“Journalists in this country have enjoyed the benefits of press freedom, but now the combination of aggressive investigations and unprecedented reliance on technology mean journalists need to get up to speed on digital security, and so do their sources,” said Frank Smyth, senior advisor for journalists’ security at the Committee to Protect Journalists. “Journalists have to start thinking about operational security in terms of reporting.”
In light of these leaks, Alan Pearce, who has contributed to TIME Magazine, The Sunday Times and Sky News, among other news outlets, has written a handbook to help journalists protect themselves in the digital world, “the emerging battleground.”
“Not every journalist needs to be concerned about this,” Pearce writes. “But it is important to know how to operate securely should you ever need to. If you can’t offer confidentiality, you are compromised.”
With that in mind, here are some of the most important takeaways from Pearce’s recently-released Deep Web for Journalists: Comms, Counter-Surveillance, Search to help journalists develop digital security strategies.
It’s all too easy to become a target for government monitoring based on search history, Pearce writes. Algorithms can pinpoint users that make questionable searches, meaning journalists may often be identified because of research for controversial stories.
The “Deep Web” offers a cloak of anonymity for journalists. In short, it is everything online that’s un-indexed by surface search engines, and by some estimates it’s 5,000 times the size of the surface Internet. Individual users can thus better blend in for more secure browsing.
Tor is one way of accessing the Deep Web. Short for The Onion Router, the hidden network was developed with U.S. Navy funds in the early 2000s, Pearce writes. It’s top-grade privacy makes it a hot bed for criminal activity and communication, but it can be just as useful for journalists concerned about their privacy. Currently there are about 400,000 daily Tor users, compared to the surface web’s more than 2 billion.
Pearce recommends journalists download the Tor/Firefox bundle (from TorProject.org — do not download elsewhere, as the file may not be secure). For maximum security, install it to a portable storage such as a CD or USB drive, then encrypt the file using software such as TrueCrypt.[Editors note: True Crypt was discontinued in 2014. For the reasons why, and a list of free alternatives, go here]
The Deep Web has its own search engines, but when searching the surface web, security-conscious journalists should avoid using Google. Instead, they should opt for a service that does not track searches, such as Secret Search Engine Labs or Ixquick.
It’s also essential to pick a high-security password for your at-home Wi-Fi network — simply leaving the administrator password makes it vulnerable to infiltration. Pearce also advises using a virtual private network (VPN) whenever possible to mask your identity. Options include FreeVPN, ProXPN and VyprVPN.
To keep out viruses that can track your keystrokes and collect personal information, Pearce lists Comodo Personal Firewall, Lavast’s Ad-Aware and Spybot Search and Destroy as reliable software options.
“If you want to be monitored 24/7 and followed wherever you go, buy a smartphone,” Pearce writes. Indeed, phones can be tracked even when they’re turned off, and data sent and received from them is “inherently insecure,” said Katrin Verclas, innovation officer at the National Democratic Institute.
To make tracking more difficult, GPS and geotagging should be turned off, and, in particularly sensitive locations, airplane mode should be activated. Pearce says 2G, 3G or 4G should be used preferentially over Wi-Fi networks, which are less secure. Journalists should avoid connecting to office Wi-Fi networks or hooking up their phones to work computers.
Your phone should be secured with a code, and you should avoid storing sensitive data on it. To protect files, save them on an external SD card rather than the phone’s internal storage. Your SD card can be encrypted to further protect information.
Furthermore, apps such as Secret Compartment for Android or iOS also allow users to hide files. Pearce also recommends having a spare SD card, without personal or sensitive data, for covering demonstrations and other events where arrest is possible. Additionally, apps such as Mobile Security for Android make it possible to remotely wipe files from your phone, and Wickr for iOS encrypts data and self-destructs it after viewed.
Moreover, some apps on the Google Play for Android and App Store for iOS include malware that collects data on users, even going so far as recording phone calls. Pearce writes that a red flag for apps is when one asks permission to use your location or prompts a user to enter personal information such as an email address. It is important to keep track of which apps are running in the background. If your battery rapidly depletes or you begin receiving unusual texts, you may have malware installed to your phone.
Spam text messages from unknown numbers also often link to sites with malware, so it’s best to never click on a link from an unknown sender.
To avoid these issues in the first place, Pearce recommends several smartphone security apps, including AVG Mobilation and Trend Micro for Android and Anti-Virus & Malware Scanner for iOS. Lookout will work for both operating systems.
One of the biggest dangers to security is to save files in a cloud store, as an amendment to the Foreign Intelligence Surveillance Act allows U.S. agencies to access data saved there without a warrant, Pearce writes. However, if you must use a cloud service, Trend Micro and avast! appear the safest, and saving to Tor is another option.
Secure files should not be stored on computers’ internal storage, as investigators frequently target them. Instead, users should save and encrypt sensitive data on a removable hard drive or SD card.
Journalists can even embed particularly sensitive files within others. Peare offers the example of smuggling war footage from a country within an MP3 track on an iPhone or sending a hidden message through a vacation photo over email. Software such as OpenPuff and Mp3Stego facilitate this process. Secretbook even allows files to be hidden in Facebook photos.
Email sign ups should be done through a VPN or Tor, though there are more secure alternatives to email use. Anonymouse offers a re-mailing service to anonymously send emails, and 10 Minute Mail creates a short-term email address for one-time use.
Alternatively, a reporter can create a free email address and provide a source with the login details. Information can be shared between the two by saving copy in the draft box. These emails are less likely to be intercepted.
Other messaging options include PrivNote, which self-destructs notes after they’re read, spammimic, which makes sensitive messages appear like spam until they’re decoded, and PrivacyBox, a German Privacy Foundation initiative that allows journalists to send and receive encrypted messages through Tor.
Pearce notes that iOS iMessage and FaceTime are unable to be intercepted. Android and iOS users alike can also use Secret SMS software to encrypt text messages. Similarly, several Android apps encrypt phone conversations.
Stay informed as technologies evolve
These tips only scratch the surface of digital security, and it is essential for journalists and newsrooms to stay informed as technologies evolve.
“There needs to be a push in the newsroom to do really good trainings, so it’s not just self help,” Verclas said in an interview with Columbia Journalism Review. “Newsrooms have a moral and ethical obligation to invest in this kind of stuff in a very professional, high quality way.”
Alan Pearce will be speaking at the World Editors Forum International Newsroom Summit in Berlin, 8-9 October.