Secure your phone and be aware of the risks it poses.
Your mobile or “smart” phone may be essential for many aspects of your reporting, but it can also put you at risk.
Your phone collects and transmits data about you and your location. This data – as well as the information and material you record, store and send on your phone – can be used to build up a picture of you and your identity.
Your mobile phone will never be 100% secure, so it is important to be aware of the risks it poses to your digital security.
Understanding your phone
Be aware that your phone can be traced back to you in a number of ways. These include:
- The IMEI number: This uniquely identifies the hardware of your mobile and is usually found inside the phone, printed on the battery.
- The IMSI number: This uniquely identifies the SIM card.
- The phone number: This is often included in the metadata of a number of apps that may be on your phone, and it will be on the mobile phones of anyone you contact if they choose to save your number and your name.
- Apps on your phone: These can often reveal specific information, known as metadata, including your phone’s make, model and location. You need to read and understand the permissions of each of the apps on your phone.
Best practice: mobile phones
- Set a security lock on your phone. Using a PIN is more secure than using a pattern lock, and using at least six digits is recommended.
- Know what content is stored on your phone and understand how that can put you at risk if your phone is taken or seized. This includes documents, recordings and photos, as well as chats and phone logs.
- Avoid clicking on links or documents sent to you via SMS, email or social media chats. These could install malware onto your phone which can steal your data and/or listen to your calls. Read our guide on malware.
- Do not leave your phone unattended, especially if you are charging it in a public place. Do not connect your phone to an unknown computer, as this could result in malware being installed on your device. Avoid lending your phone to others.
- Download software updates regularly, both for the operating system and for apps on your phone. Updates protect your phone from vulnerabilities which hackers can exploit.
- Your mobile phone and some apps on your phone record your location. This is to help them provide you with phone coverage as well as services that need to know your location, such as Google Maps. This data is stored by the companies.
- If your phone is lost, stolen or confiscated you may be able to remote wipe it. You will need to have set this up beforehand and your phone will need to be connected to the Internet in order to remote wipe. Read more about remote wiping here.
Your mobile phone and your data
Your mobile phone and your mobile phone company collect immense amounts of data about you and your activities. This data can be used to build up a picture of who you contact, when you contact them and your location.
Ways your mobile phone records your data:
- Mobile phone companies record who you contact and when. They use this information for billing purposes. Governments may access this data through legal channels, or it can be hacked by adversaries.
- Apps that you have installed on your phone store data and can transmit it to third parties. This data can be cross-referenced and used to create a more complete picture of you as a mobile phone user.
- Your phone’s operating system keeps data on you. If you have an iPhone, this data is stored by Apple. If you have an Android operating system, this information is stored by Google.
- Mobile service towers receive a signal from your mobile phone. These towers are needed in order for you to receive and make calls. They also record your location.
- Content that you receive and send is stored on your phone. This means that if people have access to your phone, they can steal your data. This could include your phone being physically taken, or adversaries hacking your information while it is in transit from your phone to the online service you are trying to access.
There is no single tactic to create a secure mobile phone, but the following strategies can be used as a way of increasing your security. You may want to include them as part of your security or risk assessment.
Use more than one phone
If you are worried that using your phone could put you or your sources at risk, you may want to buy a second phone. This second phone should only be used for confidential tasks or for contacting a particular source. Below are some tips on best practice for having more than one phone:
- Buy the second phone with cash so it is not linked to your bank cards. A pre-paid mobile phone is best.
- Do not use the two phones in the same location, as it will be possible to show a link between the two devices.
- Do not keep personal contacts on the second phone.
For a detailed guide on buying and using a second phone, read this section on mobiles at the Tips and Whistleblowers’ website.
Minimise the data you are transmitting
Your mobile is transmitting a location whenever it is on. You can control some of the information that is being collected on your location by doing the following:
- Turn off the WiFi connection.
- Turn off geo-location and geo-broadcasting on social media apps.
- Disable all auto-updates. Update your phone using the Internet connection in your home.
Encrypt your communications
Keep your messages and calls as secure as possible using applications that encrypt your communications.
Read our guide on how to do this.
Metadata – This is information about data. Examples of metadata could include the time, location, and contact details of both a sender and recipient of an online message.
Third party applications – These are apps that are not built by the service that provides them, for example Facebook; instead they are built and owned by external developers.