Laptops are lost, stolen, and confiscated every day. Seth Schoen, a senior staff technologist for the Electronic Frontier Foundation, a digital rights advocacy organization, suggested full disk encryption as a New Year’s resolution for 2012. Schoen says encryption is a very important step for journalists, who often have a goldmine of confidential information on their laptops. While lots of people have a password prompt when they power up their computer, this doesn’t protect the actual hard drive. “People might think that’s safe, but it’s very straightforward to bypass that password,” says Schoen. The contents of the computer could be accessed by simply disconnecting the hard drive and plugging it into another computer.
It is not unusual for computers to be searched at border crossings. The Electronic Frontier Foundation (EFF) recently published some tips about this with regard to entering the United States. Most major operating systems have a built-in option for full disk encryption, and it is also available through third-party tools like TrueCrypt. Saved documents that contain notes, contacts, and sensitive reporting material would be scrambled with full disk encryption, so their contents are illegible to those without the key.
For communicating with sources through instant messaging, Off The Record Messaging (OTR) encrypts the text and allows users to authenticate the identity of the person they are communicating with. It works in conjunction with other chat services, so it can be configured to work with an existing IM account, while blocking that messaging service provider from having access to the communications. OTR should not be confused with AOL Instant Messenger or Google Chat’s off-the-record functions, which simply block the account from keeping a log of the chat. Using OTR on top of an IM system is powerful, Schoen says, “because it says regardless of what kinds of privacy protections the intermediate system or systems do or don’t provide, only the parties to the conversation will be able to decrypt its contents.”
Pretty Good Privacy (PGP) is a popular tool for encrypting and decrypting the contents of e-mail messages, also allowing users to digitally “sign” a message to authenticate its origins. PGP was built twenty years ago, making it one of the oldest digital privacy technologies. With both OTR and PGP, both parties to the communication must be using the tool correctly. Schoen recommends OTR because it’s easier to use than PGP, and says it may be better for “journalists having sensitive conversations” because it provides something called “forward secrecy.” This means that if a private key were ever stolen from a machine using OTR, the thief could only record future conversations; if a PGP private key were stolen, it could also be used to decrypt previous conversations.
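An added illustration of the forward-secrecy difference described above (not from the original article or from the OTR or PGP projects): a toy Python model that compares a message locked to a long-term key with one protected by throwaway session keys. The group parameters, function names and sample message are constructed for the example, and the cipher is a stand-in that is not safe for real use.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, illustration only: a 127-bit prime is far too small for real use.
P = 2**127 - 1
G = 3

def keypair():
    """Return (private, public) in the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def xor_stream(shared_secret: int, data: bytes) -> bytes:
    """Encrypt or decrypt by XOR with a SHA-256 counter keystream derived from the secret."""
    seed = shared_secret.to_bytes(16, "big")
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def long_term_key_message(recipient_pub: int, plaintext: bytes):
    """PGP-like model: the message key is derived from the recipient's long-term public key."""
    eph_priv, eph_pub = keypair()
    return eph_pub, xor_stream(pow(recipient_pub, eph_priv, P), plaintext)

def ephemeral_session_message(plaintext: bytes):
    """OTR-like model: both sides use throwaway keys and discard the private halves.
    Assumption: long-term keys only sign the exchange; that signing step is omitted here."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    ciphertext = xor_stream(pow(b_pub, a_priv, P), plaintext)
    return a_pub, b_pub, ciphertext  # only what an eavesdropper could have recorded

def attacker_decrypt(stolen_priv: int, recorded_pub: int, ciphertext: bytes) -> bytes:
    """What a stolen long-term private key yields when applied to recorded traffic."""
    return xor_stream(pow(recorded_pub, stolen_priv, P), ciphertext)

def demo():
    note = b"meet the source at noon"   # constructed sample message
    long_priv, long_pub = keypair()     # long-term key that is stolen later
    eph_pub, ct_pgp = long_term_key_message(long_pub, note)
    a_pub, _b_pub, ct_otr = ephemeral_session_message(note)
    pgp_recovered = attacker_decrypt(long_priv, eph_pub, ct_pgp) == note
    otr_recovered = attacker_decrypt(long_priv, a_pub, ct_otr) == note
    return pgp_recovered, otr_recovered

if __name__ == "__main__":
    print(demo())
```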
Tor (previously known as “the onion router”) makes it very difficult to track which computer an action came from by ping-ponging the data packet between many participating servers. Tor, combined with other encryption tools, is the most secure and private means of communicating over the Internet, since encryption can’t hide where a message originates, just its content. “Suppose you wanted to leak something to WikiLeaks and didn’t use Tor. In that scenario, your ISP, if it cared to, could see that you’re connecting to the wikileaks.org site, while WikiLeaks, if it cared to, could log your real IP address, which could eventually be associated with your true physical location,” explains Schoen. “But if, instead, you decide to use Tor, your ISP sees that you’re using Tor, and WikiLeaks sees that you’re using Tor, but no single entity can easily see the whole picture.”
The vast majority of journalists care deeply about protecting their sources, and while no tool can completely guarantee anonymity, these small steps can help improve the chances that those who stick out their necks don’t do so in vain. While governments, banks, law firms, corporations, and other organizations that deal in sensitive information have embraced security, journalism has lagged behind. CJR will have more on security operations and their relationship to journalism in the coming weeks.