Resource available in Chinese here.
Welcome! By reading this guide are you taking an important first step in keeping yourself, your colleagues, and your sources safe. Just as a journalist can take steps to protect themselves from physical harm while doing their job, they can protect themselves from digital harm. A helmet is a good idea if you plan to ride a motorbike, and a secure chat app is a good idea if you plan to do reporting.
Journalists work publicly, but that does not mean that everything they do should be public. Think about all the private information in your life: your personal notes, your financial and health information, and all of your private conversations that should not be shared with other people. Maybe such conversations should not be shared with your boss, your colleagues, your family, other friends, specific companies, or certain authorities. Or perhaps you feel that it is not possible to keep messages or information private, so you do not even try to do certain types of stories.
Security is about being safer when you do the things you already do, and it is also about being able to do things that would otherwise be impossible.
The first rule of security is: if a piece of information could harm you, don’t tell anyone! Resist the urge to share an exciting secret. Don’t even give hints. If you don’t follow that basic advice, nothing in this guide can help you. But your digital devices may also be revealing important information about you, your colleagues, and your sources.
China is a difficult digital security environment for a several reasons. Chinese cybercrime is common, and computer criminals may try steal your information or money. But journalists are specific targets because it is their job to tell the truth. A business owner might try to embarrass or intimidate you to prevent the publication of a story that makes them look bad. Corrupt police or government officials may try to prevent you from reporting a story, by tracking your movements or the information you access.
China is one of the most closely monitored countries in the world. Chinese citizens, including journalists, may have their communications and location monitored. Chinese telecommunication companies are controlled by the state, but your data is also stored by internet companies who may be required to give it to authorities. China lacks the legal safeguards of many other countries which require a court order before police can examine your personal data. Therefore, you must assume that everything you type into a computer, send over the internet, or transmit with your phone is available to government agents.
There is no perfect security, but just like wearing a helmet on your motorbike reduces your chance of serious injury, there are things you can do that make you much safer. There are safer “recipes” for how to communicate with colleagues, keep a source anonymous, store confidential information, protect your location, use the web anonymously, cross borders, and so on.
How to communicate securely
Summary: WeChat, QQ, Weibo, SMS, Skype, etc. are definitely not safe! They are monitored even in “private” conversations and journalists have been sent to jail because of the information revealed by these systems. Instead, use a secure messaging app every day and you will never have to worry about it.· Use the Signal app to communicate. It is available on Android, iPhone, and on your computer.
· Or use iMessage to communicate between iPhones.
· If these don’t work, use a VPN to access any foreign service such as Facebook, WhatsApp, or Twitter messages.When you send a message, who could read it? Your message may pass through many computers along its way to the receiver, including computers owned by your employer and the company who produces the app you are using. All Chinese companies and apps, including those based in Hong Kong and Macau, are also required to turn over information to Chinese authorities
It’s not just Skype. All Chinese messaging systems are monitored, including WeChat, QQ, Weibo, etc. Foreign apps such as WhatsApp, Viber, etc. might be better, but you don’t know if they have also made a deal with the Chinese government. Ordinary SMS messages – the kind you can send from any phone with no special app – are even more insecure. They are very easy for criminals or authorities to monitor. But it is possible to have private conversations with your colleagues or sources, using apps that encrypt your message before it leaves your phone or computer. This is called “end to end encryption,” and it makes it impossible for anyone else to read your messages. Even the company that makes the app cannot read your messages, nor can any government. This also means your messages cannot be censored no matter what words they include.
The best secure app is called Signal, which is available for Android from the Google Play store, and for iPhone from the App Store. There is also a desktop version you can run on your Windows or Mac computer.
Signal is very easy to install and use and is highly recommended for secure communication. Be sure to delete old messages once a month, or your phone may one day be used as evidence against you.
You can also send end-to-end encrypted messages with the built-in iMessages app on iPhones, if all of your colleagues also have iPhones. Make sure you turn “iMesssage” on and “Send as SMS” off in the Messages settings, otherwise you will accidentally send an ordinary unencrypted text message if you do no have a data connection.
A correctly encrypted iMessage will appear with blue text in the messages app, while other types of messages will be green. iMessages cannot be read by Apple or the Chinese government. You can also send files through iMessage, and access your messages on a Mac computer if you have one. Both iMessage and Signal are very easy to use, and support features like sending files and group chat. They key to making them work for you is consistency. Everyone who is working together must use them 100% of the time. Sometimes using Signal and sometimes using WeChat is very dangerous, like sometimes driving drunk. You can usually tell what a conversation is about even if you only see half of it.
You may also have heard of an app called Telegram. This is a better choice than WeChat or email, but the security is not as good as Signal or iMessage. Make sure to use the secret chat function or you will not get end-to-end encryption. It is also useful to set messages to self-destruct.Facebook, WhatsApp, and Twitter messages are also difficult for the Chinese government to intercept, though these will require a VPN for both the sender and receiver. These systems are not end-to-end encrypted, which means these companies will be able to read your messages. However, these companies have so far not cooperated with Chinese requests for user information.
Summary: Email is very dangerous to use, unless both the sender and receiver use a secure email system like Gmail, ProtonMail, or Hushmail.
Email is difficult to use securely. It is closely monitored and not encrypted. You should think of an email like a postcard, with no envelope, that can be read by anyone along the way. The best plan is not to use it at all for any sensitive communication, even internal communication between journalists. If you begin a conversation on email that becomes more sensitive, you should ask your colleague to switch to a secure app, then delete the emails you have sent before. Put them in the trash of you email program, and empty the trash.
Email can be secure if both the sender and receiver use a secure email system such as ProtonMail.com. ProtonMail is easy to use, free, and works on Android and iPhone as well as within your web browser. Hushmail.com is another good secure alternative.
Or, do not use email at all. If you need to write messages on your computer instead of your phone, use the Signal desktop app that you can find in the Google Chrome browser store. You may need to use a VPN to download Chrome from Google.
Summary: Ordinary voice phone calls are very easy to monitor. Never use them.
- Call through a secure messaging app instead.
- Make phone calls through the Signal app.
- Or, use Apple Facetime or Google Hangouts.
- Do not use Skype, WeChat or QQ.
Ordinary voice phone calls are very easy to monitor. Even if no one listens to your conversation, there will be a phone company record of who you called and how long you talked. Instead you need to use an app for voice calls, but not just any app. Again, WeChat, QQ, and Skype are monitored.
Instead, you must use a secure communication app just like you do for test messages. Signal works for voice calls, or you can use Apple Facetime or Google Hangouts (may require VPN) instead of Skype.
Communicating with sources
Summary: sources may be even more vulnerable than journalists. Help keep them safe!
- Do not talk to them using WeChat, QQ, Skype, etc.
- Help them install secure messaging apps as soon as possible.
- Do not give them a way to contact you that is not secure.
When you meet a source, you should tell them what app to use to communicate with you securely. Do not use regular phone calls, email, SMS text messages, WeChat, QQ, or Skype. All are easily intercepted by the Chinese government or corrupt officials. Do not use them to communicate with sources who may get in trouble if they talk to a journalist! Although WeChat is convenient, the safety of your sources is much more important than convenience.
The same techniques for communicating securely with colleagues also work for communicating with sources. You can use the Signal app or iMessage, or ProtonMail or Gmail on both ends (not just one end.)
Try to have the first meeting with a new source in person. It is much easier to set up secure communication in person, because you can help someone set up and test the apps. Also, this gives you a chance to verify that the person is really who they say they are. It is wise to practice setting up secure communication with sources who are in no danger, so that you will get it perfect with sensitive sources later. Also, any source may one day start providing you with sensitive information, and if you always use secure communication it won't make any source look more suspicious than others.
You probably must use your phone or other electronic communication method to set up the first meeting. Say as little as you can about why you are meeting them or what you will talk about. Save everything interesting for the face to face conversation, and the secure messaging app.
Note that if you use any non-secure method of communication to set up the meeting, it will be difficult to hide the identity of your source from authorities. You must take additional steps if you wish to keep your source anonymous (see below.)
Summary: keeping someone's name secret is not the same as keeping what you said secret. It is much harder. When working with an anonymous source,
- Do not ever send them a message over email, SMS, WeChat, QQ, Skype, etc.
- Meet them for the first time in person and without your phone.
- Protect your notes and address book.
Privacy is not the same thing as anonymity. Privacy means no one can read what you send to your source, but anonymity means no one can find out who your source is. Anonymity is difficult, because there are many ways your source could be identified through data - or in other ways that have nothing to do with data.
If you trade just one insecure message with your source by WeChat, email, text message, etc. it will be very easy for authorities to find your source later. They don't have to break into your computer or look at your phone, they can just examine the records of transmitted messages that are kept by Tencent and the phone company.
Your mobile phone company also stores a continuous record of your phone's location, down to a few meters accuracy, even if your GPS is turned off. Because there is also a record of the location of your source's phone, anyone who can access phone company records can determine who you met and when you met them. (see "protecting your location" below.)
Also, if someone can look at your address book, or the address book of your source, they will see that you have communicated.
Therefore, if you wish to keep a source anonymous you must ensure that the very first message between you is secure, that you never bring your phone to meet them, and that no one is able to view the contents of your phone or their phone.
You must communicate for the first time face to face, without your phone. You can also have someone else go in person to set up the meeting for you. This person should not be a journalist or family member, and it's best if they also know the source.
When you meet them, get them to use either Signal or iMessage to communicate with your further. The easiest way to make sure that a source never talks to you using an insecure app is just to make it impossible. Do not ever give the source your WeChat or QQ username or add them as a friend on these apps. The secure channel should be the only way the source knows how to reach you. Ask your source to send you one message before you leave, to make sure they know how to do it and everything is set up correctly.
Both you and your source should erase your messages frequently, in case you are forced to hand over your phone. Definitely delete your chat history after any important conversation. Get into the habit of deleting all your messages monthly.
If your source gives you files to publish, such as documents or pictures, be aware that they may contain identifying information which is called metadata. Microsoft Word stores your name in any document you edit on your computer, and most phones store GPS coordinates in every photograph.
The simplest and most reliable way to remove metadata is to load the photo or document on your own computer, then take a screen shot. This creates a new file with your metadata, not the source's. There are special metadata remover programs if the screen shot method is not suitable, such as Metability Quickfix for photos and DocScrubber for Microsoft Word documents.
Of course, none of these digital techniques will help if your source tells someone they are talking to a reporter, or you tell someone you are talking to this source.
How to use your computer securely
Protect yourself from phishingSummary: Phishing emails are the most common way that computer criminals and governments can get into a journalist’s files.
- Beware of suspicious emails that ask you to click on a link, enter your password, run a program, or view a document.
- Look for bad grammar or strange language that seems out of place.
- Do not open any file you were not expecting to receive.
This is an example of a phishing message sent to journalists in Taiwan (more information here). How many suspicious things can you see in this message?
Phishing works by deception, not by any special technical method. It is a request from a dishonest person. Because of this, there is no software that can protect you 100% from phishing. But you can learn to spot fake emails. You should be suspicious if you see:
- Requests to enter your password or other private information.
- Bad writing or grammar. The email may look like it was translated by a computer, or may use strange words that don’t fit.
- Attachments from people you don’t know, or even from people you do know when you were not expecting any files.
- Short messages that do not contain any information but ask you to click on a link or open a file. For example, “important, please read” or “check out this photo of you!”
- An unusual or unofficial email address. For example the sender might claim to work in a bank, but the email was sent from a hotmail.com address.
- Links that do not go where they say they go. To see where a link goes before clicking on it, point to it with your mouse or hold your finger on it.
You may even receive phishing messages the appear to come from a trusted friend or colleague. An attacker may have compromised their account first and used it to send a fake message to you. Although unknown senders are more suspicious, if you receive a strange message from someone you know you should contact them with a different method (like using a different email address or a different app) and ask them “did you really send this?”
Summary: Passwords are the main digital security protection for most people. But many people use them badly. Here is how to use passwords properly:
- Turn passwords on! It should not possible to use your phone or your laptop without a passcode or password.
- Use 2-step logins whenever possible.
- Use strong passwords, and not the same password everywhere.
Recently, many apps and sites have enabled a much more secure 2-step login feature. This requires both a password and a code that is generated on your phone or sent to you by text message. That way, no one else can login even if they do figure out your password. Most major email, cloud storage, and social networking sites have an option for 2-step logins, including Gmail, Hotmail, iCloud and Facebook.
Turn on 2-step logins today for all your accounts. It’s simple, and it’s very convenient since you don’t need to log into an app very often. This provides enormously improved security for very little effort. Turn on 2-step login right now!
It is also important to use good passwords. An amazing number of people use passwords like “123456” or “password” or “mima.” Obviously this is insecure, but a good password is not even in the dictionary. Computer programs can guess thousands of passwords per second, so any word that is in the dictionary is not a good password. This is why many apps require numbers or special symbols in their passwords.
Be careful of using the same password for different apps, devices, and websites. Companies are hacked every day and these sorts of leaks frequently reveal customer passwords. If you use the same password everywhere, sooner or later someone else will have access to all of your data.
Do not share passwords, or give your password to someone else. No competent computer administrator will ever ask you for your password. If you receive a request for your password, it is probably a phishing scam.
Disable the “remember me” or “remember password” option when logging into any computer or phone other than your own.
Be especially careful with your email password. Someone who has access to your email has access to every other website and app, because they can use your email to reset your other passwords.
You should reset your email password every year, or if you suspect that someone might have gotten into your account.
Summary: Malware (流氓软件) is harmful software that runs without your permission, including viruses and spying software (间谍软件). Avoiding it is mostly a matter of good habits.
- Don’t run any program that someone emails to you as an attachment.
- Keep your operating system and apps up to date, and don’t use pirated software.
- Use an anti-virus program.
- If the authorities take your device away and give it back, consider it contaminated.
Spyware on your phone or computer can copy your files, reveal your location, or even listen to you through your phone’s microphone or watch you through your laptop’s camera.
Malware can be installed by anyone who is able to download a program or app onto your computer. Or, someone may try to send you malware in a phishing message, or try to trick you into downloading something that seems safe but is really malware.
It is possible that the Jinan police installed spyware on this journalist’s computer during the time it was not in his possession. Any phone or computer that has been in the possession of the authorities could be contaminated with malware, and should be erased as soon as possible (see the recipe below.)
Message attachments are the main way that malware spreads. Never run a program that someone sends to you as an attachment to a message! Program files end with .exe and you should never run a program file that someone emails to you, or asks you to download. PDF files, Microsoft Word .doc files, or any other kind can also contain malware that can infect your computer if you open them, especially with old versions of Acrobat or Word.
Use the most recent version of your operating system and apps and keep them up to date. Turn on automatic updates if possible. New security problems are constantly being discovered and fixed, so old versions of software are very insecure because they contain many widely known vulnerabilities. To update your Android phone, go to Settings -> About Phone -> Software Update. To update your iPhone, go to Settings -> General -> Software Update. Try it now!
Similarly, do not use pirated software if it is at all possible. Fake versions of software are not only old, they are very often infected with malware. Even with legitimately free software, do not download from an unusual server. Always use the app store or other official source, even if it is slower.
It helps to use antivirus software such as AVG or 360 Security for Windows and Lookout for Android. However, antivirus software cannot protect from every type of malware. It is not a perfect solution.
It can be difficult to tell if your phone or computer is infected. The only way to be sure is to take it to a computer security expert, and even then sophisticated malware may be difficult to detect. However, there is one simple way to remove all malware: you can erase your device, after backing up only your most important document files.
Surfing the web anonymously
Summary: using a web browser leaves a record both on your computer and with the telecommunications companies.
- To avoid authorities tracking what you do online, use a VPN.
- You can use private browsing to prevent your browser from remembering where you’ve been.
- To prevent leaving any evidence on your computer when visiting web sites, use the Tor browser.
There are several ways that someone could see what web sites you have visited or what documents you have read online, and possibly even what you have written or sent.
First, your browser stores a list of every site you have visited. You can clear this history manually, and you can also use InPrivate browsing (Internet Explorer), Private browsing (Safari), or Incognito mode (Chrome) to prevent your browser form remembering where you have been.
But this does not prevent the telecommunications company from keeping track of what you did on the web, because they must route your communications to whichever server you visit. The best answer is to use a VPN, which routes all your data to a computer outside of China first before sending it over the broader internet.
There are many VPN apps, including Astrill, Psiphon, Betternet, flyvpn, Freedome, VyprVPN, strongvpn.com, PureVPN, Ironsocket, and more. Usually not all of them work all the time, and you will sometimes have to switch between VPNs. This is annoying, but it is a small price to pay for very good protection against government surveillance. Not only do VPNs enable browsing that is invisible to Chinese authorities, but they provide access to many secure services outside of China such as Gmail.
Your web browser may also store temporary copies of the files you view on your computer. Sometimes it is very important to leave no trace of your activity on a computer, for example if you are working on someone else’s computer, or you are worried that your computer may be taken from you. You can use the Tor Browser which is guaranteed to leave no temporary files, and has a built-in VPN too. The Tor Browser can be downloaded from https://www.torproject.org/projects/torbrowser.html.en. This site is often blocked in mainland China. If it is, you can get a working download link by emailing gettor(at)torproject(dot)org. Write “windows” or “osx” or “linux” in the message depending on which type of computer you have.
How to report securely
Summary: Do not use Chinese file sharing services. Use iCloud or Google Drive, or send files using Signal or ProtonMail or Gmail.
Chinese file sharing services like Baidu Pan are monitored. The best solution is to use iCloud or Google Drive (may require a VPN) to share files. Or, you can send files between two phones using Signal or iMessage. You can also email files securely between two Gmail or ProtonMail accounts.
Do not email sensitive files. Email is a very insecure communication method. You should consider anything emailed to be in the hands if the authorities, unless both ends of the conversation use ProtonMail or Gmail.
Storing confidential information
Summary: To store confidential files,
- Keep track of how many copies you have and where they are.
- Turn on passcodes and encrypt your phone and computer so no one else can use them if they are stolen.
- Consider using external storage such as USB drives, memory cards, etc.
Journalists must often keep data safe. This includes information like your address book, and also documents, photos, and other files.
First, be sure that your phone has a passcode and your computer has a password. It is truly incredible how many people do not take this basic precaution! It should not be possible for anyone to learn anything from a stolen or lost device. Also, your phone and computer should both be set to lock automatically after a few minutes.
After that, the most basic rule of storing data securely is this: know how many copies there are and where each copy is stored. Emails you have sent might be both on your computer and in the cloud somewhere. You should also have at least one backup copy of important files, and you must protect the security of the backups too.
Stored data must be protected both digitally and physically. Digital protection means the data must be encrypted, so that it cannot be accessed without your password. Physical protection means that storage hardware must be protected from theft or tampering. Storage hardware includes your phone, your computer, USB sticks, memory cards, external drives, etc.
iPhones and Android phones running Android 6 Marshmallow and above automatically encrypt all data. To turn on encryption for older Android versions, go to Settings -> More -> Security -> Encrypt Device.
Computers do not have disk encryption enabled by default, so you may need to turn it on. Windows computers have a built in disk encryption system called BitLocker, and Mac computers use FileVault. If you do not turn on disk encryption, then your password will not protect your data. Anyone can remove the drive from your computer with a screwdriver, and read your files on another computer.
It is also possible to encrypt a USB drive or memory card. On Windows, use BitLocker To Go.
Protecting your location
Summary: authorities can track your movements through your phone.
- If this is a problem, leave your phone at home.
- Putting a new SIM card in your phone will not help.
- If you need to make calls without your phone, use a chat app on your computer.
- Be careful of social media apps that post your location.
You may need to hide your location to protect your ability to move freely, to prevent authorities from talking to your sources before you meet them, or to protect the identity of the people you meet.
The biggest threat to location privacy is your phone. Do you know which apps are recording your location and possibly sending it to servers elsewhere? You can see this in the settings on your phone. On Android, go to Settings -> More -> Permission. On iPhone, go to Settings -> Privacy -> Location. But even if you turn your GPS off using these settings your phone company still records the position of your phone in their records, accurate to a few dozen meters, because they know which radio tower your phone is communicating with. These records can be accessed by the authorities. If you need to hide your location, your only good option is to leave your phone at home.It may also be useful to borrow a different phone, one that is registered to someone else. However, do not put your SIM card into someone else’s phone – the phone company will still know it is you. Putting someone else’s SIM card into your phone won’t work either, because your phone has an independent hardware identification number.
Summary: prepare to be searched at borders, or have your equipment taken away.
- Turn on passwords and encryption.
- Back up your data somewhere else in case your equipment is taken.
- Consider traveling with “clean” devices that have nothing interesting on them.
- You can send files home using online file sharing, or copy data to USB drives and memory sticks.
Journalists are frequently stopped and searched at borders and checkpoints, so it useful to prepare.
Authorities could take your phone or computer away and install malware on it, as happened in the case study above. Any device that has been out of your sight even for a short while must be considered compromised and should be erased (see below.)
Or someone could look for sensitive information on your computer. Even if your phone and computer are locked they might force you reveal the passwords or use forensic analysis techniques to extract information. If this is a possibility you should consider traveling with “clean” phones and computers that have nothing on them except what you absolutely need to do your work.
The risk of crossing borders means you need to plan how to get data home. You may have to bring back small files like notes or large files like video footage. Consider storing this data on removable media devices instead of your laptop or phone. USB drives and memory cards are small and easy to hide or give to someone else to transport. They should be encrypted using BitLocker to Go so that they cannot be accessed if discovered.
You can also send files home before you cross a border. See the section on sharing files, above.
The border authorities might also just take your equipment away forever, which is another reason to keep copies elsewhere.
Erasing a computer of phone
Summary: Erasing a device is the most certain way to get rid of malware. You may also wish to travel with a “clean” computer or phone, or rapidly delete sensitive information.
- On your phone, use factory reset.
- On your computer, reinstall the operating system.
- If you need to get rid of malware, back up your document files before erasing (but do not back up application or program files!)
There are several situations where you may need to erase a device completely and irreversibly.
If you suspect that your device has malware on it – for example if it was taken away from you and then returned – the easiest way to be sure to get rid of the malware is to erase everything. If there are files you need to keep, copy just those files to a backup location first. Do not save program or application files! These may be infected with malware.
If you are traveling somewhere dangerous, or you suspect you will encounter trouble, you may wish to carry only “clean” phones and computers. Erase the device then transfer only the minimum amount of data you need to get your work done. For example, do not put your entire address book on a clean phone. That way if your phone is taken away your contact list is still safe.
You may also need to erase a device if you are worried that it might be searched or confiscated. You definitely need to erase it before throwing it out or giving it to someone else.
To erase all data quickly and permanently, first your phone or computer must be encrypted (see the section on storing confidential data, above.) To reset an Android phone, go to Settings -> Personal -> Backup & Reset -> Factory Data Reset -> Reset Phone. On iPhone, go to Settings -> General -> Reset -> Erase All Content and Settings. To erase a Windows or Mac computer, reinstall the operating system and tell the computer to erase everything that is already on the computer.
This will also work if your phone or computer is not encrypted, but then it may be possible to recover some data using forensic tools.