mirror of https://github.com/privacyguides/privacyguides.org.git synced 2025-07-22 19:31:07 +00:00

Compare commits

1 Commits

Author SHA1 Message Date
Kevin Pham
37068aa587 Update targeted-attacks.md
Signed-off-by: Kevin Pham <123699355+kpham42@users.noreply.github.com>
2025-04-25 15:24:20 -04:00
2 changed files with 39 additions and 50 deletions

@@ -2,53 +2,3 @@
title: Publishing Information
icon: material/book
---
---
title: Publishing Information
icon: material/book
---
In 2021, a whistleblower named Frances Haugen leaked internal documents from Facebook, revealing how the company knowingly allowed misinformation and assisted in state-sponsored censorship. Known as the [Facebook Files](https://www.wsj.com/articles/the-facebook-files-11631713039), this leak was notable in how successful it was in preventing retaliation before Haugen publicly identified herself. While not confirmed, she most likely shared documents with the Wall Street Journal through [SecureDrop](https://securedrop.org/).
Her case is not unique. Whether you are a whistleblower, an investigative journalist, or an amateur blogger, the ability to publish safely is essential to a transparent society.
## Why Publish Anonymously?
In some countries, simply speaking out can result in criminal charges or loss-of-life. Even in relatively "free" societies, publishing critical information can attract legal threats, online harassment, or unwanted media attention. For example, [this hobbyist security researcher was sued](https://arstechnica.com/security/2024/08/city-of-columbus-sues-man-after-he-discloses-severity-of-ransomware-attack/) for documenting a ransomware attack on his own blog!
Anonymity enables freedom of speech by separating your voice from your identity. It helps protect you from retaliation while keeping the focus on the message.
## Best Practices
### 1. Use a Pseudonym
A pseudonym empowers you to maintain a consistent identity while separating your real-world persona from your published work. Choose a name (or Username) that has not been linked to you and use it exclusively for anonymous publishing.
Register [new accounts](https://www.privacyguides.org/en/basics/account-creation/) and [email](https://www.privacyguides.org/en/email/) addresses from devices and internet connections not associated with your identity. Avoid using the same writing style, login behavior, or online habits that could de-anonymize you. Remember that a pseudonym is only as strong as your ability to keep it separate.
In some cases, like in large newsrooms, you may need a public identity to establish credibility. If that is the case, shift your focus toward secure communication with confidential sources and protecting your operational security. Consider setting up a secure tipline instance for your organization.
### 2. Find a Platform
Where and how you publish matters. Here are a few options:
#### Create your Blog
Depending on your situation, you may be deciding between creating a website or using a third party platform like Substack or Medium. If you go with the former, [Ghost](https://ghost.org/) is an excellent open-source alternative to Substack. You can also create your own website through services like Wix or SquareSpace if your threat model allows it.
You can also consider running a Tor hidden service for an informal blog. This gives you control over hosting and minimizes reliance on third-party platforms. See [self-hosting resources](PLACEHOLDER) for guidance.
#### Use Alternative Social Media
[Social networks](https://www.privacyguides.org/en/social-networks/) can help you connect with a potential audience and gather feedback. Instead of X or Facebook, a decentralized and federated alternative like [Mastodon](https://joinmastodon.org/) can resist censorship from government actors. If you need help creating your first Mastodon account, read this resource here.
### Seek External Publishers
Many media outlets accept tips through a tipline, a system designed to receive anonymous submissions via Tor. This can be safer than publishing independently if you are sharing sensitive documents or exposing wrongdoing.
### 3. Compartmentalization
Compartmentalization involves isolating your publishing work from everything else. Whether youre using a pseudonym or your real name, never mix your activities. Instead of using apersonal laptop, purchase a dedicated laptop for your publishing work. When you decide to publish your final draft or upload your documents, do not log in from home or work networks. Instead, use an anonymous network like [Tor](https://www.privacyguides.org/en/tor/) over public wifi.
Furthermore, you should also install a anonymity or security-focused operatin system. When doing sensitive activities, boot from [Tails OS](https://www.privacyguides.org/en/desktop/#tails), an amnesiac Linux distribution that leaves no trace. For high-security daily usage, [Qubes OS](https://www.privacyguides.org/en/desktop/qubes) lets you compartmentalize your personal and work tasks in isolated virtual machines called qubes. If one of these virtual machines becomes compromised, you can always dispose of them.
Do not reuse passwords, emails, or browsing habits across different identities. Each project or pseudonym should exist in its own bubble. Compartmentalization ensures that you can safely publish your work without endangering your safety.
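Review bot: The commit message names only targeted-attacks.md, yet this hunk (`-2,53 +2,3`) strips the Publishing Information page down to its three front-matter lines, which accounts for the 50 deletions in the summary. If the removal is intentional, for example because the draft still carries an unresolved `[self-hosting resources](PLACEHOLDER)` link, a "read this resource here" sentence with no link, and a second front-matter block right after the first, say so in the commit message or move it to its own commit; if it is not intentional, drop this file from the change.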

@@ -2,3 +2,42 @@
title: Targeted Attacks
icon: material/target-account
---
title: Avoiding Targeted Surveillance
icon: material/domain
---
While mass surveillance collects vast amounts of data from the general population, [targeted attacks](https://www.amnesty.org/en/latest/campaigns/2020/10/stopspying/) are different. it focuses specifically on individuals or groups deemed "persons of interest" by governments, corporations, or malicious actors. This kind of surveillance can be far more invasive and precise; however, it is also less likely to occur for most people.
# How Do Targeted Attacks Work?
Targeted attacks uses several techniques to infiltrate a person's digital and physical life. It often involves direct attacks on devices, network interception, and even human intelligence.
[Device Exploitation](https://www.kaspersky.com/resource-center/definitions/what-is-zero-click-malware) is one of the most common methods. Attackers might use malware, spyware, or vulnerabilities in your phone, computer, or IoT devices to gain persistent access. Tools like [Pegasus](https://www.theverge.com/2021/7/18/22582532/pegasus-nso-spyware-target-phones-journalists-activists-investigation) have shown how even encrypted apps can be compromised once the device itself is under control.
[Network surveillance](https://www.rapid7.com/fundamentals/man-in-the-middle-attacks/) targets the transmission of your data. By attacking the infrastructure between you and your services, adversaries can conduct man-in-the-middle attacks, monitor unencrypted traffic, or inject malicious payloads.
[Social engineering](https://www.crowdstrike.com/en-us/cybersecurity-101/social-engineering/) remains one of the most effective ways to target a device. Phishing emails, malicious attachments, impersonation, and psychological manipulation are used to trick targets into handing over sensitive information or installing malware themselves.
# Who Is At Risk?
Targeted attacks can be devastating. It can expose sensitive conversations, reveal confidential information, endanger lives, and destroy trust. Whether you are a journalist communicating with sources, a whistleblower exposing corruption, or simply someone advocating for civil rights, protecting yourself against targeted attacks is essential to maintaining your freedom and safety.
Victims often suffer from feelings of helplessness and anxiety. Recognizing your risk before a targeted attack and preparing accordingly is crucial for this threat model.
# Best Practices
## 1. Harden Your Devices
Ensure that your devices are secure: Keep your operating systems and apps up to date with the latest security patches. Ideally, you should purchase the latest [mobile devices](https://www.privacyguides.org/en/mobile-phones/) that are known for security, such as Pixel phones with GrapheneOS or iPhones with lockdown mode enabled. Install only trusted apps and limit permissions as much as possible.
As for your desktop and laptop computers, full-disk encryption should be enabled everywhere. For sensitive tasks, you should consider installing [Linux](https://www.privacyguides.org/en/desktop/). An amnesiac distribution like [Tails OS](https://www.privacyguides.org/en/desktop/#tails), or a security-focused distribution like [Qubes OS](https://www.privacyguides.org/en/desktop/#qubes-os) works well in this threat model. This step reduces the severity of a potential malware infection.
## 2. Encrypt Everything
Communicate using [end-to-end encrypted services](https://www.privacyguides.org/en/real-time-communication/) whenever possible. For messaging, rely on tools like [Signal](https://www.privacyguides.org/en/real-time-communication/#signal) or [SimpleX Chat](https://www.privacyguides.org/en/real-time-communication/#simplex-chat). For [emails](https://www.privacyguides.org/en/email/), prefer PGP-encrypted communications or use privacy-focused providers like [Proton Mail](https://www.privacyguides.org/en/email/#proton-mail) and [Tuta](https://www.privacyguides.org/en/email/#tuta). Use encrypted software such as [Cryptomator](https://www.privacyguides.org/en/encryption/#cryptomator-cloud) or [VeraCrypt](https://www.privacyguides.org/en/encryption/#veracrypt-disk) for sensitive files, and always [verify the identities](https://www.privacyguides.org/articles/2022/07/07/signal-configuration-and-hardening/?h=contact#signal-pin) of your contacts before sending anything.
## 3. Be Skeptical and Vigilant
Be suspicious of unexpected messages, links, and attachments that can be used to deploy zero-click attacks. Use [multi-factor authentication](https://www.privacyguides.org/en/multi-factor-authentication/) (preferably hardware tokens like [YubiKey](https://www.privacyguides.org/en/security-keys/)) to secure accounts. Regularly audit your [digital footprint](https://www.privacyguides.org/en/basics/account-deletion/): check what information about you is public, remove unnecessary exposure, and practice good operational security (OpSec) principles like minimizing what you share online.
This approach also applies to your family members and colleagues. Often, a threat actor will also target the [associates of their victims](https://www.pbs.org/wgbh/frontline/article/pegasus-spyware-jamal-khashoggi-wife-phone-washington-post/) even if the intended target practices good OpSec. If you believe that this could happen to you, communicate this possibility to potential victims and [educate them](https://www.privacyguides.org/en/basics/why-privacy-matters/) on mitigation steps.
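Review bot: The added text opens with a second front-matter block (`title: Avoiding Targeted Surveillance`, `icon: material/domain`) directly after the existing `title: Targeted Attacks` block closes, so the page carries two conflicting titles and icons and the second block will most likely render as body text; keep a single block with the intended title. In "3. Be Skeptical and Vigilant", the sentence saying unexpected links and attachments "can be used to deploy zero-click attacks" misstates the threat: a zero-click exploit needs no interaction from the target, so caution with links and attachments addresses phishing and one-click delivery, while the zero-click case is what the patching and lockdown mode advice in step 1 mitigates. Smaller points: the "verify the identities" link targets the `#signal-pin` anchor rather than anything about contact verification, the section headings use `#` while the numbered steps use `##`, and the copy has agreement slips ("are different. it focuses", "Targeted attacks uses", "It can expose").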