There are considerable security risks for a journalist or blogger who uses the Internet, a smartphone or a satellite phone in a war zone or under a repressive regime. The data that you transmit may be used to locate you and thus put you in danger. Your files and your communications may be intercepted, compromising your sources. For this reason, it is essential to take precautions regarding digital security.
The following guidelines, which apply to your computer and smartphone, are not intended to be exhaustive. Reporters Without Borders organises regular training sessions on digital safety and offers free tutorials at wiki.rsf.org and http://slides. rsf.org.
1. HAVE A GOOD CLEAR-OUT BEFORE YOU LEAVE
Rule 1: Have as “clean” a digital ID as you can.
If you are intercepted or taken hostage, everything about you on the Internet or on you computer may be used against you and put others around you in danger. Do some cleaning, particularly on social media – remove photos and comments on politics or religion that could be damaging if taken out of context. Use high-level privacy settings in order to restrict what is publicly accessible about you, including your networks, stories and photos, and on your Facebook profile, consider replacing your real ID with a nickname.
Back up your hard disk and leave a copy at home. Reformat your computer, i.e. permanently wipe all the data. If you don’t know how to do this, install a new disk and leave the old one at home. Then all you need to do is install the operating system and all traces of your previous activity will have been removed.
NB:
- If you merely delete all your files, they can still be found easily on your computer.
- Do the same with your smartphone, whether Android or iPhone, which these days behave like a computer. Back up the content on another medium, which you can leave behind, and restore the phone to its factory settings.
Rule 2: On this clean slate, install your digital safety tools.
Carry out all recommended updates so that your operating system, browser and your anti-virus software (such as ClamXav, ClamTk, Avast, MSE, McAfee or Norton) are as secure as possible when you set off. Turn on the firewall. You are strongly advised not to carry out any updates once you are in the field because of the risk of inadvertently downloading malicious software or spyware.
Encrypt your entire hard disk, using FileVault for Mac, or TrueCrypt or BitLocker for Windows. This is essential to protect your data. Using a password each time you log in will reduce the chances of opportunistic surveillance, but a more determined hacker will be able to take control of your disk and unlock it.
Lock you sessions and strengthen your passwords. Prefer longer “pass phrases”, combining random words that can be easily memorised but could not be easily deciphered by software. For example: “spider in pyjamas knitting bandanas”. NB: it is advisable to use different pass phrases for different applications. If necessary, use a password manager such as LastPass, 1Password or KeyPass.
Install a Virtual Private Network (VPN) that will encrypt your Internet connections. This means they cannot be read by anyone else, making them secure against interception or hacking and will allow you to access sites that are blocked or censored in the country you are visiting. Reporters Without Borders, with help from French Data Network, a French non-profit organisation, has its own VPN server, which is available, free of charge to journalists and netizens who request it.
NB: never connect to a Wi-Fi network without VPN.
Install the Tor Browser, which will allow you to browse sensitive sites anonymously via an encrypted Internet connection. It can be used with VPN.
Install cryptographic software and applications that you can use on assignment to encrypt emails, chat and SMS messages, making them indecipherable to anyone except the sender and recipient:
- Email: Thunderbird or Enigmail
- Instant messaging: OTR, CryptoCat, Pidgin, Adium
- Phone calls or online video: Firefox Hello or Qtox (more secure that Skype, whose data can theoretically be decrypted by Microsoft)
Note that those you communicate with must use the same tools for them to work. Familiarise yourself with a range of simple cryptographic tools and also encourage your sources to encrypt their messages. Examples are CryptoCat or Zerobin.
Rule 3: Know the risks and keep your activities separate.
Computer experts note that is has become almost impossible for non-professionals to secure their data permanently and it would be counter-productive to encrypt all one’s communications, as this might in fact attract the attention of some authorities. A more pragmatic approach would be to find some private space to allow you to carry out sensitive activities discreetly. You will have to decide which data you particularly want to protect and take targeted and effective action. Ask yourself these questions:
- What are the critical data that I want to protect as a priority?
- Who would want to get their hands on them and why?
- What steps can I take to protect them?
- If this fails, what would be the consequences?
- If anything goes wrong, how can I delete the data and limit the damage?
Once you have identified the risks, keep your activities – professional, personal, highly sensitive – separate on different devices and numbers and in different mailboxes in order to avoid possible links between them and better protect your data. Some examples:
- To contact a sensitive source, you could use a prepaid mobile phone, which cannot be put under surveillance and which you use rarely and briefly, away from your usual haunts.
- You could also create an email address to connect with a sensitive contact, via a secure and encrypted browser session, and specifically encrypt your communications with them. In parallel, you should continue normal, unencrypted activity using your normal mailbox for innocuous correspondence, in order not to generate a suspicious volume of encrypted messages.
- With your newsdesk and your key contacts, you could also agree on certain code messages to impart news or sound the alarm if you are encountering difficulties.
2. IN THE FIELD, BE CAUTIOUS AND DISCREET
You’ve set off with little information about yourself and plenty of digital safety tools ready for use. Throughout your mission, caution and discretion are your best allies.
Rule 1: Watch out for prying eyes.
Avoid working with your back to a window. Put a privacy filter over your screen, which restricts lateral vision and prevents those sitting next to you from seeing what you are looking at.
As far as possible, keep your equipment with you. Never leave your laptop in your hotel room when you go down to breakfast, for example. If you are working in an Internet café or using a shared computer:
- Remember to log off from your email or social network account.
- Erase your browser history, as well as cookies and any information you have entered in forms (or activate “private browsing”).
Rule 2: Be wary of smartphones.
- In the field, carry a basic phone with a local prepaid SIM card that has only a few contacts and info:
- If you enter any contacts, make sure you do so on the SIM card and not in the phone’s memory. It’s easier to destroy a SIM card than a phone, if you have to.
- To protect your contacts, use nicknames in the directory or even disguise numbers by leaving out some digits or entering them back-to-front.
- Erase your call and message logs as often as possible.
- Take extra SIM cards, especially when covering demonstrations, if you think there’s a chance they may be confiscated.
A smartphone can be treacherous. It constantly emits large amounts of data to enable it to connect to mobile networks and the Internet, which can easily be used to locate you. If it falls into unknown hands, even for just a few minutes at a checkpoint or customs post, malicious software can be installed which can transform it into a bugging device. This can make it your worst enemy.
When you are travelling with a smartphone, turn off Wi-Fi, Bluetooth and the geolocation features of your applications, or switch to airplane mode in order to reduce the risk of surveillance. If you are going to a critical meeting, leave your phone behind or turn it off and remove the battery BEFORE you go to that meeting.
A smartphone is often chock-full of data about you. Bear in mind that, if you are abducted, and your smartphone is confiscated, all the information on it, such as photos, contacts, browsing and call history may be used against you or could put other people in danger.
Rule 3: Use a secure method to communicate with your newsdesk.
Exercise the greatest care when sending stories, videos, or travel information to the newsdesk.
Assess the risks: sometimes it is wiser to wait until you leave a highrisk area before sending any sensitive information. In other cases, it may be better to share the info quickly then delete it from your equipment immediately to avoid problems if it is seized.
Be very brief: It is increasingly easy to determine where a call or an Internet connection is being made, whether from a cell phone or a smartphone. A satellite connection can also be quickly triangulated by the military. Moreover, a satellite phone is easily recognisable and is seen as a typical tool of war reporters. Keep it hidden and use an earpiece, only turn it on outdoors or in a location that you can vacate easily. Be very brief – ideally less than a minute – and do not make more than one call from the same location. Switch it off and remove the battery after each use.
Encrypt your emails. The program Pretty Good Privacy (PGP), among others, allows email content to be encrypted before it is transmitted via the Internet. It works on the principle that the person who installs PGP has two encryption keys: a public one consisting of a unique padlock that the sender closes when sending the encrypted email, and a private one, which the recipient uses to open and decrypt the email. Before using PGP, you must obtain your own pair of keys as well as the public keys of your contacts.
Watch out for metadata: the addresses of the sender and recipient, the time stamp and the subject line are rarely encrypted. Be careful that these don’t give you away.
A tip: make your message appear to be spam, for example giving it the heading “Miracle Diet Offer”.
Rule 4: Exchange messages securely with your sources.
To exchange messages discreetly with someone, use a ”dead drop”, a mailbox to which both you and your source have the password. You communicate by leaving draft messages there, without sending them via the server. You and your sources could also use an anonymous mailer or a disposable email address. There are also other encryption tools that are simple to use, which you could encourage your sources to use for encrypted exchanges:
- Cryptocat, an application that you install on your browser, immediately encrypts conversations end-to-end and deletes them immediately afterwards. You don’t need an email address to use it – a nickname and a chat name are sufficient.
- Privnote and ZeroBin are sites that create URLs linked to encrypted messages that self-destruct after they are read. Easy to install and designed for those who don’t want to install anything on their own computer. You just need a means to send the encrypted message, by email or chat, for example.
- Firefox Hello, a feature of the Firefox and Chrome browsers, which allow encrypted video conversations.
3. EXTREME CONDITIONS OR INTERCEPTION
In the heat of the action, for example during a conflict or demonstration, your goals are to stay safe and to send your story. These may turn out to be conflicting. Using a network, GPS or satellite connection may give away your position and be a source of danger. You should be aware of the risks of the various means of communication and know how to circumvent them while protecting your material.
Rule 1: Learn how to do without your phone.
Favour face-to-face meetings and make sure you are not followed. Bear in mind that if the meeting has been arranged by phone or email, it may be compromised. Remove the smart card and battery from your phone before setting off, or before meeting a sensitive source. This is the only way to make sure that your phone can’t be used to monitor or locate you. Switching it off or setting it to airplane mode is not sufficient. Be aware also that nowadays it is not possible to remove the battery from an iPhone without special tools – and patience – so consider leaving it behind.
Rule 2: Save your skin as well as your data.
If your main priority is to get your story out, you can film or broadcast live without keeping anything, in case you are arrested, using lives streaming on YouTube or Bambuser (widely used during the Arab Spring).
If your main priority is your own safety, and you can wait to send your story, keep your data hidden in different places, or give it to a trusted third party. Keep some innocuous memory cards that you can (reluctantly) allow to be confiscated. These should contain some content in order to be credible.
If you are under threat and in a position to do so, destroy the smart card of your mobile phone and delete sensitive data from your laptop:
- Amnesty International has developed a “panic button” for Android phones, which can be pressed to warn key contacts of anything that might endanger the safety of yourself and/or your data, for example if you are arrested or abducted. These contacts will be able to locate you and, depending on the emergency arrangements you have made in advance, delete sensitive data or change your passwords on your behalf.
- An iPhone can be configured so that all its data is deleted after a certain number of unsuccessful attempts to unlock it (see privacy settings).
Rule 3: Keep some ultra-secure space for sensitive activities. For your most sensitive activities, use an ultra-secure encrypted operating system, such as Tails. It operates as a live system and is stored on a removable medium, which leaves no trace of your activities once it has been ejected from your computer. The operating system can be copied easily and distributed to your contacts. It is stored on a USB stick or a memory card, which is inserted into the computer. The device is then restarted using Tails as the operating system. All communications via Tails are encrypted and sent over the Tor network. By default the system is “amnesic” and retains no data from one session to another, leaving no trace of your activities, although you can activate a function (persistence) to encrypt and save files for future use.
If you face an imminent threat, all you need to do is eject the USB stick or the card and hide it, and your computer will retain no trace of your activities in this “parallel” space.