Digital rights advocates often say the best way to fight government or even private surveillance is encryption.
Many news organizations and journalists investigating corruption or human rights abuses look to these encryption tools to overcome security threats, but the digital world is still built to make us rely on third parties to store our information.
“The worst practice that journalists are doing with their security is relying on third parties that they don't control, that they shouldn’t depend on, to protect their privacy,” said Micah Lee, an expert on source protection and cryptography, at a recent privacy conference in San Francisco held to celebrate Aaron Swartz Day.
In memory of Swartz, who developed SecureDrop to let sources anonymously share information with journalists, organizations like the Freedom of the Press Foundation, Electronic Frontier Foundation and Internet Archive got together to hack on known or new tools to help journalists keep their data and sources safe.
Lee, who works at The Intercept, teaches people like Pulitzer Prize winner Glenn Greenwald and other reporters how to use state-of-the-art security measures when dealing with sensitive information.
“If you store your story drafts in Google docs, or your newspaper uses Gmail or Hotmail, not its own email server, I think that’s pretty bad,” he said. “If there is some investigation into your sources, authorities will send a request to those third parties, not to you.”
These are some tools featured over the weekend:
Developed by Lee, Onion Share lets anybody securely share any size file. Instead of carrying sensitive information provided by sources on USBs or portable devices, reporters can share it in this temporary, untraceable website.
"It is like Dropbox, but encrypted and reliable. As soon as the person downloads the file, it can be erased from the server and it’s no longer accessible to anyone,” explained Lee. If a reporter or a source wants to send files, the tool creates a URL and a password that can be shared via encrypted messages. Freelancers can find this tool useful for communicating with whistleblowers.
If you are familiar with the TOR Project, currently the best way to navigate online without leaving trace, you will be glad to learn that it recently launched TOR Messenger. The cross-platform tool facilitates encrypted chats on a variety of networks like Facebook and Gchat. Lee recommended to run it with Jabber or Xmpp, which are “decentralized servers owned by privacy nonprofits that are more into keeping your data secure than giant corporations.”
OpenArchive is a mobile application that seeks to preserve audiovisual civic media in a secure way.
“A lot of citizen journalists take photos of human rights abuses or videos of police brutality, and they are hesitant to put it on social media immediately,” explained OpenArchive founder Natalie Cadranel. “They want to give it to someone they trust, so they could upload into the Archive, using a pseudonym if needed, and the app makes it widely available for a long time.”
The app, currently in beta for Android, uses mobile TOR technology to allow people on the ground to send sensitive images without fear of being tracked. All content uploaded to OpenArchive will have a Creative Commons license. In the future, the idea is to make this content searchable.
Keybase is an open directory of public keys that you can verify through social media accounts. A public key combined with a private key can be used to effectively encrypt messages. If a source is sending you an encrypted email and you want to verify that person is reliable, the Keybase directory can tell you who's that key, according to his or her profiles on Twitter, Reddit, Github, Bitcoin and domain names. “The tool is a beta code, so it needs more development to be verified through Facebook or Instagram,” Jeremy Stribling, co-founder of Keybase, said.
Journalists can create a Keybase account and share their public key. That way, sources can verify who they’re sharing information with. It’s a trust model that seeks to avoid impersonation. “If you put a link to your Keybase account in the footer of your articles, anybody can search your profile and verify you through your social media accounts,” added Stribling.
Don’t confuse it with the Facebook or Linkedin Signal apps. This tool, developed by Open Whisper System, allows you to make encrypted voice calls, as well as send encrypted text messages, with your existing number and the contacts that also download the app. The one problem with sources talking to journalists through Signal? If the phone gets seized, authorities would know they have been in touch, although they won’t get access to the content of conversations.