Your phone is a surveillance device, your ISP a surveillance provider…: Pranesh Prakash

The blog post was published by mxmindia.com on May 27, 2015. Pranesh Prakash gave his inputs.

“Even if you don’t care about your own security/privacy, think about you sources. Your sources want privacy,” Prakash said as he began the workshop on how to assess security threats, how to protect sources and how to prevent your ISP from leaking out information. With the growth of the internet since the 1980s, we know we can’t trust everyone; police stations, governments, all engage in surveillance of some sort, he pointed out. Prakash went on to explain the ‘Threat Model’, wherein journalists ought to ask questions like what are you protecting, who are you protecting yourself against, what do you hope to achieve and to what lengths are you willing to go? All of the measures you are going to take to protect your source are going to be inconvenient. Security is always at the cost of convenience he reiterated.

Data threat can be intercepted at two levels, Prakash explained; data in transit and data at rest. The important question to ask is which you wish to secure, because the means to secure both are very different.Emails being sent to someone can be intercepted by an outside source in transit. It is easier to secure you own data on your computer, but an email is so much more difficult to secure because there are multiple points where the information is stored. Targeted surveillance is much more difficult to protect yourself against than mass surveillance.

For WiFi, password protected networks form an encryption, one more barrier to protect you. However, a WEP encrypted network is easy to break through. You need at least a WPAII to be secure enough. Airport networks usually ask for a password after connecting to the WiFi. That too is easy to see through. Avoid using these networks for sensitive work.

One must keep in mind who they want to secure the data from; whether from a casual threat or an Intelligence Agency like the National Security Agency (NSA), National Technical Research Organisation (NTRO) or Intelligence Bureau (IB).Mass surveillance or non-targeted surveillance is not legal in India. However. the NTRO engages in mass surveillance, for which it was criticised in a Mint article, following which they shifted only to the national borders for surveillance. It is also possible for the NSA to tamper with your laptop before delivery.The NSA’s ANT catalogue has been working on a technology that has a device that can fit within the connector that connects to your keyboards and it can last there years and years without detection. Hence Prakash suggests that if a journalist is working on a sensitive story that if leaked could cause a ruckus, he/she would be safer buying a new computer and paying for it in hard cash.

The more important a source is, the less you must use your phone, Prakash pointed out. Phones leak information time and again, information of time and location. The NSA uses it, the police use it. If you are meeting with someone and you both have your phone, then information that you have met is transmitted. Even without GPS it can track your location, when you receive/send a call/message, as your mobile network needs to access the cell tower you are around in order to reach you.

Encrypted emails still leak identities. If the police look into an encrypted email, they will still know who you are communicating with. Background information you are doing on a story can also give away a lot you don’t want to be given away. Even with an encrypted email, they have access to your location, IP address, the sender and the receiver of the email, time stamp, Mac id and IMEI.

End-to-end encryption is the way out here.This means that no one in the middle, including the company can read the emails you send from your company server. End-to-end encryption is the most inconvenient. End-to-end encryption means that you and the party concerned need to come up with a code that the other party needs to be able to decrypt. The software both parties use also needs to be compatible.

“I recommend using WhatsApp over Viber and Line, Skype over other alternatives and Twitter is also safe, but never use Facebook for sensitive conversations that you don’t want to get out,” Prakash said. WhatsApp is safer than normal text messaging he points out. Prakash recommended an app called Conversations to use for messaging on your phone. It is safer than both normal SMSing and WhatsApp. An SMS leaks metadata, he explains, that’s why it is preferable to use data or apps that use the internet.

In the 2G network space, only Airtel and Docomo use at least a weak encryption.All the rest use no encryption. Anyone can snoop in on your conversations. Instead one must use data-enabled apps for calling like RedPhone, he suggested. This is a great way to protect your source.

Most people are known to repeat passwords for various accounts. Never repeat a password, Prakash advised. Maintain different passwords for all your accounts. It is the safest. And if you are unable to remember them all, then use password managementsoftware like LastPass or KeyPass. These enable you to key in and store all your passwords in one place and you only have to remember the password to your LastPass/KeyPass account. But if you forget your master password, then there is no way to recover all your other passwords.

The session concluded with Prakash working hands-on with the journalists, helping them to download the required software on their laptops and mobile phones. This knowledge is vital for all journalists in order to protect themselves and their sources when doing a high profile, sensitive story, Prakash said.