How this cybersecurity researcher is helping secure journalists in Ukraine

As Russia invaded Ukraine, the hackers—cybercriminal or otherwise—took sides, with many white-hat hackers looking to help provide digital security from afar for people in Ukraine. One of them is Runa Sandvik, who is working to provide free access to virtual private networks (VPNs) which can help shield online activities from internet service providers and make it appear as though users are connecting from somewhere else, as well as other remote tech help to journalists on the ground. 

Sandvik is a privacy and security expert with a long track record of protecting reporters around the world through technical means, including securing journalists at The New York Times and with the Freedom of the Press Foundation. Journalists seeking access to a VPN or other help may send Sandvik a Direct Message on Twitter.

Sandvik spoke with The Record Friday about the work she’s doing to support journalists in Ukraine and what basic security steps—such as shifting communications to end-to-end encrypted services like Signal and checking privacy on services like Twitter and Facebook—everyone can do to upgrade their social network’s security baseline. This interview has been lightly edited for length and clarity.

Andrea Peterson: What have you been doing to support journalists in the evolving situation in Ukraine this week?

Runa Sandvik: I have friends in Ukraine. It just feels good to try and do something, anything, rather than just sit here and scroll Twitter all day and just watch what's going on. Given all the work that I've historically done in my background in securing newsrooms and freelance reporters, I've put out one call for pro bono digital security assistance to any journalists in Ukraine. I'm also now able to provide journalists in the Ukraine with free VPNs if they need that.

AP: Why should journalists be especially worried about their security?

RS: I think that there are people who stay in the country to report on what's happening on the ground. Some of these are experienced reporters with established media orgs who have everything that they need, both in terms of physical safety gear and any digital security stuff that they might need.

But some are going to work for smaller NGOs. Some are just freelancers just figuring things out.

Some were perhaps not even reporters yesterday or the day before who are now just trying to get the word out. The least I can do is support them with tools and guidance.

I think it's just really important to ensure that they can continue doing what they're doing, but in a safe way. At that point, we can look at physical and emotional safety. We can look at securing online accounts. 

We can look at using a VPN to give them location privacy, so at the very least, their Internet communications between their device and their laptop and their phone is encrypted. Is that clear?

AP: Can you explain why a VPN is important for areas in conflict for everyone, but also especially journalists?

RS: Sure. In a normal scenario where you're not using a VPN, you just have your laptop or your phone and just connected to the Internet, it is technically possible then for either a Wi-Fi administrator or for the internet service provider to see which sites you're connecting to. Now because a lot of these sites already encrypt the traffic between your browser and the site, the provider can't necessarily see, say, what you're searching for on Google, or what you're typing into an email in Gmail, or what you're saying to someone in a Twitter direct message.

But they are able to see that you are visiting google.com—that you are reading about news in Ukraine, for example, that you are on The New York Times or the Washington Post website.

By using a VPN, you give yourself location privacy in the sense that the Internet service provider in the country can see that you're connected to a VPN and that's it. But they're not going to know if you're on Google, if you're on Twitter, if you're on the Washington Post website, or whatever else that you're doing. 

It does provide you with this ability to continue doing your work safely without as much of a risk of surveillance. [Editor's note: This is a technical and privacy shift that happened on the internet over the course of the past decade.]

AP: How should journalists apply that same approach across their communication channels? What are the other tools you would recommend?

RS: It is just important to be aware of, as you're using, say, social media or as you're in a hotel or on the road you're using the internet, I think it is just important to be aware of who can potentially figure out what it is that you're doing, and what you're interested in, and which accounts you're using, and who you're communicating with, and then just take steps to ensure that you can, for example, encrypt that in some way. 

More specifically, though, to your question, I think that using an app like Signal for end-to-end encrypted communications on mobile phones is a great option. I think WhatsApp is another good option. Facebook Messenger supports end-to-end encryption in something called Secret Conversations that you can use as well.

I think that all of those are really good options to ensure that your communication speeds, your messages, or your phone calls are encrypted from your phone and to the phone of the person that you're talking to.

AP: Another thing that has definitely been raised specifically in regards to Ukraine is the prominence of belief that Telegram is encrypted by default and popularity of the app. For instance, Moxie Marlinspike, who has a stake in the game because he is the founder of Signal—which is a competitor—has argued the media does an injustice to people in Ukraine by referring to it as an “encrypted" app when it is not end-to-end encrypted by default, because it made people believe their communications are secure when they remain at risk if Telegram is compromised. Do you agree with that assessment?

RS: Absolutely. Telegram has, for years, been described as this secure messenger or encrypted messenger, and often in the same context as Signal and WhatsApp. I think that if you dig into the slight nuance there, Telegram is not encrypted by default. It does not encrypt group chats. That is a setting that you have to turn on yourself within the app versus within Signal and WhatsApp, that is done for you by default for every single chat that you have.

I think that when that nuance, that slight difference is not communicated, we, unfortunately, do continue to spread this idea that the Telegram is as secure as these other apps and it's at the same level as these other apps.

AP: Does relying on Facebook Messenger have some of the same risks for security instead of going to Signal or another option that is end-to-end encrypted by default?

RS: Yeah. I think that when you're just chatting with people on Facebook Messenger at that point, your connection, the connection between, say, your computer and facebook.com is encrypted. 

But the messages that you're sending back and forth to your friends are not encrypted in the sense that Facebook, the company, could access that chat, and could see who you're talking to, and when, and how often, and about what. If that conversation was encrypted end-to-end, which is the case within, say, WhatsApp, Facebook can still then see who you're talking to, and when, and how often, but cannot see the content because the content is end-to-end encrypted.

Now if you open Facebook Messenger on your phone and select a new conversation in the top right corner, there's an option to enable what they call Secret Conversations, which is end-to-end encryption within Facebook Messenger.

AP: If you are a journalist, should you be using end-to-end encrypted communications with your entire network in order to avoid the same sort of network analysis at play with VPNs exposing your sources?

RS. Yes. I think at this point, it's 2022. It's not hard to use Signal or WhatsApp. You have apps for your phone. You have the desktop app for your computer. It is easy to set up and use and it is far more secure than just regular phone calls or SMS. There's no reason not to use these tools.

AP: What else could journalists or others be doing to improve their community’s digital resilience, or more specifically with regards to Ukraine? 

RS: Another thing that you can do, if you have friends in Ukraine, for example, what you can do is to review the security and privacy settings that you have for your social media account so that, for example, if you and I are friends on Facebook and your privacy settings is that anyone anywhere in the world can view all of your friends, and all of your photos, and all of your messages, then that does allow someone to, through your profile, your public profile, figure things out about me, because we're friends and your settings are just set that way. 

By ensuring that you are reviewing the privacy and security settings that you have on your Facebook account, you are also then taking steps to secure the privacy and security of any of your friends on the platform as well.