For some, maintaining privacy is simply a matter of preference, and breach of information doesn’t necessarily have negative consequences. However, for many individuals, seeing certain pieces of information fall into the wrong hands can have much broader implications. For journalists, this is particularly true, and the compromise of sensitive data can have a potentially disastrous impact. Safeguarding data and protecting undisclosed sources are part of the job.
Today, privacy seems like a thing of the past. However, there are steps you can take to protect yourself, your sources, and the information you share. These range from simply utilizing common sense to employing some of the most up-to-date technologies. When combined, they can greatly reduce the risk of information being discovered by prying eyes.
This article will walk you through 16 key steps you can take to protect yourself, your sources, and your information. Let’s get started!
1. Use common sense
First and foremost, you need to use common sense, which may seem glaringly obvious. That said, when you examine your everyday habits, you might be surprised at how many small mistakes you make.
For example, if you scribble notes on a piece of paper pertaining to any tiny details about your source or information passed between you, then you may be putting both parties at risk. The same goes for keeping notes on a laptop, on your cellphone, or in the cloud. It’s simply not worth the risk.
Aside from recording data, common sense should be used in other situations. We’ll go into more detail about various forms of contact later, but it’s worth stating the basics from the get-go. When it comes to meeting, don’t use public transportation as this can be easily tracked. And don’t meet in places where there are going to be a lot of security cameras. When you need to make payments, always use cash or prepaid credit cards, or even consider Bitcoin.
Finally, make sure you keep up to date with technological advances. It’s good to always know what you’re up against and have awareness of the tools available to help you.
2. Educate your sources
Aside from utilizing common sense, you need to ensure that your sources are as educated as you are when it comes to privacy. There’s no point in taking extensive measures on your end if they are careless and blow it all with an unencrypted email or casual text message.
Every step you take to protect yourself and your source needs to be mirrored by them. As you learn, be sure to educate colleagues, sources, and anyone else who could be a potential leak. This way, you can minimize the risk of a breach of information. This involves everything from data storage to communication via safe devices. Every facet needs to be covered by everyone.
3. Conduct meetings with caution
There are various methods by which you can communicate with your source. Arguably, one of the safest ways is to meet in person. The major benefit of a face-to-face meeting is there’s no need for a third-party application. It also helps to weed out an imposter and ensure you know who information is going to or coming from.
However, personal meetings come with their fair share of risks that might far outweigh the benefits. The biggest risk, of course, is being seen together in the same place, either by witnesses or security cameras. And even if you manage to evade both of those, there’s the potential that cellular network signals could place you and your source together.
The simplest way to avoid this is to put your phone in airplane mode. However, phones with GPS devices could still be tracked. It might be better to turn your phone off or leave it behind, and have your source do the same. If you absolutely need access to a phone at the time of the meeting, a disposable device is your best bet.
4. Make your phone calls discreet
Talking to your source over the phone represents a far more convenient method of communication than meeting in person. It’s also a much easier way to conduct interviews than trying to use emails or messages. However, phone calls come with their own set of challenges. After all, every call produces data that is stored by the telecom provider, such as the date, time, call duration, caller number, and receiver number.
If you do need to make phone calls, there is the option to use a prepaid disposable device. But this is not always practical. If you need the source to contact you, you have to communicate the number to them securely. There is also the option of conducting voice or video calls using an app like Skype or Zoom. However, these may not be as secure as they claim to be, so they should be used with caution.
Another option is to use a secure calling service, such as the Signal app by Open Whisper Systems. This is considered the gold standard of encrypted messaging and offers private calling (and messaging) for iOS and Android.
You may also consider using products and services provided by Silent Circle, a company that prioritizes data protection. This company is more often utilized by enterprise consumers rather than individuals. It offers devices such as the Blackphone, as well as services for encrypting calls, messages, and emails for a monthly fee.
5. Protect your messages
Chat apps or messenger systems offer a convenient way to communicate, but whether you’re checking facts or arranging a call or meetup, there are certain messages you’ll need to keep discreet.
Ideally, when shopping for a messenger system, you need to use one that provides secure end-to-end encryption. As mentioned in the previous section, Signal is one such app. This system is also highly user-friendly and completely free.
The Signal protocol is used in other (more well-known) messenger systems such as WhatsApp and Facebook Messenger. However, depending on the app, the protocol is not necessarily used in the same way as it is in the Signal app itself. Encryption may not be enabled by default and the identity of the end user may be questionable.
Ultimately, this means that used in their default state, these other systems may be arguably less secure. That said, one potential issue with Signal is that, although the content is encrypted, details of the receiver and sender are not, and you still use your own phone number to communicate.
Threema is a similar option that provides end-to-end encryption and has apps for iOS and Android. It provides you with a unique ID, so you don’t have to use a phone number or email address. Other apps to consider are Telegram, Viber, and Dust (formerly Cyber Dust).
Finally, when it comes to browser instant messaging, if you’re using the Tor browser (more on that below) you can use TorChat. Alternatively, there are Adium, Pidgin, and Cryptocat.
You might also be wondering about organizational chat systems such as Campfire, Slack, and Skype. In general, these are simply considered too risky.
Note that as a precaution, you should always delete messages as soon as they have been viewed.
6. Look for anonymous communication methods
One of the problems with in-person meetings, phone calls, and messages is that both parties are generally fairly easily identifiable to one another. Even with secure methods, corresponding parties usually need to have had some prior contact to find out things like contact information and preferred method of communication.
Platforms like SecureDrop and GlobaLeaks can help solve this issue. These enable whistleblowers to upload information securely and anonymously.
In addition, Tutanota has designed a tool called Secure Connect, which is a secure contact form that news outlets and other organizations can embed into their websites. It uses end-to-end encryption so that sources can contact journalists anonymously. The form encrypts entire conversations, including attached files.
Note that to ensure anonymity, it’s recommended you use the Tor browser (see below) when using these services.
7. Encrypt information and utilize passwords properly
Encrypted data requires resources to decrypt it. As such, the more difficult your data is to access, the more costly it becomes for an outside party to retrieve it. Aside from making your information more secure, it may lead to potential snoopers thinking twice before moving forward.
When it comes to your computer, and indeed your phone or any other device, full disk encryption is ideal. Tools such as VeraCrypt or BitLocker can be used for your computer. There are also various methods you can utilize to encrypt your Android device, and apps like Disk Decipher and Crypto Disk have been derived from VeraCrypt for use with iOS.
8. Use strong passwords
Of course, another vital layer of protection for your computer, devices, and all accounts you hold is password protection. We’ve gone into detail about password best practices before, but some top tips are to make them as long as possible and to use the entire keyboard.
Also, make sure you never use the same password for different accounts. If you’re worried about remembering them all, there are plenty of password management tools available.
Top options include Dashlane, KeePass, LastPass, and Sticky Password.
9. Take advantage of two-step verification
You should also consider taking advantage of two-step verification (2SV) whenever it’s offered. In this case, you are typically sent a verification code via email or SMS to add an additional layer of security. However, there is still the potential that these messages could be intercepted.
An alternative to 2SV is two-factor authentication (2FA) which requires two different types of verification that may include passwords, key cards or fobs, or physical verification methods such as a fingerprint or retina scan. An example of this is YubiKey, a USB device which offers an additional layer of protection for access to hundreds of businesses and tools.
10. Protect your documents
Password protecting your device is one thing, but you can add another level of security to certain files and folders. For example, you may have items such as interview recordings or transcripts that need to be well-hidden.
If you’ve identified files and folders that you need to keep but you’d much rather people didn’t see, you can add another layer of password protection using the steps in this guide. If your computer does fall into the wrong hands, then it probably won’t take long before they can bypass the additional layer. However, it will at least make the retrieval of information more difficult.
When it comes to documents in the cloud, you really shouldn’t have sensitive information floating around there. But if it’s a must, make sure you check the privacy policies of the systems you’re using.
Bigger names might not necessarily be better. For example, you may want to consider switching out Dropbox or Google Drive for services such as SecureDrop and OnionShare. There are also multiple apps you can use to encrypt your files before uploading to the cloud, such as Encrypto, Boxcryptor, and Cryptomator.
11. Encrypt your emails
We talked about both encryption and communication earlier, but what about encrypting emails? This is a vast subject that we discuss in detail in a dedicated post. That post covers exactly how to encrypt your email using S/MIME or PGP/MIME, depending on which email client you use.
Bear in mind that to use PGP, which is the most common form of encryption used with web-based clients, you’ll need to find out your source’s public key, and vice versa. Thankfully, these are usually stored on a public server and can be searched by name or email address.
You might also be interested in our recent article about how to use Hushmail to encrypt your messages. Bear in mind that whatever encryption method you use, although the content of emails is encrypted, all other information such as sender, receiver, time, date, and subject line is still visible. As such, you might want to consider using a disposable email address instead.
With a disposable email, you sign up for an email account anonymously and delete the account when you no longer need it. There are some providers that specialize in disposable email addresses, such as Guerrilla Mail and Mailinator.
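To see what email encryption leaves exposed, the following added example (not from the original article) parses a constructed PGP/MIME message and lists the headers that any mail server handling it can read. The addresses, subject line, and the `exposed_metadata` helper are made up for illustration.

```python
from email import message_from_string

# Constructed sample: a PGP/MIME (RFC 3156) message as it travels between
# mail servers. Addresses, subject and "ciphertext" are invented placeholders.
RAW = """\
From: reporter@example.org
To: source@example.net
Date: Tue, 05 Mar 2024 21:14:07 +0000
Subject: Documents about the Acme contract
Message-ID: <constructed-1@example.org>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

# Headers that stay in cleartext even when the body is encrypted.
EXPOSED = ("From", "To", "Cc", "Date", "Subject", "Message-ID")


def is_pgp_mime(msg):
    """True if the message body is a PGP/MIME encrypted container."""
    return (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted")


def exposed_metadata(raw):
    """Return whether the body is encrypted and which headers remain readable."""
    msg = message_from_string(raw)
    return {
        "encrypted_body": is_pgp_mime(msg),
        "cleartext_headers": {h: msg[h] for h in EXPOSED if msg[h] is not None},
    }


if __name__ == "__main__":
    report = exposed_metadata(RAW)
    print("Body encrypted:", report["encrypted_body"])
    for name, value in report["cleartext_headers"].items():
        print(f"  visible in transit -> {name}: {value}")
```

Running the same check on a draft before sending is a quick way to catch a subject line that gives away what the encrypted body was meant to hide.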
12. Control your browsing information
Whether you want to hide your current line of investigation or need to avoid a particular detail being leaked, there are likely countless circumstances in which you want to keep your browsing activity private.
Private browsing mode sounds like a good option but all this really does is hide your history from anyone who has access to your device. The sites visited by your IP address are still recorded.
An alternative option is to use a browser that offers more privacy such as Epic Privacy Browser or Comodo Dragon. However, these are typically limited in functionality. Moreover, simply deleting cookies will give you a similar level of security as these offerings.
Other measures you can take to make browsing more secure are to delete the DNS cache (your computer’s short-term memory) and disable HTML Web storage (which is typically enabled by default). You can add to these steps by changing your location settings, and by utilizing privacy extensions such as ScriptSafe or NoScript.
13. Use the Tor browser
One browser we haven’t covered yet is Tor, which could well be the answer to all of your private browsing woes. Although Tor doesn’t offer the most refined browsing experience (it’s notoriously slow), it’s currently touted as the best option when it comes to browsing anonymously.
We’ve written extensively about Tor in this guide and we’ve also discussed some of its potential pitfalls. If you do decide to use Tor, we recommend setting it up with a Virtual Private Network (VPN) for maximum privacy.
Finally, for an additional layer of security, you can also use a “live” operating system (OS), such as Tails. This runs off a CD or USB and is booted to your computer without an installation process. You then run your computer through the live OS which includes browsing using the Tor browser by default. When you shut down, since nothing was actually transferred to your computer, there is no trace of the activity.
14. Use an alternative search engine
Aside from needing to use a browser, no doubt you’ll need extensive use of a search engine. Unfortunately, these pose yet another threat when it comes to privacy as search engines like Google and Bing store your search history. Just one or two searches could reveal far too much about you, your story, or your sources.
You can limit the information storage by changing your settings within each search engine to stop it from saving the search text you enter. You can also visit your history for both Google and Bing and erase your past search activity.
However, you might prefer to simply use a search engine that doesn’t store info by default, such as DuckDuckGo or StartPage. These don’t track any of your activity and therefore can’t share it with others. An added bonus is that you don’t get bombarded with ads based on your search activity.
15. Protect yourself from spyware
Spyware, a type of malware, is increasingly used to monitor devices and track information. For example, it may be used to intercept communications or log keystrokes to discover passwords. Spyware can find its way onto your device by a few methods including via an app install, a USB device, or a malicious email.
One way to prevent spyware is to use good antivirus software. This can help detect and block various types of malware. Some top options include Norton, Bitdefender, and Kaspersky. You can get antivirus software for your mobile device too.
That said, some legitimate apps can be used for spying, so you can’t always rely on antivirus software. You should review your apps regularly and check their settings. If you suspect that your device contains spyware, there are ways to remove it.
16. Use a VPN
Last, but certainly not least, a step anyone wanting to retain their privacy online should take is to use a VPN. Not only will a VPN encrypt internet traffic, but it will also send it through a remote intermediary server. What this means for privacy is that it prevents ISPs from monitoring your activity, and whatever website, app, or service you’re using cannot identify you by your IP address. It also prevents anyone else from intercepting your data, including when you’re on an open wifi connection.
While VPNs can prevent third parties from seeing what you’re doing online, the VPN provider itself can still view your activity. As such, we recommend going with a “logless” VPN. In this case, the provider has a policy whereby they promise not to store information about your online activity. Provided you can trust them, if the information isn’t stored, you don’t have to worry about it being leaked. ExpressVPN is one example of a VPN that takes user privacy very seriously.
While not strictly related to privacy, a bonus of VPNs is that you can access content and services that are available where the server resides, rather than where you are. You can learn more about the benefits of using a VPN and how to get started with one by delving into our in-depth guide.
As a journalist, there’s probably a plethora of information you need to keep under wraps, whether it’s to protect a source, hide certain data, or even protect your own identity. Unfortunately, with current technological advancements, privacy and protection of information seem like things of the past.
Fortunately, there are various steps you can take to minimize the risk of your precious information being revealed. Even something as simple as common sense can be a powerful weapon in the privacy war. Bear in mind, you’re not alone in wanting to keep information private. As such, there is a myriad of helpful tools at your disposal. In this post, we’ve revealed 16 ways you can protect yourself and your sources from prying eyes and ears. Time to put them into action!