At last month’s “Journalism After Snowden” event at Columbia University, Guardian US editor in chief Janine Gibson described the very first call she got last summer from Brazil-based Glenn Greenwald, which set in motion the series of work that would become the “Summer of Snowden.” Greenwald had called her on a Skype connection to tell her that he was on the receiving end of “the biggest intelligence leak in a generation, if not ever.” Gibson was intrigued, and a bit skeptical, but above all else concerned; because of the highly sensitive work that she and her colleagues had previously done on the WikiLeaks story, she knew that Skype was not a particularly secure way to communicate.
“My first question was, ‘Are you calling from your delightful Rio residence using a Skype phone?’ and he said ‘Yes,’ and I said, ‘Hm,’” Gibson recalled. “So, we didn’t talk very much in that conversation, and it became clear that the first thing he was going to have to do was to get on a plane [to the Guardian office in New York].”
We can’t all get on a plane every time we want to have a sensitive conversation with a source or an editor, of course, which is why secure phone calls and emails are a necessity. Skype has long been favored by journalists and travelers because it’s free and easy to use. But there are some real risks to using Skype, and many of the safer alternatives are actually just as free and easy.
Since its launch in 2003, Skype was generally perceived as being safer and more secure than traditional phone lines; it advertised that its voice calls and chat communications were encrypted. However, its software has always been proprietary, as opposed to open-source, making it impossible for Skype’s relative safety to be independently vetted.
Human rights organizations and privacy experts began to expose Skype’s various vulnerabilities several years ago. In 2008, the Electronic Frontier Foundation publicly asked the FBI whether it had the capability to hack into Skype communications, after news broke that the German government had commissioned a program to hack into Skype calls there. The same year, a group of Canadian researchers found that the Chinese government was monitoring text messages on the Chinese version of Skype for certain words and terms that indicated that the users might be critical of the government. In 2012, those same Canadian researchers discovered a type of malicious spyware that was being circulated via Skype in order to target Syrian activists.
Then, with the help of Edward Snowden, the Guardian and others revealed the scope of the NSA’s capability to monitor and collect Skype communications. “It is what many of us feared, and now we know for sure,” Reporters Without Borders digital security expert Grégoire Pouget told Ryan Gallagher at the Guardian in a followup article. “If you are a journalist working on issues that could interest the US government or some of their allies, you should not use Skype.”
So, what should we use instead? There are a lot of secure chat apps on the market, but what about safe voice communications?
“One non-Skype option is Mumble, which is an open source voice chat software that offers encrypted communications,” writes Jennifer Henrichsen, a consultant researching digital security issues facing journalists, working for UNESCO among other clients. “Many people use it for gaming, but journalists and their sources could also use it to chat.” Henrichsen notes, though, that in addition to choosing the right software, you also need to choose a secure, password-protected server, hosted by an organization that you trust (she suggests the International Modern Media Institute).
“Security in a Box,” a very thorough guide written by the activist-supporting groups Tactical Technology Collective and Front Line Defenders, recommends a free and open-source app called RedPhone for mobile phone calls. The person you’re calling has to also have RedPhone installed for it to work, but once you’re connected, everything is encrypted and safe. Then there’s Ostel.co, developed by The Guardian Project—of Tor fame—which is a server that works in conjunction with different secure voice apps like Jitsi (for Mac and Windows computers), CSipSimple (for Android), and Acrobits (for iPhone and iPad—this is the only one that costs money).