Client Notes

By Cleland Thom

Cleland Thom is director and is also recognised as one of the UKs leading media and communications trainers. He is a member of the Society of Editors and the Chartered Institute of Journalists and is legal blogger for the Press Gazette. He is also a member of the CIOJs Professional Practices Board. Since 2003, his legal clients have included the Manchester Evening News, The Local Radio Company, GMG Radio, TNT magazine, the Government and Public Sector Journal, and the Veterinary Journal group. He has trained more than 2,000 people from all of the UKs main media groups GMG, Archant, Newsquest, Trinity Mirror, Tindle Newspapers, Northcliffe and Johnston Press. He was group editor and senior executive of nine UK regional paper titles in London and was appraised as being their best all-round editor for nearly 50 years. He holds the National Council for the Training of Journalists National Certificate, the Certificate of Education from La Sainte Union College for Higher Education, Guildhall School of Music and Drama Grade 8 qualifications in Speech and Drama and Public Speaking and is an NVQ assessor, and moderator.

The problem
Government legislation that gives the police and security services powers to monitor details of peoples emails, web history, phone calls and text messages means that journalists must learn how to work online anonymously and invisibly. When the Communications Capabilities Development Programme comes into force, communications companies will have to store the who, when and where of every electronic message you send. That includes direct messages on Facebook and Twitter. Security services may be granted live access to records belonging to people under surveillance. They will also be able to access databases held by Facebook, BT and mobile phone operators to run a trace on people. This will enable them to track peoples geographical movements, who they were in touch with, where and when. The measures are part of the government's anti-terrorism strategy that is going through Parliament at the moment. But photographers know only too well how the police have frequently used 'antiterrorism powers' to stop them doing their jobs. Journalists must learn new online habits, or risk compromising their sources and investigations. Most journalists dont even take basics steps to secure their online privacy. And many editorial servers dont allow them to theyre not wired that way. If your office web browser doesnt allow you to do anonymous searches, and automatically encrypt your emails, youve got a problem. And so have your sources. How will a confidential source feel about your companys webmaster reading his emails to you? The techniques in this eBook should be applied all the time, so they become normal practice. And media organisations may need alter the way their networking, email systems and internet browsers work to ensure editorial staff can work safely and fulfil their moral and legal duty to protect their sources. The media already faces greater scrutiny from the government and other authorities than any time in history. This is likely to intensity in the fall-out from the Leveson Inquiry and the phone hacking trials. We need to learn to protect ourselves fast.

The solutions
It is not difficult for journalists to work anonymously and safely online. These simple steps should become normal practice techniques you use all the time, both at work and at home. Private browsing All web browsers have a private browsing tool. But you usually have to switch it on. However you can install Toggle Private Browsing so the private browsing feature starts automatically. Encrypted browsing HTTPS everywhere and HTTPtoHTTPS add-ons automatically find and enforce HTTPS connections when they are available. This saves you from having to take the steps yourself. Anything you do on a protected website will then be hidden. Encrypt Facebook HTTPS Facebook 0.4 add-on forces Facebook to use an encrypted connection which keeps your activities private. Anonymous browsing The secure-browsing tool Tor keeps your location and private data concealed by sending it through a network of virtual tunnels so servers cant pinpoint your location. This means you can visit sites and communicate with other people without revealing who or where you are. Tor is available for Windows, Mac, OS X and Linux, and as an Android app called Orbot bit.ly/orbot298 Hotspot Shield and hidemyass offer similar services. Secure your home network, step-by-step 4

1.

Change default administrator passwords and usernames Most Wi-Fi networks have an access point or router linked to web pages that allow owners to enter their network address and account information. These web tools are protected with a login screen. But make sure you change the username and password, as the default ones are widely known to snoopers. More Info 2. Turn on (compatible) WPA / WEP encryption More Info 3. Change the default SSID Access points and routers all use a network name called the SSID and most of these are preset. Change the default SSID on your network to stop snoopers getting near your network. More Info 4. Enable MAC address filtering Each piece of Wi-Fi equipment possesses a unique identifier called the MAC address which is logged by routers. Make sure you set your own MAC address rather than use the default option. More Info 5. Disable SSID Broadcast The wireless access point or router on Wi-Fi networks regularly broadcast the network name and increase the likelihood someone will try to log into your home network. Set the SSID broadcast feature to be disabled by the network administrator. More Info 6. Do not auto-connect to open Wi-Fi networks

Your security can be put at risk if you connect to an open Wi-Fi network through a wireless hotspot. Most computers connect automatically without notifying you. So make sure you disable the automatic connect feature on your computer or smart phone. More Info 7. Assign static IP addresses to devices Most home networkers gravitate towards using dynamic IP addresses. So make sure you turn off DHCP on the router and set a fixed IP address range instead. Then configure each connected device to match. Use a private IP address range like 10.0.0.x to prevent computers from being directly reached from the internet. More Info 8. Enable firewalls on each computer and the router Modern network routers contain built-in firewall capability, but you can disable them. Ensure that your router's firewall is turned on. For extra protection, consider installing and running personal firewall software on each computer connected to the router. More Info 9. Position the router safely Your Wi-Fi signals can reach through neighbouring homes and into the street. So position your router in the centre of your home rather than near windows. More Info 10. Turn off the network if youre away Your wireless network will be 100% safe if you switch it off. Its best not to do this all the time, but certainly consider it if youre on holiday etc.

Scramble your social networking posts Anything you say on Facebook, Twitter and Google+ etc can be easily viewed by snoopers police are already using data to get information for court cases. Scrambls encodes, or scrambles, the text you post on social networks, so only other Scrambls users can read it. Everyone else will just see a random mix of characters, and you can even make your posts expire and disappear. To scramble only selected words, bracket them using @@ symbols, for example I am only scrambling @@ these words @@. The tool is useful if youre dealing with a contact through Facebook. To encrypt Facebook Chat, you can either use Pidgin or install Abines free tool To use it, just drag the bookmark to your browsers bookmarks bar and click it whenever you want to talk to someone privately. Encrypt your webmail messages Gmail, Hotmail and other webmail services use HTTPS by default, but that only encrypts emails at your end. If you send a message to someone who is using an unencrypted server, it could be intercepted and read. lockbin is a free and easy way to send encrypted messages over the web. Just enter your name and email address, along with those of the recipient, then choose a password and type your message. Tell the other person the password and they will be able to decrypt the email. There is a mobile version and an add-in for Microsoft Outlook. Stop social networks following you Facebook, Twitter and Google+ all track your browsing activity, even after youve left their site. You can prevent this by installing the browser add-on Disconnect, which is available for Firefox, Chrome and Safari.

It automatically disables tracking by the main social networks and block identifying cookies, without logging you out of those services altogether. There are also separate tools for Facebook, Twitter and Google https://disconnect.me/tools

Use a different browsers for social networking Its best to keep your social networking separate from other web activity. Or even better, use a social-networking browser in a sandboxing tool such as Sandboxie This will isolate your likes, Tweets and updates from the rest of your PC, and vice versa. Similarly, use separate Twitter and Facebook accounts for personal use and never mention anything work-related on your personal feeds. Even saying you are going to meet a certain contact can compromise privacy. Encrypt your online conversations IM conversations are encrypted but they are also recorded and could be unencrypted and passed on to snoopers. This can be prevented by using a universal instant messenger such as Pidgin or Miranda IM with an Off-the-Record plug-in. This will stop your IM provider from seeing, and storing, your chats. Use a temporary email address If you want to remain anonymous when dealing with a contact, you can use a temporary email address. They are available from: www.guerrillamail.com www.10minutemail.com Keeping your contacts safe It is essential to protect your sources especially those who speak to you off the record or anonymously. So :

Do not list key contacts in your contacts book. Either memorise their details, or store them somewhere else maybe on a password protected data stick, or in an online vault that is password secured and encrypts the data. If you must write them down, never list the names and phone numbers together invent fictitious names, put the numbers next to them, and keep a key somewhere else, in case you forget whos who.

Make sensitive telephone calls from landlines mobile phones are insecure. If you have to use a mobile, then use a pay-as-you-go phone. Buy it with cash or with an Amazon gift card, and do not register your details, either with the shop or the phone company.

If you cannot guarantee to protect a contacts safety and anonymity, drop the story, or get the information from someone else.

Tell your contacts not to pass on story ideas on a public social media pages eg, your Facebook wall, or Twitter. Make sure they send you a direct message. Teach whistle-blowers how to encrypt messages, using the techniques above.

Make sure you dont copy an email to someone else by mistake, or insert the wrong name in the name field using auto-insert.

Just being connected to someone on LinkedIn or a similar site acknowledges that you have a connection with them. Do they want their colleagues, employer etc to know that?

Beware tweeting that youre meeting someone if its a sensitive story especially if you have an app that automatically adds your GPS location to your Tweets.

Check before your privacy settings on any work-related social media site, in case you end up communicating information to your friends and friends of friends, by mistake. Restrict who is able to access your information.

Keep separate accounts for work and personal life and refuse to engage with contacts on your personal feed otherwise you could say things to them that could be seen by others.

Do not to criticise your contacts or sound off about work on your personal social media pages. Contacts may see it. Employers are not legally obliged to disregard an employees conduct simply because it occurs outside the work place.

In one case, a pub manager made offensive comments about a regular pub customer on her Facebook profile. Customers heard about it, complained, and the manager was dismissed. She claimed unfair dismissal at an employment tribunal, but lost her case, even though her comments could only be viewed by 40-50 close friends. Dont criticise anybody in an email. Assume it will be passed on. If it is, it could be anything from embarrassing to defamatory. Anything you write on a social media site could be used against you, in a court case.

Stop Skype from eavesdropping Investigative journalists face yet another obstacle after a policy change by Skype, the internet phone, video and message service. Many journalists favour Skype IM because it uses encrypted software that cannot be intercepted. But now the communications giant is able to store chats for up to 30 days, and has confirmed it will pass data on to law enforcement agencies when appropriate. The changes also give authorities access to addresses and credit card numbers. Skype says that changes were made solely to improve user experience and reliability. But it confirmed it would pass on messages to law enforcement agencies. Skype has been a safe haven for terrorists and criminals, and journalists are indirectly affected by the new rules. However, there are still legitimate ways of preserving your security on Skype: 1. The journalist and the contact should create new Skype accounts, taking care not to reveal any personal details in their profile. 2. When communicating, the journalist and the contact should use a proxy server - e.g. Hotspot Shield, Anonymouse etc. These enable you to use the web without leaving traces of personal information, particularly your computers IP address. Both sides can then chat safely, provided they dont reveal anything about their identities in their messages.

10

Useful websites Home Office pages about the new powers Privacy International Wired.co.uk

Copyright This eBook remains the copyright of CTJTS Ltd under Creative Commons License. This means it can be downloaded and redistributed freely for non-commercial use only, provided the following acknowledgement displayed with due prominence: By Cleland Thom, director, CTJT

Members of:

11