#stealthis: Security Essentials for Journalists
The following is an abridged version of “Steal this Digital Security Toolbox”, which I presented at the 2012 Online News Association conference. Please note that while the below is only a brief overview of security techniques, there are two major takeaways. (1) Encrypt your devices. (2) Set yourself up with a Virtual Private Network (VPN) to protect your wireless activity. Get in the habit; these practices are important no matter where or with whom you are working. The CUJ community can learn more on October 18, when Jeff Sieben, Columbia Journalism School’s head of IT, will be leading a Tow Tea on digital security.
Why do digital and device security matter?
Many journalists may be tempted to think that they don’t need to worry about digital or device security. In the U.S. especially, journalists enjoy the protection of strong press and privacy laws, and many of us may think that spilling coffee on our keyboard is the greatest risk to the data on our hard disk. Dealing with security may also seem like just one more technical issue that takes time away from our real job: producing good journalism.
The reality, however, is that digital security is part of your job. Protecting your stories, your sources, and yourself — whether in the U.S. or abroad — is an essential part of being a good journalist. True, most states (I’m looking at you, Wyoming) have some kind of legislative or judicial protection for journalists, and some recent gains have been made in the Supreme Court’s interpretation of the Fourth Amendment with respect to digital surveillance. Even though we call it “e-mail,” however, the legal protections around information we exchange digitally and store in the cloud are minimal at best. What’s more, without device encryption and network protection, it can take only seconds to copy your entire hard drive or hijack your computer or wireless traffic almost undetectably — and then use them to track you and your sources both physically and digitally.
The good news is that with two simple configurations you can protect yourself enormously. With a few simple setup adjustments, you can help protect yourself and your sources — so that you can all continue doing the work of a free press.
Stop the hackers: encrypt your computer
The simplest way to protect your computer — and all the information on it — is to encrypt your hard drive. Doing this doesn’t change your workflow; it just prevents someone without your password from reading what’s on your drive. It may even help you protect your information against fishing expeditions by law enforcement.
For Macs:
- FileVault2 (already installed if you’re running 10.7 or later), otherwise use TrueCrypt
For PCs:
- Symantec offers GuardianEdge
All platforms:
- TrueCrypt is robust, open-source, free, and available for Macs, PCs and Linux machines
Stop the stalkers: use a VPN
You already know to only use secure, HTTPS connections, right? A Virtual Private Network (VPN) acts like a digital tunnel, channeling all your internet traffic through your VPN host and therefore making it almost impossible for someone watching your internet traffic to determine your location (which can happen even if the connection itself is encrypted). If you work with an organization, they may already have a VPN available; take an hour and set it up. Otherwise, check out some of the free and commercial options below.
VPN services:
Commercial & No Logging (OpenVPN, PPTP, L2TP, etc):
+ Crypto Cloud
+ Privat VPN
+ Private Internet Access
Commercial & Some Logging (OpenVPN, PPTP, L2TP, etc):
+ Strong VPN
+ Swiss VPN
+ Golden Frog
Free:
+ Proxpn
+ Cyberghost VPN
+ Raptor VPN
+ Anchor Free
Once your VPN is installed, a handy icon appears in your toolbar, and you’re a quick click away from surfing securely. Even better: use a VPN that offers an IPsec connection and your Dropbox and other non-browser internet activity will be protected, too.
Don’t stop there: tools for voice, chat, and mobile
You may already have heard of Tor, which is a good, browser-only option if you can’t use a VPN. It’s best to use it in client-only mode, though; operating an exit node isn’t recommended. For a mobile version, check out Orbot and Orweb (used in conjunction). For voice, try the OSTel project, which uses encrypted VoIP. CryptoCat offers encrypted mobile chat, as does Gibberbot, which integrates with your GChat contacts. In general, tools from The Guardian Project and the Open Internet Tools Project are both worth checking out.
Finally, it’s worth familiarizing yourself with what the legal protections are (and aren’t) for data stored in the cloud. The Digital Due Process site is a good primer.
For further reading on all topics digital and legal, also visit the Electronic Frontier Foundation.