Hackers are everywhere. This tip sheet offers free resources to help journalists protect their sources and themselves.
by David Trilling | March 9, 2017
With hacking and other digital intrusions becoming a regular feature of life in the computer age, it’s more critical than ever for journalists to protect their sources. But for many, the tech world is intimidating. This tip sheet offers free resources for journalists of all digital-comfort levels as well as links to useful tutorials.
Whether you are concerned about eavesdropping by the National Security Agency, Russian agents or a nefarious corporate leviathan, nothing is 100 percent secure. If you are meeting a confidential source in person, someone who may be risking his or her safety by speaking with you, don’t bring your phone or laptop. A hacker could track you through your phone using GPS and cell-phone networks or turn on the microphone or camera – even, possibly, when you think the phone is off. Security wonks praise paranoia.
Instant communications: Of the many free instant messenger apps out there, Signal is widely used by rights activists and journalists. According to the Electronic Frontier Foundation (EFF), a digital and free-speech activist group:
Signal is an app available on both iOS and Android that offers strong encryption to protect both text messages and voice calls. This type of protection is called end-to-end encryption, which secures your communications in transit. Other apps, such as WhatsApp, have implemented underlying cryptography. But we believe Signal is the better option because it implements best practices for secure messaging. […]
Recently, a grand jury in the Eastern District of Virginia issued a subpoena to Open Whisper Systems, the maintainers of Signal. Because of the architecture of Signal, which limits the user metadata stored on the company’s servers, the only data they were able to provide was ‘the date and time a user registered with Signal and the last date of a user’s connectivity to the Signal service.’
On March 7, 2017, Wikileaks released documents that claim the C.I.A. has managed to hack Signal and other encrypted messaging programs on Android phones.
Encryption: Full-disk encryption scrambles your data so that even if the device (your laptop hard drive, for example) is stolen or seized, the material on your computer cannot be read without the password. So, you need a strong password. Apple and Windows offer built-in encryption, but it needs to be turned on. There are also third-party applications available. Here are some step-by-step instructions from the University of California at San Francisco and The Intercept.
Install an “HTTPS Everywhere” plug-in for your browser, which makes it use a site’s encrypted (HTTPS) version whenever one is available and so makes your browsing more secure.
A popular way to encrypt email is the PGP protocol (“Pretty Good Privacy”), though some experts are starting to abandon it. For Columbia Journalism School, tech reporter Tiffany Hsu describes an alternative, known as OTR, in an excellent tip sheet that also discusses other encryption protocols:
This protocol, which stands for Off The Record, attaches to instant messaging programs and allows for confidential, encrypted and authenticated discussions. This is not the same thing as the off-the-record function available through Google Chat. OTR is built on a concept called perfect forward secrecy — it creates encryption keys throughout a conversation, making it impossible to retrieve old messages. It’s almost like having a face-to-face conversation. OTR only works if both chat participants have it enabled. Mac users can access OTR via Adium (download it here), while Windows users can get it via Pidgin (here).
Hsu also suggests that users “look for systems with true end-to-end protection, where the service provider can’t circumvent the shields. It’s also a good sign if the programming is open-source, so the developer community can identify and fix potential flaws.”
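The forward-secrecy idea in Hsu’s description above, as an added worked example that is not part of this tip sheet and not OTR’s own code: every message is keyed by a fresh Diffie-Hellman exchange, both sides then throw the private halves away, and a later seizure of both devices (here modelled as reading the keys still in memory) cannot unlock anything recorded earlier. It uses only Python’s standard library. The Diffie-Hellman group (RFC 3526 group 14, as transcribed here), the HMAC-based stream cipher, the label strings, the `Party`/`send` model and the two-message conversation are all constructed for this illustration; the cipher is a teaching stand-in, not a real AEAD.

```python
# Added teaching example of perfect forward secrecy via per-message DH ratcheting.
# Constructed model, not OTR's real protocol; toy cipher, not for deployment.
import hashlib
import hmac
import secrets

# RFC 3526 group 14 (2048-bit MODP) prime with generator 2, transcribed here;
# check it against the RFC before reusing it anywhere outside this demo.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
KEY_LABEL = b"toy-otr-message-key"   # constructed label for key derivation

def dh_keypair():
    """Fresh ephemeral key pair. The private value lives only until ratchet()."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes(256, "big")

def derive_key(shared):
    """HKDF-style extract-then-expand collapsed into two HMAC-SHA256 steps."""
    prk = hmac.new(b"toy-otr-salt", shared, hashlib.sha256).digest()
    return hmac.new(prk, KEY_LABEL, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]

def encrypt(key, plaintext):
    """Toy encrypt-then-MAC with an HMAC keystream (stand-in for a real AEAD)."""
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt(key, blob):
    """Plaintext on success, None when the tag fails (wrong key or tampering)."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

class Party:
    """One chat participant. Only the current ephemeral private key is stored."""
    def __init__(self, name):
        self.name = name
        self.ratchet()

    def ratchet(self):
        self.priv, self.pub = dh_keypair()   # the previous private key is dropped here

def send(sender, receiver, plaintext, wire_log):
    """One round: key the message on the current ephemeral keys, deliver it,
    then both sides ratchet. wire_log records what a network observer sees."""
    blob = encrypt(derive_key(dh_shared(sender.priv, receiver.pub)), plaintext)
    wire_log.append((sender.pub, receiver.pub, blob))
    recovered = decrypt(derive_key(dh_shared(receiver.priv, sender.pub)), blob)
    sender.ratchet()
    receiver.ratchet()
    return recovered

def decrypt_log_with_seized_keys(alice, bob, wire_log):
    """Model a later seizure of BOTH devices: try each recorded message with the
    keys still on the devices. Returns one bool per message (True = readable)."""
    results = []
    for sender_pub, receiver_pub, blob in wire_log:
        keys = [derive_key(dh_shared(priv, pub))
                for priv in (alice.priv, bob.priv)
                for pub in (sender_pub, receiver_pub)]
        results.append(any(decrypt(k, blob) is not None for k in keys))
    return results

if __name__ == "__main__":
    alice, bob, log = Party("alice"), Party("bob"), []   # constructed conversation
    print(send(alice, bob, b"Can we meet tomorrow?", log))
    print(send(bob, alice, b"Yes, 9am, usual place.", log))
    print("readable after seizure:", decrypt_log_with_seized_keys(alice, bob, log))
```

The point of the model is the last line: the recorded ciphertexts decrypt correctly at the time they are exchanged, but once both parties have ratcheted, the keys left on the devices open none of them. A real OTR or Signal client does the same with far more care (authenticated key exchange, a proper AEAD, key erasure in memory), which is why the quoted advice stresses end-to-end protection rather than server-side storage.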
Finally, back up your data on an external, encrypted hard drive and store it somewhere (physically) safe.
Strong passwords and two-factor authentication: A number of services such as Google, Dropbox and Amazon support two-factor authentication (“2FA”), which requires users to complete an extra step to log in. In addition to using a username and password, you’ll also input a random, one-time code sent to a second device, like your cell phone. This makes it much harder for an unauthorized person to access your account.
Use strong passwords (the kind including symbols like $*&@!<) and don’t use them in more than one place. If it’s too hard to remember them all, consider using a password manager like 1Password or LastPass. But nothing is completely secure: Some experts suggest not using a manager for the most sensitive accounts, like your email and bank.
Searching safely: For the safest browsing experience you can use the free Tor browser. Tor conceals users’ online addresses, its makers say, “bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, it prevents the sites you visit from learning your physical location” and it allows you to visit blocked websites. It does not need to be installed and can be opened from a flash disk. See this Lifehacker guide to getting the most out of Tor.
Keep your software up to date: Software updates often fix bugs and holes that have only recently come to light. Matthew Green, a cryptographer at Johns Hopkins University, explains why mobile platforms (and their updates), rather than desktops, are generally safer.
Cover your webcam with a band-aid or tape: Your webcam or videoconferencing equipment could be hacked. Don’t believe it? Read this story in The New York Times.
Other resources from JR:
ProPublica’s Julia Angwin — author of Dragnet Nation: A Quest for Privacy, Security and Freedom in a World of Relentless Surveillance — gave a comprehensive 2014 talk on her security tips here.