Digital security for human rights reporters

Digital tools and technologies are making it easier for journalists to do their work — to research, verify, store, and publish information on computers, mobile phones and the Web.

However, these same technologies can put journalists at risk if they are not used with care. Reporters who cover human rights issues – who call public and international attention to crimes and wrongdoing – are at special risk.

Several repressive governments and powerful corporations have used sophisticated surveillance technologies to track down journalists (both professional and citizen) and punish them for their work. If journalists are not careful to “cover their tracks” when working online, anyone with an interest and a few basic hacking skills can trace the journalist’s steps, potentially putting both the reporter and his/her sources in danger.

That’s why every human rights reporter needs to know basic digital security precautions.

What is digital security?

“Digital security” is a combination of tools and habits that users can adopt to prevent others from secretly monitoring their actions online, accessing or tampering with their electronically stored information or communications, and interfering with their electronic devices or programs.

No set of precautions or tips can fully guarantee the safety and security of you and your data, but following some basic guidelines can help keep you and your sources safer.

Evaluating your digital habits

The first step to creating a digital security plan is evaluating the environment in which you work and assessing the level of risk to which you may be exposed.

You can start your own evaluation by answering the following questions:

  • Where do you usually carry out your work: in an office, at home, or in a public place like an Internet café or library?
  • Who has access to this space? How much do you trust those people?
  • Do you use your own computer or a shared computer?
  • Is the computer you use (or your account on a shared computer) protected by a password? Does anyone else know that password?
  • Where do you store your sensitive data? On your computer? Phone? USB drive? Do you ever print sensitive materials?
  • How do you transfer and discard information that you have stored electronically? 
  • What could happen if someone had access to those materials?

See Section 1.2 of FrontLine’s “Digital Security and Privacy for Human Rights Defenders” PDF guide for a complete set of questions you should answer to help determine your particular security needs. Then, go on to Section 1.3 for help creating a threat assessment and a reaction plan to prepare for a variety of problematic situations.

Digital Security Toolkits

Gathering information and communicating with sources safely

Journalists’ increasing reliance on electronic tools for gathering information and communicating with sources – whether through online searches, email communications, instant messaging, Skype conversations or social media – raises digital security concerns. Most of these channels of communication can easily be monitored by people who wish to ensure that the journalist’s story never receives an audience.

As a reporter, your best defense is to become informed about the risks and vulnerabilities you face, and then modify your habits to minimize these risks. A number of online guides exist to help lead you through this process. You might also consider participating in a targeted digital security training if possible.

To maintain privacy and security as you research a story and communicate with sources:

  • Browse the web anonymously using an anonymity network like Tor, through the Tor Browser Bundle.
    • Visit the download launch page on TorProject.org. Be sure to read the usage tips and pitfalls listed on this page before downloading.
    • Download the Tor Browser Bundle appropriate for your operating system.
    • Extract the files and click “Run” when prompted. If Tor Browser does not open automatically, click “Start Tor Browser.exe” in the folder you’ve extracted the files to.
    • Consult Security-in-a-Box for more tips and additional guidance.
  • Erase your browsing history and “cookies” (tags that websites use to identify your computer) from your Web browser after each use. Depending on your Web browser, you can usually do this by changing your “History” or “Privacy” settings under the browser’s “Options” or “Tools” menu. You can also erase your history, cookies and other browser traces with free utilities like CCleaner.
  • Improve the security of your email and instant messaging services by only using those that provide a Secure Sockets Layer connection (SSL, denoted by the “s” in “HTTPS” in the URL), like Gmail or, better yet, RiseUp.
    • Most free webmail services (like Yahoo! and Hotmail, for instance) provide secure access to your inbox, but send messages openly by default, so they could be intercepted anywhere along the way. Gmail offers a secure connection even when sending and receiving messages if you access your account through https://mail.google.com (as opposed to http://mail.google.com, without the “s”). However, Google records the content of users’ messages for various purposes and has complied with demands of governments that restrict Internet freedom in the past, so it’s best not to rely on them for full security.
    • RiseUp is a free webmail service built for activists that takes the security of its users extremely seriously and has successfully defeated subpoenas by US authorities to get access to their server records. In order to create a new account on the service, you will need two invite codes from users already registered on the site, or you may have to wait up to a few weeks for RiseUp to approve your account request.
    • The email client Mozilla Thunderbird can support advanced security features like PGP encryption, using the free Enigmail add-on and a free encryption application called GnuPG.
    • Visit Security-in-a-Box for more tips and step-by-step instructions on all of these services.
  • Increase the security of your mobile phone with tips from SaferMobile and Security-in-a-Box. The basics include:
    • Always keep your phone with you and make sure to protect it with a passcode that is not easy for others to guess. Never share this passcode with others.
    • If you are worried about maintaining anonymity, change phones and SIM cards often (making sure to wipe your phone of any data before exchanging). Changing the SIM card alone is not enough to protect your identity.
    • Use unregistered, prepaid SIM cards if this option is available to you. Always pay in cash for SIM cards.
    • If you are worried that your movements might be tracked, carry your phone turned off with the battery removed until you come to a safe place where you will make a call. After the call, switch the phone back off and remove the battery again. If you do this between every call, the phone cannot be used to trace your movements.

Storing information securely

Even if you are careful about covering your tracks while you browse the web and speak with sources, you will need to store the information you gather somewhere other than in your own head. The simple act of putting something “on paper,” even virtually, makes it vulnerable to discovery.

To ensure that the information you store is as secure as possible:

  • Protect your computer and mobile phone with strong passwords that only you know. See the text box (below) for tips on what makes a strong password.
  • Never share your passwords with anyone else, never write them down except in a secure password storage service like KeePass, and use different passwords for every device you use. Also, use a different password for every web account that you maintain, such as your email, Facebook and Twitter accounts.
  • Never leave your computer unattended with sensitive documents open or unlocked, even for a few minutes. Instead, log out of your user account, and make sure that your computer requires a password to log back in.
  • Be careful never to leave behind any device with sensitive information stored on it in a café, taxicab, etc. Don’t carry your phone in your pocket or in an unzipped bag, where it could easily be stolen without you noticing. In addition, use a passcode for your phone and enable it to “lock” automatically after short periods of time. If your phone supports long passphrases, rather than just four-digit codes, choose that setting.
  • Consider encrypting particularly sensitive information stored on your hard drive or USB drive. Security-in-a-Box tells you how to do this using software called TrueCrypt, which stores your files in a sort of electronic “safe” that you access with a password. (Do not forget this password or you will lose access to your data!)

To begin:

  1. Visit http://www.truecrypt.org/downloads.
  2. Download the version appropriate for your operating system.  
  3. Save the installer to your computer, then find it and double-click it.
  4. Read the installation instructions before continuing.
  5. Read the instructions for getting started using the software.
  • Delete your files securely. Just pressing “Delete” or emptying your Recycle Bin won’t prevent someone from recovering your files later. To be sure your files can’t be recovered – whether on your PC, camera, USB stick or phone – follow these directions:
    1. Download, open, and run the free, open-source tool Eraser from Security-in-a-Box. (Note: newer versions are available, but they may require downloading the .NET framework, which can take a very long time for users with low bandwidth.)
    2. Be sure to read the installation instructions and step-by-step guide for use.
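
Why pressing “Delete” is not enough, shown as an added example (not part of the original guide, and not how Eraser itself is implemented): deleting removes only the file's entry, so the code below first overwrites the stored bytes in place and then removes the file. The function names and the sample notes file are constructed for illustration.

```python
import os
import secrets
import tempfile

def overwrite_in_place(path, passes=1, chunk=64 * 1024):
    """Replace every byte of the file with random data without changing its size."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:           # r+b writes over existing content, no truncation
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())           # force the overwrite out to the storage device
    return size

def secure_delete(path):
    """Overwrite the content, rename to a random name, then remove the file."""
    overwrite_in_place(path)
    folder = os.path.dirname(os.path.abspath(path))
    anonymous = os.path.join(folder, secrets.token_hex(8))
    os.rename(path, anonymous)             # the directory entry no longer carries the old name
    os.remove(anonymous)
    return not os.path.exists(path)

# Caveat: on flash storage (USB sticks, phones, SSDs) and on journaling or
# copy-on-write filesystems the device may keep older copies of the blocks,
# so an in-place overwrite is not a guarantee there.

if __name__ == "__main__":
    folder = tempfile.mkdtemp()
    notes = os.path.join(folder, "notes.txt")          # constructed sample file
    with open(notes, "wb") as f:
        f.write(b"constructed interview notes\n" * 50)
    overwrite_in_place(notes)
    with open(notes, "rb") as f:
        print("notes still readable:", b"interview" in f.read())
    print("file removed:", secure_delete(notes))
```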
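
The rules from this guide's “Strong passwords” text box, written as a checker; this is an added example, not part of the original guide. The three-character threshold for “part of the username” and for sequences, the `personal` parameter and the small word list are assumptions made for the example.

```python
import string

# Constructed sample word list; a real check would load a full dictionary file.
SAMPLE_WORDS = {"password", "journalist", "freedom", "reporter", "welcome", "dragon"}

def has_sequence(pw, run=3):
    """True if pw contains `run` consecutive ascending or descending characters (abc, 321)."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        steps = {ord(low[j + 1]) - ord(low[j]) for j in range(i, i + run - 1)}
        if steps in ({1}, {-1}) and low[i:i + run].isalnum():
            return True
    return False

def shares_part(pw, other, min_len=3):
    """True if any min_len-character slice of `other` appears in pw (case-insensitive)."""
    pw, other = pw.lower(), other.lower()
    return any(other[i:i + min_len] in pw for i in range(len(other) - min_len + 1))

def check_password(pw, username, personal=(), words=SAMPLE_WORDS):
    """Return the text-box rules that pw breaks; an empty list means it passes."""
    problems = []
    if len(pw) < 10:
        problems.append("shorter than ten characters")
    classes = {
        "uppercase letter": string.ascii_uppercase,
        "lowercase letter": string.ascii_lowercase,
        "number": string.digits,
        "special character": string.punctuation,
    }
    for name, chars in classes.items():
        if not any(c in chars for c in pw):
            problems.append("no " + name)
    if shares_part(pw, username):
        problems.append("contains part of the username")
    if any(p.lower() in pw.lower() for p in personal):   # names of relatives, pets, etc.
        problems.append("contains personal information")
    if has_sequence(pw):
        problems.append("contains a common sequence")
    if any(w in pw.lower() for w in words):
        problems.append("contains a dictionary word")
    return problems

if __name__ == "__main__":
    # Constructed sample passwords and username
    for candidate in ("Abc12345", "Amina!Reporter2024", "vT7#qLz9!mKe2"):
        print(candidate, "->", check_password(candidate, "amina_k") or "passes")
```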

Strong passwords…

  • Contain at least ten characters
  • Include at least one character from each of the following categories:
    • Uppercase alphabet
    • Lowercase alphabet
    • Numbers
    • Special characters (e.g. !, @, #)
  • Are never the same as, or contain any part of, your username
  • Never contain personal information about you, your relatives or pets
  • Never contain commonly understood sequences of letters or numbers (e.g. “1 2 3…” or “A B C”)
  • Do not contain large parts that can be found in the dictionary

Extra tip: One way to make an existing password stronger, especially against automated guessing-programs, is to make it longer.

Publishing information anonymously

When you publish or post a story on a human rights topic, either you or your sources may wish to remain anonymous. Protecting the anonymity of your sources at this point draws on basic journalism skills of withholding identifying details and finding other ways to corroborate what sources have told you if possible. You also can publish online without revealing your identity by blogging anonymously. Global Voices has put together a step-by-step guide that will teach you how to do so.

The basic steps include:

  1. Download and install the Tor Browser Bundle and use that to surf the web and disguise your IP address. You also can run the Tor Browser Bundle from a USB key if you work on a shared computer.
  2. Create a new, hard-to-trace e-mail account that does not contain personal information and is not tied to your other accounts or your mobile phone.
  3. Launch Tor and, when the Aurora browser automatically opens (after Tor has started working), create a new WordPress blog registered under your new anonymous e-mail address.
  4. Write your posts offline. When you are ready to publish…
  5. Log into your new WordPress blog, edit the blog’s timestamp, and post it.
  6. Securely erase the rough drafts, browsing history, cookies, and passwords from your browser.
  7. Repeat Steps 4-6 every time you post.

Final thoughts

Maintaining digital security is not something you can do once and forget about. It is a continuous process that requires constant awareness of potential threats and vulnerabilities and proactive work to address them. It may seem daunting, but the benefits you will gain from taking the steps to protect your own safety and that of your sources are well worth the effort.