Key questions about encryption | Helpdesk - Digital Security for Journalists

Key questions about encryption tools

It is not easy to decide whether a tool is useful or not. As encryption can be essential for journalists and their sources, the questions as follows should help make an assessment about specific tools.

Is the product Open Source?

Open Source means that the code of a programme is publicly available. Everybody can review it, search for vulnerabilities and develop it further. The opposite is “Closed Source”, so that no one but the developer – e.g. a company developing an app – can review it. Especially if a service is popular, Open Source is of a real benefit. A lot of experts review the code and constantly improve it. Journalists do not have to trust a service as to whether or not it really does what it claims –- they can see in the code, how the system works.

Does the service offer end-to-end encryption?

End-to-end encryption means that even the service provider can not access the content and only the sender and the recipient can read it. Especially for communication tools such as chat apps, voice calls or emails, end-to-end encryption is highly recommended for journalists and their sources.

Does the service offer end-to-end encryption by default?

Some services offer end-to-end encryption, but only if a user switches it on. Many people do not know that and only rely on advertisement. Journalists and their sources should be aware of that while using a service.

Does the service offer end-to-end encryption for all communication features on all devices?

More and more services offer more than only one communication channel nowadays. For example, journalists can send text messages, make phone or video calls and send documents using the same app. They should check whether for all channels end-to-end encryption is enabled, both for computers and smartphones.

In which jurisdiction is the service legally based?

Although the service itself may not have access to the content of user messages due to end-to-end encryption, it might have to hand over certain information about user. For example, metadata about communication – who sent what to whom, when and where – are often stored on servers. Journalists and their sources should check whether a service is legally bound to cooperate with a government that they identified as a potential adversary in their threat model.