Laura Tingle has an article in the AFR today about how to securely leak and there’s some seriously bad advice in there. Let’s unpack this.
First of all, the new laws can’t apply to overseas-based providers. When you think about it, that was obviously always going to be the case. How on earth, for example, can Australian law apply to a communications service provider based in another country like the United States or Estonia?
Your traffic still transits your ISP to reach those services, so the metadata showing that you connected to them, when, for how long and how much you sent is collected right here, regardless of which country the provider sits in.
That means that if you use an overseas provider for your email, like Gmail or Yahoo! or Hotmail, the security agencies can’t access your metadata. (Mind you, some of us would observe that using Gmail actually also makes it quite hard to access one’s own emails so there are swings and roundabouts in all these things).
I don’t understand what this means other than boomer.gif
Senator Ludlam also suggested you could use Facebook Messenger or Twitter direct mail. But I’d prefer if you are going to leak like Edward Snowden, you don’t break it down into lots of 140 character messages.
Don’t use DMs or Facebook Messenger to leak information to journalists. Please do not do this. UPDATE: ‘Both accounts could potentially be linked to you, and Facebook and Twitter both respond to data requests. If you’re trying to minimise consequences, don’t use them.’
Apparently the only really dumb thing to do if you are a potential leaker is ring direct from your phone to my mobile (after the first call). And don’t send text messages.
No, there are plenty of dumb things you can do, most of which are recommended in this article.
Instead, phone me via a provider like Skype (based in Estonia) and the metadata doesn’t show up.
No. The call still has to be routed, so the metadata is right there: a Skype session between IP one and IP two started at time X and ran for Y minutes. Encrypting the audio does nothing to hide that the session happened. So don’t do this.
(I should also point out that for some years the Fairfax VOIP landlines have worked on a system where our numbers don’t show up when we ring out, and thus neither does our metadata. Just saying)
That’s beyond stupid. Suppressing caller ID hides your number from the person you ring, not from the carrier: the call still has to be routed, and whoever routes it logs both ends. If the metadata didn’t exist the calls couldn’t connect. Come on, technology isn’t fucking magic.
There is the option of private-key cryptography (no, I don’t know what that means either, but it includes apps like Wickr and Snapchat) which keeps no metadata. But to be successful with this you have to be able to remember your password. Which not all of us have successfully done.
Cryptography, whatever you call it, protects the content of a message, not the fact that it was sent. The service still has to know which device to deliver it to, so who talked to whom, when and how often still exists, at the provider and in your ISP’s records. Again: if there were no metadata it couldn’t be routed. Come on. Come on.
“Virtual private networks, available at a very reasonable subscription rate, make it impossible to tell where in the world you are when you are using the internet—also not illegal. Anonymity is not illegal, circumvention is not illegal and cryptography is not illegal.”
VPN providers can and do work with law enforcement. What is true is that from the Australian end the retained records would just show a large volume of traffic to a single endpoint, your VPN, with the browsing itself inside the tunnel and not eavesdroppable from here, provided you have configured it correctly (DNS lookups or any traffic that escapes the tunnel show up in the clear). You’d want the VPN hosted outside Australia for this, and you’d want to remember that the provider at the other end of the tunnel sees everything your ISP no longer can.
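To make the Skype, “private-key cryptography” and VPN points above concrete, here is an added example (not from the AFR piece or this post) of what retained connection metadata actually contains. The flow records are constructed for illustration and mimic what an ISP or carrier can keep about a subscriber: source, destination, port, start time, duration and byte counts. The content of a session is never in them, so encrypting the content changes nothing in this view; a VPN collapses it to one endpoint only if nothing leaks around the tunnel. IP addresses are from the RFC 5737 documentation ranges and the labels are made up.

```python
"""
Added example, not part of the original post: what the retained connection
metadata actually contains, and which parts encryption and a VPN do and do
not remove. All records below are constructed; the labels are made up.
"""
from collections import defaultdict
from datetime import datetime

# Fields: start time, duration (s), source IP, destination IP, dest port, bytes.
# An evening of ordinary use with no VPN: webmail plus one long encrypted session.
FLOWS_NO_VPN = """\
2015-03-17T21:02:11 34   203.0.113.8 198.51.100.20  443  51200
2015-03-17T21:02:45 1260 203.0.113.8 198.51.100.77  443  4823000
2015-03-17T21:24:10 5    203.0.113.8 198.51.100.20  443  8000
"""

# Same evening through a correctly configured VPN: one tunnel, nothing else.
FLOWS_VPN_OK = """\
2015-03-17T21:02:11 1700 203.0.113.8 198.51.100.200 1194 4890000
"""

# VPN up, but DNS still going to the ISP resolver outside the tunnel.
FLOWS_VPN_DNS_LEAK = FLOWS_VPN_OK + """\
2015-03-17T21:02:40 1    203.0.113.8 198.51.100.53  53   180
"""

# Made-up reverse lookups so the summaries read like an analyst's notes.
LABELS = {
    "198.51.100.20": "overseas webmail provider",
    "198.51.100.77": "VoIP/chat service",
    "198.51.100.200": "overseas VPN endpoint",
    "198.51.100.53": "ISP DNS resolver (outside the tunnel)",
}


def parse_flows(text):
    """One constructed flow record per line -> list of dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, dur, src, dst, port, nbytes = line.split()
        flows.append({
            "start": datetime.fromisoformat(start),
            "duration_s": int(dur),
            "src": src,
            "dst": dst,
            "port": int(port),
            "bytes": int(nbytes),
        })
    return flows


def summarise(flows):
    """Per-destination totals: the view an analyst gets without seeing any content."""
    out = defaultdict(lambda: {"sessions": 0, "seconds": 0, "bytes": 0, "label": ""})
    for f in flows:
        s = out[f["dst"]]
        s["sessions"] += 1
        s["seconds"] += f["duration_s"]
        s["bytes"] += f["bytes"]
        s["label"] = LABELS.get(f["dst"], "unknown")
    return dict(out)


def call_like_sessions(flows, min_seconds=600):
    """Long-lived sessions to one host look like a call or chat, encrypted or not."""
    return [(f["dst"], f["start"].isoformat(), f["duration_s"])
            for f in flows if f["duration_s"] >= min_seconds]


def leaked_destinations(flows, vpn_endpoint="198.51.100.200"):
    """Anything the ISP saw that did not go into the tunnel."""
    return sorted({f["dst"] for f in flows if f["dst"] != vpn_endpoint})


if __name__ == "__main__":
    for name, text in [("no VPN", FLOWS_NO_VPN), ("VPN ok", FLOWS_VPN_OK),
                       ("VPN with DNS leak", FLOWS_VPN_DNS_LEAK)]:
        flows = parse_flows(text)
        print(f"== {name} ==")
        for dst, s in summarise(flows).items():
            print(f"  {dst:<15} {s['label']:<38} {s['sessions']} session(s), "
                  f"{s['seconds']} s, {s['bytes']} bytes")
        print("  call-like:", call_like_sessions(flows))
        print("  outside tunnel:", leaked_destinations(flows))
```

Run it and the “no VPN” summary shows a 21-minute session to the VoIP service with no idea what was said, which is exactly the record a Skype call leaves. The VPN run shows only the tunnel endpoint, and the third run shows the one DNS query that slipped out around it, which is what “configured correctly” means in practice.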
Of course, there are also other ways of leaking to journalists even if they are fashionably old-fashioned.
There is snail mail, for example, and let’s face it Australia Post needs the money.
This is a good point, but again, don’t post it from the box near your home or work, and don’t put a return address on it, so the item can’t easily be traced back to the source.
But probably the suggestion that you should put your mobile in the fridge should not be relied upon. And we all know that the Cone of Silence doesn’t work.
A fridge is a leaky Faraday cage at best, and either way a phone that goes dark at the same moment every time you meet someone is itself a data point. If you’re going to leak to a journalist in person, leave the phone at home.
So yeah, apart from being laughably inaccurate, there isn’t really any good advice in there on how to leak. So here’s what to do to leak securely, or at least to massively reduce the risk of being caught and getting in trouble:
How To Leak
- This might seem obvious, but think about it: don’t leak information only you have access to. If you’re the only one who has it, it’s pretty bloody easy to figure out who leaked it. Find or create a situation in which you have plausible deniability that someone else accessed the data.
- Don’t leak data from your home computer, your personal devices, or anywhere at home or at work. You will get caught, and if there are legal ramifications of the leak they will rain down on you like fire.
- Don’t leak data from personal accounts, accounts linked to family or friends, or anything that can in any way be traced back to you. Create a Hushmail or Gmail account, don’t give it your phone number, and create it on a computer you do not normally use, say an internet cafe. Only ever touch that account from places like that: logging in from home or work even once ties it to you.
- Don’t include any personal information in the stuff you leak. Redact as you need to, and remember that the files themselves carry metadata (document author and last editor, camera details in photos) that points straight back at you.
- Don’t store copies of leaked information on personal devices or home devices.
- If you use a USB device or something similar to access or copy data, be aware of corporate policies and monitoring. If you’re copying from your office computer, logged in under your account, to a device, corporate IT can easily track you down and figure out who copied what and when.
- Destroy any devices or media you used to move the information out to a third party (USB sticks, printouts, the lot). Dispose of them somewhere you wouldn’t normally dispose of things, so someone going through your rubbish can’t find them.
- Only leak to outlets that run SecureDrop, like the Guardian, and follow their instructions: it’s reached over Tor, and not from a machine or network that’s yours.
- DON’T TELL ANYONE WHAT YOU DID. DO NOT TELL A SINGLE SOUL WHAT YOU DID. LOOSE LIPS SINK SHIPS AND BLABBING YOUR BIG STUPID MOUTH ABOUT YOUR LEAK IS GOING TO LAND YOU IN THE SLAMMER YOU STUPID DUMB BABY SO DON’T DO IT.
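On the redaction point above: the file you hand over identifies you even when the text doesn’t. Here is an added example (mine, not from the post or from any tool it mentions) that inspects and blanks the identifying properties of a .docx, which is a zip archive whose docProps/core.xml records the author and last editor and whose docProps/app.xml records the company. The document is constructed in memory so it runs offline, and every name in it is made up.

```python
"""
Added example, not part of the original post: a .docx carries identifying
metadata of its own in docProps/core.xml and docProps/app.xml. The document
below is constructed in memory and every name in it is made up.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by Office Open XML package properties.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# (package part, element) pairs that name a person or an organisation.
# Dates are left alone here; they deserve the same thought before release.
IDENTIFYING = [
    ("docProps/core.xml", "{%s}creator" % NS["dc"]),
    ("docProps/core.xml", "{%s}lastModifiedBy" % NS["cp"]),
    ("docProps/app.xml", "{%s}Company" % NS["ep"]),
    ("docProps/app.xml", "{%s}Manager" % NS["ep"]),
]

# Constructed parts, shaped like what Word writes.
CORE_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" xmlns:xsi="%s">
  <dc:title>Quarterly figures</dc:title>
  <dc:creator>Jane Example</dc:creator>
  <cp:lastModifiedBy>jexample (FINANCE-WS-042)</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2015-03-01T09:00:00Z</dcterms:created>
</cp:coreProperties>""" % tuple(NS[k].encode() for k in ("cp", "dc", "dcterms", "xsi"))

APP_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="%s">
  <Application>Microsoft Office Word</Application>
  <Company>Example Department of Things</Company>
</Properties>""" % NS["ep"].encode()

BODY_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
  <w:body><w:p><w:r><w:t>Figures attached.</w:t></w:r></w:p></w:body>
</w:document>"""


def build_sample_docx():
    """Minimal constructed .docx-like package: just the parts this example needs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml", BODY_XML)
    return buf.getvalue()


def read_part(docx_bytes, name):
    """Raw bytes of one part of the package."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return z.read(name)


def read_metadata(docx_bytes):
    """Identifying properties present in the package: {element name: value}."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        for part, tag in IDENTIFYING:
            if part not in names:
                continue
            el = ET.fromstring(z.read(part)).find(tag)
            if el is not None:
                found[tag.split("}")[1]] = el.text or ""
    return found


def strip_metadata(docx_bytes):
    """Copy of the package with identifying properties blanked; other parts untouched."""
    scrub = {}
    for part, tag in IDENTIFYING:
        scrub.setdefault(part, []).append(tag)
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename in scrub:
                root = ET.fromstring(data)
                for tag in scrub[info.filename]:
                    for el in root.findall(tag):
                        el.text = ""
                data = (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
                        + ET.tostring(root, encoding="unicode").encode("utf-8"))
            dst.writestr(info.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    print("before:", read_metadata(doc))
    print("after: ", read_metadata(strip_metadata(doc)))
```

Note what the “before” output gives away: a full name, a login name and a workstation identifier, none of which appear in the body text you would think to redact. The same idea applies to PDFs and to EXIF in photos; this example only handles the .docx package because that is the format most internal documents arrive in.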
If you have any other recommendations or ideas, ping me a line on twitter
Take care of yourselves.