Under certain circumstances, journalists may need to stay anonymous online to protect themselves and their sources. In this article, Reporters Without Borders (RSF) breaks down tools they can use to browse the internet and communicate privately.
The data trail a person leaves on the internet is linked to their identity and can compromise their privacy. Under certain circumstances, journalists therefore may need to stay anonymous to protect themselves and their sources. They cannot limit themselves to a single tool and must instead employ a combination of resources and behaviours in order to operate under the radar.
Several types of data may compromise a user’s anonymity online, namely: their IP address, provided by an internet service provider, which identifies a device connected to a computer network; system “fingerprints” (software version, language, hardware information or screen size); account information, including email addresses, telephone numbers and bank information given when signing up for accounts or services; and basically every piece of information posted online or written in unencrypted messages, such as texts, photos or metadata.
- Encrypted messaging apps. Apps like Signal, Telegram and Session use end-to-end encryption to protect the content of private messages from ISPs and other entities. However, some encrypted apps like WhatsApp collect and store user metadata, leaving one’s security vulnerable. Element is a unique alternative to other popular encrypted messaging apps, as it stores all its data on a personal server that uses a decentralised framework.
- VPNs. A Virtual Private Network (VPN) hides a user’s internet traffic and metadata from ISPs. Journalists must always have their VPNs switched on, especially if they are using public wifi. Some VPN services – especially free VPNs – might store user data, so journalists are encouraged to conduct sufficient research before choosing their VPN.
- Tor network. The Onion Router (Tor) is an encrypted internet network that offers stronger overall protection for anonymous browsing and communication. Since the network is decentralised, it does not have to abide by a single country’s laws and is less vulnerable to third-party attacks. Tor can be accessed using the Tor browser, but it should still be used in combination with other anonymisation services.
Key questions to pick anonymisation tools
- Is the product open source? Open source means that the code of a programme is publicly available. Open Source tools are beneficial because experts constantly review the code and improve it. The opposite is “Closed source,” meaning that no one but the developer can review or edit it, which makes it more vulnerable to security breaches and malicious code lines.
- Does the product have an active user base? The broader the user base of an anonymisation tool, the harder it is to identify a particular user, as their identity is blended into the pool of every other person using the product.
- Is the product actively developed? Anonymisation tools contain bugs and vulnerabilities that adversaries might use to find users’ identities. If the product is not actively developed, vulnerabilities might not be addressed.
- Does the service store user data? “The most secure data is data that does not exist.” It is important that an anonymisation tool does not store user data such as log files, which are at risk of being stolen, or handed to governments, depending on where the service is based.
For more information, see our digital resource catalogue for a comprehensive list of recommended digital security services and their limitations.
Test your knowledge about anonymisation here.