| বাংলা |Español | Português | Русский | العربية
With regular headlines about massive data hacks, everyone should be worried about digital security. But investigative journalists — who work with vulnerable sources and deal with sensitive information — should pay special attention.
At the Uncovering Asia 2018 conference in Seoul, Chris Walker, a digital security expert from the Tactical Technology Collective, shared key tips that journalists can implement today to protect themselves, their sources and their story.
1. Encrypt Your Devices
If you haven’t enabled disk encryption on your laptop, do it now. FileVault is pre-installed on recent Macs and can be activated by going to System Preferences > Security & Privacy > FileVault. Make sure it is turned on and never turn it off. For Windows, Walker recommends BitLocker, which is available for “Pro” and “Enterprise” versions of Windows 10. (If you have Windows 10 Home, you can upgrade but it’s not cheap.) Once activated, it encrypts the computer’s hard drive and can be used to encrypt attached USB devices.
Whichever operating system you use, be sure to stay on top of software updates.
2. Get a VPN
A Virtual Private Network allows you to browse the web privately through a proxy, or intermediary, server. VPNs are typically subscription services and can be installed on smartphones as well. Do your research! VPN service providers in Europe are likely to offer more privacy protections than those in the US, for example. And know when to turn your VPN on and off (always “on” when using public and unsecured WiFi).
Depending on your threat level, location and activity, using the Tor Browser may be a better option. With VPN, you have to trust that the provider is not recording and sharing the list of websites you visit. Tor Browser is designed in such a way that even the Tor servers themselves do not have access to this information. It’s safer, but it does slow you down. As always, be sure you trust the Tor software you download.
Expert advice: depending on the desired level of security, use at least a VPN and the Tor Browser, as needed.
3. Protect Your Communications
Talking with sources? Download a safe messaging app like Signal or Wire, which offer free, encrypted messaging and voice calls.
Consider opening an email account with an encrypted, “walled garden” provider, such as Tutanota or ProtonMail, and advise your source to do the same. Want to keep using your current email account? Install the Mozilla Thunderbird email client, the Enigmail extension and the GnuPG encryption software (for Windows or Mac), and get comfortable with the extra steps necessary to protect your communications.
4. Get a Real Password
The tricks most people use for passwords are, well, pretty useless, according to Walker. Make your passwords long, make sure they’re not common phrases (i.e. from poems or song lyrics), and use a different one for each account. One trick is to choose seven random words and string them together into a single “passphrase.” Or try KeePassXC, which will generate passwords and store them for you in an encrypted database.
Not sure if your email address has been compromised in the numerous data breaches? Check the website Haveibeenpwned. When any online account gets compromised in a data breach, immediately change your password.
There is no such thing as complete security, but you can certainly raise your level of protection. For more tips and guidance, check out SecurityInaBox.org
Roland Bednarz is a freelance journalist and chemical engineering student in Delft, Netherlands. He is part of the Konrad-Adenauer-Stiftung journalism multimedia program, and was a newsroom fellow for Uncovering Asia: The Asian Investigative Journalism Conference, which was held Seoul in October.
ExpressVPN over Tor is the de facto duo. Speeds aren’t compromised and you’re 100% anonymous.
I use NordVPN which operates from Panama where there’s no data retention laws so I feel like I can trust Nord to not be collecting any of my data. There’s plenty of information about providers who proved that they aren’t collecting anything, e.g https://vpnpro.com/blog/best-vpn-no-logs/.