modo, the following tips on “what can be done” can be useful for that purpose.

  1. Isolating your devices and/or their environment — For example, the physical isolation of a computer for the purpose of checking files, or the use of prepaid mobile devices.
  2. Securing on-device applications and functions — This is known as reducing the “attack surface,” i.e., limiting installed apps to the bare minimum, installing only those from trusted sources, selecting apps that require giving up minimal rights, keeping the system fully patched and updated, and having as many security controls (based on recent best-practices white papers) on the device as possible.
  3. Acting cautiously both in the digital and real worlds — This has a lot to do with common sense and a little less to do with software: For example, never write down the name of the source, certainly not on any app or on any document that’s stored on your computer—and most certainly not on anything stored on the cloud.

COMMUNICATING WITH YOUR SOURCE AND SAFEGUARDING SENSITIVE DATA

Let's begin by listing what you can do when it comes to communicating with a source, and storing any sensitive information obtained that way:

  1. Always encrypt everything — Security experts use simple math to make their point: As you raise the cost of decrypting your files (say, for intelligence agencies like the NSA), you automatically increase the degree of effort expended by that agency on following you. If you’re not Chelsea Manning, Julian Assange, or Edward Snowden and if you weren’t involved in active surveillance around Trump Tower apartments, they may give up the effort even if your encrypted communications were stored. And should anyone decide to track you despite your efforts, it will be more of a headache if you use strong encryption like AES (Advanced Encryption Standard) and tools like PGP or OpenVPN, which are the strongest widely available encryption methods (VPN is used by the U. S. government itself). But if you want bullet-proof security, you will need more than the AES encryption method.
  2. Perform full disk encryption — This is done just in case someone physically gets their hands on your computer or phone. Full disk encryption can be done using any of several programs (see introductory note at the head of this article). Putting a computer to “Sleep” (instead of “Shutdown” or “Hibernate”) may allow an attacker to bypass this defense.
  3. Beware of “big names” — Presume that large companies’ encryption systems and possibly even big-name operating systems (proprietary software) have back doors that secret services in their country of origin (at least in the U. S. and the U. K.) can access.
  4. Avoid chatting with sources on the phone — All telephone/telecommunications companies store data related to both the caller and the receiver’s numbers, as well as the location of the devices at the time calls were made. In the U. S. and several other countries, they’re required by law to disclose information coming into their possession in the normal course of business—without informing the caller or the receiver.

What can be done? You should use a secure call service, such as the one offered by the Signal app—which has been tested repeatedly for security. Although this may mean that both the source and the editor need to download the same app, the process takes just a few minutes. However you choose to communicate with your source, do not bring your mobile phone to sensitive meetings. Buy a disposable device and find a way to convey its number to the source privately, in advance. The source needs to have a disposable safe device as well. Authorities can track your movement through cellular network signals, and it’s advisable to make it harder for them to locate you retroactively in (for example) the exact same cafe where the source was sitting. If you fail to follow this rule, all that local authorities will need to do is ask (politely and legally) for the video recorded by the cafe's security camera at the time of your meeting.

  1. Choose secure messengers — Your calls (cellular ones and via landlines) can be monitored by law enforcement agencies and each SMS is like a postcard—all text is fully visible to those who may intercept it. Therefore, use messengers (a list is available) that allow for secure end-to-end calls.

The Signal Protocol has actually been incorporated into WhatsApp, Facebook Messenger, and Google Allo, making conversations using them encrypted. However, unlike Signal and WhatsApp, Google Allo and Facebook Messenger do not encrypt by default, nor notify users that conversations are unencrypted—but do offer end-to-end encryption in an optional mode. You should also keep in mind that Facebook Messenger and WhatsApp are both owned by Facebook.

Two final notes on texting: First, a cyber security expert I’ve discussed this with says you should always work on the assumption that, although the text may be encrypted, the fact that these two specific individuals are talking, at this particular time, might not go unnoticed. Second, you should also remember to delete the messages in your phone (although this may not be enough to withstand a forensic check), just in case your device falls into the wrong hands.

  1. Do not use organizational chats — Slack, Campfire, Skype and Google Hangouts should not be used for private conversations. They are easy to break into, and are exposed to court-imposed disclosure requests to resolve legal issues in the workplace. Therefore, it’s best to avoid them, not only when it comes to conversations with sources, but also conversations between colleagues, editors, etc., when you need to pass information received from your source whose identity must be kept under wraps. Many popular VoIP services like Jitsi have built-in chat features, and several of them are designed to offer most of Skype’s features, which make them a great replacement.
  1. In extreme cases, consider using a Blackphone — This system, which strives to provide perfect protection for web surfing, calls, text messages and e-mails, is probably the best substitute for a regular phone if you are about to topple your government or are getting ready to publish secret military files. (A bulletproof vest may also come in handy.) Alternatively, try to do without a cell phone, or opt for an RFID signal-blocking bag for your cellular phone. There’s always the possibility that even the Blackphone can be tracked using its IMEI (the mobile phone’s ID).
  1. Protecting data on your computer — It’s very easy to break regular passwords, but it can take years to break passphrases—i.e., random combinations of words. We recommend trying secure password management tools like LastPass, 1Password and KeePassX. You’ll need to remember only one password. And still, when handling important services such as your e-mail, do not rely on password managers: Just make sure you remember the password.

In an interview with Alastair Reid at journalism.co.uk, Arjen Kamphuis, an information security expert, recommended that for encrypted hard drives, secure e-mail, and unlocking laptops, one should choose a password of more than 20 characters. Of course, the longer the password, the harder it is to crack—but the harder it is to remember, too. That’s why he recommends the use of a passphrase. “It can be anything, like a line of your favorite poetry,” Kamphuis says, “maybe a line from something you wrote when you were nine that no one else will know about.”

Reid reports this thought-provoking calculation, using the Gibson Research Corporation’s password strength calculator: A password like “F53r2GZlYT97uWB0DDQGZn3j2e” from a random password generator seems very strong, and indeed it is, taking 100 sextillion centuries (23 zeros) to exhaust all the combinations even when the software is making one hundred trillion guesses per second. But the phrase “I wandered lonely as a cloud” is so much easier to remember and is also more secure, taking the same software 3.40 nonillion centuries (30 zeros) to exhaust all possibilities.
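The calculation above can be reproduced in a few lines. The following is an added example, not code from the article or from Gibson Research Corporation; it assumes the calculator's model of an exhaustive character-by-character search, and the function names and the small word list are constructed for illustration. It also shows the separate measure that applies to a passphrase built from randomly chosen words.

```python
import math
import secrets
import string

GUESSES_PER_SECOND = 1e14                      # "one hundred trillion guesses per second"
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600

RANDOM_PASSWORD = "F53r2GZlYT97uWB0DDQGZn3j2e"  # quoted in the article
POETRY_LINE = "I wandered lonely as a cloud"    # quoted in the article

# Constructed 16-word sample list, for illustration only. A list used in
# practice is far larger (a five-dice list has 6**5 = 7776 words).
SAMPLE_WORDS = [
    "anchor", "breeze", "candle", "dragon", "ember", "forest", "garnet", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "nickel", "orchid", "pebble",
]


def alphabet_size(secret):
    """Size of the character set an exhaustive search has to cover.

    Each printable-ASCII class that occurs in the secret counts in full:
    26 lowercase, 26 uppercase, 10 digits, 33 symbols (space included).
    """
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", 33),
    )
    return sum(size for chars, size in classes if any(c in chars for c in secret))


def centuries_to_exhaust(secret):
    """Centuries needed to try every string of length 1..len(secret).

    This is an upper bound: it describes only a search that tries every
    character combination and says nothing about guessing from word lists
    or published text.
    """
    n = alphabet_size(secret)
    candidates = sum(n ** k for k in range(1, len(secret) + 1))
    return candidates / GUESSES_PER_SECOND / SECONDS_PER_CENTURY


def passphrase_bits(wordlist_size, words):
    """Entropy in bits of `words` words drawn uniformly at random from a list.

    This is the figure that holds even if the word list itself is public.
    """
    return words * math.log2(wordlist_size)


def random_passphrase(wordlist, words=6):
    """Pick words with the OS random generator, not with human choice."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("wordlist contains duplicates")
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    for secret in (RANDOM_PASSWORD, POETRY_LINE):
        print(f"{len(secret)} chars, alphabet of {alphabet_size(secret)}: "
              f"{centuries_to_exhaust(secret):.2e} centuries")
    print("sample passphrase:", random_passphrase(SAMPLE_WORDS))
    print(f"6 words from a 7776-word list: {passphrase_bits(7776, 6):.1f} bits")
```

The first two figures depend only on length and character classes, which is why the 28-character line with spaces scores higher than the 26-character alphanumeric string.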

  1. Two-factor authentication is also a very good idea — In a regular two-stage authentication, you sign in with your password and receive a second code, often via a text message to your smartphone. You can use YubiKey, as well as hardware tokens, to further secure sensitive files on your computer.
  1. Assign a computer to inspect suspicious files/attachments — The easiest way to distribute malware and spyware is through installation via USB or through attachments and e-mail links. It is therefore recommended that you use one air-gapped computer to examine messages that may contain these threats—in a quarantine environment. With this computer, you can freely use a USB and download files from the Internet, but you should not transfer the files to your regular computer or re-use that USB.
  1. How to buy your own secured computer — Security expert Arjen Kamphuis recommends purchasing a pre-2009 IBM ThinkPad X60 or X61. Although not everyone agrees, these may be the only laptops modern enough to run modern software systems that still allow the low-level software to be replaced. Another point to take into account is that you should not buy your computer online, as it may be intercepted during delivery. Kamphuis recommends buying it from a second-hand store for cash. He also points out that you should eliminate all connectivity: Remove all Ethernet, modem, Wi-Fi or Bluetooth capabilities.
  1. Educating your sources — It’s possible that by the time the original information reaches you, it’s already too late. Your source may have made every possible mistake, leaving behind a trail of evidence. But beyond the need to secure the information once it’s in your hands, you should strive to teach your sources how to hide the information: store it securely and communicate safely via safe devices. Most people have no clue how to handle sensitive information.
  1. Use a designated secure system for receiving documents — Replace Dropbox or Google Drive and use something less popular but more secure. For example, SecureDrop is a designated system allowing you to receive files from anonymous sources and to safely scan and check them. But Edward Snowden described Dropbox as “hostile to privacy” and recommended SpiderOak instead. OnionShare is another free service that allows transferring files easily and anonymously.
  1. Be wary of “cloud” services — Most of the big providers of cloud storage have collaborated with the NSA at some point in the past. Most also reserve the right to investigate all uploaded files, and will hand the files over to authorities when served with a court order. However, there are still several things you can do: Try to limit the number of files you upload to the cloud, and always encrypt them using strong encryption. The most secure and simple method is to manually encrypt the files, in which case you can use all cloud storage services. Don’t forget though: Do not upload your encryption keys to the cloud along with your files.

Or, use cloud services that automate encryption before uploading files, and sync everything with local versions. The provider might have the decryption key, but data risk is not as high as is the case with other cloud providers.

Cloudless syncing with BitTorrent Sync is another option: It is not a true cloud-based service, and cannot be used to store data for long periods of time, but it is free, and designed to be a replacement for Dropbox.

  1. Don’t keep notes — Don’t keep them on a laptop, and don’t keep calendars or contact lists on your cellphone or computer or in the cloud. Do not keep a record of your source’s name, initials, phone number, e-mail or user name in messengers. Just don’t.
  1. Visual tracking — On the way to sensitive meetings, avoid using public transportation and guide your source to do the same. You should also avoid meeting places such as modern malls, where video cameras are spread all over the place. 
  1. Evading social media — Some people prefer to opt for radical anonymity. If for some reason, you need to vanish from the face of the earth without leaving a fully blown profile behind on every social medium, totally delete your accounts. It’s different from “deactivating” them, a state in which all your info can be re-activated.
  1. Make friends among hackers — This will help you avoid big mistakes, save time and headaches and keep you up-to-date on this technological arms race.
  1. Payment method — Pay for everything in cash, consider using Bitcoins—buy them anonymously (use the Business Insider guide for that purpose)—and, if you have somebody willing to accept them at the other end of the transaction, use Darkcoin. A pre-paid credit card from an online store is also an option.
  1. Scribble wisely — If you jotted down information on a piece of paper, what they used to call a note in the Precambrian world, destroy it.

HOW TO BECOME ANONYMOUS ONLINE

Beyond securing communications with your source, and protecting against possible breaches of the sensitive data you obtain, you should also avoid being tracked while browsing. Online habits can disclose or provide hints as to the story you're working on, or worse, hint at or disclose the identity of your source. Here are some golden rules for surfing the net safely:

  1. Private browsing mode — There are two basic ways to maintain anonymity while surfing the web. The first, most basic and popular (yet insufficient) way is to browse the information in private mode, an option that most browsers allow. Your browsing history will not be saved, and basic tracking technologies, which advertisers use, such as HTTP cookies, will be prevented from creating your detailed profile. But this is more than “It’s nice to have privacy.” It basically hides your browsing history from everyone—including family members—who can access your computer. But your IP address can still be monitored and information regarding all the sites you visited is still exposed to your ISP.
  1. Use alternative browsers — Browsers are limited in capabilities. You can achieve a similar degree of privacy offered by those boasting of high privacy simply by deleting cookies—bits of code which have been downloaded to your system by websites you visit, that monitor your activity and sometimes even follow which content you consume. Another way to remain anonymous is by neutralizing your browser’s location settings, and installing various features aimed at achieving anonymity. To check whether you disabled all cookies effectively, you can use the CCleaner, which also handles Flash cookies, but aren’t fully encrypted. The only standard browser that ensures total privacy is the Tor browser—ugly and slow, but it will protect you and your sources (see #3 immediately below).
  1. TOR — This “notorious” browser, which was developed by the U. S. Navy, allows you to operate in a hidden network, carry on private communications and set up websites anonymously. Tor’s browser, which can be downloaded at Torproject.org, makes it very difficult to monitor your activities on the internet, or let governments or your ISP pinpoint your location. The only drawback is that it’s slow at times, and a bit cumbersome—but that’s only because Tor routes you through three encrypted random relays around the world before landing you at your destination site.

Another option related to Tor is to download Whonix, a secure operating system that is focused on privacy. It works as an access gate to Tor, and only allows connections with Tor sites and users. But the most popular Tor OS is Tails (The Amnesiac Incognito Live System). Tails can be booted from a USB stick or DVD, and it anonymizes all information. Edward Snowden is considered a fan of this software and a list of his “tips” is available. Qubes is another OS that supports Whonix and is recommended by Snowden.

  1. Alternative search engines — Google, the most popular search engine, saves your search history in order to optimize the results. To stop this personalization you should click on: Search Tools > All Results > Verbatim. Or sign into your Google account on www.google.com/history, find a list of your previous searches and select the items you want to remove by clicking the “Remove Items” button. But to avoid being monitored, it’s preferable to use a search engine such as DuckDuckGo. If you find it difficult to give up Google, download Searchlinkfix to at least keep away URL Trackers.
  1. Direct treatment of “short-term” computer memory — Another way to neutralize options for monitoring your surfing is by deleting the DNS (domain name system) cache. Deletion is done using simple commands in the operating system. Rebooting the router—which sometimes has a DNS cache—or rebooting the computer can also work.
  1. Try to avoid HTML Web Storage — Web Storage is built into HTML5 and, unlike cookies, the stored information is impossible to monitor or selectively remove. Web storage is enabled by default, so if you’re using Internet Explorer or Firefox, simply turn it off. You can also use the add-on Better Privacy for Firefox to remove the stored information automatically. The Click and Clean extension will do the same job for Google Chrome.
  1. Use a VPN — As I mentioned already, your ISP can monitor the sites you surf, and anyone who wants to eavesdrop on you can also intercept your communications. To protect all incoming and outgoing communications, it’s important to make use of a VPN which encrypts all your communications, so that even the ISP or governments, or just hackers hovering around your favorite Wi-Fi, won’t be able to know who you sent an e-mail to, which service you used, etc.  However, not every VPN is suitable for journalists. A VPN for journalists won’t necessarily be the fastest one or have the best support, but it has to be trusted not to keep VPN logs—that is, it cannot determine who you are, what sites you’ve visited and so on.

A truly safe VPN needs to be provided by a company that’s not located in one of the “14 Eyes” countries, where intelligence networks have agreed to collect and share information with one another. The USA belongs to this system—so VPN companies located in the former Soviet Union have an advantage. Their courts do not easily hand out orders to retrieve information collected by local companies, be it regarding their citizens or foreign nationals. By the way, even if governments are on the hunt for traffic that is sheltered by a VPN, you can still use stealth VPNs like TorGuard to confront such a challenge, whether it is active government censorship or just run-of-the-mill spying.

  1. Repair DNS leaks — Using a VPN does not protect you completely, because DNS traffic may provide clues to your identity. DNSLeakTest.com will allow you to detect such leakage. If the test shows that the DNS servers it identifies belong to your VPN, you can relax, but if it shows that they belong to your ISP, you are not anonymized.
  1. Virtual Machines — This nifty little trick is actually a second (virtual) computer, which operates as an app in your operating system. You can download files or open links in a similar way to the isolated computer I recommended earlier, so that your computer is less exposed to malware or spyware of any kind. Virtualization software, like VirtualBox, should be opened using a secure operating system. File downloading is done with the virtual machine’s Internet connection shut down. After using the file, you’ll need to delete it—and, depending on your adversary, perhaps delete the machine as well.
  1. Proxy server — As in the case of virtual machines, here too the activity moves to another “area” and allows you to keep safe from spying and other attacks. Actually, the proxy servers substitute your IP address with theirs, which can mislead people into thinking you’re in a different country, for instance. Some experts say that these should be used with a VPN and/or Tor for higher levels of security. But then, other experts claim that if you bother using Tor, you’re as secure as one can be.
  1. Three more types of extensions that can increase your level of security — To make sure that you connect to websites over the secure HTTPS protocol, you can install an extension called HTTPS Everywhere, made by the Electronic Frontier Foundation (EFF), one of the organizations that funds the Tor Project. This extension will ensure that websites you visit use the secure protocol, which is definitely not an insurance policy against anything, but better than the unencrypted protocol. The second type of extension controls the data that JavaScript is revealing to websites. Two popular options here are ScriptSafe and NoScript. Another is the Ghostery browser extension. It will reveal who is following you among 2,000 companies, and will allow you to block unwanted ones. It’s sweet, but you probably won’t be blocking the NSA this way. Privacy Badger, a project by the EFF, works similarly.

 

SECURING YOUR E-MAIL

The problem with maintaining the confidentiality of e-mails is even tougher: Google and Microsoft will most likely just give out your e-mails to government agencies if and when required by the courts to do so. What should you do?

  1. Safe extensions — The simplest option, assuming you use common Web mail services such as Yahoo and Google, is to install the browser plugin Mailvelope, and make sure that the person on the receiving end does too. This extension simply encrypts (and decrypts) the e-mail. SecureGmail will perform a similar job. E-mails that go through this extension are encrypted, and can't be decrypted by Google. “Encrypted Communication” is a simple to use Firefox extension. For that you will need a password that the recipient has access to—but remember to never transmit the password itself by e-mail.
  1. Secure e-mail providers — Hushmail is an example of an e-mail service that provides better security than the more common networks you use, but it may be forced to hand over e-mails to the U. S. government under a court order, and it does log IP addresses. Another e-mail service with similar features and security levels is Kolab Now, which prides itself (among other claims) on storing data exclusively in Switzerland.
  1. Disposable e-mail addresses (DEAs) — This is an e-mail address created ad hoc for a specific purpose, which is completely anonymous and is deleted immediately after use. This solution, commonly used when signing up for various services in order to avoid spam, is also a great solution for maintaining anonymity. However, I wouldn’t advise journalists to communicate with their sources over it, because security is not its strongest trait. There are dozens of such temporary e-mails, but the British Guardian newspaper, for example, recommended Guerrilla Mail and Mailinator. Using Guerrilla Mail with the Tor Browser ensures that almost nobody can connect your IP with your e-mail address. Likewise, if you use e-mail encryption software, such as GnuPG, on Tor, you’re all set.
  1. Encrypting your mail — Wired got this recommendation from Micah Lee, a privacy-focused technologist who worked with the EFF and First Look Media. Encrypting messages with webmail can be tough. It often requires the user to copy and paste messages into text windows and then use PGP to scramble and unscramble them. PGP (an acronym for “Pretty Good Privacy”) is an encryption program that normally provides cryptographic privacy and authentication for data communication. That is why Lee suggests a different e-mail setup, using a privacy-focused e-mail host like Riseup.net, the Mozilla e-mail app Thunderbird, the encryption plugin Enigmail, and another plugin called TorBirdy that routes its messages through Tor.

As Reid pointed out in his interview with Kamphuis on journalism.co.uk, Glenn Greenwald almost lost the NSA story because he initially ignored Snowden’s instructions on e-mail encryption. In other words, if you want a story that will go down in history it makes sense to be secure.

Kamphuis agrees that PGP can be trusted. As he and Reid explain, with PGP encryption, you have a public key, like your public phone number, and a private key. The public key can go on Twitter biographies, business cards, websites and wherever else your work is publicized, but the private key must be stored securely, as with any other sensitive information. Then, when a source wants to send information, they will use your public key to encrypt their e-mail, which only your private key can unlock.

Kamphuis recommended the GNU Privacy Guard, an open-source version of PGP, that is simple to set up and has an active support community. For encrypting files, data and hard drives, he suggested consulting his free eBook, Information Security for Journalists published with Silkie Carlo and released through the Centre for Investigative Journalism (CIJ), which fully explains the process. If you do choose to encrypt the message itself regardless of your mail provider’s identity, using zip with a password is a good idea, and 7ZIP is a recommended tool for accomplishing that.

  1. Back to basics — Please try to avoid phishing. Watch the “from” field in your e-mail for little misspellings; someone else can pose as somebody you know.

And one last word on e-mail encryption: One of the real problems to bear in mind is that even after encrypting a message, not everything is encrypted. The e-mail addresses of the sender and recipient, the subject line and the time and date when the e-mail was sent, are all out in the open.
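What stays readable in transit can be checked directly on a message. The sketch below is an added example, not part of the original article: it parses a constructed sample message (the addresses, subject and placeholder body are invented) with Python's standard `email` module and reports which headers remain in cleartext and whether the body is PGP-encrypted, either as inline armor or as PGP/MIME.

```python
from email import message_from_string

# Headers that mail servers need or add, and that PGP does not protect.
EXPOSED_HEADERS = ("From", "To", "Cc", "Subject", "Date", "Message-ID", "Received")

# Constructed sample message. The body is a placeholder standing in for
# real ciphertext; only the armor markers matter for this check.
SAMPLE_MESSAGE = """\
From: reporter@example.org
To: source@example.net
Subject: Documents for Thursday
Date: Tue, 07 Mar 2017 09:15:00 +0000
Message-ID: <constructed-1@example.org>
Content-Type: text/plain; charset="us-ascii"

-----BEGIN PGP MESSAGE-----

(placeholder for the encrypted body)
-----END PGP MESSAGE-----
"""


def body_is_pgp_encrypted(msg):
    """True if the body is PGP/MIME (RFC 3156) or an inline armored message."""
    if msg.get_content_type() == "multipart/encrypted":
        return msg.get_param("protocol") == "application/pgp-encrypted"
    if msg.is_multipart():
        return False
    text = msg.get_payload()
    return ("-----BEGIN PGP MESSAGE-----" in text
            and "-----END PGP MESSAGE-----" in text)


def observer_view(raw_message):
    """What anyone handling the message in transit can read without a key."""
    msg = message_from_string(raw_message)
    headers = {
        name: msg.get_all(name)
        for name in EXPOSED_HEADERS
        if msg.get_all(name)
    }
    return {
        "cleartext_headers": headers,
        "body_encrypted": body_is_pgp_encrypted(msg),
    }


if __name__ == "__main__":
    view = observer_view(SAMPLE_MESSAGE)
    print("body encrypted:", view["body_encrypted"])
    for name, values in view["cleartext_headers"].items():
        for value in values:
            print(f"readable in transit -> {name}: {value}")
```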

 

FINAL WORDS

As Micah Lee put it when interviewed about privacy in Wired: “If your computer gets hacked, the game is over. Creating a virtual sandbox around your online communications is a good way to keep the rest of your system protected. Tor is awesome and can make you anonymous. But if your endpoint gets compromised, your anonymity is compromised too. If you really need to be anonymous, you also need to be really secure.”

And journalist Toni Locy puts it in even harsher words in an article published in an eBook about the future of cross-border investigative journalism for the Nieman Foundation at Harvard: “Some journalists, computer scientists and privacy advocates are so alarmed that they recommend reporters go old school ... and rely on in-person interviews and snail mail.”