How the media are using encryption tools to collect anonymous tips

The Washington Post and other media organizations have launched web pages outlining ways you can leak information to them confidentially.
Brendan Smialowski | AFP | Getty Images

There was a time when a whistleblower had to rely on the Postal Service, or a pay phone, or an underground parking garage to leak to the press.

This is a different time.

A renewed interest in leaks since Donald Trump's surprise election victory last fall, and a growth in the use of end-to-end encryption technology, have led news organizations across the country to highlight the multiple high-tech ways you can now send them anonymous tips.

The Washington Post, The New York Times and ProPublica have launched webpages outlining all the ways you can leak to them. ProPublica highlights three high-tech options on its page (in addition to the Postal Service): the encrypted messaging app Signal, an encrypted email program called PGP (or GPG) and an anonymous file sharing system for desktop computers called SecureDrop. The Washington Post goes even further, highlighting six digital options.

Jeff Larson, a reporter at ProPublica, says of all this, "We're living in almost a golden age for leaks."

Some tools like SecureDrop, created by the Freedom of the Press Foundation, were made just for newsrooms to accept anonymous tips. Others, like Signal, the premier encrypted messaging app on the market right now, were created with a different, and more universal purpose.

Moxie Marlinspike, one of the creators of Signal, says it's for everyone who might not be aware that a lot of their communication might not actually be private.

"What we're really trying to do is bring people's existing reality in line with people's expectations," Marlinspike says. "Most of the time when people send someone a message, their assumption is that that message is only visible to themselves and the intended recipient. It's always disappointing when that turns out not to be true."

SecureDrop, created by the Freedom of the Press Foundation, was designed for newsrooms to accept anonymous tips.

Trevor Timm, executive director of the Freedom of the Press Foundation, says newsrooms' and leakers' reliance on these tools also speaks to a new reality.

"We're living in a golden age of leaks but we're also living in a golden age of surveillance," Timm says. "It is very easy for the government, for example, to subpoena a Google, or a Verizon, or an AT&T to get a journalist's phone records, or email records, that tells them who they talked to, when they talked to them, and for how long. Over the past eight or 10 years, the government has been able to prosecute a record number of sources, and the primary way they've been able to do this is because of their increased surveillance capabilities."

That heavier scrutiny of the press and its sources has come from both sides of the aisle. This month, President Trump directed the Justice Department to investigate what he calls "criminal leaks" coming from the federal government, and in a speech Friday at the Conservative Political Action Conference, he said journalists should not be allowed to use unnamed sources. The Obama administration used the Espionage Act multiple times to prosecute leaks (more than any other administration, according to PolitiFact), as well as secretly seizing Associated Press reporters' phone records.

While many encryption apps are used to bypass such surveillance of communications between leakers and the press, some apps are being used by staffers within the government to communicate with each other. A recent Washington Post article stated that some White House staffers are relying on an encrypted messaging app called Confide to communicate with each other without using official phones or email, out of a fear of leaks.

But using an app like that — to make official White House communications private — raises red flags for Chris Lu, former deputy labor secretary under President Barack Obama.

"At the White House and at the Department of Labor," Lu says, "we were given very clear training and guidance about the Presidential Records Acts and maintaining documents." The Washington Post story, he says, "instantly raised red flags whether it was in compliance with the Presidential Records Act. And it clearly is not." (That law is meant to ensure that communications in the White House are maintained for historical purposes.)

Confide CEO Jon Brod says his company advises all users to follow the rules of their employers, if they're using Confide to talk to co-workers.

"There are certain industries and sectors where specific people and certain types of conversations are regulated," Brod says, pointing to financial services, health care and parts of the government. "If you are in one of those industries or sectors, it's important that you use Confide in a way that conforms to any of those regulations that may be relevant to you."

Of course, the legality and ethics of such communications between government workers, as well as between the press and government leakers, often depend on whom you ask.

For Moxie Marlinspike of Signal, there is no question on one thing: whether apps such as his are good for society. "I think what we're seeing is things like Signal almost democratizing that ability (to leak)," he says. "So people who are not necessarily at these high-level posts, but just ordinary workers, are able to communicate what's going on to people outside of government. If you're the director of the CIA, you don't need Signal."

But with the growth of apps like Signal and encryption technology, there might not ever be a way to tell just how ubiquitous all this high-tech leaking becomes. Often the data is so secret that there are few metrics to read, if there are any at all. "We don't have any information about our users," Marlinspike says. "That's how end-to-end encryption works: Even us, we don't have that kind of information."

Copyright 2019 NPR. To see more, visit https://www.npr.org.

Correction (2017-02-27 05:00:00 UTC):

A previous Web version of this story quoted Trevor Timm as saying a record number of journalists had been prosecuted over the past eight to 10 years. Timm subsequently informed us that he had misspoken and had meant to say a record number of sources.