By Tiffany Hsu July 18, 2016
Journalists and sources can connect in just a few keystrokes — but doing so comes with serious risks.
Digital conversations over email, text or even the phone are vulnerable to tracking and hacking. And although some beats are more prone to attacks—war coverage, technology, national security, anything investigative—shielding sources is responsible journalistic practice for any reporter.
Luckily, setting up a basic line of defense isn’t hard.
What’s at risk?
Former National Security Administration subcontractor and whistleblower Edward Snowden sought out filmmaker Laura Poitras because she was familiar with encryption techniques. ©DonkeyHotey
Privacy, basically. Hacks can expose what you’re working on. A breach can threaten your source’s identity, reputation and, in extreme cases, life.
“You are part of a network—you have contacts and access to systems through which a bad actor can get not just your information but the information of someone else in your group,” said Susan E. McGregor, assistant director of the Tow Center for Digital Journalism at Columbia Journalism School.
“Your secure practices don’t just protect you, but everyone with whom you work and have contact,” she said.
Some sources, especially those who seek anonymity, refuse to interact with reporters who don’t safeguard their communications. Former National Security Administration subcontractor and whistleblower Edward Snowden sought out filmmaker Laura Poitras because she was familiar with encryption techniques—but only after trying to establish secure contact with Guardian reporter Glenn Greenwald (who eventually learned to encrypt and began working with Snowden and Poitras).
Who has access to my information?
Hackers are legion—and they’re getting wilier. The FBI said its Internet Crime Complaint Center received more than 288,000 complaints last year, nearly 20,000 of which involved personal data breaches. Journalist Steven Petrow was hacked while working on a story during a flight earlier this year. Fusion news director Kevin Roose recently invited two hackers to break into his data—who were ultimately able to discover and control a terrifying amount of information.
But spy agencies and law enforcement can also tap into journalists’ communications, sometimes surreptitiously but often legally. In 2014, the Securities and Exchange Commission was found to have combed through employees’ phone and email records in an (unsuccessful) attempt to catch a whistleblower within the agency.
Glenn Greenwald, speaking at the Young Americans for Liberty’s Civil Liberties tour at the University of Arizona in Tucson, Arizona. ©
Gage Skidmore
The Senate is set to consider a bill, approved unanimously by the House in April, that would require the government to obtain a search warrant when asking data service providers for customers’ digital communications. The so-called Email Privacy Act would update rules that currently require only a subpoena for agencies to pry into stored data.
That’s possible because telecommunications companies, email hosts and other providers hang on to troves of so-called metadata, which can include information on when and where a message originated and ended up. Metadata can be used to map out your entire social network (as an MIT project called Immersion demonstrates). Some companies keep the information for years, according to the Department of Justice.
What makes data secure?
Encryption and authentication are two major principles to understand when it comes to securing data.
Encryption, McGregor explains, is “the process of scrambling information in such a way that it cannot be unscrambled except with a mathematically unique key — a series of numbers.” This can be done using cryptographic methods such as the so-called Diffie-Hellman key exchange (for a visual explanation, check out this video). End-to-end encryption shields against eavesdropping and tampering by allowing only the users with the necessary codes to decipher the data being shared or stored.
Authentication helps identify imposters, ensuring that both the contact and the message are legitimate. This can be accomplished by signing correspondence with so-called digital fingerprints that certify the message sender’s identity. Two-factor authentication also protects accounts, keeping them locked until a user inputs first a password and username followed by a unique piece of information or physical fob that only they possess. Enable two-factor authentication for Google here.
What should I do to protect myself and my sources?
Here’s a short list of some programs and platforms that journalists use. A note of caution: Look for systems with true end-to-end protection, where the service provider can’t circumvent the shields. It’s also a good sign if the programming is open-source, so the developer community can identify and fix potential flaws.
CRYPTOCAT: Glenn Greenwald used this application when interacting with Edward Snowden. Users can exchange encrypted messages and files on a number of devices (whose ownership can be verified so as to thwart interlopers). Download it here.
ENIGMAIL: This extension for the Mozilla Thunderbird email platform and the SeaMonkey internet suite allows data encryption and decryption. And it validates contacts’ credentials using the web of trust authentication method, which relies on endorsements from other users. Download it here.
OTR: This protocol, which stands for Off The Record, attaches to instant messaging programs and allows for confidential, encrypted and authenticated discussions. This is not the same thing as the off-the-record function available through Google Chat. OTR is built on a concept called perfect forward secrecy — it creates encryption keys throughout a conversation, making it impossible to retrieve old messages. It’s almost like having a face-to-face conversation. OTR only works if both chat participants have it enabled. Mac users can access OTR via Adium (download it here), while Windows users can get it via Pidgin (here). Security experts also recommend Tor Messenger and CoyIM.
PGP: This system, short for Pretty Good Privacy, is a quarter-century old. It’s infamously convoluted, but many tech reporters swear by it. Each user has both a public and a private key code. The public key is attached to the user’s email address and published on online key servers, where anyone can find it. To send a message, encrypt it with the recipient’s public key. The recipient’s private key is the only way to unlock the message. Alternately, users can sign messages with their private key to help recipients verify the origin. Set it up here or here. For help, check out these handy guides for Mac and Windows.
Micah Lee, journalist at The Intercept. ©Elate Festival, YouTube
SEMAPHOR: Prolific technologist Micah Lee, a founder of Freedom of the Press Foundation, says he’s excited about this service, which lets teams of people collaborate in encrypted chatrooms for $9 a month.
SIGNAL: This service, developed by Open Whisper Systems and recommended by Snowden, encrypts phone calls and instant messages between users. It allows for identity verification via key fingerprinting and is, according to Wired, “idiot-proof.” Install it here.
TAILS: One of the more difficult strategies to employ, Tails is also one of the most secure. It’s an entire operating system—along with email, messaging and browser applications — housed on a DVD or USB stick that can store encrypted files and route Internet traffic through the anonymous, decentralized network Tor (see below). Calling itself the “amnesiac incognito live system,” it leaves no trace of activity on computer hardware. Tails wipes evidence of every session once it’s over, which results in a blank slate each time the system is booted up. Install it here.
TOR: Short for “The Onion Router,” this free software allows a degree of anonymous Internet use by concealing users’ IP addresses. Normally, a quick Google search of an IP address can pinpoint exactly where a user is operating. But instead of making a direct connection between a search request and its destination, the TOR system bounces traffic through a decentralized network of thousands of volunteer-operated servers — known as nodes. No single node knows both the IP address and the final destination of any particular user. The idea, according to Tor’s website, is “similar to using a twisty, hard-to-follow route in order to throw off somebody who is tailing you — and then periodically erasing your footprints.” While Tor has attracted some shadowy behavior, it is designed to circumvent censorship while also protecting confidentiality from network eavesdroppers. The SecureDrop platform, which is designed for journalists to connect with and accept submissions from whistleblowers, routes communiques through Tor. Download the Tor browser here.
Any tips for safe interview protocol?
When setting a password for chat accounts (or any account, really), try to use a series of randomly generated figures instead of a combination of known words or names. And don’t rely on the same password for multiple accounts — otherwise, one cracked account could lead to a domino effect of hacks of other accounts (read Wired writer Mat Honan’s cautionary tale here). Try KeepassX, which keeps all of your passwords in an encrypted database accessible by a single master password. The program can create complicated passwords that you can cut and paste into your various accounts. Other options include Dashlane, LastPass and Sticky Password.
It’s the same idea for a chat ID. A nom de plume with some sort of personal meaning (like “starjourno”) can be traced back to you or your source. That’s harder to do with a pseudonym composed of a string of unrelated characters. And if you’re having sensitive conversations with several different sources, set up a different ID when chatting with each of them.
“Your secure practices don’t just protect you, but everyone with whom you work and have contact,” says Susan E. McGregor, assistant director of the Tow Center for Digital Journalism at Columbia Journalism School.
McGregor also suggests introducing noise as a cover. That is, if you’re in touch with one source at an organization, try to develop more contacts at the same place. And, she said, keep all of those sources “warm” by staying in consistent communication with each of them. It’s harder for data snoops to pinpoint which source is sharing sensitive data if you’re having regular encrypted chats with multiple people.
So, if I do all that, I’ll be safe, right?
If only. The big red disclaimer when it comes to data security is that no data is ever completely secure.
“Using secure communication methods help a lot, but they don’t make you surveillance-proof,” said Micah Lee.
Many tools are complicated, he said. And sources and journalists resist security training and then make mistakes. They forget that some systems, such as PGP and OTR, encrypt content but leave metadata exposed, revealing the fact that a conversation happened, even if the details are hidden. Also, the full reporting team — editors, researchers, fact-checkers, designers — needs to be protected, not just the main reporters.
“It’s also important to realize that no security tools can protect you from surveillance if the device you’re using to communicate, your computer or your phone, gets hacked,” Lee said. “If you’re discussing secrets, you should be extra careful to protect the security of your computer.”
Are there other resources to help me learn more about data protection?
Jennifer Valentino-Devries is a Wall Street Journal reporter who has written extensively on online privacy. She participated in an “Ask Me Anything” segment on Reddit a few years ago that’s worth browsing here and was part of a 2012 Pulitzer finalist team for the series “What They Know.”
Lee has posted several encryption and privacy how-tos and explainers for the Freedom of the Press Foundation and the Intercept. McGregor has a good roundup about digital security and source protection for the Tow Center. The nonprofit digital rights activist group Electronic Frontier Foundation breaks surveillance self-defense into overviews, tutorials and briefings here. Security In A Box provides an anti-hacker and censorship guide here. ProPublica ranks secure messaging tools here.
This is overwhelming. Why can’t I just cut off electronic communication and regress to a pen and pad?
Unfortunately, technology is now a vital part of journalism. It’s key to reporting, corroborating and disseminating a wider breadth of news than ever before. Data danger is just an inescapable part of that. As McGregor points out: “Going off the grid as a solution would massively curtail the ability of any contemporary journalist to do their job effectively.”
