Brazilian site teaches journalists how to protect sources and personal data from digital attacks

Metadata? Encryption? Backdoor? Tor Browser? VPN? PGP? When it comes to digital security for journalists, the amount of technical terms and acronyms can be scary. But tools to ensure online privacy can be crucial to protecting sources, which is why the site Privacidade para Jornalistas (Privacy for Journalists) has been launched in Brazil.

On the site, a threat analysis helps you understand the best ways to combat surveillance, hacking, and the collection and retention of data from various adversaries, from governments to casual gossipers, to corporations and criminals. The initiative is based on Australia’s Privacy for Journalists, a project from the non-profit organization CryptoAustralia.

Since Brazilian journalist Raphael Hernandes launched his platform on March 6, 2017, he has been sought by colleagues in the newsroom who need tips on how to protect themselves in their investigations. Hernandes is data journalist at Folha de S. Paulo, where he offered a small workshop on the subject. According to him, the issue of privacy has aroused interest among colleagues.

"You can see that whoever accesses [the site] is interested. They spend a lot of time on pages and sees multiple pages per visit (average of 6), which shows interest in content. There are a lot of things we do not look at everyday, at how exposed we are," Hernandes told the Knight Center.

The site that served as inspiration for Hernandes came from the personal initiative of information security specialist Gabor Szathmari, president of CryptoAustralia. He worked with the Walkley Foundation at CryptoParty Sydney, an event to teach digital safety rules to journalists.

“I thought if I had to develop the training materials for the workshop, why I should not publish them for the benefit of the whole journalist community in Australia and beyond? I have looked around, and although I found heaps of valuable materials online, I did not find any privacy and security tutorials that were addressing the specifics in Australia,” Szathmari told the Knight Center.

Raphael Hernandes explained to the Knight Center that it is important to understand what protection to use in each case.

“The secrecy of our sources is one of the most important things we have. If it’s a person we talk to every day, there’s no need to hide him or her, but maybe the source is sending something sensitive and it’s important to encrypt. We should not live in paranoia, but think about our sources and what they need. It’s treating a cold with cold medicine, not with a cannonball,” he said.

According to Hernandes, the discussion is especially relevant in Brazil. In the country’s Civil Framework for the Internet, providers are supposed to collect and retain navigation data for one year. A court order is required to access these metadata, but a bill in the Chamber of Deputies wants to remove this requirement.

For Hernandes, this scenario leaves a situation where journalists and individuals should leave as few traces as possible – which he assures is not a difficult task.

“In fact, there are things that are more advanced, such as setting up GlobaLeaks (a secure file and message exchange tool). But we’re here to help. And apart from that, most are tools we can use at home anytime. It may seem difficult at first, but more so because it has words that we do not use every day, such as back door (software that allows remote access to the computer),” he said.

According to Szathmari, the most basic security measures include replacing messaging programs like Messenger and Skype for encrypted platforms, like Signal and Wire. In more sensitive cases, other measures are necessary. “Finally, leave your smartphone home if you are meeting with the source, as it is a spying machine. I suggest avoiding a computer altogether and dusting off that good old reporter’s notebook for very sensitive notes,” he said.

Concerns about digital security are not unique to Brazil or Australia. Several journalism organizations around the world, such as the Committee to Protect Journalists (CPJ), have sections dedicated to the topic. Other organizations dedicated to digital security, such as the Electronic Frontier Foundation, offer specific tips and guides for journalists and their sources.

Here are some basic protection tools, according to Raphael Hernandes:

Encryption of HD and flash drives - Encryption places a password on hard drives and USB devices, which protect sources and personal files in case the equipment is lost or stolen.

Two-Step Authentication - Used for online banking access, it can be configured in your email and social networks. Login is done with something you know (your password) and something you have (a code sent to your smartphone, for example). This avoids problems even if you have compromised passwords.

Signal - Application available for encrypted message smartphones. If the cell phone is intercepted, no one can understand what was written there.

Sync.com - Free cloud storage system. It uses the zero-knowledge protocol, meaning it stores information but does not know what is being stored. As a rule, the websites we use commonly scan the files and pass reports to the authorities. Sync is encrypted and more secure, very simple to use.

PGP - Pretty Good Privacy acronym. It's a way to encrypt emails. Like a kind of chest, but with two keys: one to lock and the other to unlock. You give the key that locks the chest so people can send you files and messages. But only you have the keys to unlock the content.

Note from the editor: This story was originally published by the Knight Center’s blog Journalism in the Americas, the predecessor of LatAm Journalism Review.