Note on 12/08/2020: The content in the post below was overhauled in our newer piece, "Security and privacy tips for journalists in a moment of turbulence." We recommend referring to that piece for the most relevant and up-to-date resources.
As of January 20, Donald Trump is the president of the United States, which has prompted deep concerns from many over the constraints his administration may place on our ability to connect, express, and spread information safely.
Trump, a longstanding adversary of the free press, has expressed support for expanded surveillance powers, insulted and blacklisted both individual journalists and entire news organizations, selected an Attorney General appointee who actively eschews commitments to protecting a free press, and has called for leak investigations that would ensnare both sources and journalists. If these comments and actions are any indication, both the press and ordinary citizens may be forced more than ever before to use technology to keep their communications safe.
Below, we present eleven digital security tips you can implement today to help you better protect yourself, your fellow journalists, and your sources when communicating on your phone or computer.
We expect the threats will change in the coming years. These tips represent strong security standards right now, and we pledge to stay on top of any changes in the future.
There is no one-size-fits-all formula for digital security. Perfect security simply does not exist, but there are plenty of ways to better protect yourself depending on the situation. Just as each individual has a unique digital life, each individual has a unique threat model — a concept used to describe an amalgam of risks that threaten an individual’s privacy and security. It is not a static concept, rather it changes according to conscious choices you make, as well as technical, social, and political changes beyond your control.
Threat modeling allows you to identify who you are worried about, locate potential security vulnerabilities in your current practices, and take stock of the assets you wish to protect. You can begin thinking about your threat model by asking yourself: What information do I have to protect? Who am I protecting this information from? How far am I willing to go to protect said information?
Access Now has developed a visual guide to get you started with threat modeling. The Electronic Frontier Foundation provides more information on threat modeling as well as in-depth security guides catered to journalists, activists, and academics. In addition to targeted advice, there are rich collections of general resources and guides available to aid you as you go about determining which practices are right for you.
When downloading a new tool, consider where it is coming from. The source code of free and open source software is publicly available so that the developer community can audit it for security vulnerabilities, and such software is traditionally developed without the intent of turning a profit off of your data. Opt for vetted open source tools over proprietary options whenever possible.
Remember to install updates on your devices whenever they are available. Typically updates are sent out by developers to patch vulnerabilities in software that threaten privacy and security. Updating your software can often be easily done with one click, and is one of the best ways to protect yourself from being hacked.
As a mobile device is as much of an asset to journalists and activists as it is a liability, always check an application’s permissions before you download any piece of software on your phone. A game you play on your commute, for example, has no business knowing your location data at all times. Limiting your phone’s ability to track you is key to maintaining your privacy on-the-move.
You can find app permissions on the iPhone in the “Privacy” menu of “Settings.” There, you can see which applications have requested access to your device’s critical resources, and grant or revoke that access accordingly.
On Android, you can check individual permissions in your application menu by dragging an application icon upwards to reveal its “App Info.” From there, click on “App Permissions” to toggle what permissions you are comfortable granting the app.
Before doing anything else, ensure that you use strong and unique passwords on all your accounts. Common software now exists that uses the computing power of a desktop, botnet, or supercomputer to try millions of the most common passwords. Passwords like “123456” or “password123” are trivially easy for these programs to figure out. (So is “[email protected]” for that matter.) These types of passwords lack a suitable amount of entropy, or randomness, to stop concerted attempts to hack into your accounts.
Creating passwords from a long and random string of digits, letters, punctuation or words is ideal, but such passwords are often hard to remember. To simplify making a complex and memorable password, consider adopting a passphrase instead. We’ve come up with a guide to help you think about what passphrase is appropriate given the use case.
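To make the entropy argument concrete, here is a small added example (not code from the original post) that estimates the entropy of a character password versus a word-based passphrase, and draws a passphrase with a cryptographically secure random source. The tiny word list and the set of "common passwords" are constructed stand-ins; the entropy figure for passphrases assumes a real Diceware-sized list of 7,776 words.

```python
import math
import secrets
import string

# Constructed mini word list standing in for a real Diceware list (which has
# 7,776 words). The entropy estimate uses the real list size, because the
# strength of a passphrase comes from how large a list the words are drawn from.
SAMPLE_WORDLIST = ["anchor", "basil", "comet", "dune", "ember", "fjord", "glyph", "harbor"]
DICEWARE_LIST_SIZE = 7776

# Constructed sample of the "most common passwords" a cracking tool tries first.
COMMON_PASSWORDS = {"123456", "password", "password123", "qwerty", "letmein"}


def charset_size(password: str) -> int:
    """Size of the smallest character pool that covers every character used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def password_entropy_bits(password: str) -> float:
    """Upper bound on entropy, assuming each character was picked uniformly from
    its pool. A password on the common list gets 0 bits: it is tried first,
    no matter how many characters it has."""
    if password in COMMON_PASSWORDS:
        return 0.0
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def passphrase_entropy_bits(word_count: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of word_count words drawn uniformly and independently from a list."""
    return word_count * math.log2(list_size)


def generate_passphrase(word_count: int, wordlist=SAMPLE_WORDLIST) -> str:
    """Draw words with the secrets module (a CSPRNG), never random.choice,
    whose output is predictable."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    for pw in ("123456", "Tr0ub4dor&3"):
        print(f"{pw!r}: ~{password_entropy_bits(pw):.1f} bits")
    print(f"6 Diceware words: ~{passphrase_entropy_bits(6):.1f} bits")
    print("sample passphrase:", generate_passphrase(6))
```

Six words from a 7,776-word list give roughly 77 bits, more than an eleven-character mixed-symbol password, and the words are far easier to remember than the symbols.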
Remember: do not reuse passwords across multiple sites. You’ve no doubt heard of the millions of compromised accounts leaked in high-profile data breaches. Once an account is compromised in an attack, it is often posted online for a host of bad actors to try out your credentials on more damaging accounts, like your bank or email. Ensuring you use a unique password for each account will leave you less vulnerable to a subsequent attack after compromise.
Not sure how you’ll remember all your new, complex passwords, or don’t trust yourself to create them? Password managers make the process of generating unique passwords and rotating credentials on a regular basis streamlined and systematized. You protect your password manager with a single passphrase, and it then generates, stores, and fills in dozens of other credentials for various sites for you. That way, you won’t even have to worry about remembering them, because they will be stored in your password manager.
There are some great online and offline password managers on the market today. Online password managers like 1Password and Bitwarden offer user-friendly options for those interested in accessing their credentials through a browser. For those inclined to an offline version, open source alternative KeePassX stores your credentials in a local, encrypted file on your desktop.
As is common with technology, both approaches present tradeoffs between usability and security. Shop around and decide which option is best for your workflow.
Adding an additional layer of authentication to your accounts mitigates the threat of account compromise. With 2-factor authentication (2FA) enabled, attackers won’t be able to gain access to your account, even if they know your username and password.
Depending on the service, you can enable 2FA through voice call, SMS, software, or hardware token. For example, if you are using Gmail, the first time you sign in with your password, Google will send a short code to your phone that you will then type in to confirm that it is, in fact, you who is trying to access your account.
While it is certainly better than not having 2FA enabled, authentication through call or SMS can be vulnerable to interception by a sophisticated adversary through a man-in-the-middle attack, as well as through access to your voicemail or mobile carrier account. Software like Google’s Authenticator, Authy, or Duo allows you to link an offline, time-based code generator to your mobile device and is more secure than text-based 2FA schemes. Hardware tokens like Yubico’s Yubikey are even more secure, making phishing attempts almost impossible to pull off, as authentication codes can only be used by the site you're trying to log into.
If you want instructions on how to set up 2FA on your various accounts, 2fa.directory is a helpful resource to get you set up with 2FA across any service that provides the option.
While unencrypted SMS and voice calls are subject to network snooping and government court orders, end-to-end encrypted communications are designed to be unreadable to anyone but the sender and recipient. In 2017, using end-to-end encrypted messaging tools is critical to protecting yourself and whomever you communicate with from network or government surveillance.
Signal is widely considered the most secure messaging app for calls and texts; you can download it on Android and iPhone, and sync it to a desktop application. Messaging apps like WhatsApp, Wire, and CryptoCat have already followed Signal’s example and rolled out its encryption protocol in their applications, where it is turned on by default.
That said, each of these messaging platforms has different levels of other privacy protections, balancing the desire for usability over security to varying levels of success. This highlights the importance of threat modeling — no form of digital communication is perfectly immune to the risk of exposing your metadata—who you’re talking to, when, and for how long.
If you have sensitive data stored on your mobile phone or desktop, your first line of defense against that information finding its way into the wrong hands is through device encryption.
While not necessarily advisable, sometimes we must attend controversial events or cross borders with our personal devices. If you are traveling or attending a protest with your personal device and fear it may be confiscated or tampered with, authorities will not be able to access your sensitive data if you:
1. Encrypt your device;
2. Lock it with a complex passphrase; and
3. Turn it off.
iPhones are encrypted by default, and most Android phones have the capability to enable device encryption through Settings. If you use a Mac, you can encrypt your computer using FileVault, which you can find in your System Preferences. Device encryption on a PC is a bit more nuanced — and depends on your threat model, operating system and device version. If you run Windows 10 (Pro, Enterprise, or Education editions), you can use Microsoft’s native software BitLocker to initiate the encryption process. If that is not an option for you, you’ll have to make a decision based on which options are compatible with your device and threat model.
In addition to the data that you store on your local devices, you also transmit data while you are browsing and communicating on the web. Configuring your browser to your security and privacy needs is essential to taking control of your data-in-transit — you can get started by routinely deleting your browsing history, electing to use browsers like privacy-forward Mozilla Firefox or security-minded Google Chrome, and managing your browser settings and plugins. Here, for example, are great instructions on how to adjust your Google Chrome settings to be more secure.
If anonymous browsing is what you seek, consider using the Tor Browser, with the caveat that in certain circumstances it can be risky to use the software. Worried about being identified as a Tor user by your internet service provider? Fire up a trusted Virtual Private Network (VPN) before you connect — that way only your VPN provider knows you’re connecting to the Tor network.
As an added measure, using a browser extension like EFF’s HTTPS Everywhere ensures that you are connecting to a site through an encrypted connection whenever possible. Also consider purchasing a VPN, a service that tunnels your web requests through a secure server before making it to your internet provider. VPNs are essential to protecting your security when you are logged on to public wifi at places like cafes or hotels.
Not all VPNs are created equal, so selecting the right VPN for your threat model requires nuance and research. Always look for a VPN provider that promises a short data retention policy — aim for no logging whatsoever — and the option for a “kill switch” — a feature that directs your computer to disconnect from the internet when your VPN connection is interrupted. It’s important, too, to look into the protocol your VPN provider uses to establish a connection between your device and its server. Aim for a protocol that is open source (like OpenVPN), or robust when properly implemented (like IPsec). Avoid a protocol that has known security vulnerabilities (like PPTP).
Also avoid free VPN providers, as selling your traffic data is likely how the company is turning a profit! While a VPN can be a helpful tool to protect you from traffic snoopers, using one does not promise perfect anonymity.
Finally, you can throw as much software at your threats as you want, but your privacy and security are still at the mercy of human error. If you get hacked, all the encryption in the world won’t protect you. Oftentimes the origin of a hack can be traced back to an individual clicking on a malicious link or unknowingly downloading malware from an email — such attacks are called phishing. For example, this is how Hillary Clinton’s campaign manager John Podesta had all of his emails stolen.
You can find a number of methods to detect phishing attempts, as well as preventative measures in our anti-phishing and email hygiene primer.
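The checks that catch most phishing links are mechanical and can be automated. Below is an added example, not code from the original post or the primer it links to, that pulls every link out of an HTML email body and flags the classic warning signs: a plain-http link, a punycode (lookalike) hostname, visible link text that names one domain while the href goes to another, and any destination outside a trusted-domain list. The email body, the trusted-domain set and the `.test` hostnames are all constructed for the demo; the "registrable domain" helper is a deliberate two-label approximation rather than a public-suffix-list lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not a real message): one honest link, one whose
# visible text claims a different domain than its href, and one punycode lookalike.
SAMPLE_EMAIL_HTML = """
<p>Your account needs attention.</p>
<a href="https://accounts.example.com/reset">https://accounts.example.com/reset</a>
<a href="http://login-example.attacker.test/verify">https://accounts.example.com/verify</a>
<a href="https://xn--exmple-cua.test/login">Sign in</a>
"""

# Domains this (hypothetical) organisation legitimately sends links for.
TRUSTED_DOMAINS = {"example.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname. This ignores multi-part suffixes such as
    co.uk; a production tool would consult the public suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def assess_link(href: str, text: str, trusted=TRUSTED_DOMAINS):
    """Return the reasons a link looks suspicious; an empty list means nothing flagged."""
    reasons = []
    target = urlparse(href)
    host = target.hostname or ""
    if target.scheme != "https":
        reasons.append("not https")
    if "xn--" in host:
        reasons.append("punycode hostname (possible homograph)")
    # If the visible text is itself a URL, it must point where it claims to.
    shown = urlparse(text) if re.match(r"^https?://", text) else None
    if shown and shown.hostname and registrable_domain(shown.hostname) != registrable_domain(host):
        reasons.append(f"text says {shown.hostname} but href goes to {host}")
    if registrable_domain(host) not in trusted:
        reasons.append(f"{host} is not a trusted domain")
    return reasons


def scan_email(html: str, trusted=TRUSTED_DOMAINS):
    """Map each href in the body to its list of warning reasons."""
    parser = LinkCollector()
    parser.feed(html)
    return {href: assess_link(href, text, trusted) for href, text in parser.links}


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL_HTML).items():
        print(href, "->", "OK" if not reasons else "; ".join(reasons))
```

The text-versus-href mismatch is the check worth internalising even without tooling: hovering over a link shows the real destination, and on a phone a long press does the same.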