Protecting your sources

The provisions of the Terrorism Act 2000 and of the Regulation of Investigatory Powers (RIP) Act 2000 give the authorities wide-ranging powers to seize computer files, and to imprison you if you fail to produce "plain text" for any that are protected by "encryption".

The Foundation for Information Policy Research (www.fipr.org) published a comprehensive briefing that ended up recommending moving files onto a floppy disk, and then hiding the disk in a box under a stone in your granny's greenhouse. [1] You'll still need some software to remove lingering traces from your own machine - deleted files do not go away!


Why bother?

People who want to do wicked things may be interested in keeping confidential documents about those things. Contrary to what you may hear from some politicians, this does not mean that non-politicians who keep confidential documents are wicked.

Journalists, in particular, have a duty to investigate wicked things and to protect the confidentiality of their sources. That might, for example, include investigating allegations of wickedness by the organisations officially entrusted with the suppression of vice. An example that unavoidably comes to mind in December 2001 is the allegation that the security services may have colluded in murder in the north of the island of Ireland. Who should investigate the rather serious question of whether this is true or not, if not journalists? And how could the case for keeping sources confidential be made more powerfully than by the murder of journalist Martin O'Hagan in September, and, a few weeks later, that of one of his key sources, William Stobie?

So it is absolutely necessary for some journalists to descend into the double murk of secret communication and the inner workings of their computers.

How to do it?

Imagine that you have received an email from a slightly naïve whistleblower. If the security services showed up with a warrant under the Terrorism Act 2000 and obtained a copy of that email, or for that matter if unofficial thugs showed up with baseball bats, the consequences would be dire. Obviously you want to protect her or him, and yourself. What do you do?

There are (at least) two separate questions here.

  • One issue is protecting documents against those who wish ill to your investigation or your source. Obviously, you may be concerned about them learning what you know. More important, however, may be the clues that the contents of your documents give to the identity of your source.
  • The other is communicating without the fact of the communication itself leading straight back from you to your source.

Stopping snoopers reading your documents & stored emails

If you're well comfortable with computers, there are sophisticated techniques you can use to keep a copy of the email - or any other computer file - while preventing anyone else reading it.

"Encryption" software such as PGP (Pretty Good Privacy) uses some interesting results in mathematics to transform your computer files - including emails - so that no-one can read the contents without the right key, which PGP in turn keeps locked under a passphrase. Properly used, PGP is secure. [2]

Then you can hide the encrypted file inside another file, a process called "steganography". A file the size of a recording of Beethoven's Ode to Joy could comfortably and thoroughly conceal that secret draft of Microsoft's strategy for fighting off EU monopoly investigations. You can read more about steganography and the programs that do it from Fabien A. P. Petitcolas at Cambridge. [3]

The trouble with these techniques is that they are sophisticated. Setting up PGP so it works as advertised, for example, requires you to take some time to understand how and why it works. Get it wrong, and you may be left with investigators crowing "the accused tried to conceal this document, which says..." And in some instances the penalty for refusing to hand over the password to an encrypted document that they do find is higher than the penalty for possessing the document.

So Ian Brown and Brian Gladman, in their paper Ways to Defeat the Snooping Provisions in the Regulation of Investigatory Powers Bill, published by FIPR, propose "physical steganography". [1] That's a geek joke: it simply means that you should copy sensitive documents onto a floppy disk (or a Zip disk or a writable CD-ROM), delete the original, and hide that disk. Working out how to hide a disk documenting corruption in the Security Service where the Security Service won't find it is left as an exercise for the reader.

Out, damn bits!

There is more that you need to do, though. When you tell your computer to delete a document, it doesn't go away. White House aide Oliver North found this to his great embarrassment when investigators produced sheaves of electronic messages he had deleted, recovered from the system's backups.

Do take a moment to remember where deleted documents can leave traces.

  • Deleted files are not erased: your computer merely makes a note for itself, "not in use". The information is still on your hard disk; it's just left out of the directory of files that you see.
  • Your computer gradually over-writes the contents of deleted files as you create new files. Even then, assume that a well-resourced laboratory may still retrieve the underlying file. Think of how they might do it like this: You write a scurrilous note on paper, in pencil. Then you rub it out. Then you write this text all over it. Because they know what this text says, investigators with time on their hands can "subtract" it from the image on the piece of paper, revealing the faint traces left underneath. (Don't take the paper analogy any further, or you'll get more confused than you are now.) Whether this is practical on a modern high-density disk is disputed, and a deliberate overwrite is generally held to be enough; the safe course is to do that overwrite yourself rather than wait for the machine to get round to it.
  • When computer files shrink, they leave traces of their old contents in the now "deleted" space beyond their new end. In particular, when you tell the program you use to read email to "compact folders", whatever was at the end of the old, larger mailbox file is still there on your disk, where the end of the file used to be.
  • Your computer makes private copies of information that it doesn't show you: in particular the "swap file". When you open a large document and your computer runs out of Random Access Memory (RAM), it "parks" some of the contents of RAM in the so-called "swap file" on your hard disk, then swaps that back into RAM when it is needed later, writing something else to the swap file to make space. The result is "virtual memory": your computer can act as though it has more RAM than is physically present. And the result of that is that bits of anything you've been viewing may be sitting in the swap file on your hard disk.
  • If you know in advance that you will be dealing with deeply confidential documents, the unanimous advice from people who know about computer security is that you should buy more real RAM and disable your computer's "virtual memory" feature. (In Windows: go to Control Panel, then to System, then to Performance, then to Change next to "Virtual memory".)

So, to remove all traces of that email from a naïve whistleblower mentioned above, you need to run programs that thoroughly erase the contents both of your "deleted file space" and of your "swap file".
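The following is an added illustration, not a program the article recommends: a small "file shredder" in Python showing what such a program has to do to a single file (overwrite every byte in place, force the writes to disk, then remove the directory entry). The email it shreds is a constructed sample. The caveats in the comments are the ones a practitioner would want: an overwrite only reaches the blocks the file currently occupies, so it does nothing for the swap file, for blocks freed when a mailbox was compacted, or for disks and filesystems that quietly write new data somewhere else.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # write in 64 KiB pieces so a large file is not read into memory


def overwrite_file(path, passes=3):
    """Overwrite every byte of `path` in place: `passes` passes of random
    bytes, then one pass of zeros, each forced to disk with fsync().
    Returns the file's size, i.e. the number of bytes overwritten per pass.

    Caveats: this only reaches the blocks the file occupies *now*. It does not
    touch the swap file, blocks freed earlier (e.g. by "compact folders"), copies
    a mail client or editor made, or the old blocks on a copy-on-write filesystem
    or a wear-levelling flash disk, which may store the overwrite elsewhere."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for pass_no in range(passes + 1):
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                # final pass is zeros, earlier passes are random bytes
                fh.write(bytes(n) if pass_no == passes else secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push this pass out of the OS write cache
    return size


def shred_file(path, passes=3):
    """Overwrite `path`, rename it to a random name (so the telling file name
    does not linger in the directory), unlink it, and sync the directory.
    Returns the number of bytes overwritten."""
    size = overwrite_file(path, passes)
    directory = os.path.dirname(os.path.abspath(path))
    anonymous = os.path.join(directory, secrets.token_hex(8))
    os.rename(path, anonymous)
    os.unlink(anonymous)
    try:
        dir_fd = os.open(directory, os.O_RDONLY)
    except OSError:
        return size  # e.g. Windows: a directory cannot be opened this way
    try:
        os.fsync(dir_fd)  # make the rename/unlink metadata reach the disk too
    finally:
        os.close(dir_fd)
    return size


def demo(tmpdir=None):
    """Constructed example: save a 'whistleblower' email, overwrite it, confirm
    the plaintext is gone from the file's own bytes, then shred it.
    Returns (size_overwritten, plaintext_survived_overwrite, file_still_exists)."""
    tmpdir = tmpdir or tempfile.mkdtemp()
    # constructed sample message (hypothetical address), repeated to span chunks
    secret = (b"From: whistleblower@example.org\n"
              b"Subject: the files you asked for\n") * 50
    path = os.path.join(tmpdir, "whistleblower.eml")
    with open(path, "wb") as fh:
        fh.write(secret)
    overwrite_file(path, passes=1)
    with open(path, "rb") as fh:
        after = fh.read()
    survived = b"whistleblower" in after
    size = shred_file(path)
    return size, survived, os.path.exists(path)


if __name__ == "__main__":
    print(demo())  # e.g. (3250, False, False)
```

Run it as a script and it reports the bytes overwritten, that the plaintext no longer appears in the file, and that the file is gone. Note what it cannot promise: the name and size of the file may survive in filesystem metadata or journals, and the same message may still sit in the swap file described above, which is why the article's advice to disable virtual memory stands.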

The Freelance is still researching such "file shredder" programs. Suggestions and reviews from technically competent readers are welcome. For the moment, I recommend:

Anonymous communication

According to some historians, Mary Queen of Scots and several of her confidential contacts were executed in 1587 because they used encrypted communication and the security services broke the code. Encryption has got a lot more sophisticated since then, but so have the security services.

If you're conducting an investigation in which the protection of your sources is at all important, you may well conclude that it's best to avoid all technology that has become available since, say, the Early Middle Ages - until it comes to producing the version for publication or broadcast. You'd almost certainly be right.

In fact, it's amazing what you can do with Late Bronze Age technology and modes of organisation. For secure communication with a trusted source, nothing beats a face-to-face meeting in the middle of a large field. Organising to get there without being nicked is outside the scope of this article.

This may, however, not always be practical. There are ways of sending emails with a reasonable level of anonymity. What you have to overcome is a journalistic problem, not a technical one: how can you be sure that anonymous messages come from an actual source that you can identify, while making sure that no-one else can identify them without their permission?

Avoiding reams of PhDs in communications theory on how to do this online, we suggest the following scenario:

  • You arrange with your source through some secure means - remember that large open field - that you will both use email accounts at hushmail.com

You may imagine why it may be a good idea to send many people, frequently, a recommendation to read this page.

You need to bear in mind all the following points:

  • You send and receive Hushmail from your Web browser, not from your normal email program.
  • For Hushmail to work, you need to use a Web browser with "Java" enabled, because it runs as a Java applet downloaded into your browser. This is not the same as "Javascript". It is enabled by default in MS Internet Explorer.
  • You could use Hushmail from computers in cybercafés. But then you have the journalistic problem that it's probably not a good idea to depend solely on your memory of what your source said.
  • You do not have to provide a real name to get a free Hushmail account. The account will be deleted, however, if you do not use it for three weeks.
  • It is important that you use a long "passphrase" that you can remember: eight words is good.
  • If you and your source are both using Hushmail, all messages between you are "encrypted" all the way from your computer to theirs and back. Bear in mind, though, that the code doing the encrypting is fetched from Hushmail's site each time you log in, so you are trusting them to keep sending you an honest copy.
  • You should arrange, however, that nothing in the content of the emails your source sends will identify them, and that nothing in the content of the emails you send proves that they have written to you. This is because it is still possible that the "decrypted" plaintext of the messages will leave traces on your computers - e.g. in the "swapfile" described above.
  • If the above rule is broken, you should follow the advice above for erasing deleted messages and files.
  • If you are of interest to the security services, they may be obtaining logs of when you connected to the Hushmail site. So once you start using it, use it for lots of messages, several in each of many different sessions.

All that said, I've been having trouble with the free Hushmail server recently. It sends messages, then fails to report back that it has done so. More news, later.

Posted: 12 December 2001; Last modified: 16 December 2001 - © 2001
The Freelance editor is elected by London Freelance Branch and responsibility for content lies solely with the editor of the time
Send comments to the editor: editor@londonfreelance.org