Virtually every electronic communication we make or receive is being recorded, stored and subject to analysis. As this surveillance is being conducted in secret, without scrutiny, transparency or any realistic form of accountability, our sources, our stories and our professional work itself is under threat.
Information security, or InfoSec, is the practice of defending information from unauthorised access. This information may include a news report you are working on and any associated files, the identity of your source(s), your communication with them and at times your own identity. Start by considering:
- Your potential adversaries or attackers
- The tools they have and how likely they are to use them
- The risks for you or those you communicate with from an attack
- The risks that arise from passive surveillance
- Practical, safe and effective defence strategies for you and your sources
Laptops
You can be spied on via: webcams, mics, WiFi cards, Bluetooth cards, 3G modems, Ethernet ports and hard disc drives.
New laptops are nearly impossible to defend. Older laptops such as the IBM ThinkPad X60 (and the X60s) are more secure as they have an Intel 945 chipset and specialist work can be done to safeguard the hardware and firmware.
In very high-risk situations you should have at least two laptops – one of which must never connect to the internet by any means. This can be a very useful machine for storing or accessing files (from a USB stick), writing articles and producing reports. You, or the specialist helping you, should remove or disable all of the laptop’s connectivity devices to ensure it is truly offline at all times.
Preventing theft, damage and physical attacks on your laptop means keeping it on you, near you, or within your sight at all times in situations where it could be compromised. If at any point your laptop is left unattended (at home, in a café or at the office) or is in someone else’s possession (checked-in baggage on a flight; being held by the police/authorities), you should consider the possibility that the system may no longer be secure.
Operating systems
To increase confidence that your operating system does not have potential surveillance ‘backdoors’, it should be ‘open source’. ‘Open source’ software such as Linux is freely distributed software for which the source-code, the very fabric of the operating system, is ‘open’ and publicly available.
Ubuntu is the most widely used Linux operating system. It is easy to install, highly functional, and user friendly. Using Ubuntu is a good option for day-to-day, non-sensitive work.
Tails is the most secure operating system. No trace of your computer is left on the system after you shut down. Tails is designed for use from a USB stick independently of the computer's original operating system. This means that you can remove your laptop’s hard disk drive (recommended for high-risk work) but still boot up the laptop through a Tails USB stick. Alternatively, you can put a Tails USB stick into a computer with the hard disk drive intact, and boot up via Tails. The machine will ignore the original hard disk and operating system, and run from the USB drive with Tails instead.
Safe browsing
1. Firefox is a general purpose web browser for Linux and Windows
2. Chromium is a general purpose web browser for Mac
3. Tor is a secure browser that anonymises your location and identity and overcomes web censorship (Linux, Windows and Mac).
The Tor browser was specially designed for anonymity by routing all its traffic through the Tor (‘The Onion Router’) network. This browser prevents internet providers storing accurate information about your web browsing history. The Tor network is a global network of computers called Tor nodes that have encrypted connections with each other.
Encrypting emails
You can protect the privacy of your email content by using ‘public key cryptography’. Public key cryptography scrambles the content of your email into (thus far) unbreakable code using the recipient’s ‘public key’. The encrypted email can then only be decrypted using the intended recipient’s ‘private key’. We recommend the GNU Privacy Guard, GPG. Using GPG, whilst very different to normal emailing, is not difficult and you will get used to it very quickly. Understanding exactly how it works, however, is slightly more challenging.
Key pairs: keys are essentially unique long sets of numbers, and each user of email encryption has a key pair – a public key, and a private key.
Your public key: Your public key is what people will use to encrypt emails that they send to you. Like listing a phone number in the phone book, you can choose whether to list your public key on the public keyserver or not (if it is a secret or anonymous email account, you may not wish to upload the key to the keyserver). If you choose to list your public key on the keyserver, it will be openly available so that anyone can contact you securely.
Your private key: Your private key allows you to decrypt emails from others who have contacted you using your public key. Although your public key is then freely available, the private key in the key pair is exactly that – private! A private key corresponds to your public key, ensuring that no one else can have unauthorised use of your public key. You will probably never even see your private key – it lives and works under the bonnet of your GPG software
Cryptography
Many common privacy tools are cryptographic tools. This cryptography may be illegal, or require a license, in several countries including China, Cuba, Iran, Libya, Malaysia, North Korea, Singapore, Sudan and Syria. When entering some of these countries, you may need to declare any encryption technology on your laptop. You can find out more about cryptography laws for each country here.
Useful resources for staying safe online
Email: GMX and Yandex offer more anonymous email options to Gmail and Yahoo.
Websites: HTTPS Everywhere forces encryption for all connections between your web browser and the webserver you are visiting.
Apps: Signal (instead of WhatsApp) offers more secure instant messaging. But remember, the vulnerabilities of smart phones are numerous, with some existing in the hardware, and they are not fixable.
Storage: VeraCrypt is open source encryption software. Mac users will also need to download FUSE for OS. There is comprehensive documentation here (https://veracrypt.codeplex.com/documentation). VeraCrypt allows you to create an encrypted 'container' that acts as a digital strongbox for files, locked by a password. Once this box is created and filled with files it can be moved to an external storage device such as a USB drive, or sent over the internet to others. Even if the file is intercepted, the strongbox will not reveal its contents to anyone who does not have the password
File sharing: Mega is an alternative to popular file-sharing platforms such as Dropbox and Google Drive. Mega runs some encryption inside the browser before the file is uploaded to protect the user against low-level snooping. While their encryption should not be considered 'government-proof' it does add a thin layer of protection against snooping on data as it is being transmitted over an open Wi-Fi connection.
For more information the Information Security Handbook For Journalists is available here.
Watch our video