The success of Edward Snowden’s disclosure of National Security Agency surveillance hinged on measures he took to prevent government detection of his communications with journalists. His contact, Laura Poitras, describes using similar measures to avoid tipping off authorities, who would have arrested Snowden and seized the evidence he collected from NSA computers.
Other federal agencies, state and local governments, and businesses also conduct surveillance. Our movements, communications and transactions are monitored in great detail, making it essential for whistleblowers who desire anonymity to develop cyber security skills and a bit of spycraft. It’s especially important for national security and qui tam whistleblowers, but potentially beneficial to others, too.
Free software is available to encrypt email and documents, a precaution all whistleblowers should take. For those who are new to encryption, guides are available (here and here). Federal employees with security clearances should use encryption in any communication with journalists, even if it has nothing to do with their jobs. The federal government jailed CIA employee Jeffrey Sterling based on metadata showing that Sterling communicated by phone and email with New York Times journalist James Risen. Although the content of Sterling’s calls was unknown, the government claimed he was the source of Risen’s reporting on a classified CIA program known to Sterling.
The Sterling case revealed a potential end run around encryption. The Justice Department issued a subpoena to try to force the journalist to disclose his source(s) in court. Risen refused, however, to name any sources and the Justice Department backed off. In another case, the result might be different.
Some newspaper websites offer online systems, such as SecureDrop, for making anonymous disclosures. With SecureDrop, the journalist does not know the whistleblower’s true identity and thus could not disclose it if subpoenaed. Whistleblowers must take care, however, to avoid leaving electronic footprints leading to the disclosure webpage. SecureDrop’s website advises users to first connect using Tor, free software that hides a user’s internet footprints. Whistleblowers can download Tor at https://www.torproject.org/. There’s a downside, however: merely using Tor makes one an NSA target. This could be a problem for federal employees and contractors, but private sector whistleblowers may not be affected.
In evaluating security options, it’s important to keep in mind that the full extent of NSA’s surveillance is still unknown. Just last week, news media released new information about NSA programs.
[N]ewly published documents demonstrate that collected communications not only include emails, chats and web-browsing traffic, but also pictures, documents, voice calls, webcam photos, web searches, advertising analytics traffic, social media traffic, botnet traffic, logged keystrokes, computer network exploitation (CNE) targeting, intercepted username and password pairs, file uploads to online services, Skype sessions and more. —The Intercept
The Committee to Protect Journalists is concerned about the ability of journalists to protect their sources.
If a journalist can protect the identity of his or her sources at all, it’s only with the application of incredible expertise and practice, along with expensive tools. Journalists now compete with spooks and spies, and the spooks have the home-field advantage.—Tom Lowenthal, “Surveillance forces journalists to think and act like spies,” Committee to Protect Journalists, 27 Apr 2015.
Many journalists are turning to offline communication methods, including classic spycraft. But much has changed since Bob Woodward communicated with “Deep Throat” via pre-dawn meetings in a parking garage and a red flag in a flower pot.
Call records, email archives, phone tapping, cell-site location information, smart transit passes, roving bugs, and surveillance cameras–our world defaults to being watched. You can perhaps achieve privacy for a few fleeting moments, but, even then, only with a great deal of effort. (Lowenthal, Committee to Protect Journalists)
Investigative Reporters and Editors reports that a June 2013 presentation of “Spycraft for Journalists” drew an “overflow crowd.” Since then, more alarming details of NSA surveillance have emerged. Whistleblowers would benefit from training like that developed for journalists, but find it difficult to obtain.
Another challenge whistleblowers face is the secure storage of documents, particularly evidence and litigation documents. Edward Snowden warns that security varies among services that store electronic data uploaded to the Internet. But storing information offline has potential pitfalls, too. If the information is stored on electronic devices with Internet connections, the connections could be used to conduct attacks remotely. An attacker could monitor computer activities, destroy critical files or wreak other havoc. New research shows that even “air-gapped” computers (unconnected to the internet) are not entirely secure, although they are more secure than connected machines.
It may seem that keeping information in paper form is the way to go, but a whistleblower can be outed in the process of printing or copying documents at the workplace. In 2005, the Electronic Frontier Foundation announced that it had decoded hidden forensic tracking codes embedded in documents printed on Xerox DocuColor color laser printers. Since then, the EFF has identified other color laser printers with tracking codes. Research by Purdue University discovered vulnerabilities in documents produced by still more printers and copiers.
Hidden data (metadata) capable of identifying the source exist in digital photos and digital documents. A number of tools exist for extracting metadata from files. A growing number of “smart” devices in the home, including televisions, thermostats, coffee pots and baby monitors, are vulnerable to remote hacking, letting strangers know details about your activities.
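To make the point about document metadata concrete, the following added example (not part of the original article) lists the author-identifying core properties stored inside an Office Open XML file such as a .docx and writes a copy with them blanked. The sample file is constructed in memory, and the function names are illustrative.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces of docProps/core.xml in an OOXML (.docx/.xlsx/.pptx) package
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
IDENTIFYING = ["dc:creator", "cp:lastModifiedBy"]  # fields that name a person

def identifying_fields(docx_bytes):
    """Return {field: value} for non-empty identifying core properties."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/core.xml"))
    values = {t: root.findtext(t, default="", namespaces=NS) for t in IDENTIFYING}
    return {t: v for t, v in values.items() if v}

def scrub(docx_bytes):
    """Return a copy of the package with identifying core properties blanked."""
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                root = ET.fromstring(data)
                for tag in IDENTIFYING:
                    el = root.find(tag, NS)
                    if el is not None:
                        el.text = ""
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(item.filename, data)
    return out.getvalue()

def sample_docx():
    """Constructed sample: a minimal package holding only core properties."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
            "<dc:creator>Jane Example</dc:creator>"
            "<cp:lastModifiedBy>jexample</cp:lastModifiedBy>"
            "</cp:coreProperties>") % (NS["cp"], NS["dc"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()
```

This covers only the core properties; tracked changes, comments and embedded images inside the same file can carry identifying data as well and need separate review.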
Even rigorous attention to cyber security may be inadequate to ward off a determined attack that may destroy crucial information or use it for retaliation. But, an attacker first needs to identify a target, and good security practices make it less likely that the whistleblower will attract attention. Avoiding targeted attacks is an important benefit of making disclosures anonymously.
Maintaining a high level of security and anonymity can be costly. Whistleblowers who lose their jobs, as many do, may be unable to afford the full array of tools used by Snowden and his media contacts. Hiring a computer security consultant, as some whistleblowers have done, adds another expense.
In conclusion, whistleblowers in both the public and private sector face steep technical and financial challenges in maintaining anonymity in a Big Brother environment. For some, the challenges may seem overwhelming. A program that provides free training and equipment to whistleblowers would go a long way toward leveling the playing field and enabling effective truth telling.
* * *
Photo credit: “u r under surveillance” by bettyx1138 (Flickr Creative Commons)