Are you a journalist that regularly works with sources that you would not want to disclose? Are you doing research and interviews for your reporting that you simply would prefer to keep private? Is there a chance that a potential story might pass you by simply because the source can’t communicate with you securely? If so, you should invest some time in getting up-to-speed on digital security. Here are some starting points.
Canadaland reported today that “only a handful of reporters in Canada have taken steps to secure themselves and their sources.” The article was reported by my colleague Tim Groves and is a topic that we’ve discussed on more than one occasion since the Edward Snowden leaks. Put simply: reporters in Canada need to step up their game.
It’s not like we know that the Canadian government spies on Canadians or anything. Ahem.
A different security landscape
As part of the Beautiful Rising project – where we are working with often-marginalized and targeted activists in the global south – we have been actively engaged in documenting, reviewing, and experimenting with the most contemporary security tools available today. It’s a topic that I am passionate about and one that I’ve been invested in for more than a decade.
One of the challenges today is that many of the great resources that were developed in the past about digital security have been obsoleted by what we now know about current digital surveillance practices. It’s coming to light that some governments are much further ahead than most digital security advocates thought, and those same governments are investing huge sums of money to stay ahead.
What that means is that modern-day digital security practices need a re-think.
Resources you can trust today
Out of all of the resources that I reviewed, here are the top three that I feel are the most up-to-date and still relevant in a post-Snowden era:
- The Electronic Frontier Foundation’s Security Self Defence site, is one of the best guides available. It offers several “Tips, Tools and How-tos for Safer Online Communications”
- The “friendly autonomous tech collective” Riseup has an often-updated security page full of goodies and advice, as well as providing an excellent Virtual Private Network service
- The Guardian Project provides a mobile-optimized site focused on mobile security that is handy in a pinch (get it?)
There are many, many more out there. But those are the resources at the top of my list today. Feel free to suggest others in the comments below, by sending me a quick note on Twitter, or by sending me an encrypted e-mail.
I’m still personally a big fan of good ol’ PGP. I use it daily to secure my e-mail communications with a number of friend and colleagues. Just this past January, I lead an online workshop to get the entire Beautiful Rising team set-up with PGP and listed on Keybase. You can find the slides for that workshop online here.
There are, however, a number of new services and tools entering the market that are worth mentioning. Many aim to take the complexity out of communicating securely – something that has up until now been a little too technical and not for the faint of heart. But, with simplicity, there often comes a trade off or two.
Here are a few of the newer security tools that we’re exploring:
- Keybase: A service that takes some of the pain out of setting up PGP keys, but at the expense of not publishing those keys to the usual places and not automatically associating the keys with an e-mail address.
- Telegram: A very polished and easy-to-install encrypted messaging application that runs on most platforms and devices. Downsides: not open-source software (yet), exclusively cloud-based, and encryption only happens when both parties are online. Though, Matt Mullenweg likes it, so that says something.
- Redphone/Signal: A work-in-progress mobile application (iOS or Android) that enables end-to-end encrypted voice communication and SMS-type messaging. The jury is still out for us: we’ve had hit-and-miss experiences communicating with these two apps.
Again, there are more new tools available than I’ve listed here. I’m gathering our research on Github that you can feel free to contribute to. You can also suggest others in the comments below, etc. These are the ones that we’re experimenting with. I’ve not yet found myself using any of these on a daily basis, like I do with PGP.
Consider security guidelines
As part of our efforts to be transparent, Beautiful Rising published a Statement of Values that outlines our commitments. Along the same lines, we also published a notice of security and privacy options that we share with the groups that we’re working with.
Making these commitments publicly helped us to prioritize the work necessary to ensure that our entire team had the basic understanding, knowledge, and tools to meet the commitment. This is not just a win for our team, but for the people that we are working with around the globe.
The question I have is: What would it take to convince news organizations in Canada to make a similar commitment? To themselves, to their readers, and to their sources?
Food for thought.