Mobile Media Toolkit

Mobile Security Overview

Journalists use mobile devices for creating, editing, and sharing content, as well as for communicating with sources, newsrooms, and colleagues. Mobile phones provide countless benefits — they are portable, discreet, and a growing number of high-quality apps make them great tools for reporting — but they also present significant security risks. 

Think: What if you lost your mobile device right now? What potentially sensitive information is on it? Do you have the names or contact information of anonymous or protected sources? Do you have story notes or leads, or unpublished multimedia images from an event that would place participants in danger if their identify and role becomes known? Do you have the time and location of upcoming events or interviews? What about remote access to your newsroom editorial schedule or other internal systems?

Your location and beat are considerations as well. Where are you working? Is the network controlled by the state? What is the surveillance environment? Is there evidence of surveillance against journalists? It’s not just the information on your phone but also your communications that are potentially compromised.

For reporters and citizen journalists to be more safe in insecure regions, careful planning and strategic considerations are required.

We have resources to help professional reporters or photojournalists, citizen journalists, bloggers, and media assess the risks they face in regard to their mobile communications.  We also have tips and tactics to help lower these risks. There is no ‘security’ in mobile - but there are ways to be smarter and safer.  This is especially applicable for those working in insecure environments: consider these resources as helpful starters while understanding that mobile communications is fundamentally insecure.

We draw much of the content here from SaferMobile, a project of MobileActive.org that helps activists, human rights defenders, and journalists assess and mitigate mobile communications risks. The Mobile Media Toolkit will highlight and link to SaferMobile materials most relevant for mobile journalists, but for the most exhaustive and up-to-date content on general mobile security, please visit SaferMobile often.

Not all risks or tips will apply to your work and the way in which you use your mobile phone as a journalist or blogger. But, the more you know, the more you can make smart choices regarding your mobile communications safety.

There are three resources in this section:

1. The Mobile Security Primer will help you identify and understand the risks involved with your specific mobile use -- as a trained reporter, photojournalist, citizen journalist, blogger, or for anyone who witnesses and documents a news event on a mobile phone.
2. Protecting Yourself offers use cases and tips you can take today to better protect yourself as you use your mobile phone as a reporting tool.
3. The Security Apps and Reviews section will highlight helpful, quality security apps that you can add to your reporting tool bag.

Mobile Security Primer

Journalists use mobile devices for creating, editing, and sharing content, as well as for communicating with sources, newsrooms, and colleagues. Mobile phones provide countless benefits — they are portable, discreet, and a growing number of high-quality apps make them great tools for reporting, for example — but they also present enormous risks.  The SaferMobile Primer covers many areas of vulnerability, including:

• General Mobile Risks
• Voice: This Call May Be Recorded
• SMS/Text Messaging
• Web Browsing
• Photos, Video, and MMS
• Mobile Email
• Storing Data
• Security for Smartphones

General Mobile Risks

Particularly if you are a journalist working in an insecure region or covering sensitive issues, you will want to be aware of general mobile risks you face. Here is a snapshot:

Your mobile service is operated by your mobile network operator. As it manages your communication, it is also able to record certain types of messages you send, as well as information about your communication activities and your device.

When your phone is switched on, the network knows your location, triangulated from the cell towers nearby that record your phone’s signal. Your location might be accurate to as much as a few meters in a densely populated area. For more explanation of general risks facing you, check out SaferMobile.

Photos, Video, and MMS

Whether you are a trained reporter, photojournalist, citizen journalist, or if you simply witness and record a news event, you may face risk if you use your phone to capture and share multimedia content.

The date and time you took a photo or video, as well as location information, may be saved as part of the descriptive information, or EXIF data. If you upload photos or videos to a news site or blog, the descriptive information may be preserved. Anyone viewing your media could see where, when, and with what phone you created the image.

There are, however, steps you can take to better protect yourself when using your mobile to capture news content. One tip is to remove identifying information from your mobile images. We offer a step by step guide and video tutorial on how to do this. Another option is to change certain account settings when uploading images. For more tips, check out this Photo Risk Primer section of SaferMobile. 

Voice: This Call May Be Recorded

As a reporter or citizen journalist, you likely use your phone for basic actions like calling your sources to check a quote or to stay in touch on story assignments with editors or colleagues. If you work in insecure regions or report on sensitive topics or issues, you need to be aware of the risks you face when placing such seemingly innocuous calls.

As with any conversation, you could be overheard or recorded by someone nearby. Your conversation could be eavesdropped or recorded by an app installed on your phone without your knowledge. Calls can be monitored and recorded by network personnel, and recordings may be passed (legally or illegally) to someone outside the operator.

But, there are steps you can take to better protect yourself. For instance, use a basic phone, without apps, rather than a smartphone. If you must use a smartphone, use an encrypted VOIP application instead of calling through the mobile network. For more tips, see this SaferMobile section on Voice Call Risks.

SMS/Text Messaging

Like voice, SMS is used by mobile journalists to set up meetings with sources, to share story notes, or to communicate with editors, newsrooms, or colleagues. But, there are security risks in using SMS in your work. SMS messages are sent in plain text. They are not encrypted, so the content is not hidden or disguised in any way. Anyone who intercepts the messages can read your SMS. Sent or received messages stored on a phone or SIM are vulnerable if the phone or SIM is lost or stolen.

To better protect yourself, set the SMS storage to very low or none. Turn off the option to save outbound messages and delete messages regularly. Also, consider using an encrypted messaging app instead of SMS. See this section of SaferMobile to learn more about encrypted messaging apps and tips to better protect your SMS communication.

Protecting Yourself

In this section of the Mobile Media Toolkit, we highlight SaferMobile guides and tactical tips you can take today to better protect yourself when using your mobile phone as a reporting tool. For even more guides and tips, consult the Protect section on SaferMobile.

For Journalists Covering Protests, Peaceful Assemblies, or Events
If you are participating in a protest, peaceful assembly, or covering an event as a journalist, your mobile phone is an invaluable asset. It allows you to communicate with allies, to document the event, and to bear witness to what is happening around you. At the same time, you should take certain precautions.

In most public assemblies, you face risks from loss and seizure of your mobile phone, disruptions to service from hardware or network failures, or surveillance of your communications.

We offer suggestions on what you can do before you travel to and cover an event to stay more safe, including:

1. Back Up Your Mobile Content
2. Carry a Spare Mobile Battery
3. Keep Important Information on a Piece of Paper
4. Recharge your Credit
5. Explore Network Strength
6. Cross-Post
7. Bookmark

If you use your phone frequently in your work, whether at a planned event or in more spontaneous situations, it’s also important to get to know the device. You can minimize the risk of being observed using your phone if you know how the letters and numbers are distributed on your phone’s buttons. Many people can type “hi, how are you” on the computer keyboard while chatting without looking to the keyboard. You also need to know how to type a short text message (SMS) without looking to your mobile keypad. If you become more familiar with your mobile keypad, you will be able to send a message without looking at the keypad -- perhaps while it is hidden in your pocket.

The SaferMobile guide offers an additional Ten Tips to keep in mind when using your mobile phone to cover events. You can also listen to an audio recording of this guide, here.

For Journalists Using Twitter to Cover News
Twitter is a great tool for journalists or anyone who happens to be on the scene as news is breaking. With Twitter, you can broadcast news updates to a wide audience and help cover events as they unfold, in near real-time. However, you should know that whether you use a computer or mobile phone, Twitter is not a secure method of communicating sensitive information.

When you use Twitter from a mobile phone, you may be exposed to additional risks, and should plan your activities accordingly. There are three ways to access Twitter from your mobile phone:

• In countries where Twitter text messaging (SMS) is supported, you can send and receive Tweets via text message, and may also be able to manage other aspects of your account such as follower lists.
• If your phone supports web browsing, you can access Twitter’s mobile website through your phone’s browser.
• Some phones (particularly smartphones) may have a Twitter application installed, or allow you to download one.

Your Tweets should only contain information you want to widely and publicly share. This should be public information that can be freely distributed by you. Even if you protect your Tweets so that only followers can see them, followers can easily retweet your messages, or access them over an insecure connection.

In general, if you are using a mobile browser to access Twitter or perform any other activity -- including research or fact-checking for a story -- you should strive to do so more safely. Check out this video from SaferMobile, which explains safer mobile browsing via HTTPS.

SaferMobile offers Seven Twitter Security Tips, which are summarized here. Many of these tips apply to general use of other apps or platforms, too.

1. Protect your account from unauthorized use.
2. Use a strong password for your account, and keep it safe. For more on this, see this SaferMobile article on Setting Strong Passwords for Security and Privacy, as well as this video:
3. Don’t be fooled by fake login pages.
4. Instead of an app, use your phone’s web browser to access Twitter’s secure site (https://mobile.twitter.com/).
5. Be aware of what information your use of Twitter reveals – to you followers, to your mobile network operator, and to Twitter itself. Remember, Tweeting reveals identifying information.
6. Twitter can decide to or be forced to hand over information about your account to third parties.
7. Always have a backup plan, as Twitter can be blocked or experience extended downtime.

For many working reporters or citizen journalists, mobile devices are an indispensable tool for storing and sharing sensitive information. Contacts, emails, and mobile browsing history can easily be compromised without taking the proper measures to ensure that that information is safely in the right hands… and out of the wrong ones. You may find these SaferMobile resources helpful -- and important -- as you continue to use your mobile phone in your own reporting:

• Mobile Anonymity and Censorship Circumvention: How to Browse the Web Anonymously On Your Phone - A companion guide to Using HTTPS for Secure Mobile Browsing, this article details two tactics for keeping your identity hidden when using a mobile browser. The first is to browse through a proxy, and the second is to use a circumvention tool called Tor. The guide offers an extensive explanation of both methods along with alternatives for anonymous content uploads. Also check out our guide on Orbot, the Android client officially promoted by the Tor Project.
• Securing Your Mobile Email: This guide catalogs the different tactics you can take to keep mobile email safe. It covers email security basics, TLS/SSL enabling, and email encryption. The guide also provides customized tactics and suggestions for Android, Blackberry, iPhone, and Nokia/Symbian phones.

Security Apps and Reviews

Mobile phones are increasingly becoming an integral part of a reporter’s tool bag. By now, you hopefully understand some of the risks you may face in your work, as well as some basic tips to better protect yourself.

There are many tools and apps to help the mobile reporter. Check out, for instance, the section of the Toolkit on reporting on a smartphone. Before you download and use just any app, however, you should understand the security risks posed by apps. Apps and other software may have access to information stored on or generated by your phone, as well as the ability to transmit this information using your phone’s Internet connection. In addition, malicious apps can allow others to listen to and record your conversations, monitor and log your texts and emails, and track your location, even when your phone is turned off.

So, before you download that helpful new note-taking or image editing app, ask yourself the following questions:

1. What features of your phone are available to apps?
2. What phone features should this app need to use? Does this match the permissions it requests?
3. Who is the developer?
4. Who are the users?
5. Is the code publicly available?
6. Is your data being stored and transmitted securely?

For more, consult this article from SaferMobile on selecting trustworthy apps.

Additionally, and particularly for smartphones, there are security apps that promise improved privacy and security in using your mobile phone while reporting. Like all apps, some are very good, but others are poorly written or overprices, and may even be malicious. SaferMobile’s Evaluating Security Apps article will help you evaluate whether you should trust their promises.

Here is one recent example, about the app Vibe. For more security app reviews, visit SaferMobile.

Vibe burst onto the scene following reports that protesters were using it to coordinate with each other at the recent Occupy Wall Street demonstrations and camps.

As a smartphone app for anonymous broadcast messaging, Vibe is going after an important idea. In fact, it’s been promoted as an anonymous version of Twitter. Anyone with the app can post – there are no accounts – and users are able to limit the lifetime of the messages (from a few minutes to a few days) and the location to which they are broadcast (from a few meters to anywhere).

Vibe is clearly a useful tool. Some of the ways it has apparently been used include asking anonymous questions at a conference, and communicating with neighbours about local events. The ‘anonymity’ of not having to create an account may be perfectly adequate for these situations. However, when it comes to its use by activists – where it is being promoted as an appropriate tool for people with serious security implications should their identify be revealed – we need to delve deeper into promises of anonymity.

In the case of Vibe, our analysis revealed some serious concerns. Some of these have come up in other reviews as well.

• First, we have no information on whether messages that expire (and are therefore no longer visible to vibe users) are actually removed from Vibe’s servers and server logs. If they aren’t, this is a permanent record subject to requests from law enforcement.
• Second, all communication between the app and the server is unencrypted (HTTP), and vulnerable to eavesdropping on insecure WiFi networks, or by mobile network operators or Internet service providers.
• Third, the app stores and transmits an internal user ID alongside each message. This is what the messages look like. Even if you can’t immediately link a user ID to a specific person, the mobile network operator (MNO) or someone eavesdropping on a WiFi network probably can, and someone who has even brief access to a phone with the app installed certainly can.

The good news is, we can suggest a few tools to help you stay more safe when using your mobile to cover sensitive issues or to report from insecure regions.

Here is a good place to start to be better prepared for any potential theft, loss, or damage to your device while you are reporting from the field:

• Backup and restore tools allow you to save a backup of contacts and other data stored on your phone.
• Data deletion tools can be used to ‘clean’ a phone completely before disposing of it, giving it away or travelling to a location where you are worried it could be stolen or confiscated.
• Remote wipe tools are set up so that if your phone is lost or stolen, you are able to clean it remotely, deleting sensitive data. Many remote wipe tools also allow you to track the phone provided it has not been turned off.

Additionally, InTheClear is a beta data-wipe application for human rights defenders and activists that will send an emergency SMS with a on-push command, as well as wipe data and media off your phone with a set of pre-configured options. It is available for Android, Symbian and Blackberry.