Transport encryption (SSL)

In Barrett Brown’s initial sentencing hearing last month, a prosecutor asked about Jeremy Hammond’s consistent demand that Brown set up SSL (Secure Sockets Layer), which can be used to secure connections to IRC (Internet Relay Chat) servers, in addition to websites. In fact, chat logs which became part of Hammond’s case and are believed to come from Brown’s computer, show that Hammond asked Brown whether he had set up SSL no less than four times in a span of two months — with Brown invariably procrastinating on his promises to set it up or to get someone else to do it for him:

[22:03] you _have_ to start using SSL

[21:42] ssl yet?

[21:42] gotta get on that

[18:26] Still no SSL I see.

[14:31] yes you still not on SSL?

[14:31] you need to get on that shit

[12:58] you should really use SSL

These exchanges aptly illustrate the notorious usability challenges of encryption. If Brown had enabled SSL while connecting to chat servers, it may have shielded his private conversations from surveillance by third parties. For further protection, they could have used OTR to encrypt end-to-end, removing the server's ability to eavesdrop as well.

Minimize retention of logs and stored data

This doesn't preclude the possibility, however, that either participant could be logging their chats, thus creating a record that could be obtained later. The unfortunate truth is that keeping unencrypted records of chats on your computer can inevitably result in them being used against your sources and correspondents if seized, which is also what happened in Brown’s case.

Michelle Garcia, reporting for The Intercept, voiced the opinion that these chat logs were being spun to fit the government's agenda: “The evidence that was discussed was often selectively disclosed by prosecutors, who tore from their original context lengthy chats and emails to depict Brown as a malicious hacker rather than a journalist.”

In practice, many journalists need to keep logs of certain conversations with sources — so in these cases, the logs should always be moved offline and stored on an encrypted drive. The same guidance applies to e-mail archives and other documents save on your computer. If you’re working on a sensitive story then you should reduce the material you keep to only that which you absolutely need. Plus, deleting files actually does not completely erase them from your hard drive, so you need to practice secure deletion which you can learn more about here.

But if such logs are not needed to report the story, journalists should ensure that logging is turned off inside the messaging programs they use. Many clients have logging enabled by default, but it can usually be disabled within the preferences or options.

Use full disk encryption

With the FBI closing in, Brown has said he tried to protect his sources by taking his laptops to his mother’s house, which required them to apply for a second warrant. Brown then hid the computers in a kitchen cabinet. Needless to say, it didn’t work, and the devices were seized. Those actions later triggered obstruction of justice charges for both Brown and his mother.

In general, journalists should always protect others from gaining access to their computer when it's powered off by using full disk encryption (a method of encrypting all of the information stored on your hard drives). If their computer is ever seized by law enforcement, the authorities—at least in the US—would have to attempt to compel the journalist to enter a password, which can be challenged in court. This also allows journalists to raise reporter’s privilege claims on certain information before the government gets a hold of it, and at least gives them a chance to narrow the scope of the government’s demands.