This is the latest in a series we've done about how to protect your privacy. This post is based on a tip sheet that I prepared for a panel discussion about how journalists can communicate securely with sources at the 2015 Investigative Reporters and Editors Conference.
It's easy to feel hopeless about privacy these days.
In the post-Snowden era, we have learned that nearly every form of communication-from emails, phone calls, to text messages – can leave a digital trace that can and likely will be analyzed by commercial data-gatherers and governments.
Here are some ways to keep those communications private. While these tips were designed for journalists and confidential sources, they're just as useful for protecting any private communications, such as a conversation between family members, or a confidential business dealing.
Some tactics are more difficult than others, but the good news is that not all of them require technical skills. The key is to figure out your communication strategy. First, decide if you are trying to hide WHO you are talking to (metadata) or WHAT you are talking about (content), or BOTH.
In each case, there are both high-tech and low-tech ways to evade surveillance.
If you are trying to mask WHO you are talking to, consider three tactics that I call ACE — which stands for "Add Noise, Cloak or Evade."
- Add noise means fuzzing the metadata by adding false connections or false content to the communications.
A high-tech way to add noise online is to use Tor Web browser which bounces your Internet traffic around to a bunch of locations so that the website you arrive at doesn't know where you are coming from.
You could also add noise in a low-tech way. If, for instance, you are a journalist calling a source in the mayor's office, you could also call everyone in the office, too. That protects the source from being the only one with a record of a call with you. (However, you should talk for a short time and set up another means of communications to avoid creating a data trail of a long conversation).
- Cloak means using alternate identities.
Another way to mask who you are talking to is to set up new accounts – whether it is email, instant messaging or a cellphone – using alternate identities.
For these disposable online accounts, it's best to use Tor when setting up a disposable email (instructions here) or instant messaging account (instructions here for Windows and Mac) so that your location is not revealed during the setup and use of the account.
For disposable cellphones, also known as burner phones, the best practice is to buy them in cash in a location not close to your usual work and home (because your location is a very distinctive giveaway). Give one to your correspondent and set up a time in which you will each go to a location that is not on your usual route in order to make the call.
- Evade means avoiding metadata collection.
This usually means meeting in person, and turning off your phones (or, even better, leaving your phone at home) so there is not a record of your phones being in the same place. The challenge is to avoid using digital forms of communication to arrange the in-person meeting.
If you are trying to mask WHAT you are talking about, I suggest three strategies that I call HEM — which stands for "Hide, Encrypt or Mask."
- Hide means hiding the existence of the content, by placing it in a secret compartment either physically or digitally.
Hiding content can be as low-tech as hiding a USB stick in your pocket (as long as you are not going through a border or airline inspection).
Or it can be as high-tech as creating a hidden volume of encrypted content on your computer (a program called TrueCrypt offers this feature) that is not detectable to a person inspecting your computer.
- Encrypt means to make content unreadable to outsiders using cryptographic techniques.
Encryption scrambles your messages in ways that are extremely difficult for even the most powerful computers to break.
In the post-Snowden era, new encryption services seem to be sprouting every month. To sort out the best services, we ranked many of them last year in a joint project with the Electronic Frontier Foundation.
For encrypted communications to work, both parties must install the same software - whether it is the encrypted iPhone app Signal for text messages and voice, calls or the widely used GPG software for email encryption. (Instructions here for Mac and Windows users).
- Mask means disguising the content as an innocuous other type of content.
Known as steganography, this is the art of hiding a message in plain sight. For example, a teenager may post a song lyric to her Facebook page, which conveys a certain meaning to her friends, but is impenetrable to her parents.
For this to work, both parties must agree on the meaning of their messages in advance - whether it is using code words or physical symbols - such as the famous flower pot on the balcony that "Deep Throat" apparently moved when he wanted to signal a request for a meeting with journalist Bob Woodward.