How to Keep Sources Secure from Surveillance

In an encrypted Q&A with The New York Times Magazine, National Security Agency leaker Edward Snowden warned that journalists have been slow to properly respond to the threat of government surveillance. "I was surprised to realize that there were people in news organizations who didn’t recognize any unencrypted message sent over the Internet is being delivered to every intelligence service in the world," he wrote to Peter Maass about his initial attempts to communicate with Guardian reporter Glenn Greenwald. "In the wake of this year’s disclosures, it should be clear that unencrypted journalist-source communication is unforgivably reckless." Revelations over the last few months have made it clear that the U.S. government is willing and able to use telephone and Internet records to pursue sources who leak secrets to the media, and to do so by targeting reporters, if necessary.


The government has accused Edward Snowden, a former contractor with the National Security Agency, of leaking classified documents. Image from a video by Glenn Greenwald and Laura Poitras/The Guardian



In an encrypted Q&A with The New York Times Magazine, National Security Agency leaker Edward Snowden warned that journalists have been slow to properly respond to the threat of government surveillance. "I was surprised to realize that there were people in news organizations who didn’t recognize any unencrypted message sent over the Internet is being delivered to every intelligence service in the world," he wrote to Peter Maass about his initial attempts to communicate with Guardian reporter Glenn Greenwald. "In the wake of this year’s disclosures, it should be clear that unencrypted journalist-source communication is unforgivably reckless."



Revelations over the last few months have made it clear that the U.S. government is willing and able to use telephone and Internet records to pursue sources who leak secrets to the media, and to do so by targeting reporters, if necessary.



First came news in May that the Justice Department had secretly obtained two months of telephone records of reporters and editors for the Associated Press as part of an investigation into the disclosure of details of a CIA operation in Yemen that foiled a plot to blow up a U.S.-bound airplane. Then came a report that the Justice Department had secretly searched Google's servers for Fox News reporter James Rosen's emails, using a warrant that identified him as a co-conspirator in the leak case they were pursuing related to classified information about North Korea.



Snowden has been responsible for one extraordinary story after another all summer long in the Guardian, illustrating the reach of the National Security Agency. A federal appellate court ruled in July that there is no such thing as reporter's privilege, in a case where New York Times reporter James Risen is refusing to testify against a former CIA agent charged with leaking classified information about a botched plot against the Iranian government.



"The threat is coming from everywhere, and it's clearly getting worse every month," says Kevin Poulsen, the investigation editor for Wired News.



"The government's surveillance of both reporters and potential sources has made it much more difficult to do investigative reporting," says the Times' Risen. "Above all, it's had a chilling effect on people in the government who are now afraid to talk to reporters. The climate has gotten much worse during the Obama administration."



Government surveillance of communications means that the weak link when it comes to protecting sources is now technological. "I don’t think most news organizations have remotely considered the threat to journalism potentially posed by the methods revealed in the Snowden documents," Guardian editor Alan Rusbridger wrote during a recent Q&A on the social media site Reddit. "One basic question: How are we going to have secure communication with sources in future—by phone, by chat, by email, by anything except face to face contact?"



At a July conference on whistleblowing and the press sponsored by the Government Accountability Project (GAP), Julian Sanchez, a research fellow at the Cato Institute, said reporters simply aren't adapting fast enough to the new environment: "If we expect whistleblowers to take these sorts of enormous risks, the journalists need to step up and have the capabilities that are necessary to ensure that … the technology is not going to give up their sources. You see a lot of reporters who are admirably, as a matter of principle, willing to do whatever it takes—if necessary go to jail—to protect their sources, but don't have the kind of basic tradecraft … that would enable them to have secure communications."



He proposes that journalism schools teach secure communication strategies: "Here’s how you use Tor and PGP and OTR encrypted chat, and here's how you verify the fingerprints and avoid man-in-the-middle attacks and avoid traffic analysis."



Primers on tools that anybody, including journalists, can use to blunt the effects of mass surveillance are increasingly common. Some steps take only a few seconds. But others are more onerous. New York Magazine writer Kevin Roose recently chronicled his laborious attempt to go surveillance-free for a whole day. "It's taken hours to set up an encrypted Hushmail account, install HideMyAss, Wickr, Seecrypt, and Tor (the apps I'm using to foil would-be snoops)," he complained. He also chose to "wrap my cell phones in aluminum-foil Faraday cages to avoid unwanted transmissions; and wire my red baseball hat with infrared LEDs to make myself invisible on security cameras."



Some sources are in a position to help reporters get up to speed on security, like  Thomas Drake. Drake, an NSA whistleblower, provided information about his agency to a Baltimore Sun reporter in 2007 and was subjected to a failed four-year federal prosecution the trial judge called "unconscionable." "It's fair to say that I knew that NSA had penetrated the heart of the Internet infrastructure in the United States and I knew that any attempt to communicate with a reporter was going to be fraught with surveillance peril," he told the GAP conference. "I had to think long and hard, given my own technical background, about what means I had at my disposal that would at least make it much more difficult in terms of real-time decryption or real-time monitoring surveillance, knowing that even on the Internet you at least have to get a message out to somebody and the fact that you're communicating can still be detected."



He ended up guiding the reporter through a number of steps. And even today, he said, "I’m having to educate. I will not communicate with certain people unless they put encryption packages on their computers and on their phones. It’s just prudent."



Christopher Soghoian, a longtime privacy researcher now at the ACLU, recently tweeted a question to his 20,000 or so followers: "News orgs that do original investigative national security reporting should have full time information security staff. Does yours?"



The answer, he says, is that they do not: "News organizations currently push all the hard work in figuring out how to communicate securely down to the journalist talking to the source. Every journalist is supposed to be their own information security experts, and the results are not surprising."



A chief information security officer at a news organization would "lower the barrier for the journalists to do the right thing," he said. For instance, they would "make sure that when a new journalist arrives, the laptop they're given has the right tools installed and enabled by default." There would be orientations, and refresher courses, and tech support. "As long as we expect journalists to be experts in information security, we're going to see stories about sources being identified through communications records," Soghoian says.



Sanchez said whistleblowers need to know which journalists they can trust: "You may have a sense of who has the integrity to protect their sources, but you probably don’t have a very clear way of knowing who has the technical savvy to be able to effectively use the tools necessary to engage in secure communications, certainly if the national security establishment is going to be the adversary trying to track down those communications."



One promising new tool is the New Yorker's Strongbox, an online system for anonymous submissions built by Poulsen, who was a hacker before becoming a journalist, and Aaron Swartz, the programmer and Internet activist who committed suicide in January while under federal investigation for allegedly gaining illegal access to computer files at the Massachusetts Institute of Technology. The system, which is open-source, offers end-to-end encryption, records no identifying information, and allows sources to leave files or messages in complete anonymity. Strongbox launched in May.



Even news organizations that don't think they have an immediate need to offer sources such a tool should know "it's going to happen eventually," Poulsen says. "So what are you doing to roll out the welcome mat in a secure way?"



Nicholas Thompson, editor of newyorker.com, says Strongbox has turned out to be even more useful than anticipated: "Not only is it a good tool for people we didn't know about to send us information we don't know, it's also a good tool for just communicating with sources who don't want to meet in a park."



Not that there's anything wrong with meeting in a park. In fact, meeting face to face remains a very secure, if not particularly convenient, way to exchange information.



Washington Post lawyers advise reporters not to use emails or the phone for sensitive conversations, and to give sources code names, according to Jeff Stein, the former Spy Talk blogger there. In an article in Computing Now magazine, Stein recalls being told in his orientation in 2010: "Go back to park benches and parking garages." Stein didn't take all the advice he was given. "I can't have some sort of double coded system here, it would drive me nuts," he says. But "I very rarely ask people—my kinds of sources, intelligence sources—sensitive questions in email." His emails are more likely to say something like "How about a beer at the usual place, at the usual time?"



New York Times national security reporter David Sanger thinks of it as old school. "The wonder in this electronic age, which depersonalizes most interchanges, is that thanks to the technique used by the U.S. government and others, we've actually restored the old tradition of meeting people for a drink," Sanger says.



But in a high tech world where so much communication takes place online, and surveillance is so omnipresent, how can sources even make that first contact? Says Poulsen: "They can't even get near your transom to throw anything over it without leaving some sort of record." That's precisely what systems like Strongbox are for.



Poulsen and Thompson both foresee a time when some sources will choose to remain anonymous even to the reporters to whom they leak. Historically, most news organizations have insisted that the reporter and at least an editor or two know the true identity of anonymous sources. "I think the way things are going, we have to reevaluate that and be more open to completely anonymous sources that are even anonymous to us," says Paulson.



One result of that will be that the burden of verifying the substance of the leaks then falls entirely on the news organization. "There's a lot more work for the reporter," Poulsen says. "But being able to keep the promise that we'll protect the anonymous source, that's starting to become a very ambitious promise."



Once news organizations use the best technical means to keep sources' identities secret, Poulsen says, "you as the reporters would wind up being the weakest link."



Dan Froomkin
, former senior Washington correspondent for The Huffington Post, writes about accountability journalism for Nieman Reports.