WEOS Finger Lakes Public Radio

How The Media Are Using Encryption Tools To Collect Anonymous Tips

Feb 27, 2017
Originally published on February 27, 2017 3:43 pm

There was a time when a whistleblower had to rely on the Postal Service, or a pay phone, or an underground parking garage to leak to the press.

This is a different time.

A renewed interest in leaks since Donald Trump's surprise election victory last fall, and a growth in the use of end-to-end encryption technology, have led news organizations across the country to highlight the multiple high-tech ways you can now send them anonymous tips.

The Washington Post, The New York Times and ProPublica have launched webpages outlining all the ways you can leak to them. ProPublica highlights three high-tech options on its page (in addition to the Postal Service): the encrypted messaging app Signal, an encrypted email program called PGP (or GPG) and an anonymous file sharing system for desktop computers called SecureDrop. The Washington Post goes even further, highlighting six digital options.

Jeff Larson, a reporter at ProPublica, says of all this, "We're living in almost a golden age for leaks."

Some tools like SecureDrop, created by the Freedom of the Press Foundation, were made just for newsrooms to accept anonymous tips. Others, like Signal, the premier encrypted messaging app on the market right now, were created with a different, and more universal purpose.

Moxie Marlinspike, one of the creators of Signal, says it's for everyone who might not be aware that a lot of their communication might not actually be private.

"What we're really trying to do is bring people's existing reality in line with people's expectations," Marlinspike says. "Most of the time when people send someone a message, their assumption is that that message is only visible to themselves and the intended recipient. It's always disappointing when that turns out not to be true."

Trevor Timm, executive director of the Freedom of the Press Foundation, says newsrooms' and leakers' reliance on these tools also speaks to a new reality.

"We're living in a golden age of leaks but we're also living in a golden age of surveillance," Timm says. "It is very easy for the government, for example, to subpoena a Google, or a Verizon, or an AT&T to get a journalist's phone records, or email records, that tells them who they talked to, when they talked to them, and for how long. Over the past eight or 10 years, the government has been able to prosecute a record number of sources, and the primary way they've been able to do this is because of their increased surveillance capabilities."

That heavier scrutiny of the press and its sources has come from both sides of the aisle. This month, President Trump directed the Justice Department to investigate what he calls "criminal leaks" coming from the federal government, and in a speech Friday at the Conservative Political Action Conference, he said journalists should not be allowed to use unnamed sources.

The Obama administration used the Espionage Act multiple times to prosecute leaks (more than any other administration, according to PolitiFact), as well as secretly seizing Associated Press reporters' phone records.

While many encryption apps are used to bypass such surveillance of communications between leakers and the press, some apps are being used by staffers within the government to communicate with each other. A recent Washington Post article stated that some White House staffers are relying on an encrypted messaging app called Confide to communicate with each other without using official phones or email, out of a fear of leaks.

But using an app like that — to make official White House communications private — raises red flags for Chris Lu, former deputy labor secretary under President Barack Obama.

"At the White House and at the Department of Labor," Lu says, "we were given very clear training and guidance about the Presidential Records Acts and maintaining documents." The Washington Post story, he says, "instantly raised red flags whether it was in compliance with the Presidential Records Act. And it clearly is not." (That law is meant to ensure that communications in the White House are maintained for historical purposes.)

Confide CEO Jon Brod says his company advises all users to follow the rules of their employers, if they're using Confide to talk to co-workers.

"There are certain industries and sectors where specific people and certain types of conversations are regulated," Brod says, pointing to financial services, health care and parts of the government. "If you are in one of those industries or sectors, it's important that you use Confide in a way that conforms to any of those regulations that may be relevant to you."

Of course, the legality and ethics of such communications between government workers, as well as between the press and government leakers, often depends on whom you ask.

For Moxie Marlinspike of Signal, there is no question on one thing: whether apps such as his are good for society. "I think what we're seeing is things like Signal almost democratizing that ability (to leak)," he says. "So people who are not necessarily at these high-level posts, but just ordinary workers, are able to communicate what's going on to people outside of government. If you're the director of the CIA, you don't need Signal."

But with the growth of apps like Signal and encryption technology, there might not ever be a way to tell just how ubiquitous all this high-tech leaking becomes. Often the data is so secret that there are few metrics to read, if there are any at all. "We don't have any information about our users," Marlinspike says. "That's how end-to-end encryption works: Even us, we don't have that kind of information."

Copyright 2017 NPR. To see more, visit http://www.npr.org/.

DAVID GREENE, HOST:

So in these early days of the Trump administration, there have been a lot of leaks. For example, this weekend, the news site Politico ran a story featuring leaked accounts of White House Press Secretary Sean Spicer lecturing his staff on the need to prevent leaks. As NPR's Sam Sanders reports, thanks to technology, we really are living in the golden age of the leak.

SAM SANDERS, BYLINE: Back in the day, if you wanted to leak a big scoop to a newspaper, you had to rely on things like the U.S. Postal Service or pay phones or an underground parking garage. Now there's an app for that.

MOXIE MARLINSPIKE: Signal is a messaging and calling app, and it works just like any other messaging and calling app except it uses end-to-end encryption.

SANDERS: That's Moxie Marlinspike. That name is a pseudonym. Marlinspike is one of the founders of Signal, the premier app for leakers. I will let him explain just what end-to-end encryption means.

MARLINSPIKE: You can ensure that when you send a message to someone or you call someone that the thing that you write or say is only visible to yourself and the intended recipient.

SANDERS: Basically, end-the-end encryption means your messages travel to their recipient with a lock on them, and only the intended recipient has the key. The investigative news organization ProPublica actually has a webpage with a list of all the different methods you can leak with. It's called, quote, "How To Leak To ProPublica." Jeff Larson is a reporter there. He went down the list.

There's a file-sharing system called SecureDrop.

JEFF LARSON: Which is an open-source system that allows us not to even know who the person is who leaked to us.

SANDERS: There's also a special encrypted email called GPG. Larson says there are so many high-tech ways to leak now.

LARSON: We're living in a golden age for leaks.

TREVOR TIMM: We're living in a golden age of leaks, but we're also living in a golden age of surveillance.

SANDERS: That's Trevor Timm. He's the executive director of the Freedom of the Press Foundation. That's the group that made SecureDrop. Timm says part of the reason all these new ways to leak exist is because it's harder now, more than ever, to really ensure that you're having a private conversation with a journalist.

TIMM: So it is very easy for the government, for example, to subpoena a Google or a Verizon or an AT&T to get a journalist's phone records or email records that tells them who they talked to, when they talked to them and for how long.

SANDERS: And Timm says the government is prosecuting leakers more. Increasingly, encrypted apps aren't just being used to leak to the press. They're being used within organizations, like the White House. A recent Washington Post article said that White House staffers have begun to use an app called Confide just to talk to each other because they're so afraid of leaks.

JON BROD: Sam?

SANDERS: OK.

BROD: How are you doing?

SANDERS: I'm good. I'm sure you've had...

I had Jon Brod show me how Confide works. He's the co-founder and president of the company. Brod says Confide does more than just encrypt messages. Little bricks cover the words in the message so you can never see the entire message all at once.

BROD: And the way I read the message is by wanding my fingers over the bricks, which unveils a sliver of the message at a time.

SANDERS: And once you've read it, the message disappears. I tried it. It was pretty cool.

(SOUNDBITE OF CELLPHONE CHIME)

SANDERS: Oh - I see it.

BROD: (Laughter).

SANDERS: And now it's gone.

BROD: Now it's gone.

SANDERS: (Laughter) That was so cool. It's like an invisible marker or something.

In spite of Confide's cool factor, some say the app should be more secure. One BuzzFeed reporter says she found White House Press Secretary Sean Spicer's phone number through the app, and other experts say Confide's encryption needs further review.

Confide app CEO Jon Brod told NPR the app does not show phone numbers or email addresses. And he said Confide's encryption matches a standard many people use for their emails. Whatever the case, Moxie Marlinspike from Signal - he says, overall, leaking going digital is good because it's democratizing leaks, making it easier for who he calls the low-level government employee.

MARLINSPIKE: If you're the director of the CIA, like, you don't need Signal.

SANDERS: Or maybe you do.

Sam Sanders, NPR News. Transcript provided by NPR, Copyright NPR.