How can whistleblowers and journalists protect themselves from casual snooping by security agencies? A new secure whistleblowing site offers some answers to the challenge of providing better security for media sources.
One of the most significant but under discussed problems in contemporary journalism, especially in Australia, is the threat to whistleblowers.
Put simply, few Australian journalists can guarantee sources who wish to remain anonymous that their confidence will be protected, if governments are sufficiently determined to track them down. Nor can sympathetic politicians. As Crikey reported last year, the Australian Federal Police has already admitted it has used communications metadata of both journalists and MPs and senators in order to track down whistleblowers and anonymous sources.
It doesn’t matter if a journalist is prepared to go to jail rather than reveal a source, or if they’re backed by their editor and company, if their phone data can be obtained by the AFP (without needing judicial authorisation) it can lead directly to a source. And that’s before you get to the threat posed by National Security Agency-style mass surveillance. Even Glenn Greenwald had to be coached remotely by Edward Snowden to install data encryption software PGP in order to exchange encrypted emails.
Whistleblowers are a critical resource for a watchdog press, which is why mass surveillance mechanisms like data retention pose such a fundamental threat not just to privacy, but to the quality of our civil society.
Improving basic IT hygiene and making encryption a default practice within the media should be a priority for the media. Encrypting communications and using anonymity tools significantly complicates the task of intelligence and law enforcement agencies in trying to hunt down whistleblowers. But this is an industry that has higher priorities currently, like trying to stay in business.
Following the closure of WikiLeaks’ anonymous whistleblower system, outlets like the Wall Street Journal and Al Jazeera tried to establish their own anonymous dropboxes. The News Corporation version was plagued both by security flaws and the basic legal problem that News Corp admitted it would hand over whatever information it had, if forced to. Last year, The New Yorker launched Strongbox, based on code developed by the late Aaron Swartz.
And a fortnight ago, Media Direct was launched in Australia, based on the GlobaLeaks platform, developed primarily in Italy (there’s already a working system in the Netherlands).
In essence, Media Direct seeks to enable encrypted interactions between anonymous whistleblowers, who access it via the Tor relay network, and specified journalists, with the submission server itself not logging anything, thus meaning it has no information to provide should it be targeted by the government of its host country (which remains secret, even from the administrators to the Media Direct site here in Australia). The site automatically deletes material that isn’t used within two weeks, and the keys whistleblowers use to access the server also have a limited lifespan. It’s close to plug-and-play for whistleblowers, as long as they can install Tor.
Luke McMahon, the Australian co-ordinator of the project, said the site differed from Strongbox in its goals:
“While we use a significantly modified version of similar open source software, unlike Strongbox we are not backed by a corporate entity. Strongbox is financed by the New Yorker — we are not a publisher out to monopolise information for a profit, they are.”
McMahon said they considered adopting a publishing model but decided not to:
“Journalists are backed institutionally in a way that we are not. They also have various protections such as shield laws in most jurisdictions. By providing a passive communication service journalists can either direct a source to use it, or it’s just there … The legal onus, as is always the case in situations where unsolicited information is handed to a journalist, especially in cases where the info has been obtained unlawfully, is placed on the whistleblower. They must abide by our terms and conditions. That means they should not break the law.”
“Most corporate entities won’t go that road of TheNew Yorker,” McMahon said. “Legal and other institutional barriers prevent them from taking those steps. That’s why we don’t make agreements with corporate entities, we make agreements with journalists.”
The list of signed up journalists includes top Fairfax investigative journalist Richard Baker and gun business journalist Adele Ferguson, The Australian’s higher education reporter Andrew Trounson and myself and Crikey editor Marni Cordell.
In the post-Snowden era, no system can guarantee online anonymity for whistleblowers. But currently, journalists are at the other end of scale, struggling to offer even basic protection from casual, warrantless snooping by the endless list of agencies that can obtain metadata on them in Australia. Part of the benefit of a system like Media Direct should be to concentrate media minds on viable ways of better protecting sources.