Don’t give yourself away to the NSA
Arjen Kampuis (standing)
IS IT getting harder to give sources reliable guarantees of anonymity? The scale of state surveillance revealed by Edward Snowden suggests that it is.
While police have historically used PACE (the Police and Criminal Evidence Act) and production orders to drag information from news desks, Sun political editor Tom Newton-Dunn recently discovered his mobile phone had been hacked by police wanting to identify a source over Plebgate.
The NUJ is supporting Press Gazette's Save Our Sources campaign and is taking steps to help journalists learn to combat routine snooping.
In September the NUJ and the Centre for Investigative Journalism teamed up with professional infosecurity consultant Arjen Kamphuis to deliver a session of free training.
The right to privacy is enshrined within Article 12 of the United Nations Declaration of Human Rights. Despite this, at least 100 million people around the world have been placed on a slightly heightened level of surveillance, although all internet users are subject to a degree of automated interception.
Email, video, data sharing, VoIP calls, photographs, Cloud data storage, file transfers and video conferencing are all susceptible. Secret US court orders compel social media companies, including Google, Microsoft and Yahoo, to release stored data from their servers to the NSA. While many of their applications are free to use, Kamphuis says that this should be a warning. "If you're not paying, you're not the customer - you're probably the product.".
Given that facilities such as Google's gmail are often well-made, easy to set up and easy to use, this is an inconvenient truth. Worse, some products, such as Apple iPhones, have built-in backdoors that allow the NSA to switch on the phones' internal microphones and cameras. And iPhones cannot be switched off.
Kamphuis's job is to teach ordinary journalists how to make it much harder for states to intercept their private data. The NSA's $78bn budget breaks down to a surveillance cost of $0.10 per Westerner per day. Basic security precautions, including encryption of data, can dramatically raise this cost to $100,000 per person per day, however. If we all encrypted everything, sheer force of numbers would make the NSA's data-hoovering unfeasible.
Top tips run from fancy tricks with geeky software to making basic choices about which server to use.
- First off, no dot coms. Wherever in the world they are, any servers whose addresses end with .com or .org or .net have been deemed by the US government to be on US territory and US law applies. It is much better to go for a Swiss (.ch) or German (.de) site as Switzerland extends its famous concern for business privacy to the internet and the German constitution presupposes that the citizen must be protected from state interference.
- Social media sites, despite their bad press, can be useful for spreading disinformation about one's activities. Although it is a bad idea to post poolside snaps onto Facebook while on holiday and advertise an empty house to burglars, it can be useful to put false information about current activities onto Twitter.
- Think CIA. Good security is based on a consideration of three factors:
Compromises may need to be made. For example, cloud servers offer easy storage, but those running the servers can both terminate your access to your data and access it themselves.
- Confidentiality of data (who can access it?);
- Integrity (will it remain unaltered?); and
- Accessibility (will it always be available?).
- Security should not only be passive (eg encryption); active breach detection is needed. So is a well-thought-out response plan. Kamphuis says that if you do find out that your communications are being monitored, you were probably meant to find out.
- With good free software available, these days the biggest problem is the hardware. A fancy Mac is great for video editing but not good for security. A second-hand laptop is cheap - and disposable if it gets compromised. Kamphuis recommends an IBM Thinkpad X60. This is new enough to run modern security applications and old enough to allow replacement of the BIOS. Wifi and Bluetooth cards can also be removed.
- For an open source operating system designed for anti-surveillance, use Tails - details are in the CIJ handbook (see below).
- Use different browsers. For example, Firefox works well as a main work browser. It is cross-platform and, although funded by Google, is still the most publicly owned one about. It also has the most extension options. Tor, which hooks users to sites via a chain of randomly chosen servers, is best when the need for IP anonymity is paramount. It is slow and streaming video is not possible, however.
- Choose good passwords - and do not post them underneath your keyboard. A strong password has 20+ characters. A line from an obscure poem, in lower case, is easy to remember and hard to guess. Passwords to your Amazon or LinkedIn accounts - where the idea is to keep out the mob rather than the state - can be shorter. Ideally, use separate passwords to login to the system, to switch on hardware and to login to software and unlock an encrypted hard disk.
- PGP stands for Pretty Good Privacy encryption and you should use it. Instructions are in the handbook. Be aware that the metadata (sender and recipient IDs, time of sending and subject line) is not encrypted.
- For secure chats, use OTR (yes, it's short for off the record). Cryptocat, the Safari chat extension, is not as secure.
- For updates on security issues, keep in touch with your local community of technoactivists. Next August will see a lot of these descend upon Berlin for a week of happy hacking, so think about booking a holiday.
Arjen Kamphuis's Information Security for Journalists handbook, co-authored by Silkie Carlo, is available on the CIJ website.