Last week, the new whistleblowing platform Afrileaks – a kind of Wikileaks for Africa – hosted journalists at a two-day digital security bootcamp (Disclaimer: the Daily Maverick is an Afrileaks media partner. In other words, if you want to leak confidential information to us, do so through the Afrileaks platform to protect your anonymity). The premise was simple: before journalists can look after delicate, confidential sources online, they need to know how to look after themselves online.
Few individuals take digital security very seriously. Yet as we live more and more of our lives online, we all become more vulnerable to increasingly sophisticated hackers and fraudsters who don’t often have our best interests at heart. Not to mention governments, many of whom – including the South African government – are engaged in the widespread and indiscriminate collection of personal data. It doesn’t matter if you have nothing to hide: you’re still vulnerable to fraud, and your security lapses might compromise the security of people who are hiding something (i.e. whistleblowers, journalists, and civil society activists).
As John Oliver argued so memorably in his must-watch interview with Edward Snowden: if for no other reason, look after your digital security to make sure no one can see your ‘dick pics’.
“You might not have anything to hide, but you still communicate. Everything that you do leaves traces. The moment when you, your account, your info is compromised, you can compromise others who have been in touch with you. So even if this doesn’t directly affect you, others with whom you’ve been in touch can be compromised,” said Gillo Cutrupi, a digital security expert with the Hermès Foundation, who led the Afrileaks training.
“It’s not just state surveillance that you need to worry about, or commercial people targeting you with creepy adverts, it’s that organised crime is increasingly becoming incredibly sophisticated with using technology,” added Justin Arenstein, an investigative journalist and digital strategist helping to establish Afrileaks. “So they use it to profile people, to say well am I going to do identity theft which is the simplest of things, or are we actually going to profile someone so we know who to hit, when to hit… right down to the most extreme cases of people getting kidnapped, simply because they’re checking in at places, or their calendar is visible to others. A lot of this is not really meaning that you have to be a super spy, it’s simply understanding what your security settings on your normal social media. So on your Facebook, can people see you posting pictures of your kids and your family, or are you keeping that private?”
In South Africa, we’ve all become pretty good at keeping ourselves safe. We lock our doors, we install burglar bars, and we remain vigilant. If you haven’t already, it’s time to turn that same vigilance to digital security – and here are a few Afrileaks-approved steps to do so. While some of it may sound complicated, this is really just a start; the bare minimum. For more comprehensive advice, visit Security in a Box, a free advisory service which independently tests and rates various security measures.
1. Use a pass phrase, not a password
Passwords are the first line of defence, but they can be ridiculously easy for programmes to guess. A six character password takes a maximum of two minutes to crack, and usually it’s a lot quicker than that (if you are one of the millions of people who uses ‘qwerty’, ‘123456’ or ‘password’, go sit in the naughty corner and hang your head in shame). This is because algorithms are getting fancier as processing power increases. There’s an easy fix, however: make your password longer. A lot longer. Every extra letter makes an exponential difference, so go big or go home. The industry standard these days is pass phrases rather than passwords: strings of words, characters and numbers (even spaces are usually ok) that will keep a password-guessing programme occupied for a very long time.
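To make the "every extra letter" point concrete, here is an added example (not from Afrileaks or the training) that estimates worst-case guessing time and generates a random passphrase. It assumes the two-minute figure above describes an exhaustive search over six lowercase letters, and the short word list is a constructed sample.

```python
import math
import secrets

# Assumption: the article's "six characters, at most two minutes" figure is read
# as an exhaustive search over lowercase letters only (26 symbols).
LOWERCASE = 26
ASSUMED_RATE = LOWERCASE ** 6 / 120  # guesses per second implied by that reading
DICEWARE_SIZE = 6 ** 5               # 7776 words: one word per five dice rolls

# Constructed sample list, far too short for real use.
SAMPLE_WORDS = ["anchor", "biscuit", "cobalt", "dune", "ember", "fjord",
                "gravel", "harbour", "ivory", "jackal", "kettle", "lantern"]


def worst_case_seconds(symbols, length, rate=ASSUMED_RATE):
    """Time to try every sequence of `length` items drawn from `symbols` choices."""
    return symbols ** length / rate


def entropy_bits(symbols, length):
    """Entropy in bits when every item is chosen uniformly at random."""
    return length * math.log2(symbols)


def make_passphrase(wordlist, words=6):
    """Draw words with the OS CSPRNG (secrets), never with random.choice."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("word list contains duplicates")
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def humanise(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    for n in (6, 8, 10, 12):
        t = worst_case_seconds(LOWERCASE, n)
        print(f"{n} lowercase letters: {entropy_bits(LOWERCASE, n):5.1f} bits, {humanise(t)}")
    for n in (4, 6):
        t = worst_case_seconds(DICEWARE_SIZE, n)
        print(f"{n} random words:      {entropy_bits(DICEWARE_SIZE, n):5.1f} bits, {humanise(t)}")
    print("sample:", make_passphrase(SAMPLE_WORDS))
```

These numbers hold only when the letters or words are picked at random; a phrase chosen by a person, such as a song lyric or a quotation, is far easier to guess than its length suggests.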
2. Never use the same password, and keep them fresh
You need a different password for every account. It’s simple, really: if someone gets hold of one of your passwords, you don’t want them to then have access to everything. Remember too that many smaller sites, such as forums, do not store your passwords securely.
This is common sense, of course, but easier said than done. How do you possibly keep track of so many different passwords – especially when you’re meant to change every password regularly? The answer here is to get yourself a password keeper – a secure place to store all your passwords, meaning that you just have to remember the one password to access the password keeper. Afrileaks recommends KeePassX.
3. Secure your browsing
Most major websites use the secure “https” protocol to protect their customers (look for the ‘https’ at the start of the web address, often accompanied by a little green bar or padlock). This means that it’s difficult for anyone else to see what you’re looking at or what information you’re submitting to those websites. In other words, if you send an email from one Gmail account to another, it’s relatively easy to know that you have sent an email, but not the contents of that email.
It’s important to note that browser security is different from browser anonymity. If you want to mask your online presence entirely, you’ll need to download The Onion Router (Tor), a special browser that routes traffic through multiple nodes to completely disguise your online activity.
4. Don’t always trust the Cloud
Anything stored on the cloud is only as secure as the company that’s storing it, and not all companies offer the same level of digital security. That’s why it’s vital to think carefully about what exactly you choose to store on the cloud; sensitive documents should be encrypted first. It’s also important to use companies with better track records when it comes to digital security: Dropbox and SpiderOak have good reputations on this front.
5. Don’t forget your smartphone
These days, you’re as likely (if not more likely) to access the internet through your smartphone. All the same rules apply here, with an added caution: phones can easily be used to track your physical location, even with SIM cards removed. If you don’t want your movements to be tracked, leave the phone at home.
Most mobile messaging apps such as WhatsApp have their own unique vulnerabilities. These are all highly insecure, and most pull your entire contacts list into your database – potentially putting other people at risk (this is especially true for journalists: never, ever save confidential source information in your address book). For a secure messaging app, use SureSpot or TextSecure/Signal (Android/iOS).