This tutorial is meant for journalists with little or no understanding of chat encryption. It covers setting up an encrypted live chat conversation, so you can start communicating privately with sources on Google Chat, Facebook or a wide variety of other common chat tools.
One of the toughest things about investigative journalism is protecting sources. While privacy or anonymity is something that has traditionally been promised by journalists, today’s track-everything technology makes this a hard thing to guarantee.
Every field or industry worth covering as a journalist has secrets. As a journalist, it is of utmost importance to make yourself approachable by those who need protection (major scoops, including Glenn Greenwald’s NSA revelations, were almost lost because the reporter was not familiar with Edward Snowden’s chat encryption). That’s why every journalist should have three basic tools ready to go at any time, just in case: Secure chat, secure email and secure storage.
In this lesson, we’ll learn how to set up a secure, encrypted chat tool called OTR to talk with sources in real time. You can encrypt the chat feature on Google Chat, Facebook, AIM, IRC, and several other chat systems. OTR isn’t a program, but an advanced random mathematical calculation that jumbles messages unless the recipient has the key. (More on this later.) Instead of encrypting the whole chat by itself, each individual line you send is encrypted. (As you’ll be sending lots of short messages, a potential eavesdropper would have to decrypt each individual message, which can each take weeks or months to crack even on the world’s most powerful computers.)
Skip to section:
OTR is perhaps easiest to install on Windows, as it will walk you through the entire setup process. We’ll need to download two files, a handy open-source all-in-one chat program called Pidgin, and a plug-in for Pidgin called OTR that allows encryption.
1. Download Pidgin here.
2. Run the Pidgin Installer, using the default, pre-selected settings.
3. Once installed, the Installer will prompt you to run Pidgin, but don’t open it yet. Click Finish.
4. The next tool we’ll need is OTR, the plug-in that will allow us to have off-the-record conversations. You can download that here. The website is a little hard to navigate, but you’ll want to download the “Primary download: Win32 installer” which should be titled “pidgin-otr.”
5. Once downloaded, run the OTR installer, using the default, pre-selected settings.
6. Open Pidgin.
7. Go to Accounts > Manage Accounts > Add. Add the type of account you want. Most of the connection settings will fill by default.
8. If you have contacts already, start a new conversation. Notice in the box that pops up there is an OTR menu on the toolbar. Select Start Private Conversation.
9. If you haven’t used OTR before, Pidgin will generate the private key that will secure the conversation. Like all encryption, you messages will not be secure unless the other user also is using OTR.
10. The bottom right should indicate whether your conversation is Verified or Unverified. If unverified, your recipient will not be able to read your messages. To verify the conversation, go to OTR > Authenticate Buddy, which will pop up a new window. You’ll be asked to provide a “Question and answer” for your conversation. Anyone who wants to see the conversation will need to provide the answer you set here, so use something that is little-known and hard to guess. (You can also connect using a “Fingerprint,” if you want to verify the same code by phone, etc.)
11. Once the recipient enters your answer correctly, you’ll notice the chat will become “Verified.” You’re not ready to begin chatting off-the-record with sources!
Here’s an excellent tutorial video by YouTube user gveloper that walks you through the entire process.
Secure chat on Mac OS X
Open-source chat program Adium comes standard with OTR encryption tools, so it’s easy to install. The benefits of Adium’s OTR encryption are many, but perhaps the simplest way to explaining is that no one else can read your messages, during or after your conversation. Period.
1. Download open-source chat program Adium here.
2. Install Adium and drag it into your Applications folder on your Mac.
3. Open Adium and connect a chat service, such as Google chat or Facebook messaging.
4. Once you have an account set up, you’ll need to generate an OTR fingerprint. This is essentially a way of identifying you are who you say you are to the person you’ll be chatting with. In the menu bar, go to Adium > Preferences and select the Advanced tab at the top right, and then the Encryption tab on the left sidebar.
5. Select the account you wish to chat privately with from the dropdown list, and click the Generate button. Once a fingerprint is generated, close the Preferences pane.
6. Open a new chat with a buddy you wish to chat with using OTR. (If you don’t have one, you may try to initiate a chat with me, firstname.lastname@example.org on Google.) Notice the lock icon on the top toolbar. Click this, and select Initiate Encrypted OTR Chat.
7. You should notice the lock icon has now locked, indicating your chat is now secure. Generally, you can begin chatting now.
8. You may see a pop-up window that prompts you for the fingerprint of your buddy. Verify this with your buddy (who can see his fingerprint in the same Preferences menu we just came from) and then click Accept if you have confirmed it is correct. This fingerprint will be remembered by Adium, so you don’t have to go through the same process every time.
9. Lastly, decide whether you want Adium to remember all your chats. If you don’t want Adium to log your OTR chats (which I recommend), go to Adium > Preferences and select the General tab. Uncheck the box that says “Log OTR-secured chats.” You’re all set to start live-chatting privately with sources!