Got A Hot Tip? Here’s How To Leak Securely To The Press

By Steven Melendez

Even before President Donald Trump took office, much of the public’s understanding of the inner workings of his administration has come from what’s been called an unusually large wave of leaks to the press.

Many of the leaks undoubtedly come from insiders with existing relationships with reporters—the anonymous senior administration officials familiar to readers of political journalism. But media organizations have also rolled out digital tools designed to allow would-be whistleblowers within the Trump administration, other layers of government, and private industry to communicate anonymously and securely with reporters. The stakes are potentially high for would-be sources, as Trump increasingly rails against leaks and vows to track down their sources.

The tools, such as the Freedom of the Press Foundation’s SecureDrop and the GlobaLeaks platform backed by Italy’s Hermes Center for Transparency and Digital Human Rights, harness encryption and the anonymizing network called Tor to let sources send secret messages and files to reporters without revealing their identities, locations, or IP addresses. And since Trump’s election, a wave of media organizations have deployed this new infrastructure for secure communication, a kind of modern-day answer to the clandestine meetings in parking garages and secret signals made famous by such movies as All the President’s Men.

“We’ve seen a massive increase in news organizations that want to run a SecureDrop since the election—so much so that we are trying mightily to keep up,” says Trevor Timm, executive director of the Freedom of the Press Foundation. According to a directory maintained by the foundation, SecureDrop (which traces its history back to code written by the late internet activist Aaron Swartz) is being used by long-established publications, including The New Yorker, The New York Times, and The Washington Post, and by newer outlets like Vice, ProPublica, and BuzzFeed.

Univision’s Gizmodo Media Group, which includes the millennial-focused Fusion and former Gawker properties Deadspin and Jezebel, has even taken out Facebook ads that target government officials and urge them to visit a site called TellOnTrump.com, The Wall Street Journal recently reported. The site offers sources a variety of ways to leak to Gizmodo’s investigative reporters, including SecureDrop, encrypted email, and encrypted messaging tools.

The recent wave of interest was spurred on by Trump’s openly hostile attitude toward the press and his early restrictions on public statements by many federal officials, Timm says. And, he adds, many outlets took a serious look at SecureDrop after seeing The New York Times adopt the platform soon after Trump’s election. “Generally, when The New York Times does something, a lot of news organizations follow,” he says.

Even before Trump, consequences for sources of even well-intentioned leaks can be quite serious. Former National Security Agency contractor Edward Snowden was essentially forced into exile in Russia for whistleblowing, and at the time of Chelsea Manning’s scheduled release in July, the former soldier will have spent seven years in custody for transmitting a massive trove of documents to WikiLeaks. President Barack Obama commuted Manning’s sentence from an initial 35-year term, but his administration presided over what transparency experts have said was an unusual number of leak prosecutions under the federal Espionage Act.

That’s a trend that may continue under Trump, who has already received support from Congressional Republicans for potential plans to root out who’s been leaking within his administration and who, years before taking office, had called for Snowden’s execution.

“There’s a high risk of retaliation when someone becomes a whistleblower,” says Betsy Reed, editor-in-chief of The Intercept, an early adopter of SecureDrop. “It can rise to the level of an Espionage Act prosecution, but it can also be the loss of a job in the private sector.”

Using a platform like SecureDrop or GlobaLeaks doesn’t eliminate the risk that leak sources can be discovered, advocates stress. And developers urge sources to take extra precautions beyond Tor, like only transmitting files over a public wireless network and using Tails, a secure operating system that comes bundled with Tor and can be launched from a USB stick or DVD, leaving no trace on a source’s laptop. Some people may also wish to use a cheap throwaway laptop to make contact, says Matthew Green, assistant professor of computer science at Johns Hopkins University’s Information Security Institute.

Sources should also consider the fact that particular documents or facts might only be accessible to a few people, potentially making the identity of whoever leaked them easier to determine, Green says. And sources should consider printing and scanning digital documents before leaking them, or at least generating PDFs from original files like spreadsheets and word processing documents, he says. “Never give out a direct electronic copy of the document,” Green says. “Things like Microsoft Word documents can have [identifying] metadata.”

But using Tor ensures that journalists, and even internet service providers who could get search warrants or subpoenas from authorities, can’t detect who’s transmitting data and documents.

“The reality is that when a reporter’s source can be identified through digital traces, the prosecution does not even need that reporter to testify,” wrote Charles Berret, a fellow at Columbia Journalism School’s Tow Center for Digital Journalism, in a report on SecureDrop.

Organizations using SecureDrop don’t even open documents they receive on internet-connected computers, instead moving them to a second disconnected machine before decrypting them, so there’s less chance of them being stolen by cyber eavesdroppers.

SecureDrop and GlobaLeaks also gives journalists and sources the option of sending messages back and forth, which users say can be more valuable than one-off drops. And while publications don’t always disclose which stories were reported through leaking tools, outlets including the Associated Press and The Intercept have credited stories to SecureDrop leaks. GlobaLeaks has been used by outlets across Europe, Africa, and Latin America to develop stories, says Fabio Pietrosanti, president of the Hermes Center.

“GlobaLeaks play an essential role for AWP in what regards technological empowerment,” says Pedro Noel, editor of the Brussels-based Associated Whistleblowing Press, in an email to Fast Company. “Without them, our organization would have very different, probably weaker, potential of action.”

The AWP operates sites around the world, including Ecuador Transparente, which has reported on homegrown state surveillance, and Iceland’s Ljost, which published reports of police surveillance in the country and loans to insiders at Iceland’s failed bank Glitnir.

“There are maybe 40 well-known installations of GlobaLeaks that are managed by different organizations,” says Hermes Center fellow Marco Calamari. That number includes the installations used for internal anonymous whistleblowing at government agencies and private companies. He emphasizes, though, that the tool’s developers may not know the full list of organizations using it.

There’s also no way to definitively say whether journalists overall have received more tips through whistleblowing tools since Trump was elected or since he took office. But the Freedom of the Press Foundation’s Timm says he’s heard anecdotal reports from journalists that they’re receiving more messages through SecureDrop. The foundation is planning fundraising efforts to effectively double the current staff of five working on the tool in order to roll out new features and support existing users.

And while Reed declined to reveal the number of leaks received through SecureDrop at The Intercept, she says the type of leaks has changed with Trump in the White House.

“I definitely can say that the quality of information is greater,” she says. “It’s consistently more interesting and in the public interest.”

 

Fast Company , Read Full Story

(19)