Digital Security can be a complex thing. Especially if you think you’re doing something securely while the opposite is true. In this section, we take the most popular “dangerous errors” that we hear in our work – and explain how things really work.
"Encryption makes me invisible."
No. Encryption just protects the content of your communication, but the communication itself and the metadata of it is still visible. What does that mean?
Let's say you open a new chat on WhatsApp, which then says: "Messages you send to this chat and calls are now secured with end-to-end encryption." End-to-end encryption is powerful, because only the sender and recipient are now able to read the messages. Even WhatsApp is excluded due to the encryption. However, it is still visible that the sender and recipient are communicating, when and how often they exchange messages, and what size the messages have.
Encryption only hides what you communicate, but not that you and your partner are communicating.
"Encryption makes me suspicious."
Indeed, this can be true, but really depends on your personal threat model. There are countries that try to ban encryption on a large scale or accuse people of wrongdoing only because they use encryption. This is an illegitimate view, because freedom of expression and privacy are human rights, and encryption can be necessary to protect that. Today, a lot of popular services like WhatsApp, Signal, Google, and Facebook use (different kinds of) encryption. In these cases, the encryption would not make you suspicious, because almost everybody uses it.
Only if encryption is really likely to make you suspicious should you at least be careful in adding encryption to your communication. For example, if you never encrypt an email, but encrypted only one email to a potential source, you could draw attention. Or if everybody in your country uses a certain chat app, but only you used a very secure one, you could also cause some problems. For these cases, you should think of different ways. Mostly, it's not the encryption itself that makes people suspicious, but unusual behaviours.
"The incognito mode of the browser makes me anonymous."
No. The incognito mode basically only prevents you from making a browsing history, storing cookies and other information that is stored in the browser itself. So if you have reason to suspect that someone with access to your device is interested in your surf history, the incognito mode could indeed help.
But be aware: The incognito mode does nothing more. Your internet service provider, governments, or commercial tracking companies can still easily see what you are doing on the internet. To prevent that, you should use additional tools for anonymity.
"A VPN makes me invisible."
No. A VPN – Virtual Private Network – just works as a "bridge" into the internet. It helps you ensure that your Internet Service Provider (ISP) and Websites cannot easily see your IP address. An IP address can be used to identify you. However, the VPN provider sees your IP address as well as what you are doing on the internet. You and your online activity are still visible. The question is not whether you are visible, but: "visible for whom?"
Normally, you connect yourself to the internet via your ISP. You tell your ISP where you would like to go, and the ISP connects you to a service. The "bridge" in that case is the ISP. Using a VPN means that you only tell your ISP that you want to be connected to your VPN provider. In that case, your ISP only sees that you are connected to a VPN, but not where you would like to go from there. This is what you tell only the VPN. But be aware: Now the VPN knows your IP address and where you’re going.
Consequently, a VPN is neither good nor bad. If you do not trust your ISP, because it may give your data to your government, a VPN could be a way to circumvent that. But you still have to trust the VPN provider. It might also be legally bound by your government or might share your data for commercial purposes. If you do not want to trust anybody, you should rely on Tor.
"I don't use Two Factor Authentication, because I don't want to provide my phone number."
Two Factor Authentication (2FA) means that you need a second credential to log in to your account, additional to your password. This is powerful, because even if an adversary gets your password, it cannot automatically log in. Reporters Without Borders recommends everybody to use 2FA on all accounts that offer it!
Some people are hesitant to enable 2FA because the services can ask for a phone number. In that procedure, a code is sent via SMS every time when you want to log in. Two things on that: Firstly, most of the services have your phone number already anyway, according to their terms of service or because others shared their telephone books with your number in it. Secondly, there are also other ways to enable 2FA without providing a phone number, for example with a code generator app or a physical key.
"As a journalist, I don't care about the data that Facebook and Google collect about me."
Well… commercial services and the big technology companies collect data about their users mostly to use for advertising. That is their business model. In that regard, it is, in the first place, unlikely that they track journalists especially or try to compromise their confidentiality.
However, journalists should be aware that these companies can be legally bound to hand over information to governments, or to share user data with other services. They might also get hacked and have their users' data revealed to the broader public.
"Journalists shouldn’t use Google, Facebook, Twitter (...)"
Realistically, a lot of journalists rely on these big services more than ever: they are free, offer innovative solutions, could help journalists reach more people, and help find new sources. In many cases, journalists do not really have a choice. And although these services collect a lot of data, they are not bad per se. In countries with a censored internet, Facebook, for example, can be one of the very few ways to get independent information.
But journalists have to be aware that the companies might be legally obliged to share data about their users with the governments. So journalists should not ban these services, but limit and protect their sensitive data, like chats and photos, as much as possible.
"To be secure, I switch off the internet on my smartphone."
This might not be an error, but the question is: Why should you do that? Indeed, if you switch off the internet and GPS, apps cannot connect to the internet anymore and might not track you. However, your smartphone would still be connected to the network of your telecommunication service provider (TSP). This is necessary to receive calls. It means, however, that the TSP – and therefore possibly also your government – still know who you are, where you are, and whether or not you communicate with someone over the phone. To prevent that, you should switch off the phone completely or – even better – not take it with you.
Disclaimer: There is also malware that makes you believe that you switched off your smartphone, but still lets it work in the background. Without advanced technical knowledge, it is nearly impossible to know whether your smartphone is infected or not. To protect yourself against that, do not take the smartphone with you if you really want to be sure that your location or your conversation is not recorded.
"Analogue phone calls are safer than internet calls."
In almost every case, this is not true. A regular phone call is operated by a telecommunication service provider (TSP). They "own" the infrastructure and are mostly regulated on a national level by national governments. The TSPs are technical able to intercept communication and are also legally bound by governments to provide access to calls.
Calls over the internet, however, offer more ways for users to encrypt it. If you take a service that offers end-to-end encryption like Signal or Wire, you exclude both the TSP and the service itself from intercepting your conversations. Consequently, a call over the internet is better to avoid wiretapping, if you use a service with end-to-end encryption.
"A cloud is not safe."
Cloud computing is very practical: You can easily upload and download files, share them with others and access them everywhere, even when you do not have your personal devices with you. But this also means that everybody who is able to log in to your account of a cloud service could access your files. This is indeed risky. Moreover, the cloud service provider might also have access to your files and could be legally bound to hand it over to governments. So yes, there are a lot of reasons to be careful in using clouds.
However, there are also arguments for clouds. For example, when you use an additional tool to upload your files encrypted into the cloud, others would have problems to decrypt them even with access to the cloud. Also, there are ways to protect your account, such as two-step verification, so that getting access to your cloud at all becomes difficult for an intruder. And especially, a cloud service has many more financial resources to protect the service against hacking and social engineering than a single user for their computer.
"Open Source is dangerous, because governments can see vulnerabilities."
"Open Source" means that the code of a program is publicly available. Everybody can review it, search for vulnerabilities, and develop it further. The opposite is "Closed Source", so that no one but the developer – e.g. a company developing an app – can review it.
The idea of "Open Source" is that a community controls itself by being completely transparent. Of course, malicious actors can be part of that community as well. For example, an intelligence agency could find vulnerabilities and exploit them instead of improving the code for everybody. But the more independent people review it, the less likely it is that the intelligence agency succeeds. The argument for "Open Source" for journalists is that they do not have to trust anybody that a service is safe, but could (theoretically) review it on their own.
Especially when it comes to very popular services that are constantly reviewed by a large community, "Open Source" can serve as an argument for journalists to trust a service that it really does what it claims to do.