Building an Infrastructure for Whistleblowing
The disclosures of ex-NSA contractor Edward Snowden reveal the vast collection of Internet traffic data. American, German, British and other secret services have been exposed as taking part in large-scale surveillance programs devoid of transparency or democratic oversight. Democracy can’t function properly if voters are kept in the dark; whistleblowing therefore plays a pivotal role in the democratic process by providing the public with information.
Despite their importance, there are very few protection mechanisms in place for whistleblowers. They risk harsh treatment and legal prosecution, of which the case of Pfc. Bradley Manning is only one example. Manning, who was motivated to leak military and diplomatic documents to instigate a public debate about the wars in Iraq and Afghanistan, was held in an isolation cell for nine months prior to his trial. He was recently convicted of 20 charges and faces up to 90 years in prison. (The sentencing had not yet taken place at the time of this writing.)
The journalists, bloggers and media organizations responsible for disseminating the information are increasingly under pressure too.
In light of all this, whistleblowing featured as an important topic at OHM2013, the biggest outdoor hacker festival in Europe. I spoke with people from several organizations that have started initiatives to build a better whistleblowing infrastructure. Globaleaks provides a technical infrastructure that makes it possible for anyone to set up their own whistleblowing platform. The Associated Whistleblowing Press is a decentralized whistleblower platform, and the International Modern Media Institute is advocating protective laws for whistleblowers the world over.
International Modern Media Institute
“We’re trying to raise the bar on information legislation globally. So we talk to parties in different jurisdictions such as Europe and North African countries. But the progress we have made in Iceland is important. Our aim is to create a role model country, once you have an example it is easier to propagate the idea.”
Tessel: What are the legal problems with respect to whistleblowing?
McCarthy: “There are a lot of different things. Most countries don’t have any laws to protect whistleblowers. There are some who have a low level of protection but they are bypassed when governments feel the need to. The conviction of Bradley Manning under the Espionage Act is proof of that.
“We have seen attempts to silence press as well. The American investigative journalist Barrett Brown is a good example. The private security firms Stratfor and HBGary were hacked by Anonymous and the data retrieved was published online. Brown started to use that database as a source for research on the national security state. He is currently in jail awaiting trial. If convicted he could be sentenced to up to 105 years in prison. He did not break into the system but took a data dump that was available online and that is now being criminalized.”
Globaleaks
“We provide the technical infrastructure, we don't run a whistleblowing platform ourselves. The technical part is definitely only one part of running a successful platform. You need to campaign it, review the leaks and create a publishing platform or collaborate with one. But we contribute to this ecosystem by enabling other people to run successful initiatives.”
On the front end, the software provides a straightforward user interface for leakers. Through a series of clicks they can securely and anonymously submit documents to one or more receivers of their choosing. Receivers can be anyone from journalists to human rights organizations who have made themselves available for the whistleblowing platform. When the leaker decides to include a particular receiver in the submission, that receiver will get an email with the documents.
Tessel: Which security measures does Globaleaks provide to protect the people involved?
Filastò: “Globaleaks uses Tor to provide anonymity.” [Tor is free software and an open network that anonymizes Internet traffic; neither the receiver nor anyone intercepting the data packets can observe the identity of the sender. This is accomplished by sending the traffic through a series of encrypted connections over a network run by volunteers.] “It runs a hidden Tor service to ensure the anonymity of the whistleblower and also that of the person or organization running the server. The location of the server is unknown so it can’t be raided. The receivers should not be anonymous because nobody is going to submit anything if you do not know who is on the receiving end.
“Also, the submission is encrypted. The file is sent to the receiver using PGP [Pretty Good Privacy, a program used for encrypting email]. The file itself is encrypted as well.”
Tessel: Why did you start this project?
“After the whole Wikileaks Cablegate drama we decided to work on this”. [In 2010 Wikileaks started a controlled release of United States diplomatic cables. In collaboration with media partners the documents were redacted to omit sensitive information such as names. After a security breach the entire database became available online.] “After that a lot of leaksites sprouted up. Most of them had poor security, we saw a lot of these things fail.” The Wall Street Journal's whistleblowing dropbox SafeHouse, for instance, had its security vulnerabilities exposed only hours after it went online. Filastò: “We saw that there is a user base but the developers were doing it wrong. We said: ‘we are security people, we can do this better’. So two years ago we came up with an advanced prototype: Globaleaks 0.1. It was an initial experiment but it went quite well. We then redid it from scratch and we’re now at version 2.24.
“Globaleaks is part of the non-profit organization Hermes, center for transparency and digital human rights. We also work on other software projects which promote freedom of speech online.”
Associated Whistleblowing Press
“AWP is located in Belgium because it is one of the few countries that provides a legal framework for the protection of sources. It isn't full protection, if knowing the source is deemed a matter of national security and there is no other way to find the source, [the Belgian government] can oblige us to disclose the source. Therefore we have put mechanisms in place to keep the identity of the leaker unknown even to ourselves. We instruct sources not to reveal their identity and we use software like Tor and Globaleaks for secure communications.
“We are a decentralized platform. We work with local nodes who run their own whistleblowing sites. They have autonomy and total power of decision and organization. If you want people to participate you have to work within a local context. Someone may have information about illegal waste dumps in a river but if they submit that to a global leaksite it may not be deemed of global importance. Whereas locally, there would be immediate interest. Also, centralized platforms do not scale. The people running it will be overcharged in terms of amount of information submitted, political pressure and psychological toll.
“The only centralization of AWP is the legal structure so we can function as an umbrella organization for the international nodes.”
Tessel: In what sense is AWP a press organization?
“AWP also works on analyzing the content submitted. The aim is to share the analysis of these materials received locally in a newsletter. We want to create a global news wire that publishes unbiased news based on scientifically sound journalism. Running our own news provider is important because it is problematic to count on mainstream media. They are companies seeking profits and cannot avoid having political and economical agendas. There can, however, be collaborations to increase social impact.
“The centralized legal structure of AWP provides a protection for journalists because the responsibility lies with the editorial staff. So if a journalist writes an article the liability lies with the editors. The editors, in turn, are protected by the Belgian legal framework. At least, that's what we hope.”
Images: Matteo G.P. Flora. CC license: BY-NC-SA 3.0 (Arturo Filastò & Pedro Noel)
SHAREconference. CC license: BY-SA 2.0 (Smári McCarthy)