Protecting your sources
The provisions of the new Terrorism Act and of the Regulation of Investigatory Powers (RIP) Act 2000 give the authorities wide-ranging powers to seize computer files and to imprison you if you fail to produce "plain text" for any that are protected by "encryption".
The Foundation for Information Policy Research (www.fipr.org) published a comprehensive briefing that ended up recommending moving files onto a floppy disk, and then hiding the disk in a box under a stone in your granny's greenhouse. [1] You'll still need some software to remove lingering traces from your own machine - deleted files do not go away!
Why bother?
People who want to do wicked things may be interested in keeping confidential
documents about those things. Contrary to what you may hear from some politicians, this does not
mean that non-politicians who keep confidential documents are wicked.
Journalists, in particular, have a duty to investigate wicked things and to protect the
confidentiality of their sources. That might, for example, include investigating allegations
of wickedness by the organisations officially entrusted with the suppression
of vice. An example that unavoidably comes to mind in December 2001 is the
allegation that the security services may have colluded in murder in
the north of the island of Ireland. Who should investigate the rather serious question of
whether this is true or not, if not journalists? And how could the case for keeping
sources confidential be made more powerfully than by the murders of
journalist Martin O'Hagan in September, and that
a few weeks later of one of his key sources, William Stobie?
So it is absolutely necessary for some journalists to descend into the double murk of
secret communication and the inner workings of their computers.
How to do it?
Imagine that you have received an email from a slightly naïve whistleblower. If
the security services showed up with a warrant under the Terrorism Act 2000 and obtained
a copy of that email, or for that matter if unofficial thugs showed up with baseball bats, the
consequences would be dire. Obviously you want to protect her or him, and yourself. What do you do?
There are (at least) two separate questions here.
- One issue is protecting documents
against those that wish ill to your investigation or your source. Obviously, you may be concerned
about them knowing what you know. Most important, however, may be the clues that the contents
of your documents may give to the identity of your source.
- The other is communicating without the fact of the communication immediately leading back
from you to your source.
Stopping snoopers reading your documents & stored emails
If you're comfortable with computers, there are sophisticated techniques you can use to keep a copy of the email - or any other computer file - while preventing anyone else from reading it.
"Encryption" software such as PGP (Pretty Good Privacy) uses some interesting results in mathematics to transform your computer files - including emails - so that no-one can read the contents without the password. Properly used, PGP is secure. [2]
Then you can hide the encrypted file inside another file, a process called "steganography". A file the size of a recording of Beethoven's Ode to Joy could comfortably and thoroughly conceal that secret draft of Microsoft's strategy for fighting off EU monopoly investigations. You can read more about steganography and the programs that do it from Fabien A. P. Petitcolas at Cambridge. [3]
The trouble with these techniques is that they are sophisticated. Setting up PGP so it works as advertised, for example, requires you to take some time to understand how and why it works. Get it wrong, and you may be left with investigators crowing "the accused tried to conceal this document, which says..." And in some instances the penalty for refusing to hand over the password to an encrypted document that they do find is higher than the penalty for possessing the document.
So Ian Brown and Brian Gladman, in their paper Ways to Defeat the Snooping Provisions in the Regulation of Investigatory Powers Bill, published by FIPR, propose "physical steganography". [1] That's a geek joke: it simply means that you should copy sensitive documents onto a floppy disk (or a Zip disk or a writable CD-ROM), delete the original, and hide that disk. Working out how to hide a disk documenting corruption in the Security Service where the Security Service won't find it is left as an exercise for the reader.
Out, damn bits!
There is more that you need to do, though. When you tell your computer to delete a document,
it doesn't go away. White House aide Oliver North found this to his great embarrassment
when investigators produced sheaves of deleted files recovered from his hard disk.
Do take a moment to remember where deleted documents can leave traces.
- Deleted files are not erased: your computer merely
makes a note for itself, "not in use". The information is still on your hard disk, it's just
left out of the directory of files that you see.
- Your computer gradually over-writes the contents of deleted files, as you create new files.
But the security services can still retrieve the underlying file. Think of how they do it like this:
You write a scurrilous note on paper, in pencil. Then you rub it out. Then you write this text all
over it. Because they know what this text says, investigators with time on their hands can
"subtract" it from the image on the piece of paper, revealing the faint traces left
underneath. (Don't take the paper analogy any further, or you'll get more confused than you are now.)
- When computer files shrink, they leave traces of their old contents in the "deleted"
space at the end. Particularly, when you tell the program you use to read email to "compact
folders", the last message you received is still there on your disk, where the end of the file
used to be.
- Your computer makes private copies of information that it doesn't show you: in particular the "swap file". When you open a large document and your computer runs out of Random Access Memory (RAM), it "parks" some of the contents of RAM in the so-called "swap file" on your hard disk, then swaps that back into RAM when it is needed later, writing something else to the swap file to make space. The result is "virtual memory": your computer can act as though it has more RAM than is physically present. And the result of that is that bits of anything you've been viewing may be in the swap file on your hard disk.
- If you know in advance that you will be dealing with deeply confidential documents, the
unanimous advice from people who know about computer security is that you should buy more
real RAM, and disable your computer's "virtual memory" feature. (In Windows: go to
Control Panel, then to System, then to Performance, then to Change next to "Virtual memory".)
So, to remove all traces of that email from a naïve whistleblower mentioned above,
you need to run programs that thoroughly erase the contents both of your "deleted
file space" and of your "swap file".
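The two traces described above - a "deleted" file whose bytes are still on the disk, and the tail of a compacted folder lingering in freed space - can be seen on a tiny simulated disk. This is an added example, not code from the article or from any shredder program; the block device, its directory and the sample messages are constructed for illustration, and wipe_free_space shows what a file shredder has to do to make the traces go away.

```python
BLOCK = 16  # bytes per block; tiny so the effect is easy to see

class ToyDisk:
    """Constructed toy block device: raw media plus a directory, like a simplified FAT."""
    def __init__(self, nblocks):
        self.media = bytearray(BLOCK * nblocks)  # what an investigator would image
        self.free = list(range(nblocks))         # blocks noted as "not in use"
        self.directory = {}                      # name -> (block list, byte length)

    def write(self, name, data):
        blocks = [self.free.pop(0) for _ in range(-(-len(data) // BLOCK))]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.media[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.directory[name] = (blocks, len(data))

    def read(self, name):
        blocks, length = self.directory[name]
        return b"".join(self.media[b * BLOCK:(b + 1) * BLOCK] for b in blocks)[:length]

    def delete(self, name):
        # Ordinary delete: drop the directory entry, mark blocks free, touch no data.
        blocks, _ = self.directory.pop(name)
        self.free.extend(blocks)

    def shrink(self, name, new_len):
        # "Compact folders": only the length and block list change; the old tail
        # stays on the media, in the freed blocks and in the last block's slack space.
        blocks, _ = self.directory[name]
        keep = -(-new_len // BLOCK)
        self.free.extend(blocks[keep:])
        self.directory[name] = (blocks[:keep], new_len)

    def raw_contains(self, needle):
        return needle in bytes(self.media)  # raw media read, ignoring the directory

    def wipe_free_space(self):
        # What a file shredder does: overwrite every free block and every file's slack.
        for b in self.free:
            self.media[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)
        for blocks, length in self.directory.values():
            if blocks:
                used = length - (len(blocks) - 1) * BLOCK  # bytes used in the last block
                last = blocks[-1] * BLOCK
                self.media[last + used:last + BLOCK] = bytes(BLOCK - used)

def traces(disk, needle):
    """Return (seen in raw media before wiping, seen after wipe_free_space)."""
    before = disk.raw_contains(needle)
    disk.wipe_free_space()
    return before, disk.raw_contains(needle)
```

Writing a constructed message, deleting it and calling traces on the disk returns (True, False): the directory forgets the file, the media does not, and only the overwrite removes it; the same holds for a folder shrunk with shrink.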
The Freelance is still researching such "file shredder" programs.
Suggestions and reviews from technically competent readers are welcome. For the moment, I
recommend:
Anonymous communication
According to some historians, Mary Queen of Scots and several of her confidential
contacts were executed in 1587 because they used encrypted communication and the security services
broke the code. Encryption has got a lot more sophisticated since then, but so have the
security services.
If you're conducting an investigation in which the protection of your sources is at all important,
you may well conclude that it's best to avoid all technology that has become available since, say, the
Early Middle Ages - until it comes to producing the version for publication or broadcast. You'd almost
certainly be right.
In fact, it's amazing what you can do with Late Bronze Age technology and modes of
organisation. For secure communication with a trusted source, nothing beats a face-to-face
meeting in the middle of a large field. Organising to get there without being nicked is outside
the scope of this article.
This may, however, not always be practical. There are ways of sending emails with a reasonable level of anonymity. What you have to overcome is a journalistic problem, not a technical one: how can you be sure that anonymous messages come from an actual source that you can identify, while making sure that no-one else can identify them without their permission?
Avoiding reams of PhDs in communications theory on how to do this online, we suggest the
following scenario:
- You arrange with your source through some secure means - remember that large open field - that you will both use email accounts at hushmail.com.
You may imagine why it may be a good idea to send many people, frequently, a recommendation to read this page.
You need to bear in mind all the following points:
- You send and receive Hushmail from your Web browser, not from your normal email program.
- For Hushmail to work, you need to use a Web browser with "Java" scripting enabled. This is not the same as "Javascript". It is enabled by default for MS Internet Explorer.
- You could use Hushmail from computers in cybercafés. But then you have the
journalistic problem that it's probably not a good idea to depend solely on your memory of
what your source said.
- You do not have to provide a real name to get a free Hushmail account. The account will be
deleted, however, if you do not use it for three weeks.
- It is important that you use a long "passphrase" that you can remember:
eight words is good.
- If you and your source are both using Hushmail, all messages between you are "encrypted" all the way from your computer to theirs and back.
- You should arrange, however, that nothing in the content of the emails your source sends will
identify them, and that nothing in the content of the emails you send proves that they have written
to you. This is because it is still possible that the "decrypted" plaintext of the messages will
leave traces on your computers - e.g. in the "swapfile" described above.
- If the above rule is broken, you should follow the advice above for erasing deleted messages and files.
- If you are interesting to the security services, they may be obtaining logs of when you connected to the Hushmail site. So once you start using it, use it for lots of messages, several in each of many different sessions.
All that said, I've been having trouble with the free Hushmail server recently.
It sends messages, then fails to report back that it has done so. More news, later.
© 2001 Mike Holderness