The Tactical Technology Collective, an organisation dedicated to the use of information in activism, offers useful guides on secure alternatives for standard software for browsing, searching the web, writing emails and chatting. It has also compiled a great collection of tools and tactics for more digital security. “It is important that you understand how you are communicating and inform yourself on secure alternatives,” says Anne Roth, researcher for the Tactical Technology Collective.

Following the interview with Anne Roth in our previous post, here are her essential tips on how journalists can stay secure online and when they are using smartphones and tablets.

1. Always use a secure internet connection

This rule is especially important when you’re filling out forms on the web: https:// (not http://) should be displayed in your browser bar.

2. Make your browsing experience more secure

Use different pseudonyms and different browsers with different add-ons for different services. The add-ons recommended by the Tactical Technology Collective can be found in the Shadow Tracers Kit. Always secure your WiFi router at home and in the office.

3. Know what you are downloading

Malware can be either contained in files which you download from the website or in browser scripts. So firstly check the files you are going to download with a virus scanner. Never open files directly in your browser. Better to first download the file, then check it with a virus scanner, then open it. Secondly, make sure you install the add-on NoScript for your Firefox browser. This add-on prevents scripts, which are important for the display of certain contents in your browser from transporting malware.

4. Adjust your browser settings

Go to “Settings” and tell your browser to save no cookies from third-party service providers. Cookies are small text files which are saved on your device and help identify you when you are visiting the same page again. Cookies can be helpful when you need to log in, so it’s not necessarily recommended to deactivate them completely. If you use the Firefox browser, you can adjust browser settings so that you are asked each time when a cookie is going to be installed. That significantly reduces the overall number of cookies.

5. Don’t let your search be tracked

To make sure your search queries aren’t being tracked, use search engines DuckDuckGo and Startpage. However, note that DuckDuckGo is based in the US.

6. Use special cloud services

There are many cloud services like Dropbox out there, but you can’t expect total security from them. Alternatively, you can host your own cloud with the software by OwnCloud. Always encrypt the data on your device before sending them into the cloud. However, that still means your metadata (file name, place and time of the upload) is visible.

7. Use complex passwords

Also, never use the same password for different services. You can resort to a password manager like KeePass for Windows or KeePassX for Mac.

8. Encrypt your hard drive

You can do it with standard software on your computer. That will help you secure your data should your device be lost or stolen. Don’t forget to regularly backup your data.

9. Secure your communication

It’s not a secret any more that Skype, Google, Facebook and other US companies are cooperating with the secret services. So think if you really need to use voice or video chat, especially in case of important conversations.
Use different email addresses for different purposes. It is recommended to use an email client like Thunderbird with an add-on Enigmail instead of a webmail. Here’s how you install it. If you do use webmail, make sure the data is being transferred per secure protocol SSL. Try to avoid using Facebook or Twitter messaging services, traditional email is still more secure.

10. Secure your mobile devices

Users should use a tablet or a laptop with open source – or free – software rather than a smartphone to secure your communication. To avoid tracking of any kind, UMTS, GPS and geolocation features should be deactivated.
Have a look at this introduction on secure use of smartphones and check the Guardian project which offers security apps for mobile devices.

11. Prevent interception of phone calls

There’re encrypted mobile phones out there with a respective price tag. There’re apps like RedPhone, OStel or Jitsi which encrypt your phone calls. Internet telephony is also a good option, which allows you to avoid using phone lines and mobile phone networks.

12. Don’t let others locate your mobile phone

To avoid the identification of your mobile phone location, deactivate the GPS function. But you can avoid being located completely only if you deactivate the phone and take out the sim card -your phone automatically checks in at mobile towers to be able to make calls.

The revelations of the surveillance program of the US

DW Akademie’s Natalia Karbasova spoke to Roth about the biggest risks journalists face online, and about the parties interested in gathering all relevant and irrelevant information: from local authorities to national secret services.

Is it possible for journalists to completely protect their online privacy?

Complete protection is not really possible. It will not be possible in the future either, since we need to supply our data to an internet provider to go online in the first place. The question is rather: what do you want to be secure from? If you want to be sure you are not being tracked by the advertising industry, you can use an adblocker as a browser plugin and configure it manually. If you want to shop online and at the same time protect your identity, you can use secure online payment services like Paysafecard or UKash. If you want to use internet services without disclosing your IP address, you should use the software Tor. Still, this personal anonymity is only guaranteed if you don’t use your personal log-in data while browsing the web.

What are the biggest security vulnerabilities online?

There’s no general answer to this question. It depends on whether you are a big company, a journalist or just a normal user. Access to data which are being transferred unencrypted through email or other internet services pose a big problem. If data transfer isn’t SSL-encrypted (you can see this encryption in your browser address bar which says “https://” instead of “http://”), it can be easily intercepted in an open WiFi network.

It is especially Windows users who face security problems. There’re numerous viruses and malware for Windows out there since this operating system is wide spread. They use unknown security weaknesses of Windows or install standard software and browser plug-ins to get daily access to the computer. That’s why is it is extremely important that you install the latest updates and the latest software.

You should also be really careful and limit yourself to the software, plug-ins and add-ons you really need. You can also protect yourself by installing a personal firewall and a virus scanner.

How do I know I’m being spied upon?

Normally you won’t discover if you’re being kept under surveillance by the authorities. In Germany, you have the right to request this information from the German Federal Intelligence Service and other services. The question is, if you get the answer. Foreign secret services like the NSA don’t provide any information to non-US citizens.

Who is interested in gathering my private information in the first place?

On the one hand, we talk about authorities, on the other hand, about companies. Their motives and methods differ of course. Secret services gather information on internet usage and on users not only to protect their country against terror attacks, but also to exchange this information with foreign secret services which are not necessarily able to track the global internet traffic on their own. The approach of the secret services can be described as “full take”: you take so much information as you can. Edward Snowden and other whistleblowers have shown that secret services often use special interfaces, which global companies have provided them with. Secret services also use intercontinental internet lines.

You have to be extremely cautious when it comes to using free services on the web. Remember that you still pay for it, but in a different manner, that is, not with money but with your data. That’s when you stop being a client and become a product.

What do companies do with the data they collect?

The data are collected through third-party cookies – little text files – users accept by browsing the web. Most users are not aware that they interact with other, third, parties when reading a news or any other website. These sites get paid to let the third parties have access to their users’ data. The more information is known about a user, the more valuable and up-to-date is his or her profile.

The advertising industry uses profiles for individual ads. Financial and insurance industries use your profile data to give predictions and to calculate how expensive their services should be for the end customers. By the way, the German registry office also sells your data, which many of us don’t know.

What’s so bad about it?

The problem of such data pools is, data collectors want more and more data. The intended use is often expanded later without updating those affected. That’s why I would recommend to be very careful with requests to share your address, you date of birth or the data of your children.

There’s an ongoing discussion in Germany following the data retention directive of the European Union. It regards retention of communication meta data. It is basically the same as gathering of metadata which is being intensely debated in the light of Prism. You can easily generate motion profiles and networks with the help of these data, which show who knows whom, who makes calls with whom and how long these calls last. The initial purpose of the initiative was counter-terrorism, but it’s obvious that even here others are interested to extend access options.

A secure password is one of the first steps towards more digital security. If your password has been cracked, hackers can get access to valuable personal information, steal your money and damage your reputation by distributing harmful content in your name. DW Akademie’s Natalia Karbasova offers some basic rules to help you create secure passwords and checks out selection of tools for password management and security check.

How to create a secure password

1. Your password must be complex. There’s no need to say that such passwords as QWERTY, 1234 or “password” can be cracked in a couple of seconds. And you don’t want to see you password on the list of worst passwords of the year. So don’t use passwords which are easy to guess, such as names or dates of birth of your relatives and friends. Your password should contain lower as well as upper case characters, numbers and punctuation marks. The rule of thumbs is: the longer your password is, the better. Eight characters are the minimum requirement for a good password. To remember your passwords more easily, also read these suggestions from Microsoft.

The Diceware Passphrase website also offers a good method which can help you construct a strong password.

2. Don’t use the same password for multiple websites. You should follow the rule of “One password – one website”. By doing this, you will prevent hackers from easily accessing other services and accounts for which you use the same password.

3. Don’t reveal your password to anybody else. If you still had to share your password with a third person, make sure to change it immediately afterwards.

4. Don’t write your password down. If you have to, then never place the paper at your desk for everyone to see. Also, avoid writing down the website for which the password should be used.

5. Change your passwords regularly. By doing this you will avoid problems if you password was revealed by a third person.

Check the strength of your password

After you have created a password, you can use a number of online services to check how secure it really is. Microsoft suggests checking your password’s strength – all you need to do is to type in your password and see the rating below. You can also try this online tool to check the security of your password.

Also, the website howsecureismypassword.net not only lets you check the security of your password, but also tells you how much time it would take to crack it. The website also provides comments on your password such as its length and character variety or if there are repeated patterns which make the password easy to guess.

Password generators

To create sophisticated passwords, you can also resort to specialized websites.

• WolframAlfa is actually an answer engine, but the scope of tasks it can cope with is truly impressive. Type in “password” and it will generate a random combination for you.
• Password generator – you can choose between different types of passwords, such as Internet or server passwords.
• Secure password generator by Symantec allows you to create random passwords.

Password managers: Tools to keep track of your passwords

Password managers help you keep track of your passwords without having to remember them all. Mashable offers a list of useful tools for password management. Let’s have a look at the tools that have proved to be effective and can be used free of charge:

• KeePass and KeePassX are a free, open-source password managers which can also be used in a portable mode and run off a USB drive. At the moment, they seem to be the most popular free tools. They allow you to save passwords using only one primary password to unlock them.
• LastPass is a free tool for Windows and Mac stores all of its data in the cloud. It can automatically save your logins, help you generate passwords and automatically fill in your passwords when you visit a site.
• Firefox Sync syncs and protects your passwords, bookmarks and browser tabs.
• Firefox users can also resort to a browser add-on Keefox, for which you only need to remember a master password.

More to read:

• Five tools journalists can use to protect their privacy
• Probably the Best Free Security List in the World
• Journalist Security Guide by the Committee to Protect Journalists: Chapter on Information security

In many countries, journalists are confronted with security problems. We are starting a series of posts devoted to digital security. We will cover such issues as messaging services, IP address and how you can change it, how you can make yourself anonymous on the web and much more. For this post, we have interviewed Fabian von Keudell, technology & security editor at the renowned German technology magazine CHIP about how secure Skype is and which alternatives are out there.

How secure is Skype? Is there a possibility that audio and video talks as well as chat messages can be saved and later used by Skype itself or intercepted by third parties?

Fabian von Keudell

In 2011 Microsoft, the owner of Skype, patented a technology that allows the company to intercept secure calls over the Skype network. Since then security specialist fear that Microsoft is secretly implementing such technology in the Skype source code. Since no one has access to the original source code, it is quite difficult to say whether a Skype call is interceptable or not. For now, most experts believe, that governments have already access to Skype calls.

Are users still secure when they make calls from Skype to normal phone numbers?

All calls are made through so called Skype supernodes. Therefore it is possible to record even these Skype-to-landline calls.

What about Google Talk and FaceTime?

Every VoIP software that is proprietary has the same security problem: The user never knows what exactly is written in the source code. So there is always a risk of a backdoor in the program which allows the company or governments to access to your data.

Which alternative messaging service would you recommend to use? e,.g, Jitsi, off-the-record-encryption services such as Psi, Miranda IM and Adium?

Jitsi and other open source programs are always a better solution when it comes to secure data and voice transmissions. Be sure to download the Software from a reliable source.

Is it enough to use a secure messaging service in order to protect yourself against third parties?

There is always a chance that you have unknowingly installed a trojan on your PC. Such virus could record everything, even secure and encrypted transmissions. So be sure to have all necessary Windows updates and a state-of-the-art virus protection installed on your PC.

What should journalists do to make sure their calls and messages are protected against any intervention and interception?

There is no 100 procent protection against call interceptions, especially when someone with a lot of manpower and money is interested in your calls and data. But these cases are very rare. For everyone else, open-source software like Jitsi is the way to go. You should try other tools as well. For example, the TOR browser lets you hide your IP address, that is, where you are, but your activity can still be intercepted. The tool TrueCrypt lets you encrypt your data. By using a combination of tools journalists can ensure better security.