Early in Alan Pearce‘s book on web security, Deep Web for Journalists, a series of statistics appears that tell a striking story about the spread of surveillance in just one country.

199 is the first: the number of data mining programs in the US in 2004 when 16 Federal agencies were “on the look-out for suspicious activity”.

Just six years later there were 1,200 government agencies working on domestic intelligence programs, and 1,900 private companies working on domestic intelligence programs in the same year.

As a result of this spread there are, notes Pearce, 4.8m people with security clearance “that allows them to access all kinds of personal information”. 1.4m have Top Secret clearance.

But the most sobering figure comes at the end: 1,600 – the number of names added to the FBI’s terrorism watchlist each day.

Predictive policing

This is the world of predictive policing that a modern journalist must operate in: where browsing protesters’ websites, making particular searches, or mentioning certain keywords in your emails or tweets can put you on a watchlist, or even a no-fly list. An environment where it is increasingly difficult to protect your sources – or indeed for sources to trust you.

Alan Pearce’s book attempts to map this world – and outline the myriad techniques to avoid compromising your sources.

Chief among these is browsing privately (using Firefox’s privacy mode along with plugins that block cookies and trackers) and anonymously using services such as Tor.

Tor’s ‘deep web’ also doubles as a way of accessing sites blocked by governments during demonstrations or riots, or as a way of taking a smartphone “off-radar”, and communicating securely:

“There are many journalists who use Deep Web tools like the German Privacy Foundation’s PrivacyBox to communicate securely with whistleblowers and dissidents. Aid agencies use similar techniques to keep their staff safe inside of authoritarian regimes.”

Of course we now know that it’s not just ‘authoritarian regimes’ where communications are monitored and encryption compromised.

Other techniques include:

• Creating strong, long passwords (try using acronyms based on phrases that are memorable to you but hard to hack, and including unusual characters like the £ sign)
• Not showing images or opening attachments in emails (which can be used to install trackers, key-loggers or a beacon on your device). “If you must open a suspicious attachment, disconnect from the Internet first and run it through an anti-virus ‘sandbox'”. Even files found online should be treated with caution – use the View as HTML option where possible.
• Use LongURL.org to check suspicious links in tweets and emails around major news stories
• Force HTTPS to secure communication (this Firefox plugin does it for you)
• Encrypt USB sticks and hard drives.
• If you are deleting data, wipe it properly using a cleaning tool.
• Upload large files such as sensitive documentary footage in split parts to different servers/hosts.
• Viruses are “commonly hidden inside smartphone security software. Only install programs from the industry leaders like Avast, Trend Micro and Kaspersky etc.”
• Watch out for unsecure wifi networks (always use 3G if possible): Lookout protects iOS and Android phones from these and “malicious apps, fraudulent links etc”. Turn off geotagging and GPS.
• Strip EXIF data from photos and other media where it might compromise sources

Instructions are given for each technique, as well as tips on checking your system and securing other devices such as wifi routers, and anticipating work being confiscated (many authorities can remove computers and smartphones. In the UK and Australia refusing to hand over a password can mean a prison term “comparable to that of carrying an illegal firearm”).

There are even instructions on how to bypass admin restrictions on a work PC if you need to run Tor from a USB stick.

Not just online

This is not just an ‘internet thing‘. Pearce notes that the Community Comprehensive National Cybersecurity Initiative Data Center in Utah will capture

“all communication globally, including the complete contents of private emails, cell phone calls … personal data trails from parking receipts, bank transfers, travel itineraries and bookstore purchases.”

(James Bridle‘s longform article Ring of Steel also notes how automated numberplate recognition (ANPR) is used for surveillance and profiling by both the police and the private sector).

Less defensively, Pearce lists tools that can be used to secretly record mobile audio or video, scramble calls, and even how to set up a phone as a CCTV camera that can be controlled by an editor.

He also notes that many of these techniques also provide access to a ‘dark web’ that provides potential leads, contacts and documents not found elsewhere.

Tor, Pearce notes, “has its own websites, chat rooms, forums, blogs, file hosts, social networks and other features of the Surface Web.”

Following on from that, Pearce also adds a whole section of tips on advanced search which is useful for any journalist regardless of their security concerns.

But for any journalist who expects to have to make searches which may trigger a suspicious algorithm, to communicate with campaigners who may be under surveillance themselves, or just wants to be able to protect a source – however innocuous their information may appear – this is an essential read.

For more on surveillance and security:

• Bruce Schneier’s article on How to remain secure against NSA surveillance,
• This Machine Kills Secrets deals with the history of leaks but includes many details about surveillance and security. I reviewed and summarised some key points here.
• Secret Manoeuvres in the Dark looks at how private companies and police have used infiltration, surveillance, and fake online personas to develop counterstrategies against campaigners which have implications for journalists. I reviewed it here.