Information stored on your computer or mobile is at risk. You could leave it on a train; it could be seized at an airport security checkpoint, or by the police or courts. And of course hackers can access your data.
You need to be aware of all the risks and ways to protect your information, your sources and yourself.
Encrypted information is scrambled and can only be unscrambled using a password. You need to use an encryption programme, and may need to seek advice on the best one for you.
Encryption works by using prime numbers (those which are only divisible by themselves and one). To encrypt your script, you use two prime numbers – one on the system and another that you choose – that you multiply together. The programme then provides you with a public key, which you give to others so they can send information you can then decrypt, and a private key, which is just for you and contains your password.
There are still prime numbers that are yet to be discovered, so a hacker would need forever to work through all the code numbers.
Some people are still worried about the security of the encryption programmes; that a skeleton key might be made for all the encryption passwords. They prefer to use encryption programmes with open source software where you can read the programme code and IT experts can check this.
There are different levels of encryption – called bit encryption. Journalists should use at least 256-bit.
In the UK, you should be aware that under the Regulation of Investigatory Powers Act any journalist can be forced to reveal their password to encrypted material. Refusal to comply risks potential imprisonment.
When you are working in a hostile environment, encryption may not be the answer because it could draw attention to your message. Security services often look out for encrypted messages. It is sometimes better to ‘hide a leaf in a forest’ and blend into the normal internet traffic. In some circumstances, sending a message on Facebook might be even more secure than using heavy encryption.
When you encrypt, as with any other password you create on your devices, you should use a long unguessable password with a mixture of numbers, symbols and capitals.
Passwords are susceptible to a ‘dictionary’ attack: a method which guesses passwords by applying different combinations of words and numbers in the dictionary. It is always advisable to use seemingly random numbers and letters.
Use a different password for everything you do. For particularly sensitive stories, create one that is unique. If you write the passwords down, make sure only you can understand your notes. Never save passwords for sensitive content in the browser.
If you are working on a really difficult investigation you might feel it is not safe to keep any information on a computer. If you are working in a hostile environment and fear your computer might be seized, you can save information directly on to an SD card or external memory device. The advantage is that it is easy to conceal; the disadvantage is that it is very fragile and easy to lose.
Sometimes you might not be able to store your information on an SD card because you want to share documents with other members of your team.
Cloud storage is a central online area — like Box and Dropbox — where you can save material. BBC programme teams often use them to share documents. There are two main issues: encryption and access.
Choose a service that uses encrypted storage and transmission of data files. And you must vet and completely trust the people who have access.
If you delete something from your computer and then delete it from the recycle bin, it is still stored on your computer and can be brought back with a file recovery programme such as EnCase or FRED. These can restore all the information you have ever saved on your computer. If your computer ends up in the wrong hands, so can the new owner.
A digital shredder will not only delete the data but replace it with random 1s and 0s with the aim of making it impossible to recover. It will also clean up system files and disc space that temporarily store information on your computer. And there are digital shredders for mobile phone devices too.
Phones are much easier to lose and journalists often have a lot more personal information on their phone than their laptop. If you are working undercover or on a difficult investigation, it might be a good idea to buy a pay-as-you-go phone, especially if you think your phone might be hacked or seized.
You might also choose to use an app like Wickr, which deletes your messages and photos after you have sent them.
The Greek word ‘meta’ means ‘after’ or ‘beyond’ and metadata is the trail you leave behind when you do something with a device.
Every time you use a computer or create a file, not only is there the data that makes up that file but also a secondary file containing information about the nature of the file. The metadata may include the date, location, camera model, mobile phone device, computer, author, the company they work for, and other details which reveal information about you. This can be in emails you send, Word documents, photos you take or sound and video files you create.
There are websites and programmes that anyone can use to examine the metadata on computer files. You can find out a lot of information on your computer by right-clicking on a file and clicking on ‘properties’ on a PC or ‘get info’ on a Mac, but more specialist information can be provided by these websites.
You can obviously use this information to check information sent to you as well.
You can use the metadata in emails to trace their origin. It is sometimes possible to see the location, the company the person works for, the internet service provider, the time and date that the email was sent. The ISP can sometimes reveal where the user lives or works.
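An added example (not part of the original post) of reading the trail in an email's headers: each mail server a message passes through adds a Received line on top, so reading them from the bottom up retraces the route from the sender. The message is constructed, using example domains and reserved documentation addresses; Received lines written before the message reached a server you trust can be forged, so the result is a lead to corroborate.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (example domains, documentation IP ranges)
RAW = """\
Received: from mx.example.org (mx.example.org [198.51.100.7])
\tby inbox.example.net with ESMTPS; Tue, 04 Mar 2014 10:15:09 +0000
Received: from [192.168.1.23] (host-203-0-113-45.isp.example [203.0.113.45])
\tby mx.example.org with ESMTPSA; Tue, 04 Mar 2014 10:15:02 +0000
From: Source <source@example.org>
To: Reporter <reporter@example.net>
Subject: Documents
Date: Tue, 04 Mar 2014 11:15:00 +0100

See attached.
"""

# "from <name the client claimed> (<reverse DNS name> [<IP the server actually saw>])"
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+"
                 r"\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\)")

def trace_hops(raw):
    """Return the relay hops oldest-first (the last Received header is nearest the sender)."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        line = " ".join(value.split())              # undo header folding
        m = HOP.search(line)
        by = re.search(r"\bby\s+(\S+)", line)
        stamp = line.rsplit(";", 1)[-1].strip()     # the timestamp follows the last semicolon
        hops.append({
            "from_ip": m.group("ip") if m else None,
            "from_host": m.group("rdns") if m else None,
            "by": by.group(1) if by else None,
            "time": parsedate_to_datetime(stamp) if ";" in line else None,
        })
    return hops

def sender_utc_offset_hours(raw):
    """The Date header is written by the sender's mail client and carries its timezone."""
    sent = parsedate_to_datetime(message_from_string(raw)["Date"])
    return sent.utcoffset().total_seconds() / 3600
```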
Every time you access a new website you send metadata relating to your connection to the internet to the owner of that site. This allows them to see details about your connections to the net, including the computer you are using, the browser and, more importantly, your IP address, which may reveal your location, home town or place of work.
It also reveals the search terms you have typed in to get to the website. You might be working on an investigation where you would raise suspicions if they knew you worked for the BBC. The search terms you enter in the search engine may also reveal the nature of your investigation.
If you have reached a page by clicking on a link, the owner of that page will be able to see the address of the page containing the link – for example, a Facebook page. If this is matched with your IP address, it may reveal details of the nature of your investigation and your identity. Some journalists may take appropriate measures to conceal this information.
Sending an email is a bit like sending a postcard. Anyone can read it along the way. It goes through a number of different computers before it arrives at its recipient, and the identity of the computer from which it was sent (the IP address) is revealed as well as the message itself, the subject and recipients.
You must be aware of this if you are working in any hostile environment.
Virtual Private Networks
Virtual private networks are connections and software that mask your IP address and encrypt your activity. They allow you, for example, to use the internet securely in countries that inhibit your work online. China, for example, blocks many sites. A VPN will get you beyond China’s restrictions to surf the internet.
If you are working in a hostile environment and fear your presence might be detected or your internet use intercepted, it might be a good idea to use a VPN.
VPN for Mobile Phones
You can also use a VPN for mobile phone access to the internet, social networks and email. The VPN will not, however, encrypt your normal mobile phone calls. There are phones on the market which do this automatically, or you can download specialist apps.
Virus Protection and Malware
A virus is anything that spreads from computer to computer. Even urban myths can be said to be viruses, if spread on social media.
Malware is damaging software that is deliberately designed to invade your privacy, bombard you with advertisements or damage your computer. You can get malware which steals your contacts and sends emails in your name, spreading itself to other people, although malware is not necessarily viral.
Some malware can compromise the story you are working on. If you have all your notes and contacts on your computer, the person you are investigating could read these if they manage to get a virus on to it. They do this by installing a RAT (remote access tool) or Trojan on your system.
These RATs could get on to your system via email attachments or web pages if your browser is out of date, by tricking you into downloading the software or opening attachments on emails.
On your phone, malware is even more dangerous because there is a lot more personal information in one place. Malware would reveal not only your emails but your text messages, contacts, phone calls, internet use, and social network use. Once installed, people could listen to you through your telephone’s microphone, look at you through your phone’s camera, and even track your movements around town.
This is made easier because most people do not install virus protection software on their phone, even though apps are available for this.
Always make sure you have virus protection software on your devices and prepare for risks if you are carrying out an investigation. It might be a good idea to buy a new laptop for your investigation, just in case, and put tape over your webcam.
This post originally appeared on the blog of the College of Journalism at the BBC Academy and is reprinted with permission.
Paul Myers is the BBC College of Journalism’s Internet Research Specialist. His role involves helping TV & Radio programs conduct investigations that involve trickier aspects of Internet research. He also hosts regular training courses. Blending his previous career as a computer programmer with journalism, Paul pioneered many online research techniques now widely used.