New America Foundation, New Tools for Today’s Investigative Journalist

14/10/2011 New America Foundation, New Tools for Today’s Investigative Journalist
by Dan Meredith

Originally posted on

While I am by no means a seasoned investigative journalist, I have the good fortune to work with some. Looking ten years back I couldn’t imagine a media organization considering geek qualifications a core part of an investigative team. In 2011, turning a geek into an investigative journalist is a no-brainer.

The information landscape a journalist lives in today is very different than ten years ago. People share more information on the Internet about themselves than ever before. Journalists have access to large quantities of free information stored in social networks, government databases, and Freedom of Information requests. In response, the traditional journalist is evolving quickly. Today’s journalist is not only sitting in the court room or town hall meeting with pen and paper but with a laptop sifting through relevant online information, filling FOIA requests, and chatting with their editors. With journalism, the market for tools and methods to collect, analyze, and present this information is growing fast.

The days of Excel spreadsheets and HTML tables are gone. Whether we’re watching on TV, reading online, or in a newspaper we expect beautiful and easy to understand representations of important information, no matter how large the underlying data is. DocumentCloud, Information is Beautiful, Piwik, Mining of Massive Datasets, PACER, Google Refine, Google Fusion Tables, Google Public Data Explorer, IBM’s Many Eyes, and ScraperWiki are just some of the data driven journalism tools widely used by mainstream media today.

There already exists a wealth of awesome write-ups documenting methods and tools for journalists creating data driven stories.[1] [2] [3] Rather than add to it, my focus is on another important and evolving component of investigative journalism: sources, communication, and protection of privacy.

The journalists of yesterday and today care deeply about protecting the identity of sources. Having a private conversation with a source used to be easier. The days of meeting sources confidentially in a dark lit parking garage are disappearing. Today things are very different. In our digital world, journalists interview sources half a world away or across town using Skype. And just like every generation of journalists, today’s are developing tradecraft with new techniques and tools on top of tried and true traditional gumshoe journalism.

Investigative and Field journalists reporting the recent revolutions in the Middle-East and Northern Africa exposed surveillance technology deployed by now toppled and currently active regimes. It has been reported that Libya was using a system developed by Amesys, a French company (though the company has argued its dealings with the regime were limited). [1] [2] The BBC reported that Iran is using a system developed by Nokia-Siemans Networks, a Finnish and German company. Syria is reportedly using a system developed by Bluecoat, an American company though it was not likely sold directly to the regime[1] [2] [3] The Guardian reported that The Gamma Group, a U.K. company, offered to sell a system to Egypt. Surveillance technology is the new hot weapon in a cyber-arms race with journalist-source confidentially in the crossfire.

Government operators of these surveillance systems are able to monitor in real time an entire populations mobile phone conversations, text messages, emails, and Instant Messages. Operators watch individuals visit websites and receive alerts for concerning activity. In some cases, operators can retrieve passwords for social network and email websites. Who are these government operators targeting? Often, it is government opponents, journalists, and their sources.

If Western developed surveillance technology can do all this for a developing Middle-East or North Africa government, what are the capabilities of developed Western government’s surveillance technology? In an arms race, what we know today was outdated yesterday.

Paraphrasing statements made by Lucy Dalglish of the Reporters Committee for Freedom of Press at the Investigative Reporters and Editors conference: No longer do governments always need court orders to obtain a journalist’s source. Lucy points to how pervasive “lawful” surveillance technology has become worldwide. The amount of information collected by today’s governments and corporations is beyond Orwell’s imagination. In response, today’s investigative journalist must develop their tradecraft with new tools and skills. Journalists must be conscious about existing surveillance technology and take steps to guard against it.

Take off the tin foil hat. It’s not going to help.

Fortunately, tools exist to keep Big Brother’s eyes and ears at bay and maintain source confidentiality. Some of these tools are accessible. They can be download and used today for secure communication between two people without requiring super geek credentials. For brevity’s sake, I’m only providing an introduction with links to more information.

Visit a Website’s Secure Address: HTTPS Everywhere
Take a look at your web browser’s address bar. The HTTP at the beginning of every web address stands for Hyper Text Transfer Protocol and is a vital component of the World Wide Web. It is also a non-secure connection. Replacing HTTP with HTTPS adds additional security. While it is often default for banks, it is not for many important sites we use to communicate amongst ourselves. The HTTPS Everywhere extension increases security by making HTTPS the default connection between you and Gmail, Facebook, Twitter, and many other websites.

From the Electronic Frontier Foundation’s website: “Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS.”

Secure Encrypted Chat:, Off-the-Record
From Julius Caesar to the Enigma Machine, cryptography has been using encryption to keep communication between two parties private for a millennia. Using modern cryptography,, allows for encrypted private chats between two individuals today. Grab a person with a computer nearest to you and visit Agree on a chat room and you are both engaged in a secure conversation requiring only a web browser. It’s that easy. is new, using recent methods to secure your communication. A mature tried and true method is called Off-the-record, or OTR. OTR extends the capabilities of your Gtalk, AIM, or any other Instant Messaging service to make sure only you and the person you’re talking to can read the messages.

If you’re using Windows or Linux, download and install Pidgin with the OTR plugin. If you’re using a Mac, download and install Adium. If you’ve an Android, download Gibberbot from the Android Market. Note, both parties in the conversation need to have one of these applications installed for secure chat.

Secure Encrypted Email: PGP,
Email is like a post card, even if you are using a secure https connection to Gmail. Without your permission, I could forward your message on to someone else. After 6 months, U.S. law enforcement can read your email without a warrant. They may not wait that long. According to Google’s Transparency Report, in 2010 94% of the time Google complied with U.S. government data requests. Never assume email is private, period.

Assuming all of your email is public, you could try and write each avoiding language that would impose self-harm or offend anyone. You would have to look beyond the present to the future as well. Or you could encrypt the email you want private with Pretty Good Privacy or PGP.

For Windows and Linux, download and install Mozilla’s Thunderbird and the Enigmail extension. For Mac, you can download GPGTools which supports Apple’s Mail app or my recommendation of Thunderbird. Just like secure chat, both parties need to have PGP enabled email configured for a secure email communication.

Another good and easy solution is “PrivacyBox provides non-tracked (and also anonymous) contact forms. It is running primarily for journalists, bloggers and other publishers.” You or your team can setup an account assuring your contacts a secure way to communicate with you for free right now.

Secure Encrypted Voice: Skype, Redphone, CryptoPhone
It is much easier than you might think to listen in on your mobile phone conversations. Skype with encrypted voice is a step in the right direction. Though unlike OTR chat’s or PGP email, it’s not a trusted solution. You put all of your trust in Skype not to listen in, manage the security of your communication, and not turn information over to a government. Microsoft owned Skype does not offer a Transparency Report like Google. Thus, we have no idea how often they comply with government data requests. It’s likely they are under similar pressure as Blackberry maker RIM is in the Middle-East, who’ve likely “granted some access to communications passed between devices to the UAE government”.

If both you and your contact have Android phones in the U.S., check out Whisper System’s RedPhone: “RedPhone provides end-to-end encryption for your calls, securing your conversations so that nobody can listen in. It’s easy to use, and functions just like the normal dialer you’re accustomed to.”

If you can afford it, a good solution is GSMK’s CryptoPhone. It looks and operates like a standard mobile phone, except when two CryptoPhones call each other. With a CryptoPhones on each end of a they create a “completely confidential encrypted telephone call”.

Secure Your Everything: Tor
The above tools do a fine job of protecting specific communications methods, but what about web browsing and everything else? What if you don’t want anyone to know you are visiting a specific website, uploading files to Wikileaks, talking to a specific person, or have censored/restricted Internet access? The answer is Tor.

You have to meet a very secret informant named Deep Throat in the bottom level of an underground garage across town. If it was anyone else, you’d jump into your bright yellow VW Beetle convertible. You decide it’s a bit conspicuous for this trip. Conveniently, your buddy lends you the worlds most popular car in it’s most common color, a white Toyota Corolla. Even better, the Toyota’s windows are darkly tinted. Rather than drive straight to the parking garage, you take a longer indirect route making it hard to know your destination.

This is what Tor does to your Internet connection. Like a Toyota with encrypted windows criss crossing town, Tor makes the traffic look inconspicuous, encrypts your information making it very difficult for anyone to know what you’re doing or saying, and routes your Internet traffic through other Tor users making it difficult for anyone to know who you are, who you are talking to, or what you’re doing online.

Tor is an amazing piece of technology and easy to use. “The Tor Browser Bundle lets you use Tor on Windows, Mac OS X, or Linux without needing to install any software.” Download and run. If you’ve an Android phone, download and run The Guardian Project’s Orbot from the Android Market.

This next set of tools are as important as the aforementioned for modern investigative teams. Unfortunately, they require a fair amount of technology experience to implement. If you are not a geek and work for a larger media organization, bring these tools to the attention of your IT and Security support staff. If you’re an independent journalist, show them to your geeky friend. If you need to make a geeky friend, try your local hackerspace.

Anonymous Online Dead Drop: Globaleaks
There is social value in providing a secure space for people to expose confidential information that is in the public interest, as seen recently by Wikileaks and those before it. In the post 9/11 U.S., more than 4.2 million people have access to confidential information with a government security clearance. Over one million of the 4.2 million have access to Top Secret information. If you can provide an online dead drop with reasonable assurance of anonymity and deniability for the conscientious, it will get used.

These whistleblower services are on the rise from main stream sites like the Wall Street Journal’s Safe House to the region specific FrenchLeaks. The technology co-opted by them strives to keep one step ahead of those who would keep socially valuable information from the public eye. Internet policy and free speech advocate, Marvin Ammori states “The right to free speech is meaningless without some place to exercise it. “ Recently, Wikileaks has exposed the urgent issue of protecting Marvin’s “digital speech spaces”. Just like the Crypto Wars of the past, lawyers creating forward thinking policy and geeks creating innovative technology are required.

Creating a website to accept files and text is not a complex task for an average geek. Including technology assuring deniability, anonymity, information security, and privacy embracing the same tradecraft as a traditional dead drop is something else entirely.

Leak Directory may be the most comprehensive set of information on the topic. You’ll be quickly reminded that whistle blowing websites didn’t start with Wikileaks. From old school telephone hotlines, online forms hosted by national security agencies, to Cryptome tools and services for receiving and disclosing leaked information have been around for a while.

Unfortunately, most are bespoke and proprietary. Globaleaks is one to pull out of the haystack, an open source project worth keeping an eye on.

Encrypted Cloud Storage for Teams: Dropbox, Encfs
When dealing with large diverse files such as audio, video, and various documents, it’s not practical for colleagues to share files via email or snail mail. You could use a company VPN and centralized storage but it’s often to slow in the field. Cloud services such as Dropbox make it their business to get as close to you as possible ensuring the fastest upload and download speeds as possible. While Dropbox is easy to use, it is not reliably a private option without an additional layer of security.

A tech savvy solution is to encrypt your content before Dropbox sees it. Pairing Encfs with Dropbox results in file based encryption that only you and your colleagues can decrypt. It’s cross platform with existing instructions to get you and your team collaboratively editing files in a shared secure folder with OS X, Windows, Linux, and Android.

While the adoption of these tools goes a long way in reducing the ability to “listen in” on your communication, it doesn’t address all the issues a journalist will confront. What if your laptop gets stolen or confiscated and searched at a border, what if you are detained and required to give out your passwords, what if someone you trusted gives out your passwords, or you are being actively harassed by intelligence officers? Even in the United States some states argue that a mobile phone can be searched without a warrant.

You should follow those links. These are common situations investigative and field journalists encounter today. The above situations aside, your laptop or phone will break. When it does, it will likely have information you need and need to keep private. What then?

If you work for a large media organization, hopefully you’ve already been approached or gone through some information and operation security trainings. If not, go find your Chief Security Officer or Director of IT. Ask them what your organizational policies are for the above situations.

In general, there is an empty void of resources tailored specifically for journalist on information and operation security. eQuality, “a collective of technology and security experts working with organized civil society and independent media.”, is a good place to look for formal trainings and policy development.

If you’re an independent journalist with little technology experience, there are some resources out there for you. The Tactical Technology Collective’s Security in-a-box is an excellent reference with tools. EFF’s Surveillance Self-Defence. RiseUp’s Communication Security, and MobileActive’s Guide to Mobile Security Risk Assessment are three recommended primers.

Finally, utilizing and supporting technology providers that understand the importance of privacy and security will make things easier for you. The EFF’s “Who Has Your Back” campaign rates large providers. Google and Twitter lead the way. A recent Wired and Ars Technica article, “Secret memo reveals which telecoms store your data the longest”, give T-Mobile a slight edge in the U.S. In all cases, they are storing information and often handing it out without your prior consent. Do you trust them with your private information that exposes your sources?

Personally, I use and support The Riseup Collective. They don’t provide Internet access, but they provide trusted secure services including E-mail, Instant Messaging chat, VPN, and support to the Tor project. They will also fight for your right to privacy.

Recently, Google and Riseup both received subpoenas from a judge to hand over user account records. With the help of EFF and the National Lawyers Guild, Riseup fought and won to have the subpoena’s overturned. Unlike Riseup, Google complied with the order handing over the requested information about its users.

I covered more than intended and left out a whole lot. I look forward to comments on what’s missing, what’s more secure, what’s easier to use, other good references, and your general thoughts. “After all, it is not the diagnosis of a disease that cures the patient.” said Mr. Fish

Read the original article here.

La Stampa, E’ nato un nuovo sito per creare tanti Wikileaks a costo zero

E’ nato un nuovo sito per creare tanti Wikileaks a costo zero
Dopo Openleaks arriva questo software open source per divulgare rivelazioni testato da poco da un gruppo di hacker italiani

Un amico hacker mi ha girato una mail che annuncia il rilascio della demo con il prototipo di GlobaLeaks.

Invita tutti a dargli un’occhiata e provarlo con un amministratore di nodo, una fonte riservata e un obiettivo ricevente.

La demo è qui:

GlobaLeaks si autodefinisce come “la prima struttura aperta (“open source”) per la pratica di rivelazioni di notizie e documenti riservati o legali (definita già con Wikileaks “whistleblowing”, che in inglese significa letteralmente “usare il fischietto” ma è un’espressione idiomatica che significa “fare una soffiata”). La differenza con Wikileaks sta appunto nel suo codice sorgente aperto. Evidentemente è un’alternativa a Openleaks, fondato in Germania da una costola di Wikileaks, che – nonostante il nome fuorviante – non è propriamente “open source”.

Chiunque, recita la mail, potrà così mettere in piedi e gestirsi la propria piattaforma di rivelazioni alla Wikileaks. Non solo: offre anche una collezione delle “best practices” per chi voglia ricevere o sottoporre documenti nel modo migliore collaudato. GlobaLeaks punta a funzionare in tutti gli ambienti: media, attivismo, aziende, enti pubblici.

Per saperne di più:

GlobaLeaks è stato testato “da oltre 50 hacker veneziani ubriachi”, annuncia con tono divertito la mail, e include il link a una presentazione che è stata data all’hacker camp italiano ESC:

Ma il progetto è internazionale, perchè il team è composto da persone provenienti nono solo dall’Italia, ma anche dall’Egitto, Germania, Stati Uniti, Francia e Taiwan.

Per chi volesse unirsi all’esperimento, l’appuntamento online è qui:

Read the original article here.

Memeburn, The other WikiLeaks: 8 whistleblowing sites you probably don’t know about

The other WikiLeaks: 8 whistleblowing sites you probably don’t know about

By Amanda Sevasti Fairweather

Last year a website called WikiLeaks and a man called Julian Assange made the world’s most powerful governments quiver in fear. No army or diplomacy could stop revelation after revelation, as classified communiqués and documents were placed online for the world to read.
The goal of WikiLeaks, to reveal the truth, may have been noble, but it was criticised for putting lives at risk by revealing sensitive information. The dubious rape charges against Assange also dented the organisation’s image. But the idea of WikiLeaks has taken hold in the online sphere and a number of spinoff and imitation sites have started springing up.
Founded by ex-WikiLeaks spokesperson Daniel Domscheit-Berg after his falling out with Julian Assange, this site shares the same transparency ideals as WikiLeaks. Many of its collaborators were part of the original organisation until they and Domscheit-Berg became frustrated with Assange’s despotic style. One of these key players is a brilliant programmer known only as “the architect”. The key difference between the two organisations is that OpenLeaks aims to verify and filter the information at its disposal rather than letting the public and journalists sort through it.
This site is focused on the dealings behind closed doors at the European Union headquarters, where lobbyists and diplomats jostle for position and prestige. Its organisers have remained anonymous — probably for good reason. As they state on the site, “There are plenty of good people in powerful positions who too often see shocking information pass them by. How do we know this? We’ve been there.”
Owned and run by the Russian Pirate Party, RuLeaks is a WikiLeaks-affiliate that began as a home for WikiLeaks documents to be translated into Russian. This year, it started leaking its own information too, including pictures of a US$1-billion mansion built on the shore of the Black Sea and allegedly owned by Prime Minister Vladimir Putin. Within a day of publishing it, the site suffered a denial of service attack. It has subsequently posted a number of KGB and KNB, the Kazakhstan equivalent, archives.
Launched in January, the Al Jazeera Transparency Unit provides a secure platform where whistleblowers in the Arab world can submit information for Al Jazeera to investigate: “From human rights to poverty to official corruption, AJTU will fairly evaluate and pursue all leads and content submitted, without geographical, political, cultural, or religious bias.” Its first big leak was “the Palestine Papers“, more than 1 600 documents detailing negotiations between the Israeli government and Palestinian Authority.
Founded way back in 1996 by independent scholars John Young and Deborah Natsios, Cryptome is not really a spinoff but rather a proto-WikiLeaks. It advocates freedom of speech with a focus on uncovering surveillance techniques used by governments and corporations, stating, “Cryptome welcomes documents for publication that are prohibited by governments worldwide.”
Its 65 000 files include the names of suspected MI6 agents and photographs of American soldiers killed in Iraq. The site was temporarily shut down last year when it revealed a 22-page Microsoft document that told government agencies how to access the private data of all Microsoft customers.
Launching with the slogan, “the Balkans are not keeping secrets anymore”, Balkan Leaks is very much modelled on WikiLeaks, but is particularly concerned with exposing organised crime and political corruption. Unlike WikiLeaks, it only publishes documents once it has reviewed and checked them. Balkan Leaks was founded by Bulgarian expatriate Atanas Chobanov, a journalist and blogger who lives in Paris.
Institutions of higher learning have a proud history when it comes to scandals. Now deans and chancellors will have an even harder time covering up problems on campus thanks to UniLeaks. Launched by an anonymous group of Australians, the site’s pay-off line is, “Keeping education honest”. UniLeaks argues that because universities receive a large amount of public funding, the public and its students have a right to know how and why decisions are made. Although UniLeaks hasn’t broken a big story yet, it has already received the “entire email repository” of a prominent university in the UK.
Unlike WikiLeaks and OpenLeaks, GlobaLeaks doesn’t host a massive collection of documents on its site. Instead, it facilitates a distributed network of “nodes” that anonymously pass information between them, therefore obscuring the original source. It’s like Bit Torrent for leaked documents — no single node has all the information so investigating or shutting down an individual node is pointless. It also has an additional layer of anonymity provided by the Tor Project, open source software that allows for anonymous internet transactions, so individual computer users can participate safely and easily.

Read the original article here.

Forbes, GlobaLeaks Wants To Be The Bittorrent To WikiLeaks’ Napster

26/01/2011  Forbes, GlobaLeaks Wants To Be The Bittorrent To WikiLeaks’ Napster

GlobaLeaks Wants To Be The Bittorrent To WikiLeaks’ Napster
by Andy Greenberg

WikiLeak-alikes are popping up around the globe, from regional sites focused on the Czech Republic to Indonesia. Even mainstream media like Al Jazeera and potentially the New York Times are getting in on the secret-spilling action. But few of these copycats and spinoffs can claim quite as much wild, conceptual ambition as an early-stage project called GlobaLeaks, which bills itself as “a worldwide distributed leak amplification network.”

GlobaLeaks, whose half dozen creators are based in Italy and the Netherlands, has yet to launch and is still hammering out some of its plans. But Fabio Pietrosanti, a spokesperson for the group, tells me it will ultimately invite volunteers around the world to install GlobaLeaks’ software, turning their home computers into hundreds or thousands of leaking “nodes”–miniature, local WikiLeak-type dropboxes designed to share information with media sites with the minimum amount of exposure to potential legal or political enemies.

Those nodes will accept submissions of documents through the anonymity service Tor, ensuring that the node owner will have no knowledge of the source. A GlobaLeak node’s owner filters submissions for spam and publishes them to a private site on Freenet or Tor’s Hidden Services, two anonymity networks designed to keep the locations of  sites private and protect them from anyone who doesn’t have password access. Then the leak node administrator will notify a list he or she maintains of local media or NGOs, inviting them to peruse, verify and publicize the leaked material.

The result, Pietrosanti argues, may be best described with an analogy to pirate-friendly filesharing systems. Unlike WikiLeaks, GlobaLeaks will look less like Napster–the original centralized, legally-questionable source of controversial data–and more like Bittorrent, a more distributed and robust system of data distribution.

GlobaLeaks’ chart of its proposed architecture. Click to enlarge.

Specifically, Pietrosanti says GlobaLeaks won’t publish to the public, and won’t have any central point of failure, so it may be less vulnerable to the sort of cyber- and legal attacks that WikiLeaks has faced. “Some people may be like Assange, and say ok, we’ll publish and fight and whatever,” says Pietrosanti.  ”But lots of people want to fight corruption without taking that much responsibility. If the risk profile of everyone who runs a leak node is reduced, there will be lot more leak nodes.”

GlobaLeaks’ other distinction over WikiLeaks, in theory, may be its ability to receive and publicize local leaks. Because the nodes can be run by individuals who speak a local language and track local media, it should be able to find outlets for regionally-relevant whistleblowing material–information that WikiLeaks and its international partners like the Guardian and the New York Times would likely ignore.

“Small cities have plenty of corruption, and WikiLeaks would never reach the local people, the local media,” says Pietrosanti. “That’ s one of the most important thing for us.”

One clear challenge to GlobaLeaks’ ability to obtain insider information may be the ability of those local leaking nodes to gain the notoriety necessary to attract potential leakers. But Pietrosanti says each node owner will be responsible for doing his or her own publicity, and GlobaLeaks may also keep a central list of trustworthy nodes.

In some respects, GlobaLeaks resembles a more distributed version of OpenLeaks, the WikiLeaks spinoff created by former WikiLeaker Daniel Domscheit-Berg and intended to create secure drop boxes on the websites of media partners. In fact, Pietrosanti says that GlobaLeaks first registered, but gave up the name when Domscheit-Berg’s higher-profile project went public.

Also like OpenLeaks, GlobaLeaks remains mostly a pipe dream for now. (OpenLeaks still hasn’t actually put anything on its site, more than a month after its intended launch date.) The group hasn’t even decided what platform its software will run on. Its website is littered with spelling errors and “TO DO” notes. But if the project can plant its seeds in time to catch the current season of web users bent on opening governments and corporations worldwide, its grassroots network may just take hold.

Check out GlobaLeaks’ site, with many more details of its plans, here.

Read the original article here