Keeping your private dealings private is a must for anybody in the 21st century, no matter who you are. It’s nobody’s business what you do online or what you’re up to. That said, some people are under more scrutiny than others, none more so than journalists. Here at Cloudwards.net we decided to hand out a few tips to our fellow scribblers with this online privacy guide for journalists.
Regular readers will find there’s some overlap between this piece and our online privacy guide, but that’s because in a way this one leads off where that one started. We’re all potential victims of cybercriminals and marketers, maybe even of government surveillance, but anybody even remotely challenging the status quo through print needs to employ more caution than regular folks.
This is because the methods employed against a journalist who’s on to something are of a greater magnitude than some low-level eavesdropping. In the offline world journalists have been harassed, tortured, even murdered and as media have gone to the internet, so have the bullies evolved ways to make sure that they can export their methods as well.
The best recent example are the cyberattacks on Ukrainian journalists, which are likely the work of both the greatest cyberbully of them all, Russia, our number two pick for internet censorship (our first of course being China), as well as the Ukrainian government. Not that it’s always so blatant, this report details how countries all over the world eavesdrop on journalists as a matter of course.
So, if critical journalists being barred from White House press briefings wasn’t enough, the web is also not the safest place around. Thankfully, protecting yourself either as a private citizen or as a sleuth is perfectly doable, you just need to know how. So, no matter if you’re an old-school pen-and-paper hack or a hip investigative blogger, let’s see what you can do to keep yourself and your sources safe.
Educate Your Sources
First off, nothing that comes below will be any good if the people you’re conversing with don’t follow suit. If you’re on an airgapped, encrypted, securely booted laptop while your source is rocking an iPhone, you’re screwed. Well, they are, mainly, but your story is toast even if you do avoid whomever is after you.
If you’re reading this guide because you’re about to start talking to someone who has vital information, make sure they read it too. Not a single one of the below tips require any particular knowhow or will cost you a single penny — well, except for the VPNs, but you can sell that as a way to also circumvent the Netflix VPN ban besides saving yourself from a bullet in the head.
Use a VPN
Speaking of bullets, let’s bite this one right off the bat: the very first step in any privacy strategy is signing up to a virtual private network. Though we do have a selection of the best free VPN providers, none of them offer the protection a journalist needs, meaning you’ll have to go to the paid options we talk about in our article on the best VPN services.
In fact, we’ll go one step further an recommend that you use one of our best VPN for China picks as if the Chinese secret police can’t crack them, nobody can. All of the providers in that article offer advanced encryption, meaning you can access the internet anonymously without anyone tracking your movements.
The reason you want to use a VPN is very simple: it hides your presence on the web as instead of accessing the internet from your own location, you do so via a third-party server elsewhere in the world. Great if you’re trying to circumvent geoblocks, fantastic if you don’t want anybody to be able to trace you.
It’s very important that you keep your VPN on at all times, you may want to enable it to start up together with your computer. This is because if you’re even visible for a second on the web, you can be traced back to your location. Another important feature is a killswitch, which will sever the connection if your server stops working for any reason.
Another measure you can take to keep your browsing secure is to use TOR, a special browser that can in most cases replace Chrome, Safari or whatever else you’re using to access the internet.
We have an article in which we discuss the pros and cons of VPN vs proxies vs TOR, but what it boils down to is that using a VPN and TOR at the same time, especially using a provider that allows for VPN over TOR like NordVPN, means you’re doubly secure.
Using TOR takes some getting used to, but is great for situations in which you’re worried that your VPN may be compromised or because you want to chat to a source using a deep web chat site, as you can’t access those darker recesses of the internet without TOR.
Encrypt Your Data
With your browsing secure, let’s take a look at keeping your files safe as well. After all, if a hacker manages to get access to your computer, or simply steals your laptop from your hotel room, any other measures you take will be pointless.
The simplest thing you can do is encrypt your hard drive. The simplest way to do this is to either use Linux, most distros will let you set this option upon install, or use a TrueCrypt alternative like VeraCrypt or FileVault. All of these are easy to use and are mostly free, as well.
You can opt to either encrypt your entire hard drive, certain folders, or both. Doing both seems like overkill and it’s not very practical if you don’t have a head for remembering passwords, so this may not be the best option.
Besides encryption, you may also want to consider airgapping one of your computers, which basically means keeping it disconnected from the internet at all times. This reduces what’s called your attack surface, meaning unless an attacker can physically access a device, they can’t get to it — locking it into a safe when you’re not using it would be a good idea, too.
An airgapped laptop isn’t a very useful thing, but can be used to keep only highly sensitive information, which you then transfer using a thumb drive when you do need it. However, to be truly effective, an airgapped computer can never be connected to the internet, ever, unless you want to run the risk of accidentally opening it up to attack.
Encrypt Your Messages
With your data locked away behind a wall of encryption, we’re going to have to do the same with your messages, especially if you and your sources are sending files to each other. We have an article on encrypting emails, though whatever you do, avoid free services like Gmail, Hotmail and all the others. If you need to share files securely, either use a secure service like Thunderbird or skip to our file-sharing section, further down.
As for regular communication, you’ll likely want to avoid telephone or VoIP calls as these are easily monitored. You’ll want to rely on text messages instead, though again there are better alternatives than anything that comes stock with your smartphone.
The best of these is WhatsApp, the insanely popular messaging app that is used by millions worldwide. It features end-to-end encryption, meaning that as soon as you hit send on a text it’s encoded and not decoded until it hits your recipient. It’s a great system and, again, comes free.
However, WhatsApp is under pressure to install a backdoor so security services can snoop around to catch terrorists, which is really spookspeak for “anyone that disagrees with us.” Though the company is resisting so far, eventually they’ll have to cave, meaning you’ll have to turn to DIY text encryption. As the linked article shows, there are plenty of options here, so you should be alright.
Another thing you should watch out for is using services like Slack, Google Hangouts, etc. Though we’re not going to argue how useful they are — Cloudwards.net uses Slack to communicate with our far-flung team — for secure communication they are useless.
Which brings us to another point: smartphones, handy as they are, are basically a great way of hanging out a big ol’ sign pointing to your location. GPS is great if you’re lost in a strange city, but a downright handicap if you don’t want your local secret police to find you. Though using a VPN and uninstalling stock messaging apps and the like should help, the best way to avoid any trouble is to either not use a smartphone at all, or use burners.
Burners, as fans of The Wire know, are basically throwaway, pre-paid phones. You buy ‘em, use up the credit and dump ‘em. These phones usually won’t be able to use the internet and usually only allow calling and texting, which negates the advice we’ve given you so far. However, with the advent of cheap-as-dirt knockoff smartphones, you can more or less make your own burners.
The trick is to find one that you can easily customize with a ROM, then install secure alternatives to your usual apps. This burner could then be used to communicate with your sources exclusively, while your regular phone is used, well, regularly.
The only way you could still be tracked using your burner is the SIM card (avoided by mail-ordering a SIM from a country that doesn’t require ID, like Ireland or the UK) and the IMEI. This last one is trickier to avoid, which is why we emphasized the “cheap” angle earlier: if you think someone is on to you, ditch the phone and get a new one.
Though it’s all a bit laborious, it beats an interview session with men in black trench coats. Whatever you do, though, avoid using stock apps for messaging as any of those will have you in the back of a van with a bag on your head before you can say “probable cause.”
Share Files Using Cloud Storage
With communication covered, let’s take a look at the best way to share files. Though you could simply email them, encryption could be an issue and few services will take files larger than 25MB or so. If a source is delivering a full earnings report or something, those .pdfs can run into the hundreds of MBs, while videos can easily hit a gig.
Though most of our best cloud storage services can handle those volumes, security is usually an issue. What you really want is one of our best zero-knowledge services, where not even the employees of the company can look at your files, let alone some NSA agent with a warrant. Zero-knowledge has as a downside, though, that you need to make sure you can’t forget your password, so make sure you write it down in a safe place.
In this case, we’ll go ahead and recommend Sync.com. As you can read in our review, not only does this service have great security, it also gives you up to 2GB of storage for free, meaning it’s perfect for journalists that are running their blog on the cheap. It also makes sharing files pretty easy and signing up takes maybe two minutes. If your source has files to share, this is probably the way to go.
The last point we’d like to make in this article is that all the above tips and tricks rely on password security, which means that you may want to take a look at our guide to creating strong passwords.
In a nutshell, a good password is random (preferable made using a password generator), long and not a dictionary word. Though these tips will make them hard to remember, using a password service could help with this, though you need to keep the security risks in mind.
Another way to go is to use weaker passwords, but use two-factor authentication to access services. This means that anyone wanting to access your account needs to also have your phone or another device to be able to do so. Though not ideal — someone could simply knock you over the head, then access your cloud storage using your phone and weak password — it may be a solution for people that have trouble remembering their codes.
And there you have it: a few simple tips that should keep journalists, bloggers and every other kind of sleuth safe from electronic snooping. You’ll notice that we don’t really touch on countersurveillance and other types of spycraft, but that’s just because Cloudwards.net is a wholly online outfit; we don’t do meatspace.
Hopefully our advice proves useful to someone trying to uncover the truth on corporate malfeasance, governmental incompetence or police brutality. If you have any other tips you’d like to share, we’d love to hear from you in the comments below. Thank you for reading and stay safe out there.