Cyber security for journalists: Secure communications

Alan Pearce is a journalist and author specialising in cyber security

All digital communications can be intercepted in transit and read by anyone with the appropriate skills. This includes all emails, texts, personal messages and video calls such as those made with Skype.

There are two exceptions to this rule. While encrypted communications can be intercepted, they cannot be easily read. Equally, an adversary cannot read your communications if they know nothing about them.

While it’s acceptable to use unencrypted email for general use, it’s a good idea to set up a more secure option just in case you need it. One day a source might ask you to communicate using PGP (Pretty Good Privacy), the gold standard for email encryption.

Famously, Glenn Greenwald nearly lost out on his scoop with Edward Snowden because he could not get his head around the problems of setting up PGP. He wasn’t alone in this. A study found that - aside from serious geeks - most people struggle with even the basics.

With PGP you need to generate two keys: a public key that you give out to people who want to communicate with you, and a private key that you use to scramble and unscramble the messages. There are various free programs for those brave enough to try.

Luckily, things have moved on in the past two years and there are now easier options.

By far the simplest solution is to open a free email account with a service offering built-in PGP encryption, such as the Icelandic company Unseen.is. Here you can generate both sets of keys and import public keys via the key manager facility.

While this will offer arguably the best means of encrypting your emails, it may also open you to inspection, as this is the surest sign that you have something to hide. It’s no secret that intelligence agencies like the NSA and GCHQ employ programs that actively seek out encrypted communications.

Additionally, some countries - including the United Kingdom - have introduced mandatory key disclosure laws that compel users to hand over their encryption keys on demand or face a jail sentence.

So avoid using an email program like Outlook or Thunderbird, or smartphone email apps, as these are the first places a spy will look.

Rather, access your secure email account via a web browser in private mode while employing a VPN, or with the Tor anonymising network, preferably on a device not associated with you. Memorise the login details and never write them down.

If you need to send an email that positively cannot be traced back to you, there are temporary 10-minute emails and re-mailing services such as AnonyMouse.

Re-mailers strip off any codes that identify you and add new ones along a multi-stage journey. When the email arrives at its destination it cannot be traced back to you. This of course means the recipient cannot reply. However, you can then give them an alternative means of contact.
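To make the "codes that identify you" concrete, the added example below (not part of the original article, and not how AnonyMouse or any particular re-mailer is implemented) rebuilds a constructed message the way a hypothetical re-mailer hop might, then lists which headers no longer exist on arrival. The function names, hop addresses and the choice to forward only To and Subject are assumptions made for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed sample message; every name, host and address is made up.
RAW = """\
Received: from laptop.home.example (unknown [203.0.113.45])
 by smtp.mail.example with ESMTPSA id abc123; Tue, 01 Mar 2016 09:12:44 +0000
Message-ID: <20160301091244.1234@laptop.home.example>
Date: Tue, 01 Mar 2016 09:12:40 +0000
From: Jane Reporter <jane@mail.example>
Reply-To: jane@mail.example
User-Agent: ExampleMail/1.0 (Windows)
X-Originating-IP: [203.0.113.45]
To: desk@newsroom.example
Subject: Documents
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

See attached notes.
"""


def remail(raw, hop_address):
    """Rebuild the message the way one hypothetical re-mailer hop would."""
    original = message_from_string(raw, policy=policy.default)
    clean = EmailMessage()
    clean["From"] = hop_address                # the hop's identity replaces the sender's
    clean["To"] = str(original["To"])          # still needed for delivery
    clean["Subject"] = str(original["Subject"])
    clean.set_content(original.get_content())  # body is copied untouched
    return clean


def relay(raw, hops):
    """Pass the message through each hop in turn (the multi-stage journey)."""
    msg = remail(raw, hops[0])
    for hop in hops[1:]:
        msg = remail(msg.as_string(), hop)
    return msg


def removed_headers(raw, delivered):
    """Header names present in the original but absent on arrival."""
    original = message_from_string(raw, policy=policy.default)
    kept = {name.lower() for name in delivered.keys()}
    return sorted({n for n in original.keys() if n.lower() not in kept})


if __name__ == "__main__":
    out = relay(RAW, ["nobody@hop1.example", "nobody@hop2.example"])
    print(removed_headers(RAW, out))
    print(out.as_string())
```

The body is forwarded unchanged, so anything identifying in the text itself or in an attachment's metadata still reaches the recipient.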

PrivNote is a free service that allows you to send top secret, self-destructing notes over the internet. Simply write a note and it will generate a link that you cut and paste into an email and send. The recipient then clicks the link to see the note in their browser. The note then automatically self-destructs.

For mobile devices, text messages can be end-to-end encrypted and phone calls scrambled. Secure alternatives to Skype (VoIP services) abound:

  • Symphony is a new encrypted messaging system for all devices
  • SureSpot is an encrypted messaging system for Android and iOS that also allows you to send photos and audio clips. Delete a message and it is also deleted on the recipient’s phone
  • Telegram is a free, open-source messaging app for Android and iOS with end-to-end encryption and a self-destruct feature
  • Tox, free instant messaging and VoIP service
  • Jitsi, free, open-source encrypted VoIP service for audio/video and chat that supports protocols such as Jabber, Windows Live and Yahoo!
  • Signal is also free, providing end-to-end encrypted text and VoIP calls for both iOS and Android
  • Silent Phone allows you to make secure encrypted phone calls all over the world, over any network - 3G, 4G and wi-fi. Each subscriber receives a private encrypted 10-digit phone number. It easily integrates existing contacts on your device and works on smartphones and tablets.

Always bear in mind that very few security tools are 100% safe. If you were under observation, an adversary’s first move would be to gain control over your digital devices, either physically or remotely. This means they could access all your messaging systems as well as your PGP keys, allowing them to read your encrypted communications and even pretend to be you.

Above all, keep all sensitive correspondence and contacts off your digital devices and secure all email programs with a strong password.

Alan Pearce is a newspaper journalist, broadcaster, former BBC foreign correspondent and the author of Deep Web for Journalists: Comms, Counter-Surveillance, Search.

The BBC has no specific guidelines for its journalists on using the Tor network. It does not endorse Tor, nor any of the other services referred to in this article.
