Many experienced journalists, and not only they, have noticed that references to the Watergate scandal are suddenly everywhere again. Copies of George Orwell’s 1984 and similar books are on display in bookstores, and the threat to freedom of speech and freedom of the press is slowly spreading like a black cloud over the Western Hemisphere, reviving old fears.
The current president of the United States accuses the former president of total surveillance of his citizens; he bars central US media outlets from his press conferences, access that until now was considered an undeniable right; and he constantly accuses the media of being the worst enemies of their country. Not surprisingly, after every pitiful tweet about SNL news, the era of President Nixon comes to mind. Not surprisingly, even Republican senators such as John McCain express fear for the future of democracy.
And McCain is not alone in his fears. Many of the journalists I spoke to recently are concerned about what will happen next with freedom of the press. At a time when you can claim that the NSA is under the control of Donald Trump and not be called a liar, anything is possible. Add to this the fact that recent news about the CIA has shown us that almost every encryption system can be cracked with sufficient persistence, and we are on our way to a grim dystopian reality in which you cannot even relax on your sofa in front of your smart TV.
The good news is that you can still get in the way of anyone trying to intercept your emails, messages, or calls.
You can take measures to make life much harder for anyone who wants to uncover your sources and get at the information you have been given. Of course, how much effort you put into protecting your privacy, the anonymity of your source and the security of your information should always be proportionate to the likelihood of a real threat, whether that is hacking or espionage.
“Old-fashioned promises like ‘I won’t reveal the identity of my source and won’t give my notes to third parties’ are worthless unless you do something that can truly protect your digital data,” says Barton Gellman of The Washington Post in an interview with Toni Locy. Gellman’s source, Edward Snowden (a former employee of the US National Security Agency), helped to release information on a number of operations by the NSA and the UK’s Government Communications Headquarters. Locy herself, who covered the American justice system for the AP, The Washington Post and USA Today, and who was accused of contempt of court for refusing to reveal her sources, would probably approve of this.
So, what needs to be done to reliably secure the working materials and sources of a journalist?
In general terms, the tips fall into the following categories:
- Protecting applications and device features – This tactic is known as reducing the “attack surface”. It means limiting the number of installed applications to the required minimum, downloading applications only from reliable sources, choosing applications that require fewer permissions, keeping the system healthy and up to date, and having as many security controls as possible (based on the most relevant expert recommendations, of course) on the device.
- Isolating your devices and/or the environment in which they operate – For example, physically isolating a computer used to work on documents, or using prepaid mobile devices.
- Prudent behaviour in both the virtual and the real world – This has less to do with software than with common sense. For example, never write down the name of a source, especially in applications or documents stored on your computer, and least of all in files stored in the cloud.
2. Communication with the source and protection of confidential information
Let’s start with a list of things you can do when you communicate with a source and store the confidential information you receive from them:
Do not trust the software products of large companies:
Always assume that there are loopholes in the encryption systems of large companies and possibly even in the most popular operating systems (proprietary software, in other words), through which the secret services of the countries where they are made (at least the USA and the UK) can get in. Bruce Schneier, a security expert, explains this point here.
Always encrypt any data:
Security experts use simple maths to make their point: as soon as you raise the cost of decrypting your files (for intelligence agencies such as the NSA, say), you automatically increase the effort that has to be spent on monitoring you. If you are not Chelsea Manning, Julian Assange or Edward Snowden, and are not under active surveillance somewhere near the Trump Tower apartments, they may give up on you even if you store encrypted files. And if someone still decides to track your data despite all your efforts, you will become a real headache for them by using strong encryption such as the Advanced Encryption Standard (AES) and tools such as PGP or OpenVPN, the most reliable encryption methods available (the US government itself uses virtual private networks). But if you need impenetrable protection, you will need something more substantial than AES. Postscript: if you want to know in which year the NSA got access to your data, look here.
Perform full disk encryption:
Do this in case your computer or phone falls into someone else’s hands. You can encrypt the whole disk using FileVault, VeraCrypt or BitLocker. If you leave the computer in sleep mode instead of shutting it down or hibernating it, an attacker can easily bypass this protection. Here you will find detailed instructions from Micah Lee on how to encrypt your laptop.
Avoid talking to sources over the phone:
All telephone companies store data on the phone numbers of the caller and the recipient, as well as the location of the devices at the time the call was made. In the United States and several other countries, these companies are required by law to provide information about the calls registered on their network. What can be done in this case? You should use a secure voice application such as Signal, which has been repeatedly tested for security. Although this means that both you and your source will need to download and install the application, the process takes only a few minutes.
Here is a guide to using this application. To get a feel for it, check how many of your friends who have nothing to do with journalism already use it. Whatever method of communication with the source you choose, never take your cell phone to confidential meetings. Buy a disposable device and find a way to pass its number to the source in advance. The source must also have a disposable secure phone. The authorities can track your movements through the cellular network, and you should do everything possible to make sure it cannot later be established that you were sitting in the same cafe as the source. If you do not follow this rule, all that the local authorities will need to do is ask (politely and legally) for the video from the cafe’s security cameras at the time of your meeting.
Give preference to secure messengers:
Your calls (both by cell phone and landline) can be monitored by law enforcement agencies, and every SMS message is like a postcard: the whole text is visible to anyone who intercepts it. Therefore, use instant messengers that let you call the other party directly: Signal, which was already mentioned above, and Telegram are considered the most secure (although the Telegram and WhatsApp web applications were hacked in the past, those vulnerabilities have since been closed).
Some experts also claim that you can use SMSSecure, Threema and even WhatsApp for this purpose. Generally speaking, the Signal protocol is already implemented in WhatsApp, Facebook Messenger and Google Allo, so conversations made using these services are encrypted. However, unlike Signal and WhatsApp, Google Allo and Facebook Messenger do not encrypt data by default and do not even notify users that conversations are not encrypted from the start, although you can turn on end-to-end encryption in an optional mode. You should also keep in mind that both Facebook Messenger and WhatsApp are owned by Facebook.
Adium and Pidgin are the two most popular instant messaging clients for Mac and Windows that support the OTR (Off the Record) encryption protocol and Tor, the best-encrypted browser on the web, which we will come back to later (see how to connect Tor to Adium here, and to Pidgin here). Naturally, you can also use Tor Messenger directly, which is probably the safest of all.
Two last notes on messaging. First, the information security expert with whom I discussed this said you should always remember that the text may be securely encrypted, but the fact that two specific people are talking to each other right now may not go unnoticed. Second, never forget to delete messages from your phone (although even that may not be enough to hide them from forensic experts), so that they are not exposed if the phone falls into the wrong hands.
Do not use organization chats:
Do not use Slack, Campfire, Skype or Google Hangouts for confidential conversations. These services are easy to break into, and they can be required to hand over private information at the request of a court or to resolve legal issues in the workplace. It is therefore better to avoid them, not only when communicating with a source but also when communicating with colleagues, editors and so on, whenever you need to pass on information received from a source whose identity must remain secret. Many popular VoIP services (for example, Jitsi) have built-in chat features, and several of them offer most of the same features as Skype, so they can be a great replacement.
In extreme cases, try using a Blackphone:
This phone, whose developers aim to provide impenetrable protection for browsing, calls, text messages and emails, is probably the best replacement for a regular phone if you are going to overthrow the government or are preparing to publish secret military information. A bulletproof vest can also come in handy. Alternatively, try to do without a mobile phone, or use an RFID signal-blocking case for it. There is always the possibility that even a crypto phone can be tracked by its IMEI (International Mobile Equipment Identity) number.
Protect data on your computer:
Ordinary passwords are very easy to crack, but it can take years to crack passphrases (random combinations of words). We recommend using secure password managers such as LastPass, 1Password and KeePassX. You will then need to remember only one password instead of several. Even so, for important services (for example, your email), do not rely on password managers; just make sure you remember the password. In an interview with Alastair Reid for journalism.co.uk, Arjen Kamphuis, an information security expert, advised choosing a password of more than 20 characters for encrypting hard drives, protecting email and unlocking laptops. The longer the password, the harder it is to crack … and to remember.
The expert therefore recommends using passphrases for these purposes. “It can be anything, for example, a line from your favourite poem,” says Kamphuis, “or a line written by you at the age of nine that no one knows about.” Reid illustrated this idea with calculations from the Gibson Research Corporation password strength calculator: a randomly generated password like “F53r2GZlYT97uWB0DDQGZn3j2e” seems very strong, and rightly so, since it would take 1.29 hundred billion trillion centuries to try all possible combinations, even with hardware that checks one hundred trillion combinations per second.
Screenshots from GRC.com showing the difference in the strength of the password and the passphrase
As the author emphasizes, the phrase “How clouds are a lonely shadow, I wandered, darkened and quiet …” is much easier to remember, and it is also much more reliable, since the same computing equipment would need 1.24 hundred trillion centuries to iterate over all combinations. The advantage of passphrases is undeniable.
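The arithmetic behind the calculator figures quoted above, as an added example (not code from the article or from GRC). It assumes the calculator models an exhaustive search over every string up to the secret's length; the sample phrase and the 7,776-word list (the size of a Diceware list) are constructed for illustration.

```python
import string

GUESSES_PER_SECOND = 100e12                      # rate quoted in the article
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600

# Character classes and their sizes. Counting the symbol class as the 32 ASCII
# punctuation marks plus the space is an assumption of this sketch.
CLASSES = (
    (frozenset(string.ascii_lowercase), 26),
    (frozenset(string.ascii_uppercase), 26),
    (frozenset(string.digits), 10),
    (frozenset(string.punctuation + " "), 33),
)
MODELLED = frozenset().union(*(chars for chars, _ in CLASSES))

PAGE_PASSWORD = "F53r2GZlYT97uWB0DDQGZn3j2e"     # the password quoted in the article
SAMPLE_PHRASE = "velvet anchor comet prairie lantern drizzle"  # constructed sample


def alphabet_size(secret):
    """Sum the sizes of every character class the secret draws from."""
    used = set(secret)
    if not used or not used <= MODELLED:
        raise ValueError("empty secret or characters outside printable ASCII")
    return sum(size for chars, size in CLASSES if used & chars)


def brute_force_space(secret):
    """Candidates in a character-by-character search: all strings of length 1..len."""
    a = alphabet_size(secret)
    return sum(a ** n for n in range(1, len(secret) + 1))


def wordlist_space(list_size, word_count):
    """Candidates when the attacker knows the phrase is word_count words
    drawn uniformly at random from a list of list_size words."""
    return list_size ** word_count


def centuries_to_exhaust(space, rate=GUESSES_PER_SECOND):
    """Time to try every candidate at the given guess rate, in centuries."""
    return space / rate / SECONDS_PER_CENTURY


def report():
    return {
        "password_by_character": centuries_to_exhaust(brute_force_space(PAGE_PASSWORD)),
        "phrase_by_character": centuries_to_exhaust(brute_force_space(SAMPLE_PHRASE)),
        "phrase_by_word": centuries_to_exhaust(wordlist_space(7776, 6)),
    }


if __name__ == "__main__":
    for label, centuries in report().items():
        print(f"{label:24s}{centuries:.3g} centuries")
```

The per-character figure only applies if an attacker has to search character by character; a phrase built from dictionary words is better measured by the per-word figure, which is why the words should be chosen at random and there should be enough of them.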
Two-step authentication is also a good idea. With ordinary two-step authentication, you log in with your password and receive a second confirmation code, usually in a text message, on your smartphone. You can use a YubiKey or another hardware security key to protect sensitive files on your computer even more reliably. To learn more, read the 7 golden password protection rules.
Set aside a separate computer for checking suspicious files and attachments:
The easiest way to distribute malware and spyware is through USB devices or through attachments and links in emails. It is therefore recommended that you use one physically isolated computer to examine such potentially dangerous files in quarantine. On that computer you can freely use USB devices and download files from the Internet, but do not transfer these files to your work computer and do not use those USB devices on it.
How to purchase a secure computer:
Security expert Arjen Kamphuis advises buying an IBM ThinkPad X60 or X61 released before 2009. These are the only reasonably modern laptops, capable of running fairly modern software, in which the low-level software can be replaced. Another tip is not to buy a computer over the Internet, as it can be intercepted during delivery. Kamphuis advises buying a laptop from a second-hand shop for cash. He also insists that you remove everything the laptop could use to communicate with other devices: Ethernet, modem, Wi-Fi and Bluetooth. I know security experts who do not trust such computers.
ThinkPad X60. Do not buy this model in online stores
Educate your sources:
There is always a chance that by the time you receive exclusive and valuable information, it will be too late. Your source may have made every possible mistake and left a trail of evidence behind. You should not only protect the data you hold but also make every effort to teach your sources how to hide it: how to store information safely and how to communicate securely using secure devices. Most people have no idea how to handle confidential information. Few sources who try to get in touch with you will have a clear idea of what they are up against.
Use a secure, dedicated system to transfer documents:
Replace Dropbox or Google Drive with something less popular and more secure. For example, SecureDrop is a dedicated system where you can receive messages from anonymous sources and safely view and scan the files they send. Edward Snowden called Dropbox an “enemy of privacy” and advised using SpiderOak instead. OnionShare is another free service for transferring files simply and anonymously.
Do not record the names of sources, their initials, phone numbers, email addresses or messenger user names on a laptop, in calendars or in the contact list of your mobile phone, and least of all on a computer or in cloud storage. Just never do that.
On the way to confidential meetings, do not use public transport, and advise your source to do the same. Do not meet in places such as modern shopping and entertainment centres, where cameras follow you everywhere.
How not to get into social networks?
Some people prefer to approach the issue of anonymity radically. If for some reason you need to disappear from the face of the earth without leaving an overly detailed profile in each of the possible social networks, delete your accounts completely and irrevocably. This is not the same as “deactivating” them, because in this case all the information is saved, and the profile itself can be reactivated.
Make friends with hackers:
This will help you avoid fatal mistakes, save time and nerves, and keep you up to date on the technological arms race.
Methods of payment:
Pay in cash, always and everywhere, and consider switching to bitcoins. You need to buy them anonymously (use this Business Insider guide for that), and if someone at the other end is ready to accept it, use the Darkcoin payment system. A prepaid bank card obtained from an online store is also an option.
When making notes on paper, be prudent:
If you jotted down some information on a piece of paper (in prehistoric times our ancestors called it a “note”), destroy it. And do not forget the crumpled one at the very bottom of your pocket. Yes, the one stuck to the chewing gum.
3. How to maintain journalist anonymity on the Internet?
In addition to protecting your communication with your source and closing the vulnerabilities that could lead to theft of the confidential information you hold, you should also take care not to be tracked while browsing websites. The history of your queries may reveal or hint at the topic you are working on or, even worse, hint at the identity of your source or reveal it completely. Here are the golden rules for using the Internet safely; in the next chapter I’ll show you how to protect your email account:
Using the Internet in incognito mode:
There are two main ways to remain anonymous while you are online. The first, simplest and most popular, but still not reliable enough, is to work in incognito mode, which most browsers offer. In this mode the history of your requests is not saved, and the main tracking technologies used by advertisers, such as tracking cookies, are blocked, which prevents them from compiling a detailed profile of your activity. However, this is more of a courtesy than real anonymity: the mode can hide your history from family members who have access to your computer, but your IP address can still be tracked, and information about the sites you visited is still available to your provider.
Use alternative Internet browsers:
Browsers such as Dooble, Comodo Dragon or SRWare Iron provide anonymity to the user but are functionally limited. To some extent, you can ensure your anonymity when working with these browsers simply by deleting cookies, snippets of code that are downloaded to your system when you visit sites and then track your activity and sometimes even the type of content you consume. Another way to preserve anonymity is to disable location tracking in the browser settings and to turn on the various features aimed at anonymity. To check whether you have disabled cookies, you can use the CCleaner application, which also handles Flash cookies. None of these browsers is fully encrypted, however. The only browser that provides complete anonymity is Tor. Yes, it is ugly and slow. But it protects you and your sources. In the next section, I will describe this browser in detail.
This “notorious” browser, developed by the US Navy, lets you work on a hidden network, communicate privately and visit websites anonymously. The browser can be downloaded from Torproject.org; with it, your activity on the Internet is very difficult to track, and the government or your provider will have to sweat to determine your location. The only drawback is that the browser is at times very slow and rather cumbersome, but that is only because Tor connects through three randomly selected encrypted relays around the world before giving you access to the desired site. Also, keep in mind that even your neighbour may be a dubious person. In addition to Tor, you can download Whonix, a secure operating system whose priority is user anonymity. It serves as a kind of checkpoint for Tor and allows connections to sites and users only through Tor. However, the most popular OS for Tor is Tails (The Amnesic Incognito Live System). Tails can be started from a USB stick or DVD. This OS anonymizes all data. Edward Snowden is said to be a fan of this software. Qubes is another OS that works with Whonix, and Snowden recommends it.
Alternative search engines.
The most popular search engine (Google) saves the history of your queries to personalize the results. To disable this personalization, click Tools > All Results > Exact Match (under the search bar). Or log in to your Google account at www.google.com/history, find the list of your previous queries and remove the ones you want by clicking the “Delete” button.
DuckDuckGo: a search engine that does not store your data
To be completely sure that you are not being followed, it is better to use a search engine like DuckDuckGo. If you find it hard to give up Google, download Searchlinkfix so that at least you do not have to worry about URL trackers.
Direct processing of short-term computer memory:
Another way to avoid having your network activity monitored is to delete the DNS (domain name system) cache. This can be done with simple commands in the operating system. Rebooting the router, which sometimes has a DNS cache of its own, or rebooting the computer also clears the corresponding DNS cache.
Avoid HTML Web Storage:
The Web Storage feature is built into HTML5, and unlike cookies, the information stored in it cannot be monitored or selectively deleted. Web storage is enabled by default, so if you use Internet Explorer or Firefox, just turn it off. For Chrome, you can use an extension that deletes the stored information automatically.
Work with VPN:
As I mentioned above, your provider can track the sites you visit, and anyone who wants to spy on you can also intercept your correspondence. To protect all incoming and outgoing data, it is important to learn how to work with VPN services (detailed instructions are here). Virtual private networks encrypt all your data so that even your provider, the intelligence services or plain hackers hanging around the Wi-Fi access point of your favourite coffee shop cannot find out who you sent an email to, what service you used to do it, and so on.
VPN services are often used by people who, for example, want to see the full Netflix catalogue from outside the United States; but be careful: not all VPNs are suitable for journalists. A VPN for a journalist does not have to be the fastest or have the best support, but it must adhere to a “no-logs” policy; only then will it be impossible to determine who you are, which sites you visit, and so on. A secure VPN must belong to a company that is not based in one of the “14 Eyes” countries, where intelligence agencies are allowed to collect and share information, first and foremost in the United States. That is why VPN companies located in the countries of the former USSR are preferable.
In the courts of these countries it is not so easy to obtain an order for the release of information collected by local companies, whether it concerns the country’s own citizens or foreigners. Here is a list of 5 VPN services that care most about user anonymity and are located outside the 14 Eyes countries. By the way, even if governments actively hunt for traffic carried inside a VPN, you can use stealth VPNs such as TorGuard to counter this kind of interference, whether it is censorship or just spying on you. Tor and VPNs will give you reliable protection when someone tries to get hold of the history of your requests to find out more about you.
Eliminate DNS leaks:
Using a VPN does not mean that you are fully protected, because DNS traffic can give away who you are. The test at DNSLeakTest.com will detect such leaks. If the test shows that the DNS server belongs to your VPN, you can relax. If it turns out that the DNS server belongs to your ISP, you are not anonymous. Read here what you can do in this case.
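A local complement to the online test described above, as an added example that is not from the article: it reads a resolver configuration in `/etc/resolv.conf` format and flags every DNS server that lies outside the range the VPN is expected to hand out. The sample file, the VPN range `10.8.0.0/24` and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample of /etc/resolv.conf contents while a VPN is connected.
SAMPLE_RESOLV_CONF = """\
# generated by the network manager (constructed sample)
search lan
nameserver 10.8.0.1
nameserver 192.0.2.53
nameserver 127.0.0.53
nameserver not-an-ip
"""

# Assumption: the VPN provider hands out resolvers inside this range.
VPN_DNS_NETWORKS = ["10.8.0.0/24"]


def parse_nameservers(text):
    """Return the IP addresses of all well-formed 'nameserver' lines."""
    servers = []
    for raw in text.splitlines():
        # Drop comments, then split the remainder into fields.
        fields = raw.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue
        try:
            # Strip an IPv6 zone suffix such as %eth0 before parsing.
            servers.append(ipaddress.ip_address(fields[1].split("%", 1)[0]))
        except ValueError:
            continue  # malformed entry; the system resolver would not use it either
    return servers


def classify_resolvers(text, vpn_networks=VPN_DNS_NETWORKS):
    """Sort configured resolvers into VPN-provided, local stub, and leaking."""
    nets = [ipaddress.ip_network(n) for n in vpn_networks]
    result = {"vpn": [], "local_stub": [], "leak": []}
    for ip in parse_nameservers(text):
        if ip.is_loopback:
            # A local stub (for example 127.0.0.53) forwards elsewhere, so its
            # upstream servers still have to be checked separately.
            result["local_stub"].append(str(ip))
        elif any(ip.version == net.version and ip in net for net in nets):
            result["vpn"].append(str(ip))
        else:
            result["leak"].append(str(ip))
    return result


def leaks(text, vpn_networks=VPN_DNS_NETWORKS):
    """Resolvers that would receive queries outside the VPN."""
    return classify_resolvers(text, vpn_networks)["leak"]


if __name__ == "__main__":
    print(classify_resolvers(SAMPLE_RESOLV_CONF))
```

This inspects configuration only; the online test remains the end-to-end check of which resolver actually answers.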
A virtual machine is a very useful and clever trick. It is a second (but virtual) computer that runs as an application on your operating system. You can download files and follow links in it just as you would on the isolated computer I wrote about earlier, so your own computer is less exposed to malware and spyware of all kinds. Virtualization software such as VirtualBox must be run on a secure operating system. After the file is downloaded, the virtual machine’s Internet connection is cut; when you have finished working with the file, you need to delete it. Depending on which people or organizations you are up against, you may need to delete the virtual machine as well.
HMA proxy server. I will hide your proxy if you hide mine
As with a virtual machine, all activity is moved to another “place”, which protects you from snooping and other attacks. A proxy replaces your IP address with its own, which can send anyone tracking you down a false trail, for example by making them think you are in another country. HideMyAss.com/proxy, Psiphon (open source) and JonDonym provide such services. Some experts believe that these services should be used together with a VPN and/or Tor for more reliable protection. Other experts I spoke to say that if you are working on the Tor network, you are in any case as protected as you can be.
Three additional types of extensions that can enhance your security.
The two most famous extensions of this type are ScriptSafe and NoScript. The third option is the Ghostery browser extension. It shows which of 2,000 companies are monitoring your activity and lets you block unwanted observers from this list. The option is nice, but you probably won’t be able to block the NSA this way. The Privacy Badger project developed by the EFF works similarly.
4. How to protect your email? (for journalists)
How can we better protect our email? The problem of email confidentiality is even more acute: Google and Microsoft are likely simply to hand over your emails to government agencies if asked. What can be done about it?
The easiest solution for anyone using popular email services such as Yahoo and Google is to install the Mailvelope plugin. Make sure that the person at the “other end of the wire” does so too. This extension simply encrypts and decrypts emails. SecureGmail, a similar but less capable extension for Gmail, works the same way. Messages passing through the plugin are encrypted, and Google cannot decrypt them. You can also use a simple extension for Firefox, Encrypted Communication. Here you will need to come up with a password that the recipient knows, but remember that you must never send passwords by email!
Secure mail domains:
Hushmail is an example of an email service with a higher level of security than most of the popular services you use. Nevertheless, with a court order the US government can oblige this service too to hand over users’ private emails, and it does keep records of IP addresses! Another email service with similar features and a similar level of security is Kolab Now, which among its other advantages stands out for storing all data exclusively in Switzerland.
Disposable email addresses:
A disposable address is an email account created for one specific purpose; it is completely anonymous and is deleted immediately after use. This solution is widely used by people who register with various services and do not want to receive spam, and it also helps to maintain anonymity. However, I would not advise reporters to communicate with sources this way, since the security is not up to par. There are dozens of such email services, but the British newspaper The Guardian, for example, recommends only Guerrilla Mail and Mailinator. If you use Guerrilla Mail in the Tor browser, even the service itself cannot link your IP address to your email address. Likewise, if you use email encryption software such as GnuPG together with the Tor browser, you are safe. So let’s talk a bit about email encryption.
How to encrypt your mail?
Ebox published recommendations from Micah Lee, a privacy technologist who has worked with the EFF and First Look Media (here is his interview with Edward Snowden): encrypting email messages can be quite difficult. Often a user needs to copy the message and paste it into a text box, and then use PGP to encrypt or decrypt it (PGP, “Pretty Good Privacy”, is an encryption program that can encrypt and authenticate data). That is why Lee suggests a different email setup: an email service where user privacy is a priority, for example Riseup.net, together with the Mozilla Thunderbird email application, the Enigmail encryption plugin, and another plugin, TorBirdy, which routes messages through Tor.
As Reid notes in his interview with Kamphuis for journalism.co.uk, Greenwald nearly lost his NSA story because he initially ignored all of Snowden’s email encryption instructions. In other words, if you want to write a story that goes down in history, it is wise to follow the security rules. Kamphuis agrees that PGP can be trusted. He and Reid explain it this way: when you start working with PGP, you get a public key (like your phone number, which everyone knows) and a private key. The public key can be posted on your Twitter profile, printed on business cards, listed on websites and generally put wherever your work is published, but the private key must be kept safe, like other confidential information.
Then, when a source wants to share information with you, they use your public key to encrypt the message, and only you can decrypt it, using your private key. Kamphuis also recommends the open-source version of PGP, GNU Privacy Guard. It is easy to install and has an active support community. To learn more about encrypting files, data and hard drives, read his free e-book, written jointly with Silkie Carlo and published by the Centre for Investigative Journalism (CIJ); it describes the whole process in detail. If you just want to encrypt a message regardless of the email service, a good option is to create a password-protected zip archive, and 7-Zip will help you with this.
Once again about common truths:
Yes, I know, this point again concerns security for “beginners”, but try not to fall for phishing. Make sure that the sender’s name in the From field of an incoming email is spelled exactly right (no typos or other inaccuracies), because someone may be trying to pass themselves off as a person you know.
And a last few words about email encryption. One really serious issue to keep in mind is that even after you have encrypted a message, not all of the data is encrypted. The email addresses of the sender and recipient, the subject line, and the time and date the email was sent all remain visible. Only the message body and the attachments are encrypted.
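The From-field check recommended above can be partly automated. The sketch below is an added example, not from the article: it compares an incoming From header with an address book and flags near-miss addresses and reused display names. The contacts, addresses and verdict labels are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed address book: address -> display name (hypothetical contacts).
KNOWN_CONTACTS = {
    "jane.roe@example.org": "Jane Roe",
    "editor@newsroom.example": "Night Desk",
}


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(
                prev[j] + 1,               # delete a character from a
                cur[j - 1] + 1,            # insert a character into a
                prev[j - 1] + (ca != cb),  # substitute, free if equal
            ))
        prev = cur
    return prev[-1]


def check_sender(from_header, contacts=KNOWN_CONTACTS, max_distance=2):
    """Classify a From header against the address book.

    'known' only means the address string matches a contact. The header is
    trivially forgeable, so it does not prove who sent the message.
    """
    name, address = parseaddr(from_header)
    address = address.lower()
    name = " ".join(name.split()).lower()
    if "@" not in address:
        return "malformed"
    if address in contacts:
        return "known"
    # One or two characters away from a real contact: a typo-style imitation
    # such as 'rn' standing in for 'm'.
    for known_address in contacts:
        if edit_distance(address, known_address) <= max_distance:
            return "lookalike-address"
    # A familiar display name attached to an unrelated address.
    if name and name in {n.lower() for n in contacts.values()}:
        return "display-name-reuse"
    return "unknown"


if __name__ == "__main__":
    for header in (
        "Jane Roe <jane.roe@example.org>",
        "Jane Roe <jane.roe@exarnple.org>",
        '"Jane Roe" <jroe.private@mail.example.net>',
        "Sam Poe <sam.poe@example.com>",
    ):
        print(f"{check_sender(header):20s}{header}")
```

Anything other than `known` deserves a second look before a link is opened or a reply is sent, and even `known` is only as trustworthy as the header itself; a valid PGP signature is the stronger check.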
Here I will talk about the most radical tips that I came across when I wrote this e-book.
As Micah Lee said in an interview on privacy for EBox: “If your computer is hacked, the game is over. Creating a virtual sandbox for the servers through which you communicate is a good way to protect the rest of the system. Tor is truly an outstanding network that will hide your identity on the network, but if your interlocutor compromises himself, your anonymity will also be in jeopardy. If you need to remain anonymous, you must try to protect yourself.”
Journalist Toni Locy describes the problem even more sharply in an article for Harvard’s Nieman Foundation, published in an e-book on the future of international investigative journalism: “Some journalists, computer scientists and lawyers specializing in protecting personal information are so excited that they advise reporters to stick to the old-school methodologies … and rely on private interviews and traditional snail mail.”
I hope that my work has helped people of certain professional circles and others to get some idea of what needs to be done to protect themselves and sources in this turbulent time.