Digital Security
for Journalists
(and Activists, Govt. Officials, etc.)
Pranesh Prakash
Policy Director (and Resident Geek)
Centre for Internet & Society
CC-BY-SA 4.0
(copy, share, adapt: sharing is caring)
no proprietary software or standards were used in the making of this slideshow
Journalists & Activists
Source Confidentiality Matters.
Sources trust you: you owe them a duty
So you need to protect information on who you're communicating with.
Often, no legal protection.
Journalists & Activists
Confidentiality of internal communications matters.
Investigative journalism is impossible otherwise.
Your communications with your editor, with colleagues.
(Imagine the Panama Paper leaks)
Journalists & Activists
Confidentiality of Research Matters.
Again, investigative journalism is impossible otherwise.
But sometimes the information is in the public, so this may not be true in your case.
Your requirements may vary with time, with project, with story.
Digital Security (OPSEC)
"Threat Model"
(i.e., why asking "Is Gmail/Facebook/WhatsApp secure?" is not a sensible question.)
What are you protecting?
Whom are you protecting yourself against?
What capabilities does the adversary have?
What do you hope to achieve?
(e.g., preventing the snooping or simply to make it tougher?)
(e.g., confidentiality of communications, or anonymity?)
To what lengths are you willing to go?
Trade-offs: Convenience vs. Privacy/Security
Threats
Data in Transit vs. Data at Rest
(most of this workshop will focus on former)
Casual vs. Employers vs. Police vs. Intelligence Agency vs. NSA/GCHQ
Access to device vs. Access to network vs.
Access to intermediaries
To what lengths are you willing to go?
At Stake
Identities
Communicated Information
Secondary Research + Stored Data
It depends. But potentially:
Location + IP Address + E-mail address (& Subject) + Phone number + MAC ID + IMEI, etc. + URLs (DNS + HTTP) + Timestamps + correlation
cleartexts
(from Telco, ISPs, WiFi hotspot/OTA, web service, MITM, etc.)
What all can they have access to?
Your phone is a surveillance device
Your ISP is a surveillance provider
FB/Google are spyware
Privacy comes at a cost
(usually at the cost of convenience, but sometimes at the cost of security or of privacy too)
Solution?
No one simple solution!
Think about your security practices.
Encourage at-risk sources, colleagues to be security-conscious (and not just wrt tech!)
Also: Use phone calls and SMS (and your phone, even if just for Internet) as little as possible in sensitive matters. It is much harder to communicate anonymously using your phone.
Realize that security technologies are tools and not solutions.
Tech Solution?
Good Hygiene
{Traffic, End-to-End, Device-Level} Encryption
Free/Open Source Software
Open Standards
Decentralized Solutions
Federated Networks
Non-Solution?
For end-to-end encryption (meaning the decryption happens at your/the source's end, and the intermediary can't read it), the source will also have to be using the same encryption as you, and potentially the same software.
This means this won't happen. So generally, you'll need to figure out what the source is comfortable doing, what their security risks are, and how best to secure your communications with them. It's always a trade-off.
Security is not only about "ultra-secure" tools, but about applying the best practices to a given circumstance. Many times the tools may not befit the circumstances.
Don't fetishize the tools. They're just tools.
Commonly Used + Insecure
Communication Protocols / Apps
- Mobile + Landline Calls (v. weak)
- SMS (v. weak)
- Email (from v. weak to not strong)
- Signal + WhatsApp + Wechat + Skype + Twitter + FB Messenger, etc. (from okay to not v. strong)
There is no magic bullet!
What's "good"/"secure" depends on your needs.
SMS
No way to really secure. (Metadata always leaks.)
Instead use data or use coded language.
Alternative:
Silence (SMS, Android-only - Metadata still leaks)
If you have data connectivity, other alternatives exist: XMPP (Conversations, Android: Play Store + F-Droid), Signal (Android, iPhone), WhatsApp, etc.
For average needs: Use WhatsApp
(since all your non-anonymous sources/correspondents already do)
Phone Calls
No way to truly secure. (Metadata always leaks to telco.)
(For 2G, only Airtel & Tata DoCoMo use even weak encryption. Also SS7 attacks!)
Instead use data or coded language.
Alternative:
1. WhatsApp (multi-platform, call quality is good)
or
2. WebRTC
(free providers like meet.jit.si / appear.in)
IM/Chat + Files
WhatsApp (since Dec. 2015 supports file transfer)
or:
Other options: XMPP App (w/ OMEMO) + XMPP Provider
Modern apps: Conversations (Android), ChatSecure (iOS), Dino (Windows, Linux), Dino (Mac OS X)
Provider: Jabber.at / Yax.im /
(or ask me for the service I maintain)
E-mail + Attachments
Use something other than e-mail (since metadata leaks)
For press orgs: GlobaLeaks / SecureDrop
Else: E-mail Provider + E-mail Client + Autocrypt
Provider: Riseup.net / ProtonMail
(downside: painting-target-on-your-back)
Client: Thunderbird + Enigmail / Claws + Claws GPG plugin / K-9 (Android)
OpenPGP using GnuPG: built-in (Linux), GPG4Win (Windows), GPGTools (Mac OS X), OpenKeychain (Android)
Sharing/Publishing Files
Scrub the "metadata" if the source is sensitive.
Just as you redact a document to protect sources / sensitive information, you need to "redact" metadata too.
Metadata and other embedded data in files (jpg, pdf, mp3, docx, etc.) you upload can lead directly to your source.
NSA whistleblower Reality Winner was doxxed because the Intercept didn't take care to remove printer "microdots"!
OpenNews's guide to removing metadata
Mat2 is a tool that can strip most (not all) metadata.
Skype (video/voice/desktop)
WebRTC
It just works.
Anonymity
Keep your identities separate!
Compartmentalize using
- Separate devices (never on together in the same place!)
- Separate internet connections / phone numbers
- Separate OSes and browsers
- Separate accounts (e-mail, social network, etc)
Weak anonymity is easy. Strong anonymity is difficult. Truly untraceable anonymity if a well-resourced police department or intelligence agency is after you: next to impossible.
For a good guide to paranoia and tradecraft, read the grugq's blog, esp. this presentation.
Transport Security + Anonymity
Against ISP / WiFi
- Encrypted Proxy Service ("VPN") (weak anonymity, security till VPN, so hides content from ISP but is not end-to-end)
  - RiseUp VPN, ProtonVPN, etc.
  - Complex / software-only, i.e., not a service: WireGuard (Linux-only, using your own provider), Tailscale, etc.
- Anonymizing Networks (Tor / I2P) (very strong anonymity, hides content from ISP, but security is not end-to-end & traffic data is transparent)
  - Tor Browser Bundle (Linux+OSX+Win) / Orbot+Tor Browser (Android)
  - TAILS / Whonix / Qubes OS / Subgraph OS
General Hygiene
- Set a lock-screen with a passcode!
- Use Free and Open Source Software
  - Linux (even my parents find Ubuntu easy to use)
    - If need be, use TAILS / QubesOS / Whonix
  - Android (e.g., LineageOS, GrapheneOS, etc.)
  - FOSS on Mac/Windows
- Physically secure your devices!
- Use full-disk encryption
  - Linux (dm-crypt), MacOS (FileVault), Windows (BitLocker).
  - Android (v5+), iOS (v8+).
Passphrase Hygiene
Use a password manager (pass / BitWarden / KeePass / Browser)
Long master password / passphrase using phrases in Hindi/Tamil/etc. / WebPassGen / Diceware
Test password strength using telepathwords & zxcvbn
Use multi-factor authentication wherever available (but don't tie your real identity to a pseudonymous account!). And beware, MFA can cause you to lose access!
Make sure you keep an eye on what you've authorized using your {Google, Facebook, Twitter, etc.} credentials
Never share your passwords, except through secure mechanisms like a group password manager. Don't ever respond to e-mails asking for your password.
Browser Hygiene
Use Brave, Firefox, or Chromium
Essential Extensions/Add-ons
Password Manager (inbuilt, or add-on)
uBlock Origin (FF & Chromium & Safari)
HTTPS Everywhere (FF & Chromium & FF for Android)
uMatrix (FF & Chromium, not for beginners)
NoScript (FF-only, I use it w/ default "allow")
"Private Browsing" mode only deletes stuff (browser history, cookies, etc.) once you close the browser.
Browser Hygiene
If anonymity is needed in addition to security, then use the Tor Browser
(and don't use any of your regular usernames, and don't visit HTTP sites since many exit nodes do sniff traffic)
(While Tor Browser is easy to use, I would recommend using TAILS over Tor Browser if at greater risk.)
Anonymity does NOT work without identity segregation.
E-mail Hygiene
Attachments
Only ever open attachments using Zoho or Google Docs. Never download them or open them locally in MS Word / Excel, etc.
Scan all attachments using a malware scanner (especially if you use Windows). VirusTotal is a great online scanner.
E-mail Hygiene
Links
NEVER click a link in an e-mail that scares you into thinking you need to change your password, etc. The bulk of these are phishing attempts.
ALWAYS check the link (usually it appears in the status bar) BEFORE clicking it.
E-mail Hygiene
Requests for Personal Information
- Howsoever authentic looking, never reply to an e-mail asking you for personal information like your password, bank account details, etc.
Temporary Accounts
Contact Details
Get in touch with me using:
XMPP: pranesh(at)prakash.im + pranesh(at)cis-india.org
E-mail: pranesh(at)prakash.im + pranesh(at)cis-india.org
IRC: the.solipsist/freenode + sol/oftc
Mumble: sol:chats.im
For help, join this XMPP chatroom:
crypto@chat.cis-india.org