In several years of training journalists, I have seen that most journalists agree with the need for encryption to protect their information, but only a few of them really embrace the technology. At first, I thought it was a problem of awareness, but I have since come to realize that the complexity of technology also plays a role.
Journalists often fail to protect their information because encryption systems are complicated and not very friendly to non-technical users. Most journalists have multiple assignments, little time and limited technological skills. They sometimes prefer to accept risks rather than go through the hassle of learning difficult tools.
Even experienced reporters, dealing with confidential sources, working on high-risk stories and visiting dangerous places, are willing to take the risk of using regular email to send plain text messages rather than hassling with what they consider complicated and time-consuming encryption tools.
The consequences of this problem might be disastrous: I know cases of journalists who lost years of research; sources whose online identity got compromised; and reporters who were physically attacked because an adversary intercepted their communications and discovered the subject of their investigations.
Today, with drug traffickers, ruthless terrorists and even corrupt officials trying to intercept and read the emails of investigative journalists, it is more important than ever to encrypt information and send it securely through email.
Here are a few options for securing email that are more user-friendly, along with the pros and cons of using them. Also, I would like to give you one bit of advice: If you are at extreme risk and require privacy, do not transmit information via email at all. Otherwise, please take the time and effort to adopt one of the following tools:
Pros: This is based on the classical Pretty Good Privacy (PGP) asymmetric encryption technology. There is practically no way for an adversary to crack and read a message carefully encrypted with OpenPGP. Once installed, it is pretty easy to use.
Cons: Setting up OpenPGP properly is not very easy. You need to follow carefully the instructions to install the software. You will have two keys, one private, and one public. Everybody can have your public key, but only you must have access to your private key. You can encrypt files with PGP technology.
- How to: Use PGP for Mac OS X
- How to: Use PGO for Windows
- Thunderbird, Enigmail and OpenPGP for Mac OS X – Secure email
- Thunderbird, Enigmail and OpenPGP for Windows – Secure email
- Email Self-Defense
Pros: This is a secure and free email service supported by a network of advocates of Internet privacy. It allows the use of the most important security features such as https and operates only over the Secure Socket Layer (SSL). You can open an account without providing your personal information.
Cons: Because RiseUp is identified with human rights and privacy activists, having a RiseUp account can attract attention from adversaries. You need to get codes for two existing RiseUp users to open an account.
Pros: This is a free tool with highly protected servers in Switzerland. Emails are secured with end-to-end encryption. You can create an account anonymously without putting your personal information to open an account. There is no need to download software. ProtonMail does not have access to users’ decryption keys. It uses open source PGP encryption standard. It is easy to use.
Cons: You need to wait some weeks to get a ProtonMail account.
Pros: This is a browser extension that allows users to exchange encrypted emails following the OpenPGP encryption standard. It is an open-source free tool. Encryption is strong. You will need to create a pair of keys, one private and one public. You may share your public key with your contacts and keep the private one secret, just for yourself. It is recommended to use a strong passphrase to decrypt messages.
Cons: If your computer or your browser is hacked, adversaries can eventually get access to your private key and try to crack your passphrase to decrypt your emails. Your passphrase is your last line of defense and you need to store it safely. The Mailvelope keys are not usable to encrypt and decrypt files.
Pros: This is a proprietary source tool with a free option. It uses both asymmetric and symmetric encryption and is easy to use.
Cons: You need to provide a regular email account and cannot hide your original IP to open a Hushmail account. Your password will be stored at the Hushmail servers. With a judicial order, a government may request access to the user data. Subject of the email, headers and metadata are not encrypted. If you want to send an encrypted message to a non-Hushmail user, you will need to share the key through other means. Hushmail requires users to sign in at least once every three weeks to keep the account active.
Pros: Peerio is an easy-to-use open-source software that offers a high-level encryption system. Peerio creates a pair of keys, one public, and one private and use them automatically for the user to send or read encrypted messages. Users can also can encrypt files and send them securely over Peerio. The platform can be used as a repository of encrypted files. Files are not only encrypted to travel securely from end to end, but are also encrypted specifically to the receiver’s public key. This way, nobody else but the intended recipient could decrypt and read it.
There are other features that can be attractive to journalists. Peerio produces a unique avatar for each user, so you can recognize if the person you want to exchange messages with is an impersonator. Peerio produces passcodes very difficult to crack. To enhance the user’s privacy, Peerio does not store the passcode. It is a major difference from popular email services where the company knows and stores both the username and the password. Peerio also enables a two-factor authentication, pairing the user’s mobile device to the account to provide more security.
Cons: Peerio is still in beta. If you want to send extremely sensitive documents or messages now, you may want to try OpenPGP instead.
This post is also published on IJNet, which is produced by ICFJ.
Main image CC-licensed by Flickr via Yuri Samoilov.