Chapter 3

En Garde: Digital Security for the Undercover Whistleblower

LEGAL DISCLAIMER: The material in this e-course is provided for informational purposes only. Nothing in this email should be construed as legal advice. Before you act on any of the material in this guide, the authors STRONGLY urge you to seek legal counsel.

Think first, click second

Technology can be a useful tool for exposing wrongdoing, but it can also make it easier to expose your identity. The good news is that there are plenty of tools out there that can help maintain the anonymity of your conversations, your behavior, and your data. Overall, the digital security space is constantly evolving (what was secure even a couple of days ago may be vulnerable today), but here are a few general guidelines, tools to consider, and best practices to follow.

REMEMBER: No system is foolproof.

If the walls could talk… they would

Your digital activities at work are very likely being monitored. And even if they aren't, it's better to assume anything you do on work time, networks, or equipment is being watched and logged. Even arguably innocuous activity (for example, reading about whistleblowing or leaking) could draw scrutiny, so it's best to use your personal devices outside of work hours to do research on whistleblowing or non-work-related tasks, whenever possible.

Beyond the office walls, they’re still watching

Because of previous whistleblowers, including Edward Snowden, we know the government’s vast digital surveillance capabilities include collecting information about Americans’ communications.
Many companies whose products you likely use in your daily life (for example, email providers, social networks, and internet providers) can collect not only the contents of your communications, but also other identifying data such as who you've contacted, sites you've visited, when you visited and how often, among other information. While the government may not have direct access to this information, it may be able to use legal methods to compel companies to turn over any or all of the information they have on you.

Try to mitigate your risk by never using your personal equipment or your employer’s equipment to transmit information when you’re blowing the whistle. Consider using a distant public computer at a library or internet cafe that is not likely to be connected to or associated with you. You could also consider using the Tor Browser or Tails operating system described later in this chapter, which can help to better protect your digital activity.

A digital check-up

It’s good practice to review your digital hygiene regularly in any case, so the more of these practices that you can implement, the better secured all of your information will be, and not just information that you could use to blow the whistle.

- Always use strong, unique passwords or, better yet, a password manager. Malicious programs like keyloggers, which can record everything you're typing, clicking on, or viewing on your monitor, can render even the most secure password useless.
- Lock down your accounts with multi-factor authentication. This means when signing into an account, you'll also be asked to verify your identity with a different method, such as an app, an additional code, or a text message. This can help secure your account in the event your login information has been compromised.
- Assess your digital risk.
The University of Toronto's Citizen Lab, for example, runs an interactive Security Planner that will give you a customized action plan around your specific devices, online usage, and needs.
- Brush up on the basics of digital security. The Electronic Frontier Foundation and the Freedom of the Press Foundation each provide comprehensive overviews of the digital security landscape today and guides on how to choose and use various secure applications.
- Think before you click. Assume your behavior is being monitored (because it probably is) by your work, your internet provider, or any of the apps and software you use.

Encryption is the key

The strongest defenses against digital snooping at this time are technologies that incorporate strong encryption, both for communication and stored data. (If you've never heard of encryption before, POGO's Andrea Peterson has a great write-up from her time at The Washington Post that's well worth a read.)

Always keep in mind that even the most advanced protection now may be weak or irrelevant in the near future, and that any time you use third-party applications or software you are trusting them with your data. Encryption does not stop the party you’re sharing the information with from sharing your information accidentally or intentionally. Encryption mitigates risk, but does not eliminate it.

The current toolbox

Below is a brief overview of some of the current best resources for digital security. We note, however, that many of these tools have at various times suffered security vulnerabilities, which is why you should always do research on your own to see what the current state of play is for these tools and what emerging alternatives are available.

REMEMBER: In almost all cases, using a digital method will create some sort of trail.

Encrypted email: PGP

This is the most commonly recommended way of encrypting email, and relies on public key encryption. This method secures the content of email messages, but leaves the metadata (including the subject line, sender, the recipient, and the date) exposed. PGP has had some security vulnerabilities in its past, however, and its setup can be tricky for the average user to navigate.

Texting, voice calling, and document sharing: Signal

Signal provides end-to-end encrypted messaging and voice calls, and is generally more user-friendly than PGP. Be sure to read up on Signal's basics, such as safety numbers, and its history, as the app has had some security problems before.

Web browsing: Tor

Tor is a network that masks your online activities by encrypting your traffic and routing it through different servers around the world to make tracking activity more difficult. The Tor Browser, based on Firefox, is one accessible way to use this network. Be aware that Tor has suffered some security failures in the past, and that some experts believe that using the Tor network can in and of itself raise flags for law enforcement or intelligence agencies.

General computer use: Tails

Tails is an operating system (like, e.g., Windows) that is free, open source, and automatically incorporates encryption and other privacy-protecting tools. It can be run on most computers through a flash drive. It is worth brushing up on the developer's warnings about what Tails cannot protect against, however, as no system is perfect.

Sharing digital documents: Secure Drop

Secure Drop, managed by the Freedom of the Press Foundation, was designed to facilitate anonymous communication between sources and non-governmental organizations, like nonprofits or media outlets, and is generally considered to be the most secure method to contact those groups.
Secure Drop requires users to install and send information through the Tor Browser.

The old-fashioned way

In some cases, digital may not be the best or most secure way to share information. In-person meetings, for example, may be less risky. Some things to consider if you set up a face-to-face meeting:

1. Transportation: Can your mode of transportation be traced back to you, e.g., through the license plate on the car, through your public transit card or station cameras, or a ride-sharing app?
2. Surveillance: Are there likely to be cameras en route to or at your location?
3. Meeting location: Are you or the person you are meeting likely to be recognized at your meeting location? Will you be prompted to sign in or log your meeting?
4. Devices: What do you, and the person you're meeting, have on your person? Cell phones, smartwatches, laptops, and other digital devices, for example, can be used to help identify who you've interacted with or where you’ve been, even if you turned off the device.

Let the user beware

In the ever-shifting landscape of digital security, what seems secure today may be revealed to have an open door, or even a backdoor, tomorrow. For this reason, we highly recommend that you always research recent security news about a tool before deciding to use it for any sensitive information.

This is just the tip of the iceberg on digital security. For more detail on how to protect yourself, read our full survival guide, Caught Between Conscience and Career. Jump into Chapter 3 now.

Material for this e-course is pulled from Caught Between Conscience and Career, a joint effort of the Project On Government Oversight (POGO), Government Accountability Project, and Public Employees for Environmental Responsibility (PEER).

The Project On Government Oversight (POGO) is a nonpartisan independent watchdog that investigates and exposes waste, corruption, abuse of power, and when the government fails to serve the public or silences those who report wrongdoing. We champion reforms to achieve a more effective, ethical, and accountable federal government that safeguards constitutional principles.

Project On Government Oversight (POGO)
1100 G Street NW Suite 500, Washington, DC