11 privacy steps every journalist should take to protect themselves and their sources
For some, maintaining privacy is simply a matter of preference, and breach of information doesn’t necessarily have negative consequences. However, for many individuals, seeing certain pieces of information fall into the wrong hands can have much broader implications. For journalists, this is particularly true, and having sensitive data compromised can have a potentially disastrous impact. Whether you’re handling data that needs to be safeguarded or dealing with undisclosed sources, there may be many nuggets of information you need to keep under wraps.
Thankfully, even in today’s age where privacy seems like a thing of the past, there are steps you can can take to protect yourself and your sources, as well as the information that is passed between you. These range from simply utilizing common sense to employing some of the most up-to-date technologies, and involve tactics such as encrypting communications and avoiding popular platforms. While some of these methods may seem like a lot of extra work, when combined together, they can greatly reduce the risk of information being discovered by prying eyes.
This article will walk you through 11 key steps you can take to protect yourself, your sources, and your information. Let’s get started!
1. Use common sense
First and foremost, you need to use common sense. While this may seem glaringly obvious, when you take a close look at your everyday habits, you may be surprised at how many small mistakes you make.
For example, if you scribble notes on a piece of paper pertaining to any tiny details about your source or information passed between you, you may be putting both parties at risk. The same goes for keeping notes on a laptop, on your cellphone, or in the cloud. It’s simply not worth the risk.
Aside from recording data, common sense should also be used in other situations. We’ll go into more detail about various forms of contact later, but it’s worth stating the basics from the get-go. When it comes to meeting, don’t use public transportation as this can be easily tracked, and don’t meet in places where there’s going to be a lot of security cameras. When you need to make payments, always use cash or prepaid credit cards, or even consider Bitcoin.
Finally, make sure you keep up-to-date with technological advances. You should always know what you’re up against when it comes to protecting your privacy, and be aware of the tools available to help you.
2. Educate your sources
Aside from utilizing common sense, the other most vital step you need to take to ensure protection is to make sure that your sources are as educated as you are when it comes to privacy. There’s absolutely no point in taking extensive measures on your end if they are careless and blow it all with an unencrypted email or casual text message.
Every step you take to protect you and your source needs to be mimicked by them. As you learn, be sure to educate colleagues, sources, and any other potential leaks so you can minimize the risk of a breach of information. This involves everything from data storage to communication via safe devices. Every facet needs to be covered by everyone.
3. Conduct meetings with caution
There are various methods by which communications may be passed from a source to you and vice versa. Arguably, one of the safest ways is to meet in person. The major benefit of a face-to-face is that there doesn’t have to be transmission of data through any kind of third party, as the information can be communicated verbally. It also enables you to be certain of who the information is coming from or going to, i.e. not someone posing as the source.
However, personal meetings come with their fair share of risks that might far outweigh the benefits. The biggest risk, of course, is being seen together in the same place, either by witnesses or security cameras. However, even if you manage to evade both of those, there is also the potential that you could be placed together in the same location at the same time by cellular network signals.
The simplest way to avoid this, if you do have to meet in person, is to put your phone in airplane mode. However, phones with GPS devices could still be be tracked, so it might be better to turn your phone off or leave it behind, and advise your source to do the same. If you absolutely need access to a phone at the time of the meeting and don’t want to risk tracking, a disposable device is your best bet.
4. Make your phone calls discreet
Talking to your source over the phone represents a far more convenient method of communication than meeting in person. It’s also a much easier way to conduct interviews than trying to use emails or messages. However, phone calls also come with their own set of challenges. After all, every call that is made produces data that is stored by the telecom provider, such as the date, time, call duration, caller number, and receiver number.
If you do need to make phone calls, as mentioned earlier, there is the option to use a prepaid disposable device. However, this is not always practical. If you need the source to contact you via the device, you have to find a secure way to communicate the number to them. There is also the option of conducting voice or video calls using a voice-over-IP service, such as Skype. However, this particular service might not be as secure as it claims to be, so should be used with caution.
Another option is to use a secure calling service, such as the Signal app by Open Whisper Systems. This is considered the gold standard of encrypted messaging and offers private calling (and messaging) for iPhone and Android. You could also consider using products and services provided by Silent Circle, whose priority is data protection. This company is more often utilized by enterprise consumers rather than individuals, and offers devices, such as the Blackphone, as well as services for encrypting calls, messages, and emails for a monthly fee.
5. Protect your messages
While we haven’t forgotten about the all-important method of email communication (we’ll get to it soon), it’s time to talk about viable ways to use chat apps or messenger systems. These offer a convenient way to communicate, but whether you’re checking facts or arranging a call or meetup, there are certain messages you’ll need to keep discreet.
One of the key things to remember here, and indeed when considering all types of communication technology, is that bigger is not necessarily better. As discussed by Bruce Schneier, larger companies may employ encryption services that will enable relatively easy access to your information.
Regardless of their encryption services, the text within some messenger systems is open to anyone who intercepts it. Therefore, you need to use one that provides secure end-to-end encryption. As mentioned in the previous section, Signal is one such app. This system is also highly user-friendly and completely free.
If you’ve heard about the Signal protocol being used in other (more well-known) messenger systems such as WhatsApp, Google Allo, and Facebook Messenger, then you’ve heard right. However, depending on the app, the protocol is not necessarily used in the same way as it is in the Signal app itself. Encryption may not be enabled by default and the identity of the end user may be questionable. Ultimately, this means that used in their default state, these other systems may be arguably less secure, and using the actual Signal app is probably the best way to go.
One potential issue with Signal is that, although the content is encrypted, details of the receiver and sender is not, and you still use your own phone number to communicate. Threema is a similar option in that it provides end-to-end encryption. However, this app, which is also available for iOS and Android, provides you with a unique ID, so you don’t have to use a phone number or email address. Other apps to consider are Telegram, Viber, and Dust (formerly Cyber Dust).
Finally, when it comes to browser instant messaging, if you’re using the Tor browser (more on that below) you can use TorChat. Alternatively, there is also Adium, Pidgin, and Cryptocat. You might also be wondering about organizational chat systems such as Campfire, Slack, and Skype. In general, these are simply considered too risky.
One last note about messages, which falls under the notion of common sense we talked about earlier, is that you should delete messages as soon as they have been viewed. Otherwise, even if their content is encrypted, they will be easily read by anyone who happens to get their hands on your device or breaks into your messenger account.
6. Encrypt information and utilize passwords properly
We’ve touched on encryption in earlier sections, but this really is key across the board when it comes to maintaining privacy. Encrypted data requires resources to decrypt it. As such, the more difficult your data is to access, the more costly it becomes for an outside party to retrieve it. Aside from making your information more secure, it may lead potential snoopers to think twice before moving forward.
When it comes to your computer, and indeed your phone or any other device, full disk encryption is recommended. Services such as VeraCrypt or Bitlocker can be used for your computer. There are also various methods you can utilize to encrypt your Android device, and apps like Disk Decipher and Crypto Disk have been derived from VeraCrypt for use with an iPhone.
Of course, another vital layer of protection for your computer, devices, and all accounts you hold is password protection. We’ve gone into detail about password best practices before, but some top tips are to make them as long as possible and to use the entire keyboard. Also make sure you never use the same password for different accounts. If you’re worried about remembering them all, there are plenty of password management tools available – although their usefulness has been debated – such as Dashlane, KeePass, LastPass, and 1Password.
You should also always consider taking advantage of two-step verification (2SV) whenever it’s offered. In this case, you are typically sent a verification code via email or SMS to add an additional layer of security. However, there is still the potential that these messages could be intercepted.
An alternative to 2SV is is two-step authentication (2FA) which requires two different types of verification that may include passwords, key cards or fobs, or physical verification methods such as a fingerprint or retina scan. An example of this is YubiKey, a USB device which offers an additional layer of protection for access to hundreds of businesses and tools.
7. Protect your documents
If your computer should happen to fall into the wrong hands, you might be confident that the password protected device won’t allow prying eyes to see your most sensitive documents. On the other hand, you may want to add another level of security to certain files and folders. For example, you may have items such as interview recordings or transcripts that simply can’t be deleted but definitely need to be hidden.
Of course, if your computer is in fact in the wrong hands, then it probably won’t take long before they can bypass the additional layer. However, it will at least make the retrieval of information more difficult. After all, no measures are 100 percent tight, and difficulty is what we’re really going for here. If you’ve identified files and folders that you need to keep but you’d much rather people didn’t see, you can add another layer of password protection using the steps in this guide.
When it comes to documents in the cloud, you really shouldn’t have sensitive information floating around there in the first place. However, if it’s a must, make sure you check the privacy policies of the systems you’re using. As mentioned earlier, bigger names might not necessarily be better so consider switching out Dropbox or Google Drive for services such as SecureDrop, OnionShare, and SpiderOak. There are also multiple apps you can use to encrypt your files before uploading to the cloud, such as Encrypto, Boxcryptor, and Cryptomator.
8. Encrypt your emails
We’ve talked about both encryption and communication earlier, but haven’t gotten to the topic of encrypting emails. This is a vast subject that we discussed in detail recently. That post covered exactly how to encrypt your email using S/MIME or PGP/MIME, depending on which email client you use. Bear in mind that to use PGP, which is the most common form of encryption used with web-based clients, you’ll need to find out your source’s public key, and vice versa. Thankfully, these are usually stored on a public server and can be searched by name or email address.
You might also be interested in our recent article about how to use Hushmail to encrypt your messages. Bear in mind that whatever encryption method you use, although the content of emails is encrypted, all other information such as sender, receiver, time, date, and subject line is still visible. As such, you might want to consider using a disposable email instead.
Essentially, this means that you sign up for an email account anonymously and delete the account as soon as you’re done. While using this method with most of the larger email providers wouldn’t be considered very secure, there are some providers that specialize in disposable email addresses, such as Guerrilla Mail and Mailinator.
9. Control your browsing information
Now that we’ve covered protecting communications with your sources and making sure your messages and documents are as safe as possible, we’ll take the next couple of sections to address how you can become anonymous while continuing your regular online activity. We covered much of this in a previous post, but a few items are worth a special mention, one being how to control your browsing information. Whether you want to hide your current line of investigation or need to avoid a particular detail being leaked, there are likely countless circumstances in which you want to keep your browsing activity private.
While private browsing mode might seemingly shelter you from detection, all it really does is hide your history from those who have access to your computer. The sites visited by your IP address are still recorded. An alternative option is to use a different browser that offers more privacy such as Epic Privacy Browser or Comodo Dragon. However, these are typically limited in functionality. Moreover, simply deleting cookies will give you a similar level of security as these offerings.
Other measures you can take to make browsing more secure is to delete the DNS cache (your computer’s short-term memory) and disable HTML Web storage (which is typically enabled by default). You can add to these steps by changing your location settings, and by utilizing privacy extensions such as ScriptSafe or NoScript.
One browser we haven’t covered in this piece yet is Tor, which could well be the answer to all of your private browsing woes. Although Tor doesn’t offer the most refined browsing experience, it’s currently touted as the best option when it comes to browsing anonymously. We’ve written extensively about Tor in this guide and we’ve also discussed some of its potential pitfalls. If you do decide to use Tor, we recommend setting it up with a Virtual Private Network (VPN) for maximum privacy.
Finally, for an additional layer of security, you can also use a “live” operating system (OS), such as Tails. This runs off a CD or USB and is booted to your computer without an installation process. You then run your computer through the live OS which includes browsing using the Tor browser by default. When you shut down, since nothing was actually transferred to your computer, there is no trace of the activity.
10. Use an alternative search engine
Aside from needing to use a browser, no doubt you’ll need extensive use of a search engine. Unfortunately, these pose yet another threat when it comes to privacy as search engines like Google and Bing store your search history. Just one or two searches could reveal far too much about you, your story, or your sources. You can limit the information storage by changing your settings within each search engine to stop it from saving the search text you enter. You can also visit your history for both Google and Bing and erase your past search activity.
However, you might prefer to simply use a search engine that doesn’t store info by default, such as DuckDuckGo or StartPage by Ixquick. These don’t track any of your activity and therefore don’t share it with others. An added bonus is that you don’t get bombarded with ads based on your search activity.
11. Use a VPN
Last, but certainly not least, a step anyone wanting to retain their privacy online should take, is to use a VPN. Not only will a VPN encrypt internet traffic, but it will also send it through a remote intermediary server. What this means for privacy is that it prevents ISPs from monitoring your activity, and whatever website, app, or service you’re using cannot identify you by your IP address. It also prevents anyone else from intercepting your data, including when you’re on an open Wi-Fi connection.
While VPNs can prevent third parties from seeing what you’re doing online, the VPN provider itself can still view your activity. As such, we recommend going with a “logless” VPN. In this case the provider has a policy whereby they promise not to store information about your online activity. Provided you can trust them, if the information isn’t stored, you don’t have to worry about it being leaked.
While not strictly related to privacy, a bonus of VPNs is that you can access content and services that are available where the server resides, rather than where you are. You can learn more about the benefits of using a VPN and how to get started with one by delving into our in-depth guide.
As a journalist, there’s probably a plethora of information you need to keep under wraps, whether it’s to protect a source, hide certain data, or even protect your own identity. Unfortunately, with current technological advancements, privacy and protection of information seem like things of the past.
Fortunately, there are various steps you can take to minimize the risk of your precious information being revealed to the wrong party. Even something as simple as common sense can be a powerful weapon in the privacy war. You’re also not alone in wanting to keep information private, and as such there are a myriad of helpful tools at your disposal. In this post we’ve revealed 11 ways you can protect you and your sources from prying eyes and ears. Time to put them into action!
Do you have any more tips for protecting information? Let us know in the comments section below!