What’s the best way to protect you and your sources from commercial spyware? When the actual systems and applications used in everyday communications aren’t transparent and lack adequate security measures, using open source programs with encryption can be the best line of defense for journalists.
In its simplest definition, open source refers to applications, programs and systems with code that are available for anyone to view and modify. These tools offer maximum transparency for ensuring security as well as the ability to crowdsource improvements to the program.
While these tools are not yet widespread, journalists should be taking advantage of open-source systems for the safety of their sources and themselves. The following is a concise guide on exactly what mainstream applications you can swap for open source programs and how.
Signal / Whatsapp
Growing concerns with privacy have forced the hand of mainstream messaging applications like Whatsapp, one of the world’s most popular messaging applications, to improve their security by incorporating end-to-end encryption. In fact, the Signal Protocol for encryption, which was developed by Open Whisper Systems, has been adopted by many mainstream apps, including Whatsapp. However, there are still security risks to using Whatsapp because of how much of your data the app stores when you send a message.
Whatsapp stores metadata. This includes information such as usage and log information, device information, contact information, cookies, status updates and even location. This is partially because it is owned by Facebook, which uses this data for ads, and because it has a variety of app features that require this data to operate.
Signal, however, only stores what it needs for the service to work: keys, phone number and profile information. Signal also only stores IP addresses for as long as it takes to send a message.
Features like disappearing messages, changing security numbers and inability to screenshot or view browser previews make it difficult for intruders to access your sensitive conversations if your phone is stolen or lost.
Skype / Jitsi Meet
While Skype revolutionized video-calling (an expensive and low-quality communication method until the mid-2000s) by pioneering a free, good-quality video chat service, there are gaping security issues in its software and how it processes user data.
From malware-installing flash ads to a bug that leaves a Skype user’s entire computer vulnerable to attack, users are vulnerable to exposure of not only the potentially sensitive content of their video calls, but also their call initiation data (sender, recipient, time of call), location, access to their webcam, internet browsers and everything in them.
Jitsi Meet is an open source alternative to Skype, both for two-way and conference video calling. It works on almost all operating systems (Windows, Mac OSX, Linus, Android) and you can choose to use it as a downloadable application, or in a browser, with the same feature functions. You can screen share, upload documents and edit them on screen.
All you need to start a call is to enter a username and invite participants via a link or a dial-in number. Sessions can be password protected for extra security, while both the audio and video is encrypted.
Gmail / Thunderbird + Enigmail add-on
One of the biggest draws of webmail clients like Gmail is the assurance that if your computer crashes, your email inbox is safe on another server and can be accessed through any browser via login. From a privacy perspective, this is also a major problem.
With webmail clients, even if you use encryption, your entire key library is stored on another (usually a big corporation’s) server. Meaning your sensitive emails can be, in theory, accessed by anyone with access to that server. The other major security problem is the fact that Google services span multiple platforms (YouTube, Google Drive, Google+), and legally, if Google thinks, say, that you’ve violated their Terms of Service on Google Music, they can seize your Gmail inbox for as long as they need to resolve the issue.
On top of this, practical concerns like no external backup, internet access required to manage your inbox, and finicky encryption make a case for using desktop email clients.
Enigmail is an add-on to Thunderbird which makes encrypting email communication as simple as one click. Once you generate your PGP key, an icon appears in every message that you can click to encrypt prior to sending or use the signing method to verify you are the true sender. Sharing your public key is as simple as clicking Attach>My Public Key.
Like all open source code, Thunderbird code repositories can be searched, examined and analyzed on Github.
Common Browsers / Tor Browser or Browser + VPN
While most updated browsers encrypt browser traffic, meaning someone can see what site you visit but not the content of the pages you visit or what you search, Tor browser prevents outsiders from seeing any of that. The security and anonymity Tor offers was scrutinized by law enforcement and policymakers, who held it up as the browser of terror groups. In reality, what Tor offers is a secure way to access important information, especially journalists communicating with whistleblowers. In fact, anyone who has a legitimate fear that their personal safety would be compromised if their internet privacy was visible can access important, life-saving tools and information via Tor.
However, Tor can be cumbersome for users, with slower performance and longer initial start-up time. The features that mainstream browsers have which make web browsing easy and convenient, such as browser plugins, often forego security and privacy, and shouldn’t be used with Tor. If you can limit your sensitive conversations with sources to Signal or encrypted email, using Google Chrome or Firefox with a VPN (Virtual Private Network) is a good alternative to Tor. VPNs essentially provide a private, encrypted tunnel between your browser and anything you access on the internet. It connects your device to a server in a different country, making your physical location private. If you use public Wi-Fi networks, a VPN is a must, as they are more susceptible to digital intruders.
Dropbox / OnionShare
The issue with most cloud storage is the need to share data with a third-party provider. Storing data on a server instead of your device — even if it’s encrypted — leaves it vulnerable to possible misuse. Online storage services often retain copies of encryption keys, which make them easier to get hold of by employees, intruders or law enforcement.
In terms of file-sharing programs, there is a huge variety of open source options to choose from, but most require you to host your own server for maximum security. OnionShare, although it is simple in terms of layout, allows you to share files or folders securely and anonymously. All that’s required is a download, after which, files you’ve uploaded are stored on your device and shared through the Tor network.
Each file has its own unique .onion URL that can be accessed through Tor browser.
As an OnionShare user, you have full control over files because they are shared from your computer/phone directly instead of a third-party server.
Additional security features allow you to limit the amount of times a file can be downloaded and set timers for shared items to expire.
Most of these open source tools are free (except the VPN subscription) and are compatible across all major operating systems (Windows, Mac OSX, Linux). Incorporating the use of even one or two of the tools on this list will go far in protecting you, the sources and journalists you work with, and those closest to you.
Interested in more? Check out GIJN’s detailed guide on more ways you can improve your online security.
Katarina Sabados is a freelance journalist and researcher with the Organized Crime and Corruption Reporting Project (OCCRP). She has worked with the Crime and Corruption Reporting Network (KRIK) in Serbia and on such OCCRP projects as an investigation into shady mining deals in Tajikistan.