Tradecraft 101: Cybersecurity for journalists, activists and dummies

Are you a journalist scared of having your phones tapped by the police without a warrant? Are you an activist who is scared of having their details doxxed (making your details like address and phone number public without your permission) and then getting lynched? Are you a chill guy using certain plants for recreation but are scared of your chats being read out on national TV by a lady with serious anger issues? All this has been happening around us, and we should be concerned about our privacy. But don’t fret, for this guide will teach you the secret-agent tradecraft for maintaining your anonymity online so that you can lead your lives without the fear of dudes with ‘lathis’ showing up on your doorstep.

Don’t take all of this from me though, take it from a Cybersecurity specialist who wished to be identified only as a ‘Reddit user’. He says, “Indian cyberspace grew all of a sudden and I assume most of it was because of cheap internet and cheap android devices. With growing internet users, it’s mandatory to have people know about the risks online, how their data is handled.”

When asked who stands to gain from breaching your privacy, they said, “It depends. The government of India, as far as public reports go, have no mass monitoring systems like NSA in the USA. Nor is anyone concerned about it in India which makes it less likely for anyone to learn about it. However, if something is less likely we can’t just ignore this growing threat, we need to have precautions ready.”

George Orwell’s dystopian concept of “Big brother is watching you” is becoming a sad reality.

He also believes that the education system needs to make it mandatory for each person to know how internet data is handled, how to maintain privacy, the ethics of activities, and what is legal and illegal in the cyberspace. So let’s get into the details of how to protect yourself.

1. WhatsApp: WhatsApp is end-to-end encrypted and it cannot be intercepted and decrypted without the encryption key from the user’s device. Unless your friend decides to share screenshots of your chats, the only other way the chats can be leaked is through Facebook’s shady privacy policies (which don’t have a great record, look up Cambridge Analytica) or your Google Drive backups. Anyone with Google credentials or a login session from Google services can access all your chat backups and read them without a key.
   There are 2 ways to prevent this. You can stop using WhatsApp for sensitive conversations as it isn’t trustworthy and switch to ‘Threema’ which does not require a phone number to sign up. If you don’t want to switch from WhatsApp, disable the Google Drive backups.
2. SMS: SMS is the least secure of any communication modes and it’s vulnerable to all kinds of attack. Use the ‘Silence’ app if you really have to send sensitive information via SMS. It will encrypt the content of the message if both parties are using Silence.
3. Browser: If you’re just casually surfing the internet and are concerned about your privacy, use the Mozilla Firefox browser along with ‘GoDuckGo’ search engine or with ‘UBlock Origin’ (blocks ads and filters contents), ‘NoScripts’ (blocks malicious scripts) and ‘Https Everywhere’ (switches the website you visit from insecure “http” to secure “https”) browser extensions. Anything but Chrome and UC browser.
   If you want to be completely untraceable, use the Tor Browser. This browser is decentralised and no organisation owns it. It routes your internet traffic in layers through different self-hosted servers (TOR nodes). These are hosted by people all over the world and nobody knows each other. The Tor Browser is not all “Dark web, illegal drug trade and terrorist organisations” like the mainstream media portrays it. It is just random IP addresses all over the world. Setting up The Tor Browser will require some effort so you may also use the Orbot app, if you cannot find it on the PlayStore, download its APK.
   VPNs aren’t particularly secure as they may sell your information if the government demands it, but can be useful if you only want to circumvent the pesky restrictions on some website or want to access region-blocked content.
4. Emails: For sensitive emails, do not use email clients like Gmail, Outlook or Yandex. Instead use Protonmail, Tutanota, Disroot or TorMail.
5. Cloud storage: As said before, Google Drive isn’t very secure, so to store sensitive files online, use Tresorit and Mega Cloud for your private stuff. They also have android apps and have automated folder sync. For added security, make sure you encrypt the content using apps like Cryptomator before uploading them to the Cloud.
6. Contacts: To save contacts without the fear of them being accessed by Google, use Open contacts. This app also allows you to export your contacts which you can back up in the aforementioned storage services.
7. Keyboard: Your keyboard application can save your key-taps on your mobile. You can use Openboard, AnysoftKeyboard or Simple Keyboard which are open source and don’t save your key-taps.
8. DeadDrops for sending and receiving messages(Yes, just like in spy movies): Many journalists all over the world use SecureDrop which is an open-source whistleblower submission system which is used to safely and anonymously receive documents and tips from sources.

If you wish to go the extra mile and are willing to sacrifice more comfort, you may also look into more advanced steps like installing the Graphene Operating system on your phone or switch to IOS(Apple’s Operating System) which is generally good for privacy, as the FBI investigation into the San Bernandino shooting in 2015 proved.

In the end, these steps don’t necessarily make you a ghost on the Internet.
According to our cybersecurity specialist, “Your privacy is no one else’s, just yours. How you handle it is your responsibility. Using real names, aliases, common passwords, typing practices, phone number, pictures, it’s all you who controls it. If you can make good practices, you can become a 21st-century ninja.”