Abstract

Journalists have always fiercely protected their sources, but in an era of more intrusive surveillance, journalist
Antoine Deltour stands on life-size sculpture Anything to say? by Italian artist Davide Dormino, which portrays former National Security Agency whistleblower Edward Snowden, Wikileaks founder Julian Assange and former US soldier Chelsea Manning. Deltour and another former employee of accountancy giant PricewaterhouseCoopers went on trial in Luxembourg in April 2016 accused of leaking details of corporate tax deals
CREDIT: Newzulu/Claude Truong-Ngoc/PA Images
In theory, in our profession, we should go to jail, even resist torture, rather than give up the source of even a trivial story. It is supposed to be a code of honour. But what value is that promise today? With surveillance technology, from drones to police cameras to computer viruses, all so pervasive, is it possible to protect a source?
Thanks particularly to the NSA whistleblower, Edward Snowden, we are acutely aware of the potency of the modern state in deploying technology for “mass surveillance”. And that serves to underline the fragility of any promise of anonymity.
For example, in Britain, while public attention has been consumed by a referendum on European Union membership for the past few months, state sanction to use surveillance methods to identify journalist sources is currently slipping through the UK parliament.
Labelled by critics as a “snooper’s charter”, the Investigatory Powers Bill will compel telecommunications companies to store precise details of everyone’s internet and telephone activity for 12 months – data that can then be scoured later for clues by public authorities.
In the draft bill, journalists do get some extra protection. A “judicial commissioner” must approve requests to discover their sources. But, as the National Union of Journalists and other critics point out, the measure gives no opportunity for the journalist to argue his case.
The problem, though, is not with laws. No writer with a desire to challenge power and authority should rely on the law to protect his sources – no matter where he or she is in the world. The critical challenge to our promise to protect sources comes from technology and, in particular, the way all of our lives are increasingly digitised. This is an age of self-espionage where, with computers and mobile phones, email and social media, people constantly track their own location, hand over their private documents to the cloud, record intimate thoughts online, and publicise their network of contacts.
This cornucopia of data can make it quite trivial for governments or private detectives to piece together a connected journalist’s network and work out how that intersects with people who may have been the journalist’s source. After narrowing the field, more intrusive surveillance (such as actually listening to phone calls or following suspects around) as well as physical searches of computers and documents can finally nail the source.
The danger is magnified by modern journalism practice. Financial cutbacks or just lazy habits can mean that research is increasingly conducted from the desktop: interviews take place by phone or email, leaving behind a stronger trace than chats in a café or on a doorstep.
In the UK, three policemen were dismissed for gross misconduct for their role in leaking to The Sun newspaper an account of an altercation outside No 10 Downing Street, in which a Conservative Party cabinet minister was said to have called police officers “fucking plebs”. A police report, released in 2014, revealed The Sun’s sources were identified by a secret search of phone logs of The Sun’s news desk, its reporters and the mobile phones of police officers.
In the United States in 2013 CIA officer John Kiriakou, who spoke out against torture techniques, was convicted and jailed for 30 months after the seizure of his email records disclosed that he had shared classified information with Matthew Cole, a freelance reporter with ABC News, and Scott Shane, a New York Times reporter.
What both cases underlined was that – with electronic communications – there is often no hiding place. But then again those cases also reflect an almost naïve era, prior to the arrival of Snowden, in which ordinarily intelligent people imagined their phone logs and unencrypted emails were somehow unreachable by the state.
To be countered, the nature of electronic surveillance needs to be understood. Despite all the capacity of agencies like the NSA or Russia’s FSB, live-surveillance of any individual is incredibly resource-intensive. It can, for instance, take a team of 20 people to follow one individual. Even drones need pilots, and electronic interception is also demanding: tapes of phone calls, for instance, need to be listened to, transcribed, translated.
It follows that unless the journalist or his source is currently in the spotlight as a prime enemy of a state or some private corporation (which can have the resources to do their own surveillance) then he is unlikely to be worth the effort of keeping under permanent or at least effective watch.
The most common danger is after-the-fact; once the journalist has sent his questions or published his article or otherwise disclosed that he has an inside source. When it is clear which precise secret has been leaked then an authority or company can quickly move to isolate who could have leaked that information and can study their potential connections to a journalist. As detectives say, a crime needs a body (corpus delicti) before an investigation can begin.
The trouble is, as I have found, sources may have incriminated themselves from the beginning. The fault is often with the whistleblower, not the reporter. For example, they may get in touch via an email from a work computer that could be easily searched later. Or they naively insist on trying to make you a friend on Facebook or LinkedIn. All this makes it very hard to protect them.
The good news is that there are counter-measures. Andy Müller-Maguhn is a surveillance expert and member of Germany’s Chaos Computer Club. In the past, he has worked closely with WikiLeaks and other transparency projects. “The trouble is that people often have a limited understanding of how surveillance works and how to protect themselves. That means people are much less willing to come forward with information, or say things of meaning over the phone or by message. It can have a paralysing effect,” he said.
According to Müller-Maguhn, a key revelation of the Snowden papers and of the history of handling both WikiLeaks and Snowden’s escape from US arrest (all of which involved keeping one step ahead of the NSA) is that encryption works.
With properly installed encryption software, journalists and activists and their sources can, if they educate themselves, confidently make phone calls, have chats, and share documents with sources across the globe without real fear of interception.
While hackers and activists tend to communicate by a system known as off-the-record messaging, which can be implemented in a way that is seen as NSA proof for now, such strong encryption can be installed much more widely across consumer devices.
For example, powerful peer-to-peer encryption (meaning no one in the middle can decrypt or has access to the call) is available for phone calls on smart phones via the Snowden-endorsed free Signal app (made by Open Whisper Systems). And in April 2016, WhatsApp, now owned by Facebook, installed the same technology for chats and phones for its billion users, in defiance of law enforcement. As Wired magazine reported: “With end-to-end encryption in place, not even WhatsApp’s employees can read the data that’s sent across its network. In other words, WhatsApp has no way of complying with a court order demanding access to the content of any message, phone call, photo, or video traveling through its service.”
There’s a big catch. These systems may not survive challenges by the FBI in US courts. And, more importantly, while the actual call or chat can now be encrypted, software like Signal and WhatsApp fails to protect so-called “meta-data”: it leaves a trace of who has been chatting to whom. That’s more than enough to identify a journalist’s source.
And there is another even bigger catch – no amount of special software can protect you if your phone or computer has been infected by computer viruses (malware) that can record keystrokes and switch on a microphone to record a conversation remotely.
As Snowden revealed, intelligence agencies have become adept at deploying malware to bypass encryption. And it does not take the NSA to deploy such technology: as discovered in Egypt after the toppling of President Mubarak and in Libya after Muammar Qaddafi, Western security companies were happy to sell such hacking technology to any dictator that wanted it.
So then we can’t be sure of the clever counter-measures being foolproof. But, amid the alarm, it is worth also remembering that technology has not only proved a means to divulge sources, but also a powerful means to protect anonymity – and slip out secrets from secretive organisations and secretive countries.
Whether using the Tor network or an anonymous Gmail account, it can be possible to establish a connection to a source that leaves no trails for most authorities.
Rather than seeing technology as a threat overall to journalism and sources, it makes more sense to think of the digital landscape as a new battleground in which innovative, often rapidly changing rules apply.
What WikiLeaks started, with their creation of an online anonymous submission platform, others have continued. German newspaper Süddeutsche Zeitung got hold of arguably “the biggest leak in whistleblowing history”, the Panama Papers, by dealing with a source they never met, and talking only over encrypted channels.
So how should we respond to these threats and opportunities? To recklessly ignore the power of surveillance is to abandon any pretence of trying to protect a source. And the high-tech solution of geekery and encryption is not always a good one. Encryption may not solve the problem of protecting who you are talking to and, in some countries, using encryption may be illegal or at least invite suspicion and attention. Last September, journalists from Vice News were arrested and put in a high-security jail in Turkey after being found using encryption technology.
Instead, based on what I’ve gleaned from speaking to colleagues in some of the hardest locations for investigative reporting, everyone develops special tactics based on experience to help protect their sources – even if none of these methods are foolproof.
One tactic is to spread noise. Aware that their telephone bills and emails will be scrutinised, journalists in Russia make a blizzard of phone calls to numerous public officials to discuss all kinds of minor matters prior to a sensitive article being published: the result is to cast an impossibly wide net of suspicion.
A police surveillance drone flies over a demonstration against the French labour law proposal in Paris, France, May 3, 2016
Credit: Gonzalo Fuentes / Reuters
Another tactic is to go dark. In Greece, where technical surveillance is rife, experienced journalists learn to avoid smart-phones with any internet connection and take care to avoid any phone contact at all with their most important sources. It’s a return to old methods of wearing down shoe leather and talking face to face.
In Angola, outspoken journalist Rafael Marques de Morais, editor of the news site Maka Angola, is the target of almost constant state harassment and monitoring.
Speaking at a journalism conference in Norway, he described how it was above all important not to be cowed by the difficulties of reporting. “One of the main weapons that totalitarian regimes use is fear, and that’s the first weapon we must destroy, fear,” he said. But he does have to avoid engaging with his sources in public, and, above all, be patient. “Sometimes I will have documents that I will not publish for a year or two until the traces to the source are forgotten or erased.”
With old-fashioned guile, there are ways to protect the whistleblower; to do nothing to combat the threat of surveillance is to collaborate in the exposure of your source. At the same time, we have to be honest. All we can say is: “I will try to protect you.”
