Learn to encrypt sensitive data.
Properly used, encryption is the best option to keep information and communications as secure as possible.
At its simplest, encryption works by using a mathematical formula to scramble data, which can only be unscrambled with a specific key and/or pass phrase. As a journalist, you store and transmit a great deal of information – some of which may be sensitive and/or put you and your sources at risk. You may want to encrypt this information to protect it.
In some countries, encryption has legal restrictions on use, so you will need to consider that before crossing borders and/or working in certain places. Thorough research on this should be included in your risk assessment.
Encrypted messaging apps and internet calls
There are a number of tools that encrypt communications while they are in transit from the sender to the recipient. This means that the message, voice or video call, or document can not, as far as we currently know, be intercepted when it is in transmission.
However, journalists should investigate the tool they are using to find out whether the information they are sending is also encrypted on the server of the company. Some communication tools decrypt on the server which means a copy of the conversation, document, or image is being kept by the company. This could be an issue if you are concerned that a government could subpoena the company for this information.
Journalists should also research how much metadata is being stored by the company. Metadata includes data such as, your location, your phone number, the phone number of the person you are speaking with, the last time you were online, amongst others. This data can be subpoenaed by governments and used to build up a picture of who you are speaking to and when.
The tool that you use should be dictated by your situation and the situation(s) of the people that you need to communicate with and the country you are in. Always speak with your sources using the most secure method possible and be informed about who makes the tool you are using.
Here are some common encrypted messaging services:
You can use different types of software to encrypt your email, which usually encrypts “end to end”. If used correctly, end-to-end encrypted email can be a very effective way of communicating securely.
End-to-end encrypted email means that the content of your email is encrypted and can only be decrypted by the recipient. The recipient will also need to use end-to-end encrypted email. Be aware that the title of your email and the email address of the sender and receiver are not encrypted.
Key points on encrypted email:
- There is a variety of software that you can use to encrypt your messages, but encrypted email will only work if the person you are sending to is also using it.
- You should always update your software to protect it against security vulnerabilities.
- Encrypted email can be complicated to set up and is not always convenient. There is currently no way to send encrypted email from your phone, for example.
Common ways to encrypt email:
- Thunderbird with the enigmail extension
- GPG Suite for Mac
- GPG4win for Windows and Linux
Encrypted cloud services
Journalists frequently back up documents to the cloud, using popular services such as Google, iCloud and Dropbox. These may be perfectly suitable for many users, but you should be aware that your documents are only as secure as the service they are stored on. Some of these services have been breached and user data has been stolen.
If you are storing especially sensitive documents and/or material or are concerned that you might be targeted directly by an adversary, you may want to use an encrypted cloud service.
Some examples of encrypted cloud services include:
Encrypt your devices
You may want to encrypt the drive on your computer, which is known as full-disk encryption. This is relatively easy to do and can be an effective way of protecting data. Be aware that travelling to and/or working in certain countries with encrypted devices is illegal.
Full-disk encryption for your computer:
- Bitlocker for Windows
- Filevault for Mac
Most newer phones have encryption as a default model. This means that information on your phone is encrypted when it is being stored or sent. However, if you want to prevent your data being physically accessed, you will need to encrypt your information and protect it with a long unique password. If your phone is not encrypted, you can turn on this option in the security settings of your phone.
Your phone will normally back up information on your device to the cloud service. If you are using an iPhone, for example, it will back up information to the iCloud. If you are using Android, it will back data up to Google Drive. Be aware that the information in the cloud may not be encrypted.
You may want to remove data from your phone if it is lost or stolen. To do this, you will need to set up your phone to remote wipe. Turning on this feature will give Apple and Google access to the location of your device at all times.
To set up remote wipe:
- Find my iPhone for iPhone
- Android Device Manager – you may need to enable ‘remote lock and erase’
Encrypt your files, your hard drive and USBs
If you want to keep sensitive documents safe, you might want to consider encrypting them. All major computer systems have their own methods for encrypting, so you should check which one is available on your computer.
You can also encrypt your drive and/or external devices using Veracrypt. To encrypt files in the cloud, Cryptomator is a good option.
Encrypt your website
See our guide on Navigating the Internet for information on this.