By: Gabriel Keeble-Gagnère
6 Nov 2015
The UK government published its draft investigatory powers bill on Wednesday, which gives police and security services new surveillance powers. The bill prompted some criticism from media lawyers highlighting how it could be used to spy on journalists and their sources.
But it's not just UK-based journalists who should be aware of the tools and techniques they can use to protect themselves and their sources from surveillance, especially if they are working on investigative projects and speaking to whistle-blowers.
The following is an extract from Data journalism: Inside the global future, edited by Tom Felle, John Mair and Damian Radcliffe, published with permission. It forms part of a chapter on information security by Gabriel Keeble-Gagnère – read part one here.
In addition to encrypting communications, journalists will often need to encrypt documents they are working on, such as articles in progress or documents passed to them in confidence. Commonly used compression tools often provide encryption support, though commercial tools are potentially compromised and should not be trusted.
A reliable open source compression tool is 7zip, which supports the AES-256 encryption standard. As noted previously, the strength of the encryption will be compromised by a trivial password. The full set of US diplomatic cables leaked to WikiLeaks was distributed as a 7zip-encrypted file; it was decrypted only after Guardian journalist David Leigh published the password in a book by mistake.
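As an added illustration (not part of the book extract or of the 7-Zip project), the shell functions below generate a random passphrase, estimate passphrase entropy, and create an AES-256 encrypted 7z archive with the file names hidden as well. The function names and the paths in the usage comment are assumptions; the `7z` switches are the standard ones, and `-p` with no value makes 7z prompt for the passphrase so it never appears in shell history or the process list.

```shell
#!/bin/sh
# Added example: function names are illustrative, not from the article.

# Print a random passphrase: N bytes from the kernel RNG as hex,
# grouped in fours so it can be copied down by hand. 16 bytes = 128 bits.
new_passphrase() {
    nbytes=${1:-16}
    od -An -N"$nbytes" -tx1 /dev/urandom | tr -d ' \n' | sed 's/..../&-/g; s/-$//'
}

# Entropy in bits of COUNT symbols chosen uniformly at random from an
# alphabet of SIZE symbols: COUNT * log2(SIZE), rounded to the nearest bit.
# Human-chosen passwords are weaker than this upper bound.
entropy_bits() {
    awk -v n="$1" -v size="$2" 'BEGIN { print int(n * log(size) / log(2) + 0.5) }'
}

# Encrypt SRC (file or folder) into OUT with 7-Zip.
#   -t7z     use the 7z container, whose encryption is AES-256
#   -mhe=on  encrypt the archive header too, so file names are not readable
#   -p       prompt for the passphrase instead of taking it as an argument
encrypt_folder() {
    src=$1
    out=$2
    command -v 7z >/dev/null 2>&1 || { echo "7z not found" >&2; return 127; }
    7z a -t7z -mhe=on -p -- "$out" "$src" || return 1
    # Verify the archive decrypts and passes its integrity check
    # (prompts for the passphrase again).
    7z t -- "$out"
}

# Usage (paths are placeholders):
#   new_passphrase 16        # write the result down offline
#   entropy_bits 8 26        # 8 random lowercase letters: about 38 bits
#   encrypt_folder ./drafts drafts.7z
```

The passphrase should reach the recipient over a different channel from the archive itself, and never in print.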
Another popular tool is Truecrypt (not strictly open-source, though the source code is available), which offers a wider range of cryptographic functions, such as encrypting entire file systems.
It is worth noting that extra care may be needed when working with particularly sensitive information. Any computer connected to the internet is potentially at risk of being spied on. In such a situation, the sensitive data can be accessed before it is even encrypted.
An extra level of care that can be taken – and one adopted by renowned computer security expert Bruce Schneier while working on parts of the Snowden documents (Schneier 2013a) for the Guardian – is to buy a new computer which is never connected to the internet and is used solely for the purpose of working on, encrypting and decrypting sensitive files (this is known as ‘air-gapping’). This way, the plaintext (non-encrypted) data will never be loaded into memory on an online computer.
Accessing the internet anonymously
When connected to the internet, our identity is revealed by a unique IP (internet protocol) address. Each connection we make on the internet (to websites, email servers and so on) may be traced back to us with this address.
What this means is that even with prudent use of encryption, the identity of whistleblowers and those they work with can be uncovered (though what they are saying may not be). Because of this, and depending on the situation, anonymous access to the internet may be desired.
One of the simplest ways of achieving this is with the Tor software package, which anonymises connections by sending them through a series of intermediate nodes (computers running the Tor software in ‘relay’ mode), before finally accessing the website through the final node in the chain, the exit node.
One important point to note is that while communications within the Tor network are encrypted, the exit node will transmit data as it was at the beginning – in other words, the user is responsible for encrypting their communications. Failure to do so can compromise anonymity.
Care should also be taken when links are followed, since any external application that is opened (for example, when opening a linked PDF file) will not be running through Tor by default and can unmask you.
While there are a number of potential issues with Tor, and new vulnerabilities are often being found, it is still believed to be a reliable way to achieve anonymity online. Indeed, the NSA’s own exploits of Tor have focused on the Firefox web browser supplied with the Tor Browser Bundle (these exploits have since been fixed), not the Tor system itself (Schneier, 2013b).
Despite this, the Tor Browser Bundle is still recommended (the website states: ‘almost any other web browser configuration is likely to be unsafe to use with Tor’) – just make sure to always use the latest version.
Another way of anonymising oneself online is to purchase an account on a VPN (Virtual Private Network) service. In a nutshell, this simply serves as a relay point for your connections; the IP address you appear to be connecting from is that of the VPN server, not your personal computer.
Data is encrypted between your computer and the VPN servers (though it should be noted that this is one of the types of encryption that the NSA has worked to compromise).
There is a large range of VPN services available, with varying levels of security. One word of caution: many VPN services will log all user activity and hand over this information when pressured by governments and law enforcement.
For true anonymity, a VPN provider that does not log user activity is essential; AirVPN and PrivatVPN are two providers that claim not to.
More recent revelations have shown that VPN networks are not safe from NSA spying; according to one document, ‘from late 2009, the agency was processing 1,000 requests an hour to decrypt VPN connections’.
Note that Tor and VPNs can also be used to access websites that have been blocked. In countries which operate particularly aggressive censorship of the internet, such as Iran, China and Saudi Arabia (and let’s not pretend that Western governments are exempt – Australia, Italy, France and the UK were placed ‘under surveillance’ in the annual Reporters Without Borders Enemies of the Internet report in 2010 following moves to implement their own filters), access to sites routinely used by journalists such as Twitter may be restricted; a VPN account allows you to bypass such filters regardless of physical location.
The all-in-one solution: TAILS
Tails is a customised version of Debian Linux which has most of the tools discussed above pre-loaded and uses Tor by default to connect to the internet. Importantly, it can be installed on a USB key and used to boot directly into the operating system.
Once sensitive tasks have been completed, you can boot back into your usual operating system and no trace of the Tails session will remain.
This is the easiest way to get up and running with encryption and anonymity with the least chance of a mistake, but note also that it is not suitable to use as a day-to-day operating system and should only be used to carry out sensitive tasks.
It can be assumed to be effective when used properly: The NSA specifically complains about Tails in some of the Snowden documents. Tails can be downloaded here.
Blowing the whistle securely: SecureDrop
SecureDrop is an open source submission tool that can be installed by media organisations as a way to allow anonymous, secure submission of documents. Among the technologies and techniques it uses are Tor, GnuPG, Tails, and air-gapping, all discussed in this chapter.
It was originally created by the late Aaron Swartz and is now managed by the Freedom of the Press Foundation. It is used by many media organisations including the Intercept, the Guardian, Pro Publica and The Washington Post.
In an ideal world everyone would use encryption; in practice, however, it is beyond the technical skills, and patience, of most people. There have been a number of initiatives recently that seek to educate the broader public on cryptography issues.
Started more than a year before the Snowden leaks came to light, the now-global Cryptoparty emerged practically overnight following an exchange on Twitter initiated from Melbourne, Australia.
It aims to provide a space for those interested in learning about cryptography to learn from users who are already familiar with tools and concepts, through talks and workshops.
In New York, an encryption workshop was organised by the Hacks/Hackers group, with the specific aim to educate journalists. These kinds of initiatives can be expected to become more common in the post-Snowden age.
Journalists who are keen to learn should contact local computing groups (such as Linux user groups) or ‘hackerspaces’ (a comprehensive list can be found here) and try to organise similar sessions.
'Data journalism: Inside the global future' is available on Amazon.