Secure your phone.
Your mobile phone may be essential for many aspects of your reporting, but it can also put you at risk.
It collects and transmits data about you and your location. This data – as well as the information and material you record, store and send on your phone – can be used to build up a picture of you and your identity.
Your mobile phone will never be 100% secure, so it is important to be aware of the risks it poses to your digital security.
Understanding your phone
Be aware that your phone can be traced back to you in a number of ways. These include:
- The IMEI number: This uniquely identifies the hardware of your mobile and is usually found inside the phone, printed on the battery.
- The IMSI number: This uniquely identifies the SIM card.
- The phone number: This is often included in meta-information on apps on your phone and will be on the mobile phones of anyone you contact.
- Apps: These can often reveal specific information, known as metadata, including your phone’s make, model and location. You need to read and understand the permissions of each of the apps on your phone.
Best practice: mobile phones
- Set a security lock on your phone. Using a PIN is more secure than using pattern recognition, and using at least six digits is recommended.
- Know what content is stored on your phone and understand how that can put you at risk if your phone is stolen or seized. This includes documents, recordings and photos, as well as chats and phone logs.
- Avoid clicking on links or documents sent to you via SMS, email or social media chats. These could install malware onto your phone that could steal your data and/or listen to your calls. Read our guide on malware.
- Do not leave your phone unattended, especially if you are charging it in a public place. Do not connect your phone to an unknown computer, as this could result in malware being installed on your device. Avoid lending your phone to others.
- Download software updates regularly both for the operating system and for apps on your phone. Updates protect your phone from vulnerabilities that hackers can exploit.
- Your mobile phone and some apps on your phone record your location. This is to help provide you with phone coverage, as well as services that need to know your location, such as Google Maps. This data is stored by the companies that provide these services.
- If your phone is lost, stolen or confiscated, you may be able to remote wipe it. You need to set this up beforehand and your phone will need to be connected to the internet in order to remote wipe. Read more here.
Your mobile phone and your data
Your mobile phone and your mobile phone company collect immense amounts of data about you and your activities. This data can be used to build up a picture of who you contact, when you contact them and your location.
Ways your mobile phone records your data:
- Mobile phone companies record who you contact and when. They use this information for billing purposes. Governments may access this data through legal channels, or adversaries may hack into it.
- Apps that you have installed on your phone can transmit data to third parties. This data can be cross-referenced and used to create a more complete picture of you as a mobile phone user.
- Your phone’s operating system keeps data on you. If you have an iPhone, this data is stored by Apple. If you have an Android operating system, it is stored by Google.
- Mobile service towers receive a signal from your mobile phone. These towers are needed in order for you to receive and make calls, but they also record your location.
- Content that you receive and send is stored on your phone. This means if people have access to your phone, they can steal your data. This could include your phone being physically taken or adversaries hacking into your information as it is in transit from your phone to the online service you are trying to access.
How can you make your mobile phone more secure?
There is no single tactic to secure a mobile phone, but the following strategies can be used as a way of increasing your security. You may want to include them as part of your security or risk assessment.
1. Use more than one phone
If you are worried that using your phone could put you or your sources at risk you may want to buy a second phone. This second phone should only be used for confidential tasks or for contacting a particular source. Below are some tips on best practice for having more than one phone:
- Buy the second phone with cash so it is not linked to your bank cards. A pre-paid mobile phone is best.
- Do not use the two phones in the same location, as it will be possible to show a link between the two devices.
- Do not keep personal contacts on the second phone.
For a detailed guide on buying and using a second phone, read this section on mobiles on the Tips and Whistleblowers’ website.
2. Minimise the data you are transmitting
Your mobile is transmitting a location whenever it is on. You can control some of the information that is being collected on your location by doing the following:
- Turn off the Wi-Fi.
- Turn off geo-location and geo-broadcasting on social media apps.
- Disable all auto-updates. Update your phone using the internet connection in your home.
3. Encrypt your communications
Keep your messages and calls as secure as possible using applications that encrypt your communications. Read our guide on how to do this.