Makery

Keep your communications as safe as Snowden

An example PGP key for encrypting e-mail (screen capture). © DR

Whistleblowers, journalists, activists, citizens: we all have the right to communicate privately and anonymously. Here are a few tips to protect yourself from the eyes and ears of all Big Brothers.

Do you have secret files to reveal? Are you a closeted whistleblower? As wiretapping scandals and the latest Vault 7 dump by Wikileaks dominate our newsfeeds, it’s not too late to take precautions with your electronic devices, especially mobile. As the world’s most famous whistleblower, Edward Snowden, said: “Wireless devices are kind of like kryptonite to me.” In other words, any electronic gadget is potentially a discreetly surveilling spy. Even those in our own house intended to watch over us can be hacked to watch and listen to us instead. Beware the Internet of Things!

Be smart

In typical DIY style, it never hurts to take basic common sense measures in protecting your equipment from security holes in hardware: put tape over the (idle) camera and microphone of all your connected devices, and even the blinking LED light of a computer hard drive. If you’re still paranoid, pull down the shades and unplug the machines.

Be anonymous

Being anonymous in your online communications and research means being invisible. But keep in mind that the more you hide, the more complicated it becomes. In 2013, Snowden had to make an entire video tutorial about PGP encryption just to teach journalists how to receive his information confidentially by e-mail. Since then, fortunately, a number of privacy tools have become accessible to the general public.

1 – Install Tails

Tails is a live operating system that you can run on almost any computer (even a Raspberry Pi), a USB stick or SD card, which leaves no trace on the computer used. This free software was developed specifically to operate in symbiosis with Tor (see below) to ensure your privacy while erasing everything behind it. It is therefore highly recommended that you install Tails on a separate device from the one you use every day. It is best to isolate your whistleblowing communications from your usual online activity as much as possible.

2 – Use Tor

Anonymity starts with protecting your own machine, in order to mask your identity during communications. Tor is an open and distributed network that constantly bounces encrypted communications around a network of relays, so that no association can be made between the users (via IP address) and their data.


To access the Tor network, use Tor Browser, included with Tails, or download it from the Tor website or its GitHub mirror, especially in Farsi, Turkish or Chinese. If you are browsing on a mobile device, Tor Browser is available under the name Orbot for Android or Onion for iOS.

But no network is infallible, as famous hacker Kevin Mitnick reminds us: “You have no control over the exit nodes, which may be under the control of government or law enforcement; you can still be profiled and possibly identified; and Tor is very slow.”
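To make the relay idea and the exit-node caveat concrete, here is an added example (not from the original article or from the Tor Project) that wraps a message in three layers and records what each relay can observe. The cipher is a toy stand-in for Tor's real cryptography, and the relay names, keys, address and destination are constructed for illustration.

```python
import hashlib
import json

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream. Toy stand-in, NOT Tor's real crypto."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def build_onion(path, keys, destination, message):
    """Client: encrypt for the exit first, then wrap one layer per earlier relay."""
    cell = toy_cipher(keys[path[-1]],
                      json.dumps({"next": destination, "data": message}).encode())
    for relay, next_hop in zip(reversed(path[:-1]), reversed(path[1:])):
        layer = json.dumps({"next": next_hop, "data": cell.hex()}).encode()
        cell = toy_cipher(keys[relay], layer)
    return cell

def relay_views(client_ip, path, keys, onion):
    """Relays: each peels one layer; return what each one is able to observe."""
    views, previous, cell = [], client_ip, onion
    for relay in path:
        layer = json.loads(toy_cipher(keys[relay], cell))
        is_exit = relay == path[-1]
        views.append({"relay": relay, "from": previous, "to": layer["next"],
                      # Only the exit sees the message itself (unless it is
                      # separately encrypted end to end, e.g. with HTTPS).
                      "message": layer["data"] if is_exit else None})
        if not is_exit:
            cell = bytes.fromhex(layer["data"])
        previous = relay
    return views

# Constructed sample values (documentation address range, made-up keys).
CLIENT_IP, DESTINATION = "198.51.100.7", "news.example"
PATH = ["guard", "middle", "exit"]
KEYS = {"guard": b"key-guard", "middle": b"key-middle", "exit": b"key-exit"}
MESSAGE = "constructed sample message"

def demo():
    onion = build_onion(PATH, KEYS, DESTINATION, MESSAGE)
    return onion, relay_views(CLIENT_IP, PATH, KEYS, onion)

if __name__ == "__main__":
    for view in demo()[1]:
        print(view)
```

The first relay sees who is connecting but not where the traffic is going; the exit sees the destination and the message but not the sender, which is why the content itself still needs its own encryption.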

Also be aware that any anonymous access to the Internet rubs shoulders with the Darknet, which hosts a number of illegal markets, malicious activities and other “alt-content”. Nonetheless, Tor is increasingly penetrating the mainstream by supporting services that are directly associated with online privacy in a more transparent manner.

3 – Use SecureDrop

If you have a particularly potent secret to share anonymously with the media, this dedicated project by the Freedom of the Press Foundation (presided over by Snowden) was designed with you in mind. SecureDrop is an open-source submission system (originally created by the late Aaron Swartz) that media organizations can use to securely accept documents from and communicate with anonymous sources. All it demands of the whistleblower, once Tor Browser is installed and in use, is to memorize her unique code name.

Supposing you have steaming hot files to slip to the press, start by choosing a target organization that uses SecureDrop (a non-exhaustive list is here). In Tor Browser, enter the .onion address of the chosen organization and follow the instructions on its site. The process is detailed here.

Media outlets such as the New York Times, the Washington Post and The Intercept also list other secure options for anonymously sending information and documents. See which one works best for you, because end-to-end encryption requires that both sides (sender-receiver) use the same system.

4 – Buy a burner phone

If you want to communicate anonymously with someone who is not on a secure system, or if you simply prefer a more old school, relatively low-tech, temporary solution—buy a disposable burner phone. Use this cheap, no-subscription cell phone exclusively for your whistleblowing communications. And soon you can add to Wired’s list of great burner phones the modified iPhone 6 model, developed by Snowden with the hacktivist Bunnie Huang.

Buy your burner in a small shop, in a neighborhood where no one knows you, pay in cash and activate it on an open wireless network, preferably using Tails and Tor. Make your call, send your texts, then quietly dispose of the incriminating object.

Even simpler, but less secure and still unencrypted, for more limited communications: install a mobile application such as Burner on your Android or iOS smartphone to generate an anonymous local number that you will use once and then immediately delete.

Be indecipherable

Encrypting your texts on an ordinary smartphone (so not quite anonymously) is probably simpler than you think. If you are among the billion users of the messaging service WhatsApp, then you already have an end-to-end encryption system by default in your pocket. In Japan, the ubiquitous Line offers the same protection to its network of users. Other services such as Peerio encrypt your data and communications all the way into the Cloud.

Today, messaging is the way to go. Signal (for Android, iOS or as a Google Chrome extension) is the latest darling of the media, the most sophisticated messaging app currently available, and will most likely be the preferred platform of our encrypted future. Unlike the other proprietary services, Signal is open source, owns no information on its users, and retains no metadata from their communications (text, audio, photo, video). It also has an option for the messages to self-destruct on the devices once they’ve been seen on both sides of the exchange.

Signal is supported financially by the Freedom of the Press Foundation and was developed by cypherpunk Moxie Marlinspike, who created the service to facilitate civil disobedience. But perhaps most significantly, Signal’s technology, seamlessly integrated into WhatsApp, is already being used by a good part of the world’s population.

Whistleblowing tips from the Freedom of the Press Foundation

How The Intercept welcomes whistleblowers

How to be invisible by Kevin Mitnick