Securing voice communication for lawyers, clients, journalists, and sources

Introduction

Lawyers need to talk to their clients securely. Journalists need to talk to their sources securely. It is through good security tools and good security practices that privacy can be achieved. Securing the conversation (content) is important. Revelations made possible by Edward Snowden show the dangers of unsecured content and metadata. This guide does not aim to create an anonymous communication device by anonymizing either content or metadata; it only secures the content by using Open Whisper Systems' Signal (iOS or Android).

In February 2014, documents publicized by James Risen and Laura Poitras revealed proof of the United States' explicit and illegal spying on lawyers. The National Security Agency’s technological capabilities, also being made public, provide facts that the public needs in order to understand the complex threats that alone chill freedom of association. Even though you might not be a law firm “representing a foreign government in trade disputes with the United States,” the threat and probability of occurrence are clear. Your voice communication can be passively swept up into a global surveillance dragnet.

This guide’s target audience is people who need to protect their day-to-day phone calls and thus the privacy of the people involved. If you want to be successful at using technology to perform your work, you need to be open to learning some technical information and theory. Without sacrificing too many comforts when it comes to communicating via phones, this guide aims to bridge the gap between easy-to-use, state-of-the-art encryption and tools that are readily available.

Prior but related guides

Notes for Signal

Signal threat modeling

Create an anonymous Signal phone number w/ Android

Goals

Provide a public or private phone number that:

1. Uses an iOS or Android device with Signal to securely communicate with your clients or sources. “Security” is gained by having an independent device that is only used for encrypted communication. Calls will be end-to-end encrypted to protect the content of your conversations.

2. Falls back on a voicemail recording so normal (unencrypted) telephone callers hear an automated message telling them to install Signal and to call again once it is installed.

Additionally, this guide will discuss basic operational security to protect the physical device and thus its contents.

Signal simply needs a telephone number to get set up. You do not need a cell phone with active cell service. When done correctly, your voicemail will be reachable by regular phone callers, while Signal calls will be routed to your Signal device.

Your options:

– A new or used iPod Touch (5th generation with iOS 8), a new or used iPhone 5, 5S, or 6 (iOS 8), or Android (OS version 5, or “L”, is ideal). The Motorola “Moto E” is inexpensive and the Google Nexus line runs “pure” Android and gets updates the quickest. Operating the phone in airplane mode with Wi-Fi enabled makes the device similar to the iPod Touch in terms of which communication networks it uses.

– Any voice-over-internet-protocol (VoIP) service that gives you a long-term phone number. I also suggest a service that provides voicemail in order to warn normal callers to call again with Signal.

Register a land line, cell phone, or VoIP number?

Installing Signal onto your iOS or Android device simply requires a phone number that can receive either a text message confirmation code or an automated telephone/audio confirmation code. Open Whisper Systems’ software does not care what type of phone number it is; they just need to be able to call it for setup confirmation. It is possible for you to do any number of the following:

1. Register a land-line phone number with Signal. Doing so will automatically route Signal callers to your Signal device. Regular, unencrypted callers will still reach your land-line phone.

2. Register a cell phone number on the same device as the SIM-registered number. This is what most people do when they install and use Signal, and it is the common scenario that your callers will implement.

3. Register a cell phone number on a different device than the SIM-registered number. The original, SIM-registered cell phone will continue to receive normal, unencrypted phone calls, but Signal calls will get automatically routed to the secondary device. Doing this compartmentalizes the communications metadata and device exploitation risk.

4. Register a VoIP phone number on a new iOS or Android device. This guide focuses on this scenario to benefit from voicemail options to alert normal, unencrypted callers to install Signal and call again.

Instead of a VoIP service, you could, in fact, use your work land-line phone number to register Signal. I advise against that based merely on the fact that using the same number may confuse your clients/sources about what is and is not a secured line. Giving them a separate Signal phone number creates cognitive dissonance. However, maybe your target audience is aware of the differences between unsecured and secured (Signal) calls. You must assess the risks involved.

Clients/sources will undoubtedly save your Signal number into their phones. This name-number association will end up on the servers of Google, Apple, Facebook, Twitter (they steal contact databases from phones), etc., so keeping the number private is not probable. What you have to focus on is making it easiest for your clients/sources to contact you securely, with them knowing that the content of the call is private. Maybe you have a combination of 1+4 or 2+4, where 4 in either scenario is a private, non-publicized Signal number. Maybe you give out business cards with this number with explicit directions not to save this number into the client’s/source’s phone book. Keeping a number completely private can be difficult.

Requirements

– At least one lock-and-key safe, ideally a fireproof/waterproof safe with alphanumeric keypad entry.

Unavoidable information and metadata leakage

As stated above, without explicit direction, your clients/sources will likely store your contact number digitally. This digital database, on their iOS or Android smartphone, is continuously copied by other applications that people use, either out of convenience (to back up contact lists) or because of capitalism (direct marketing, relationship linking). Either way, state actors make it a point to obtain these databases so that they can know who communicates with whom. As a lawyer or journalist, the likelihood that a state actor wants to know whom you work with is much higher than normal.

Apple (or Google if you use an Android) will have name-to-device information. This means that US surveillance agencies will probably have the same information. This guide does not attempt to create an anonymous phone number (where the device is not linked to you or your company’s identity).

Even though this guide is written to use an iPod Touch which requires the use of a wireless access point and thus at least one internet service provider, and even though Signal network traffic is end-to-end encrypted, encrypted network traffic creates metadata that indicates:

A) you’re using the Internet at all, and
B) that you’re generating encrypted network traffic.

It is possible, with deep packet inspection, that your adversary will be able to identify what kind of encrypted traffic it is, maybe even as specifically as the application being used. So, theoretically, you will, for sure, create metadata, recorded by the internet service provider, showing that you (or your company) are making Signal calls, when, and for how long. A state actor such as the NSA, with global dragnet surveillance capabilities, may even be able to associate that traffic with the destination. These are critical issues if your threat is a well-funded surveillance agency with legal/political/global reach. A simple minimization procedure, to avoid network metadata leakage, would be to only use the Wi-Fi at public locations such as coffee shops or libraries. But doing so is not a silver bullet.

A supplementary read: Cell Phone Opsec

If you choose to purchase a registered cell phone instead, which may be required for your work/reachability, you must be aware that state actors can track the physical location of said device whenever the device is on. Movements and non-movements are very informative to adversaries. Cell phone tracking is made painless with IMSI-catchers when governments and companies can afford it.

Guide

1. Purchase and set up your device. Download and install Signal by Open Whisper Systems.

2. Choose a VoIP service.

To test Signal calling from an iPod Touch, I bought a Microsoft Skype phone number that is registered to my long-time Skype account. Skype is convenient because you simply purchase a Skype phone number with a debit/credit card, install Skype, install Signal, and use Skype to receive the confirmation code. Yes, Skype is a PRISM participant, and records (of you purchasing a Skype number and receiving a confirmation call from Open Whisper Systems) are guaranteed to end up in the hands of any government agency. Yes, Skype is backdoored by design. But registering a Skype number with Signal means the routing of said calls is managed by completely different infrastructure. Skype calls are not end-to-end encrypted. Signal calls are.

An alternative to Microsoft Skype is Google Voice. Google Voice, by way of a Gmail address, has the added benefit of 2-factor authentication (2FA). Skype does not offer 2FA, so your account is remotely accessible if your password is stolen. Voice gives you a perpetual phone number that is tied to your Gmail address. Yes, Google is a PRISM participant, too. As with Skype, calls made by Signal using a Google Voice phone number will not use Google infrastructure.

3. Set up voicemail.

The value of using a dedicated, VoIP-based phone number is the ability to set up voicemail. This way, when people call with a normal, unencrypted phone number, they can get the automated message to call back after they’ve installed Signal.

Signal does not have voicemail. If they call you with either and you do not answer, it will only ring.

4. Physically secure your device.

Make sure that your iPod password is secure. Use a strong passphrase and not a simple, 4-digit “Simple Passcode”.

It is critical that you habitually store your device(s) anytime they are not in use. If your work requires that you be available 24/7, you may need to purchase a second, isolated safe for home use for when you bathe/sleep/etc. Never leave your device unattended or in the possession of someone you do not trust.

5. Share your contact number.

Depending on the nature of your work, you should decide how you want to share your number. If you’re a lawyer, you would want to share your public phone number on your website. In this case it is prudent to ensure your website is serving content via HTTPS (data in motion) so that an adversary cannot inject a bad number into the page and misinform your clients/sources. Similarly, having a secure website (data at rest) is equally important so that the integrity of the public information is preserved.
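One way to monitor the published number for tampering, as an added example that is not part of the original guide: the check below takes the final URL, response headers, and body of your contact page and reports if the page was not served over HTTPS, if the number shown (in text or in a tel: link) differs from the one you registered with Signal, or if HSTS is missing. The HSTS check goes beyond the HTTPS advice above, and the function names, threshold, domain, and phone numbers are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

EXPECTED_NUMBER = "+15555550123"   # constructed; use your published Signal number
MIN_HSTS_SECONDS = 31536000        # one year; threshold chosen for this example
PHONE_RE = re.compile(r"\+?\d[\d ().-]{8,}\d")

def normalize(number, default_cc="1"):
    """Reduce a displayed number to +<digits>; assumes 10-digit numbers are NANP."""
    digits = re.sub(r"\D", "", number)
    if number.strip().startswith("+") or len(digits) != 10:
        return "+" + digits
    return "+" + default_cc + digits

def hsts_max_age(headers):
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), "")
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
    return int(m.group(1)) if m else None   # None: header absent or malformed

def check_contact_page(final_url, headers, body):
    """Return a list of findings; an empty list means the page passed."""
    findings = []
    if urlparse(final_url).scheme != "https":
        findings.append("page was not served over HTTPS")
    age = hsts_max_age(headers)
    if age is None:
        findings.append("no Strict-Transport-Security header")
    elif age < MIN_HSTS_SECONDS:
        findings.append(f"HSTS max-age too short: {age}")
    # Check both the visible text and tel: links; a visitor may use either.
    visible = re.sub(r"<[^>]+>", " ", body)
    found = {normalize(n) for n in PHONE_RE.findall(visible)}
    found |= {normalize(n) for n in re.findall(r'href="tel:([^"]+)"', body)}
    if EXPECTED_NUMBER not in found:
        findings.append("expected number missing from page")
    findings += [f"unexpected number on page: {n}"
                 for n in sorted(found - {EXPECTED_NUMBER})]
    return findings

# Constructed sample responses (not captured from any real site).
GOOD = ("https://lawfirm.example/contact",
        {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
        '<p>Signal: <a href="tel:+15555550123">+1 (555) 555-0123</a></p>')
TAMPERED = ("http://lawfirm.example/contact", {},
            '<p>Signal: <a href="tel:+15555550123">+1 (555) 555-0199</a></p>')

for name, sample in (("good", GOOD), ("tampered", TAMPERED)):
    print(name, check_contact_page(*sample))
```

Run it from a network other than the one hosting the site, feeding it what your HTTP client actually received, so that the check sees the page as a client or source would.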

It is also prudent to include minimal directions on installing and using Signal. Guiding them to EFF’s Surveillance Self Defense guide is a good option.