After NSA Scandal, Crop of Whistleblower Communication Tools for Journalists Emerge
BY Carola Frediani | Wednesday, November 13 2013
Among the many questions raised by the NSA scandal, there is one that is especially worrying for journalists: how to have secure communications with sources given the widespread surveillance of emails, phone calls, chats and browsing activities. How should investigative reporting deal with the technological challenges posed by governments’ mass control of Internet and phone traffic? A number of online platforms have now sprouted across the globe with the mission to protect the anonymity of journalists' sources.
The idea of an online system for anonymous submission is not new. But its prospective benefit for journalism has become tangible with WikiLeaks, the leaking organization launched in 2007 by Julian Assange whose document releases have become front-page news worldwide.
However, WikiLeaks’ submission process halted in 2010 and today, there’s no secure form for whistleblowers to upload files on the organization’s website. “The secure dropbox has been closed for some time, but that doesn’t mean we are not receiving submissions in other ways,” WikiLeaks spokesperson Kristinn Hrafnsson told TechPresident on the phone, choosing not to provide details about the ‘other ways’ for security reasons. “We closed the dropbox because we were under attack, and we had information about the possibility of compromising such secure computer protocols. So we weren’t totally confident of its security. At the same time we had to deal with the massive leak of diplomatic cables, while having the financial blockade… the dropbox was not a priority any more.”
However, there have been a few positive signs of late, at least regarding the financial blockade. Last summer an Icelandic court ordered agents of MasterCard and Visa to process payments, held up since 2010, to WikiLeaks; so donations are flowing again to the secret-spilling group. “We are surviving now but in order to scale up and get the organization to the standards we want, we need support from our people,” says Hrafnsson, adding that they intend to set up a new secure dropbox as soon as they have the financial resources to do so.
WikiLeaks was not the only whistleblowing website to suffer from external attacks and financial problems that lead to a shutting down of its submission process. Par:Anoia, a data leaking website set up by Anonymous in 2012, went offline a few months ago after its chat channel on VoxAnon and their Internet Relay Chat (IRC) network were flooded by DDOS attacks. Last October Par:Anoia tweeted a link to its complete archive of the now defunct website until it can get back online. “The project is mothballed until funding and maintenance can be assured again,” one of the anons volunteering on the project, whom techPresident contacted through their Par:Anoia Twitter account, said in a chat conversation. “Our most interesting leak? Definitely the one about the IT service company Innodata Isogen, since it had by far the most interesting documents and was just massive. Most files probably have never been looked at.” Par:Anoia may come back, depending on funding and free time, explained the anon, highlighting that a Bitcoin address is linked on the Par:Anoia Twitter account for donations.
In the meantime other groups and organizations have started working hard to spread the word on other whistleblowing platforms. Last October the Freedom of the Press Foundation took over the management of DeadDrop, an anonymous submission system originally coded by web pioneer and open-data activist Aaron Swartz before his tragic death. Its first implementation, called StrongBox, was launched by the New Yorker in May 2013. Now the Freedom of the Press Foundation, after having re-branded the open source project SecureDrop, is helping media organizations with installation and security. Forbes is also implementing its own. They recently asked for story tips about the crackdown on the massive online black market, Silk Road.
“But in the next few months, at least six other major news organizations will install it as well”, Trevor Timm, co-founder of the Freedom of the Press Foundation, told techPresident. “I think the main reason many newspapers haven't adopted a whistleblower submission system yet is it costs them significant time, money, and effort to build it from scratch, not knowing if it'll work or be used. We try to take the pain out of the process, by making sure our open-source system is audited; have someone to provide them technical advice for both the setup and journalist training.”
SecureDrop is an application that accepts messages and documents from the web, routed through the Tor anonymity network, and GPG-encrypts them for secure storage. It is a more secure alternative to the "contact us" form or via e-mail to a reporter, and it also underwent a comprehensive security audit even if it doesn’t guarantee 100 percent security. “SecureDrop attempts to create a significantly more secure environment for sources to get information than exists through current digital channels, but there are still legal and technical risks any time a source wishes to submit documents to journalists—no matter the service,” writes the Freedom of the Press Foundation on its blog.
Freedom of the Press Foundation is not the only organization that believes in whistleblowing platforms. GlobaLeaks's mission is to spread its own suite of free downloadable software that is accessible to a variety of users who can customize it for their particular needs. The platform is therefore designed with flexibility in mind, providing a secure environment at the same time. Globaleaks is not involved in the management of the leaks, however; it just provides a framework.
“We worked on many security pillars, from anonymity via Tor network to [increasing] users’ awareness. The leakers and the system administrators are constantly advised in the process of submission by alerts and warnings,” Claudio Agosti told techPresident. Agosti is the President of Hermes Center, the organization that coded GlobaLeaks. Also, the files can be GPG-encrypted and the system erases any document older than two weeks. Again, as in the SecureDrop case, that doesn’t “protect against keyloggers [or those who covertly record keystrokes] or any other means that compromise the computer security. Especially it does not protect against human mistakes [sic],” explains GlobaLeaks on their website.
As of September 2013 the GlobaLeaks software has been adopted by a large number of Dutch media outlets for Publeaks.nl, a site that allows whistleblowers and others to leak information to the press in order to shed light on wrongdoings and encourage investigative journalism. The Publeaks organization has no access to the leaked files. It is up to the participating media outlets to verify the leaked materials or to work collaboratively with leakers. GlobaLeaks has been used by various European groups, such as Serbian anti-corruption activists, Hungarian journalists, and a group of Italian reporters.
A few days ago a few anonymous Italian activists launched MafiaLeaks, a GlobaLeaks-based website that intends to collect information from those within the mafia as well as its victims. The website wants to act as a mediator between sources and journalists, who are among those receiving the materials. But MafiaLeaks' administrators, who prefer to remain anonymous for security reasons, have also contacted law enforcement agencies as well as anti-mob associations to ask if they are willing to be "receivers" of the leaks, even if those groups have not yet responded officially.
“We didn’t expect so much exposure, and we have already received many submissions,” one of its administrators, initially contacted through the site’s email platform, told TechPresident over a secure chat. “While we are actually handling the submissions right now, we are planning to build a system where we won’t even be able to see them. But before that we need to build a network of trusted media outlets, law enforcement agencies and anti-mob organizations.” It’s not easy, given the fact that their administrators are anonymous. So far there are about four journalists, either freelance or working inside news organizations, receiving the leaks.
Regardless of the platform or the country where it is adopted, it seems that once set up, information and tips flow quickly to these whistleblowing websites. There are still a number of issues with these platforms, however, from helping users to blow the whistle securely, to the lack of resources for developing, hardening and maintaining these kind of projects. “Many people are asking us to use GlobaLeaks but we don’t have enough resources to help them all, and we are looking for grants,” Fabio Pietrosanti, co-founder of GlobaLeaks, told TechPresident. In any case, whistleblowing tools are here to stay and are going to become an ever-vital tool for journalists.
“For decades, journalists were able to protect their sources by refusing to testify in front of grand juries and judges,” says Trevor Timm, an activist at the Internet-rights nonprofit Electronic Frontier Foundation. “Now, prosecutors don't need a journalist's testimony to go after sources. They can just subpoena metadata of phone calls or emails. It's up to journalists to find ways to protect how they communicate with their sources before they ever get to court.”
Carola Frediani is an Italian journalist and co-founder of the media agency, Effecinque.org. She writes on new technology, digital culture and hacking for a variety of Italian publications, including L’Espresso, Wired.it, Corriere della Sera, Sky.it. She is the author of Inside Anonymous: A Journey into the World of Cyberactivism.
Personal Democracy Media is grateful to the Omidyar Network and the UN Foundation for their generous support of techPresident's WeGov section.