Secure collaboration among journalists: tips from an expert

Sebastian Mondial was one of the first journalists entrusted with millions of leaked offshore tax files. Because of the sensitive nature of the information – which involved the secret financial transactions of individuals from corrupt politicians and international arms dealers to millionaires and middle-class professionals – secure communications among those involved in the investigation was of the utmost importance. The ensuing collaboration, involving nearly 100 journalists from 40 countries, was probably the largest in journalism history

Mondial was pivotal in setting up the communication channels and ensuring that the information exchange avoided surveillance. In the following guest post for onMedia, he gives some tips on how to protect communications from snooping eyes while still keeping the information flowing.

There is much uncertainty and doubt (and perhaps fear) about whether it’s possible to keep any collaboration among reporters, editors and sources secure these days. Based on my experiences with the global offshore-leaks project and similar international endeavors, I want to share some recommendations for setting up secure communications for collaborative projects.

But before you even start, you need to be honest about your technical skills and the situation. If you are reading this text, chances are you’re not an A-grade hacker or system administrator. You don’t need to be. But the less developed your technical skills are, the more you will need to rely on other people’s work and the less you will be able to evaluate for yourself if a solution is really secure.

Take the anonymous surfing project Tor, for example, and more specifically Tails. Tails is a ready-to-use system that allows novices to surf the internet anonymously. While such software has major advantages, the drawback is that you absolutely have to trust the source, the creators, of this system. Since Tails and Tor are open source and used by many people, any security flaws will probably be found and fixed at some point. But as long as you can’t match the source code with the software yourself, there’s a chance it’s been manipulated. (Recently this was done for TrueCrypt, a disk encryption software – you can read about it here.)

So when you lack the necessary skills, you need to decide to either:
– “buckle up” and learn the necessary skills
– trust tutorials and follow step-by-step solutions
– find/hire an expert who you have to trust from this point on

This will be the Achilles’ heel of your security concept, so choose wisely!

The cardinal question

Then you need to ask yourself the following (multipart) question: How many people need to communicate, for how long and from where, what are their roles and how much time do you have to prepare for this situation?

RedPhone – an open source encryption app

I’ll walk you through some answers to this question using two scenarios. But before I start, if you need to keep the contents of your conversations secret and can’t meet face to face, I recommend RedPhone (Android) and Silent Circle (Android+iPhone) for the time being. Both of these will keep the content of your talks safe as long as your devices/phones aren’t compromised. (Calling people does creates specific metadata – while it’s possible to avoid this by controlling and encrypting the whole connection from end to end, that is too much ground for this post to cover).

Scenario A – exchanging information among five people or fewer (assuming you don’t need to send many files)

Depending on the nature of what you are exchanging, having five people or fewer means sharing information via email is still manageable (but it does still create a large amount of duplicate text when referring and refining because email programs often just paste replies above the original messages).

First, make security a special responsibility. If you have a team leader – good. If not, choose one person to have the last word about security – a security “first among equals,” if you like. If unsure about who to chose, pick the person who’s the most sane and the most paranoid at the same time. If you share responsibility, it will degrade security, trust me.

If you’re not all working within the same company and are on different mail servers (meaning you have different email addresses – like mike@yahoo.com and claire@web.de), you should set up extra accounts on another mail server especially for your project.

The best would be a server you can trust to not be accessible to law-enforcement agencies. In Germany, for example, all email providers with more than 1,000 users are required to allow such agencies direct access to mail accounts without users knowing.

This means you will have to set up a server yourself or get a managed server (where you have the problem of having to trust the admin). You need to have that machine in a physical space which you trust won’t be compromised easily.

You can then set up the server to accept only secure (SSL) connections and use forward secrecy (also called perfect forward secrecy – you can read more about how to configure it here). This will also cost money to run – around US$25-50 a month plus the hardware lease. Security isn’t cheap if you want to have it done right. But this ensures that as you exchange information, none of the metadata is accessible to the NSA and other snoopers (read more about metadata here).

The server will be a “central point of failure” – meaning if your information there is accessed by a third party, unless it is already deleted, the invader gets it all. So you need to add a third layer of protection just in case – encryption. This will keep things secret. GPG, the open source implementation of the cryptographic software PGP, is fine for that.

Since you’re all using the same server, again, metadata will be the least of your worries because it’ll only be available to outsiders if they get on the server.

I recently started to work with PGP V2-Smartcards. These are physical cards you can use to store GPG cryptographic keys. The sweet thing about them is that you can set them up, send them to someone and people then have the encryption keys “outside” their computers protected with a pin or passphrase that is most unlikely to be brute-forced, since it locks down after three false access attempts. It also works within companies with a central IT department; they only need to set up your computer – Windows, Mac or Linux with a GPG version higher then 2.0.8 and a common reader and you can encrypt on your own.

Since we’re talking about computers – if you work in an environment where virtual and real break-ins are likely, here are some more tips.

Buy a computer in a store rather than ordering it online because the NSA is known to have diverted online purchases to install spyware on machines. Select the computer for its modularity – how easy it is to take apart because you might want to do things like remove the camera or the microphone (see www.ifixit.com for tips on taking apart devices). Set up the computer afresh with full disk encryption (here are some links to setting it up on Windows, Mac and Ubuntu).

Here are some basic pointers to setting up systems but as I have already emphasized, you need to have or acquire some skills and/or trust other people to make it really safe.

– securing one of many Linux Distributions
– hardening OS X (if you run a Mac client) –
– setting up a secure system. Note that with this, as with any other tutorial, you really need to know what you’re doing

If you set up your system like this, your activity will have very limited visibility and no metadata about the information exchange will be revealed unless the “other side” gets hold of the server.

However, if you need to send a lot of files and/or you are collaborating on a project with ever-changing information, this isn’t the correct scenario for you. See Scenario B instead. 

Scenario B. Exchanging information among six or more people and/or collaborating on a data-intensive topic over an extended period of time

A larger collaboration makes email a burden rather than a useful tool. Since it is likely different people will be communicating on different topics, and you also might have people joining and leaving the project, you need a different method of setting up secure communications.

I recommend setting up a web forum with enhanced encryption and file storage capability on a dedicated secure server. Start with a root/managed server as described above. Then set up a forum like fud-forum and harden the system. If the machine has the necessary CPU power, you can also reuse it as a mail server as seen above. On top of this, you could enable a VPN (Virtual Private Network), which will add an encryption layer.

By doing this, you can then communicate and keep records in a central location while also being able to control the level of information accessed by those involved. In the offshore-leaks collaboration, we had a core group who were able to access all information as well as a reporter group who only had specific access to certain information relevant to their areas of expertise or their countries. People who were new to the forum could read all communications on their access level chronologically as well as in “thread-mode,” meaning that they could see questions and answers.

If we had needed to, we would have been able to shut down the whole system and make the data disappear at any point. An advantage of such a system is that you can also make a complete “private” copy at the end of the project as a reference.

I know this post has only scratched the surface of some of your secure communication needs. The good news is that there is a wealth of great information out there on the internet about making your communication server even more secure.

One more thing – there is no such thing as perfect security. Forget it! But you can reduce the chances of being snooped on or your information compromised. Once you have some knowledge and set up the system, you need to maintain your level of security and keep an eye out for any possible breaches.

If you have any questions or need more pointers, I’m happy to help – I just might need some time to respond. You can email me on kappuchino@h2h.de or you can get in touch with me on Twitter at @kappuchino.

Sebastian Mondial is a freelance data journalist who works mainly for German state broadcaster NDR in the investigative research team. He is also one of the founders of the first full-time data team in Europe – the regiondata desk at German press agency dpa. When he’s not busy crunching data, he also trains journalists on security and data journalism.