Reports

March 9, 2017 - Updated on March 12, 2017

Journalists: protect your data and communications


The ways to delete this data varies from browser to browser. A good way to avoid making any mistakes is to use the private browsing mode in Firefox or Chrome.

To combat surveillance and censorship effectively, both professional and non-professional journalists should use software developed by civil society organizations and should take the concrete measures recommended in the guides to online security that are available online. RSF’s Safety Guide for Journalists, which was updated in 2015, contains many practical tips for staying safe online.


The advice provided below, which applies to both computers and smartphones, does not claim to be exhaustive. RSF often organizes cyber-security seminars and provides free tutorials.


Attention: Always research the tools you are going to use and the techniques you are going to adopt. Technology is evolving fast and today’s good advice may no longer be good tomorrow




General online behaviour:


Before beginning to secure your computer and install software capable of encrypting communications and data, you should adopt good digital hygiene by following common sense advice that will help prevent anyone from hacking into your computer or email account.

Avoid prying eyes:


  • Don’t work with your back to a window.

  • When travelling by train or plane, put a privacy filter over your laptop screen. A privacy filter is a transparent sheet that blocks lateral vision so that only the person sitting directly in front of the screen (you) can see what’s on it.
  • As far as possible, avoid being separated from your equipment when travelling so that no one can remove files from your computer or install a Trojan horse on it.

  • All operating systems (Windows, Mac OS and Linux) allow you to set a password to prevent easy access by others. Use this basic protection.

  • Don’t download any files or click on any links sent to you from unknown sources.

  • Carefully check the email address or Twitter account of anyone who shares a link with you. If in doubt, verify the sender with other contacts or by using a search engine.

  • If a file or sender seem suspicious to you, contact experts who can help you. The ever-helpful Citizen Lab analyses suspicious links and malware that have been received by dissidents and activists.

As well as taking the above precautions, do the following:

  • Use antivirus AND anti-malware software such as Malwarebytes
  • Activate your firewall.
  • Keep your operating system (Windows, Mac OS X, etc.) up to date.
  • Encrypt your computer’s data storage (a function included in OS X).



Digital tracks:

If you work in an Internet café or on a computer that is not your own, don’t leave any traces of your work session when it is over:

  • If you check your email, Facebook account or Twitter account, remember to disconnect afterwards
  • Erase your browsing history. It contains a lot of information that an expert could use to access your online accounts

  • Never save a password in the browser of a public computer. If you have saved one by mistake, erase the browsing history when you finish working
  • Delete cookies
The ways to

delete this data varies from browser to browser. A good way to avoid making any

mistakes is to use the private browsing mode in FireFox or Chrome.



Messaging and accessing online services:

Most online services (such as Twitter, Facebook, WordPress, Tumblr and Skype) allow you to recover a lost password by emailing you a new one. It is therefore vital to protect your email account as much as possible. If it is compromised, your entire digital identity could be in danger.

Google’s email service, Gmail, allows you to provide your account with an extra level of security by using two-step authentication. Once installed, your email account is protected by:

  1. A username
  2. A password
  3. A different code that is sent to your mobile phone every time you want to connect to your inbox.

So, without your mobile phone, it is impossible to access your emails.


When you connect to your Gmail inbox, click on the “Details” link on the lower right of the page. This opens a window that shows all recent connections to you account and will allow you to see if there has been any suspicious activity.

You should also encrypt your emails and chats. As there are easy-to-use encryption tools, you should encourage your sources to use them so that all communications between you can be encrypted. They include:

  • Cryptocat installs easily on a computer. Chats with fellow Cryptocat users are encrypted from end to end.
  • Privnote and Zerobin are websites that allow you to create an online message that self-destructs as soon as it is read by the sole person to whom you can send a link to the message

  • Do you want to phone your sources via the Internet? No problem, but use Jitsi Meet, the “open-source Skype”.




Passwords:

Strong passwords need to be long. Length is the leading factor in a password’s strength. So instead of passwords (which should be banned), we should refer to “pass phrases.” They are the only way to resist a “brute force attack”. And follow these tips:

  • When creating a pass phrase, use digits and letters in uppercase and lowercase to create a sequence of characters that is relatively complex but at the same time easier to remember than a more abstract sequence of digits and special characters.
  • Use a different pass phrase for each online service.
  • Use a “password manager” such as LastPass, which is available as an extension for Firefox, Chrome and Safari. You can use it to safely store all your pass phrases.


Social network footprints:

Facebook and Twitter are very effective ways to communicate. But you should be careful about what information you are making available to the public. These tutorials and online services will help you monitor and control your online presence:


Secure browsing:

Use the following apps and plugins for Firefox and Chrome:

  • https Everywhere: It makes websites use an encrypted HTTPS connection if available on the site and helps evade certain kinds of phishing.
  • NoScript: It prevents (potentially dangerous) JavaScript scripts from executing on any website except those “whitelisted” by the user.
  • Privacy Badger: It blocks the tracking cookies used by websites.
  • Certificate Patrol: It verifies the certificates of HTTPs websites.
  • A Virtual Private Network (VPN): It encrypts your Internet connections.
  • Tor Browser: It allows you to browse anonymously.


Mobile phones:

  • Create and use a code to communicate with your sources and other contacts. “Beep” them (by calling and letting their phone ring once or twice before hanging up) to let them know, for example, that you have arrived at a given location or that everything is all right.
  • Don’t put your contacts’ real names in your phone’s contacts list. Assign them numbers or pseudonyms so that the police cannot get the details of your network of contacts if they ever seize your phone or SIM card.
  • Take a spare SIM card with you to demonstrations if you think your SIM card might be confiscated. It is important to have a working mobile phone with you at all times. If you ever have to get rid of your SIM card, try to destroy it physically.
  • Lock your phone with a PIN if it has this feature. All SIM cards have a default PIN. Change it and lock the card with this code. You will have to enter the phone PIN every time you use the phone.
  • If you are at a demonstration and think the police may use force to disperse it, turn on your phone’s flight mode. You will no longer be able to make or receive calls, but you will still be able to take photos and shoot video, and upload them to websites later. This tactic is also useful if you think the police may target people at the demonstration who have phones. The authorities could later demand the call or SMS records or phone data of any individual at a given location at a given time in order to carry out mass arrests.
  • Turn off geolocation in your apps unless you are using it to tag certain media outlets during an event for activism purposes. If you are using your mobile phone to live stream video, turn off the GPS and geolocation functions.
  • If your phone uses the Android operating system, software for encrypting your browsing, chats, texts and voice messages is available from the Guardian Project and Open Whisper Systems. When using your phone to go online, use https whenever possible.


Combating censorship:

Some of the software listed above (such as VPNs and tools for anonymous browsing) also helps you to circumvent government censorship. For more information:

  • Check out RSF’s “Collateral Freedom” website. To help the citizens of certain countries circumvent website blocking by governments that violate human rights, RSF has used the technique of “mirroring” to create duplicates of the censored sites and put them on the servers of Internet giants such as Amazon, Microsoft and Google (which these governments would be reluctant to block).
  • Visit the “Circumvention Central” website created by GreatFire (the NGO behind the “Collateral Freedom” initiative) to learn more about VPNs.
  • Check out the Tactical Technology Collective’s Security in-a-box website and these articles by the Electronic Frontier Foundation in order to be better able to circumvent online censorship and stay anonymous while online.


I - II - III - IV <<