(updated Dec. 12, 2016)
Long before Snowden, we who snoop in the public interest knew that if we weren’t being watched we would be eventually. So we took steps to protect ourselves. Digital self-defense is now vital for everyone, not just journalists. Our toolboxes are ongoing projects. This is mine, and I am grateful to the coders who help protect us. Questions/suggestions/criticisms encouraged.
The point of greatest vulnerability in our interaction with the Internet is the browser. That is why it is a must to use end-to-end encryption via Secure Sockets Layer, or SSL. It is not perfect. In fact we learned in 2013 that it had been compromised by the NSA. Where, we don’t know. But the HTTPS secure communications protocol remains the best available shield for standard browsing. It was designed to protect against such scourges as identity theft. It is especially important on open Wi-Fi networks. I use the browser add-on “HTTPS Everywhere” from the Electronic Frontier Foundation. HTTPS does not hide your online activity, meaning the websites you visit, from “sniffers” that monitor traffic. What it does is encrypt your interactions with websites that use HTTPS. If your favorite news website does not offer HTTPS, tell them to get with the program!
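To make the distinction above concrete, here is an added example (not code from the original post or from the EFF) showing what a passive sniffer can read from the first packet of a connection. For HTTPS the client’s TLS ClientHello carries the destination hostname in the Server Name Indication (SNI) extension in the clear, while the request path and content are encrypted; for plain HTTP the whole request line is readable. The ClientHello builder, the hostname example.org and the HTTP request bytes are all constructed here for illustration, and the parser handles only the minimal TLS 1.2 ClientHello layout it builds.

```python
import struct


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension.

    Constructed sample input for this example; a real browser sends many more
    cipher suites and extensions, but the SNI layout is the same.
    """
    name = hostname.encode("ascii")
    # server_name entry: name_type (0 = host_name), 2-byte length, name bytes
    entry = struct.pack("!BH", 0, len(name)) + name
    sni_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                             # client_version: TLS 1.2
        + bytes(32)                             # random (zeros here; real clients use a CSPRNG)
        + b"\x00"                               # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"    # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
        + b"\x01\x00"                           # compression methods: null only
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22 = handshake


def extract_sni(record: bytes):
    """Return the hostname from a ClientHello's SNI extension, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:]
    if not hs or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                      # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                                # skip session_id
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2 + cs_len                                 # skip cipher suites
    cm_len = body[pos]
    pos += 1 + cm_len                                 # skip compression methods
    if pos + 2 > len(body):
        return None                                   # no extensions block at all
    ext_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == 0x0000:
            # server_name_list: 2-byte length, then entries of type(1) + length(2) + name
            list_len = int.from_bytes(edata[:2], "big")
            q = 2
            while q + 3 <= 2 + list_len:
                ntype = edata[q]
                nlen = int.from_bytes(edata[q + 1:q + 3], "big")
                q += 3
                if ntype == 0:
                    return edata[q:q + nlen].decode("ascii")
                q += nlen
    return None


def visible_to_sniffer(packet: bytes) -> str:
    """Summarise what a passive observer learns from the first client packet."""
    sni = extract_sni(packet)
    if sni is not None:
        return f"TLS: destination hostname {sni}; request path and content encrypted"
    if packet.startswith((b"GET ", b"POST ")):
        line = packet.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return f"plaintext HTTP: full request line visible: {line}"
    return "unrecognised"


if __name__ == "__main__":
    # Constructed sample traffic: one HTTPS handshake and one plain HTTP request.
    print(visible_to_sniffer(build_client_hello("example.org")))
    print(visible_to_sniffer(b"GET /drafts/sources.pdf HTTP/1.1\r\nHost: example.org\r\n\r\n"))
```

The takeaway matches the paragraph: with HTTPS a network observer still learns which site you contacted (from SNI, and from DNS), but not which page or what you sent. Hiding the destination itself is what Tor, covered next, is for.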
ANONYMOUS ON THE INTERNET
If you want to hide your online activity, a good option is Tor, originally short for The Onion Router. Tor is designed to hide your IP address, concealing your location and erasing your online footprints. It is best with a VPN (virtual private network) connection. It is open source, free and supported by a nonprofit. It encrypts users’ online communications – supporting applications including browsing and instant messaging – and bounces them around through a random set of servers called onion routers operated by volunteers. It makes web browsing slow, but much more secure. Don’t expect it to be effective, however, against the NSA or other governments equipped with sophisticated global surveillance tools. Download it here and read the directions carefully. How Tor works.
A Tor proxy exists for Android operating systems. It’s called Orbot. On the Mac (as well as for iPads and iPhones) the Onion browser tunnels web traffic through the Tor network. Developer Mike Tigas formerly charged 99 cents. Now it’s free!
Tor is best used with a VPN proxy service. VPNs are popular for circumventing censors. I am not going to tell you which one I use. But it’s smart to use one with exit nodes in multiple countries. It’s best if some of those countries are not apt to cave to the NSA and its Five Eyes allies and let them spy on your traffic.
Duckduckgo.com is the most popular anonymous alternative to Google’s search engine. Its makers explain why it’s a good idea even if you’re not trying to hide from the NSA or other spooks. It has its own web crawler and also uses other sites. There’s a Duckduckgo Firefox browser extension. Another good option is the Epic privacy browser that’s built on top of Firefox. Google search can be run through a Tor browser for more complete results. Google will demand that you prove you are not a machine. Startpage is an anonymous search engine hosted in the U.S. and the Netherlands that gets its results from Google.
Pretty Good Privacy (PGP) doesn’t just encrypt your email. It also authenticates messages with digital signatures. Plus it can be used to encrypt disk partitions and files. What it does not do is hide from eavesdroppers the identity of those with whom you are communicating. Easiest to use of the free PGP products is the combination of Enigmail and the Thunderbird email client. I formerly used a commercial product from PGP Corp. until it was purchased by Symantec. Now I use gpg4o, an Outlook plug-in. It is not free but works well. Also worth looking at are RiseUp (for the more technically inclined), Peerio (which is quite popular and available for iOS, Android, Mac, Linux and Windows) and Protonmail.com (Swiss-based and browser dependent).
For private smartphone calls, the absolute gold standard is Signal from WhisperSystems. It is free and does instant messaging, too. WhatsApp employs its technology but Signal is more trustworthy because it’s not owned by Facebook, which spies on WhatsApp users and accesses their address books unless specifically told not to. (Good article on Signal by Brian Chen)
For encrypted chat the easiest tool is WhatsApp. Purists opt for instant messaging with the Off-the-Record Messaging protocol (OTR). It can be installed as a plug-in for Pidgin, an open-source chat program that can talk to all manner of proprietary chat programs including AIM and Yahoo! (Google Talk was discontinued). Get the plug-in here. Jabber.org is a free, public instant-messaging system that uses the XMPP communications protocol (originally called Jabber) and supports OTR. You’ll need to choose a server that supports XMPP to host your account. I use the server of the merry pranksters of cyberspace, Germany’s Chaos Computer Club. For Mac OS X there is Adium. It is free and can connect to AIM, Jabber, MSN, Yahoo and more.
AUDIO/VIDEO COMMS and CHAT
Skype, as we know, is insecure. To replace pretty much everything it does there is Jitsi. It supports some of the most popular instant messaging and telephony protocols and works for secure video calls, conferencing and chat. The easiest way to use the technology is meet.jit.si. It creates a secure video/audio chatroom to which one can invite multiple parties.
I have used TrueCrypt, freeware that supports Windows, Mac OS X and Linux. But there are questions as to whether it remains secure. There are also sophisticated ways to obtain the encryption keys from a machine on which TrueCrypt is installed and running, but not if the computer is shut off and the attacker is doing a cold boot. Some people use Windows’ BitLocker. I tend to distrust Microsoft. Security expert Bruce Schneier recommends BestCrypt.
A strategy is vital for what to do if border guards, or local police for that matter, demand that you unlock the data on your cellphone or laptop so they can review it. Especially in need of a strategy are people who handle information so sensitive it could get people killed if revealed. Not carrying the information when you travel is one option. Putting it on a cloud-based encrypted backup service like SpiderOak One is another. There are many.
Journalists who travel internationally will benefit from this good guide by the Electronic Frontier Foundation on strategies for taking computers across borders, where airport searches aren’t just possible. They’re happening: EFF’s Defending Privacy at the U.S. Border: A Guide for Travelers Carrying Digital Devices.
Whatever you do, make sure you LOCK your PHONE with a long password. Mine is nine digits. They might be able to crack it after I’m dead.
(There is a lot out there! Do send me links to guides not listed here that should be.)
A good guide with a catchy name to open source, free infosec solutions: https://prism-break.org/
The Committee to Protect Journalists includes an infosec page in its online Journalists’ Security Guide.
The Press Freedom Foundation’s compendium of online security tools and how they work.
Surveillance Self-Defense from EFF: https://ssd.eff.org/
The Tactical Tech Collective has a very good list of tools and a how-to booklet at SecurityinaBox.org.
AP colleague Raphael Satter’s June 14, 2013 piece on keeping your data private from prying eyes.