Providing Secure Anonymity for Journalists & Their Sources
Encrypted communications are not nearly enough to keep journalists and their sources secure or safe, says invisible.im. That’s why a group of infosec experts have banded together to create a simple-to-use, anonymous Internet messenger and file-transfer client designed for whistleblowers and others who need a way to expose information to the public while keeping their identities unknown.
invisible.im hopes to provide that secure channel of communication. As they state on their website, encrypted communications aren’t enough because metadata alone can not only incriminate sources and journalists but also lead to more serious consequences, including firing, arrest, torture, kidnapping and murder. In other words, the content of a message isn’t always as important as the anonymity of its senders and receivers.
And, as has been seen in the past, it’s easy for governments and law enforcement agencies to request and get records containing metadata for any number of individuals from Internet Service Providers (ISPs), telecommunication service providers and other companies that regularly log the information of their customers.
But allowing the lack of anonymity to deter would-be whistleblowers would be a disservice to an unknowing public. While invisible.im strives to leave as little of a metadata trail as possible, it still can’t promise an entirely anonymous messaging service, as DriftedMass.co.uk reports.
invisible.im also references similar existing tools in their FAQ, such as Tor, which has launched an instant messaging project to make chats safer, but still doesn’t address the key issue of leaving behind a potentially incriminating metadata trail, in addition to requiring users to sign up for a registered IM account with Google, MSN, Yahoo, AOL, etc.
While it could be used for a variety of purposes, invisible.im states the main intent of the system is to protect journalists and the anonymity of their sources. How would it work? According to invisible.im:
A journalist … using this technology will generate a cryptographically verifiable identity that is used, in turn, to verify their Tor hidden service, as well as their OTR and PGP keys. If someone wishes to contact them, they simply download the software, choose to connect in "anonymous mode," which generates single-use, ephemeral OTR keys, and then enter the hidden service address of the person they wish to communicate with.
OTR encryption involves a combination of the AES symmetric-key algorithm, the Diffie–Hellman key exchange, and the SHA-1 hash function, as the XMPP Wiki page reports.
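To make the quoted flow concrete, here is an added example (not invisible.im’s or the OTR project’s code) of the part that gives the "anonymous mode" its single-use keys: each side generates an ephemeral Diffie–Hellman key pair in the 1536-bit MODP group that OTR uses, the public halves are exchanged, and the resulting shared secret is run through SHA-1 to produce the AES-128 and MAC keys for the session. The key-derivation layout (sender byte 0x01/0x02, MAC key = SHA-1 of the AES key) mirrors the OTR v3 data-key derivation as the author of this example understands it, so check the spec before relying on it; the code uses only the Python standard library, so the AES-CTR encryption that would consume the derived keys is not performed here.

```python
"""Ephemeral Diffie-Hellman key agreement with SHA-1 key derivation, in the
style of OTR's data-message keys.  Added example; not invisible.im's or the
OTR project's code.  Standard library only: AES encryption with the derived
keys is left to a real implementation."""
import hashlib
import hmac
import secrets

# 1536-bit MODP group from RFC 3526 (group 5), the group OTR uses, with g = 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def mpi(n):
    """OTR's MPI encoding: 4-byte big-endian length, then the minimal big-endian magnitude."""
    body = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return len(body).to_bytes(4, "big") + body


def check_public_value(y):
    """Reject out-of-range values (OTR requires 2 <= y <= p-2) so a peer cannot
    steer the shared secret into a trivial subgroup."""
    if not 2 <= y <= P - 2:
        raise ValueError("illegal Diffie-Hellman public value")


def generate_ephemeral():
    """Fresh 320-bit exponent for this session only (OTR's minimum exponent size).
    It is never written anywhere, which is what gives the chat forward secrecy."""
    x = secrets.randbits(320) | (1 << 319)
    return x, pow(G, x, P)


def derive_keys(own_pub, peer_pub, shared_secret):
    """Sending/receiving AES-128 keys and MAC keys.  The party with the larger
    public value is 'high' and derives its sending key with byte 0x01, the other
    with 0x02; each MAC key is the SHA-1 of the matching AES key.  Modelled on
    OTR v3's data-key derivation as understood by this example's author."""
    check_public_value(peer_pub)
    sendbyte, recvbyte = (b"\x01", b"\x02") if own_pub > peer_pub else (b"\x02", b"\x01")
    secbytes = mpi(shared_secret)
    send_aes = hashlib.sha1(sendbyte + secbytes).digest()[:16]
    recv_aes = hashlib.sha1(recvbyte + secbytes).digest()[:16]
    return {
        "send_aes": send_aes,
        "send_mac": hashlib.sha1(send_aes).digest(),
        "recv_aes": recv_aes,
        "recv_mac": hashlib.sha1(recv_aes).digest(),
    }


def run_session():
    """Two parties each make an ephemeral key pair, exchange the public halves
    (done in-process here; in practice this travels over the Tor hidden
    service), and derive matching key sets.  Returns (alice_keys, bob_keys)."""
    a_priv, a_pub = generate_ephemeral()
    b_priv, b_pub = generate_ephemeral()
    a_keys = derive_keys(a_pub, b_pub, pow(b_pub, a_priv, P))
    b_keys = derive_keys(b_pub, a_pub, pow(a_pub, b_priv, P))
    del a_priv, b_priv  # the private exponents are gone once the keys exist
    return a_keys, b_keys


def mac_message(mac_key, ciphertext):
    """HMAC-SHA1 over the ciphertext, as OTR does; the receiver checks it with
    its own 'recv_mac' key and hmac.compare_digest."""
    return hmac.new(mac_key, ciphertext, hashlib.sha1).digest()


if __name__ == "__main__":
    alice, bob = run_session()
    ct = b"constructed ciphertext bytes"
    tag = mac_message(alice["send_mac"], ct)
    print("send/recv keys agree:", alice["send_aes"] == bob["recv_aes"])
    print("MAC verifies at Bob:", hmac.compare_digest(tag, mac_message(bob["recv_mac"], ct)))
```

Running `run_session()` twice yields unrelated key sets, which is the property the quoted text is after: compromising a journalist’s long-term identity key later does not expose past conversations, because the per-session exponents were discarded. The range check in `check_public_value` is the one step that is easy to forget and that the OTR spec explicitly requires.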
To further streamline the project, the developers are also considering creating a ‘help bot’ that would work to anonymously connect sources to verified journalists and public interest groups, making it even easier for sources to more accurately and directly report information.
The site calls out a few security risks to invisible.im, including private key jacking, spam, malware and phishing. Phishing remains a viable threat, particularly for targeted journalists or public organizations, as several security guides for journalists point out.
Individual journalists and news organizations at large need more standardized and best practice security guidelines in order to avoid the unsophisticated and successful breaches that occur as a result of phishing attacks, or other credential exploitation attacks.
One example of an attempt at a set of journalist security guidelines is the CPJ Journalist Security Guide that provides a number of password policy recommendations for strong authentication. Read more in Redefining Information Security for Journalists & the Media.
However, passwords alone aren’t strong enough to stop remote attackers. Two-factor authentication integrated with any type of login makes it much more difficult for a remote attacker to access a journalist’s email account without also holding their smartphone or other authentication device.
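As an added example (not the page’s or any vendor’s code) of why a phished password is not enough on its own, the following Python implements the second factor most phone-based authenticators use, TOTP (RFC 6238, built on HOTP from RFC 4226), and a login routine that requires both a password and a code derived from a secret held only on the device. The user record, salt and password are constructed for the example; the TOTP secret is the RFC 6238 test-vector secret so the codes can be checked against the published values.

```python
"""Password + TOTP second factor, standard library only.  Added example; the
user record is constructed and the TOTP secret is the RFC 6238 test vector."""
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the last `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second window."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, code, unix_time, step=30, skew=1):
    """Accept the code for the current window and `skew` windows either side to
    tolerate clock drift between phone and server; compare in constant time."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-skew, skew + 1)
    )


# Constructed user record: salted PBKDF2 password hash plus the TOTP secret that
# was provisioned to the journalist's phone at enrolment.
_SALT = b"constructed-salt"
_ITERATIONS = 100_000
USER = {
    "password_hash": hashlib.pbkdf2_hmac(
        "sha256", b"correct horse battery staple", _SALT, _ITERATIONS
    ),
    "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector secret
}


def login(password, code, unix_time, user=USER):
    """Both factors must pass.  A password captured by phishing is useless
    without a current code from the device that holds `totp_secret`."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    password_ok = hmac.compare_digest(candidate, user["password_hash"])
    # Evaluate the second factor regardless, so a failure does not reveal
    # through timing which factor was wrong.
    code_ok = verify_totp(user["totp_secret"], code, unix_time)
    return password_ok and code_ok


if __name__ == "__main__":
    now = 1000  # constructed timestamp
    phone_code = totp(USER["totp_secret"], now)
    print("password only:", login("correct horse battery staple", "000000", now))
    print("password + phone code:", login("correct horse battery staple", phone_code, now))
```

The `skew` of one window is the usual compromise: it absorbs a phone whose clock is up to 30 seconds off without widening the acceptance window enough to matter. A production service would additionally record the last accepted counter per user so a code that was already used cannot be replayed inside its window.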
Modern two-factor solutions have evolved to support new, complex technology models that change how we use data, including cloud computing and BYOD (Bring Your Own Device). Download our Two-Factor Authentication Evaluation Guide to learn more about the five key differentiators between two-factor authentication solutions available today.