‘Tradecraft’ for journalists in the digital age
Hack -vs- spook
THE MAY London Freelance Branch meeting was one of the highest-powered we've had. Veteran security affairs reporter Duncan Campbell and Professor Ross Anderson discussed the Investigatory Powers Bill that's still before parliament - and, perhaps even more pertinent, "tradecraft" for journalists wanting to protect the anonymity of our sources in this digital age.
Our first speaker was Ross Anderson, Professor of Security Engineering at the University of Cambridge and one of the best-informed people on the planet about how interception of computer communications works - outside of spook-world, at least. He opened by reminding us that surveillance and the threat to reveal confidential sources affect everybody who's doing investigation - journalists of course, but also academics and campaigners.
The purpose of the Investigatory Powers Bill now before parliament is, he said, to "make legal a lot of the dodgy things that Ed Snowden told us that GCHQ were up to". Snowden was a contractor working for the US National Security Agency (NSA), who leaked a mass of documents about its activities, including those carried out hand-in-glove with the UK's Government Communications Headquarters (GCHQ). (For an example of the resulting campaigning see the January 2015 online Freelance; for an account of why Snowden did not trust his superiors to protect him as a whistleblower-through-normal-channels see the Guardian's How the Pentagon punished NSA whistleblowers.)
Ross said there were three things to watch out for in particular, here:
- Retention of internet connection records - the new phraseology for internet service providers (ISPs) being compelled to keep records of what websites and other internet services you connected to, when and where;
- Equipment interference - warrants empowering the security services to plant surveillance software, such as a "keylogger" that records everything you do, on your computer; and
- Powers to "compel assistance". In the old days they threatened someone like Bill Goodwin with jail unless he revealed his source. These powers would let them instead threaten someone like his ISP, which "doesn't have so much skin in the game" and is much more likely to fold.
Bill Goodwin, present at the meeting, famously went to the European Court of Human Rights to win the right to protect the source of a story (and spoke about it at the December 2002 meeting).
"What we want to do," Ross suggested, "is to protect our sources, expose wrongdoing and occasionally set an elephant trap for the government of the day."
That means, above all, sources being able to contact us in the knowledge that they will not be prosecuted or persecuted. So:
- We want people to be able to contact you without leaving a trace. You could consider letting them know what pub you can be found in, when, rather than giving a specific time and place;
- We need to think about the "shoe-leather stuff" - making sure we're not followed on the way there;
- If dealing with a particularly high-value source, we could consider a new phone for the purpose, as anonymous as possible (recently popularised as a "burner phone"). The old adage about using payphones is now wrong: all are likely to be tapped, just because British Telecom can sign one piece of paper giving permission and charge the government for the service.
Speak to old hands and pick up the "tradecraft"... it's even worth reading spy novels - the word "tradecraft" describing ways of contacting sources and so forth was coined by ex-spy David Cornwell, writing fiction as John le Carré, and then picked up by real spies.
Don't over-react. An NHS nurse coming in to tell you about financial skullduggery is unlikely to have their laptop hacked by GCHQ - though of course they deserve basic care from you. But if it's someone who is seriously politically exposed... take maximum care.
All sorts of people will be affected...
Two or three years ago Ross was contacted by a missionary in Texas, who wanted to be able to communicate with converts to Christianity in Pakistan - where converting is a capital offence. So: how would you go about communicating with them, safely? Would you use so-called PGP encryption on emails? Or Skype? Millions use Skype and few use PGP. The authorities can very easily trace everyone who uses PGP.
The fundamental point here is that "anonymity loves company". PGP may be technically ever so good, but it stands out. Meeting your contact at 3am in Trafalgar Square is not a good idea; 3pm is.
Then there was Damian Green, the Conservative MP for Ashford, who received a leak about something that embarrassed the government. The then Prime Minister, Gordon Brown, wanted to know who the leaker was, and sent police into Green's office in parliament and carted him off from his home. Now, the security services could just do a "snowball search" - using that who-called-who "metadata" to trace the contacts of Green's contacts and so on. Even if Green hadn't talked to his source directly, just "two layers out" they'd find that he'd called Fred Smith, and two minutes later Smith had called Jones... who would be under suspicion.
Ross does mention one technical measure for allowing sources to communicate with you. He has a blog called Light Blue Touchpaper. Connections to it are encrypted, and the contents are encrypted. The software that runs the blog, and the database of messages, live on a computer that Ross controls - rather than on a commercial service such as Blogger.com (which is owned by Google). It is therefore possible for someone to say "I have a story" as a comment "to an out-of-date comment on a blog no-one reads" and it'd be difficult, if not impossible, to trace that message.
Another recommendation: if you're dealing with a really serious case, keep a computer specially for that case - one that is "airgapped", which is spook-speak for it never being connected to the internet or any other network. Consider using an operating system that fires up from a DVD, such as Tails, so that any other attempt at "equipment interference" will be futile.
Ross repeated: communicating securely is not about using special technology. It is about using things that everyone uses, intelligently.
So what are the other side doing?
Since digital telephone exchanges ("System X") were introduced in the 1980s, GCHQ have had call detail records, and since the 90s mobile records that allow them to work out the phone's location. That gave them the capability to do "snowball searches" and to search for people who were at locations A, B and C. That would be legitimate law enforcement in the case, say, of finding a serial rapist.
In the old days it cost police £200 to do a "cell site location dump". Now it is cheap. Now the spooks want "traffic data" - information on who contacted who and when - not only for voice calls and text messages but for email and every other channel. Such connection records do not only show who visited a website - but everyone else who visited the same site. Hence they too permit "snowball" searches - who visited the same site as a target, implying they may be in contact, and who may be connected to them, and so on out.
In fact the security services have been collecting this information anyway. Snowden's leaks demonstrated that when past efforts at legislation to legitimise this, initiated by Home Secretaries Jacqui Smith and Theresa May, fell, GCHQ decided to go ahead and do it anyway.
As Ross had already mentioned, one of the key provisions of the Bill is a mechanism for granting warrants for "equipment interference". This goes well beyond putting bugs on computers, tablets and phones. It's possible, Ross mentioned, to "hack the emergency assist button in a car". He mentioned a case where a suspected gangster's granddaughter had a talking Barbie Doll. The microphone in it feeds everything going on in the room back to speech recognition software on a computer somewhere in the US. You can guess the rest...
The Home Secretary would be able to serve notice requiring any company to do anything - such as installing malware on one PC, or a class of PCs or phones or toys...
The Bill reveals that GCHQ would run the "evil app store" and all a police officer would have to do would be to click here and there to, for example, turn your phone into a device that can track you and listen to everything around you, even when it appears to be turned off.
The power to compel
The Barbie story brings us to the power to compel firms to assist, by means of a "technical capability notice". They would of course be heavily fined if they revealed the existence of a warrant compelling them to do this. Unusually, directors and senior management would also be personally liable and could be imprisoned - for up to 5 years.
Ross observes that this provision means that no customer can ever trust a UK-based software company or service provider ever again. A friend of his runs a company that writes banking software - who says that if they're up against competitors from Brazil or Singapore, customers are likely to say "there's no way we'll buy the UK product, because of this power".
From the point of view of corporations like Google and Apple all this is toxic. It is one of the reasons they have started encrypting everything end to end - so they can say they have no knowledge of or responsibility for any message conveyed through their systems.
All this seems to be an example of what Ross called "the capture of dark powers by lobbies". Once the Home Secretary has the power to do dark things to stop evil people, its use will spread.
So, when dealing with a confidential contact, the tradecraft you should consider includes:
- Don't take any phone with you to face-to-face meetings;
- Keep all notes on an "airgapped" PC as above;
- Run that PC from an operating system that comes on a DVD, as above;
- If you're dealing with really interesting sources like Panama lawyers or defectors from the NSA, you need to do all the above and more.
Do not put your faith in technical fixes. Some people have proposed, or even built, special systems for whistleblowers to use to communicate. Being found to use such a system will draw attention to anyone, who "will be in manacles by dinner time". Again: privacy loves company.
A final question to ask yourself in all cases: "who is going to be harmed by my data?" Who else will it be "shared" with and used against? Will all those bits hoovered up from the network be passed to Saudi Arabia and used to behead people, or what?
Duncan Campbell shares his experience
Duncan Campbell opened by saying "I am glad to be here - as I prepared to talk I was struck by the pivotal role of the National Union of Journalists in protecting journalism, journalists and freedom of expression". He recalled the union's Delegate Meeting in Whitley Bay, after he, his colleague the late Crispin Aubrey and a source, ex-soldier John Berry, had been arrested under the Official Secrets Act (see note). "It was a lot of nonsense - and the resistance started in the sands of Whitley, as NUJ members stamped out the name of a secret witness against them on the beach. Later four MPs, including NUJ members, spoke the sacred name on the first live broadcast of Prime Minister's Questions."
"When Crispin and I went up to meet John in Muswell Hill in 1976, the security services were outside secretly. They may have bugged the phones, they may have followed us - and they arrested us and our source under Section 2 of the Official Secrets Act - a provision that Harold Wilson had promised to repeal. We were eventually convicted on one of the charges." That was close to the beginning of Duncan Campbell's career reporting on the security state.
Since then, technological capabilities for phone tapping and tracing have increased massively, as Edward Snowden's leaks confirmed. And, as Duncan says, "One effect of Snowden is that government have decided that openness can be a kind of weapon." When it's challenged about doing something illegal, it simply says "oh yes". To start with, to justify phone-tapping the UK government invoked the power of the monarchy. It was only the work of journalists such as Duncan that forced the first Act of Parliament to legitimise it.
Defence by avowal
One example of this "defence by avowal" is that in November 2015 Duncan was scooped - by the Home Secretary. She admitted in parliament the extent of phone record retention. "We are dealing with a slightly changed world," Duncan noted, "But the body politic is so anaesthetised that no-one has actually reacted with shock and horror."
Police in Scotland have "recklessly" used existing powers under the Regulation of Investigatory Powers Act 2000 (RIPA) to try to uncover journalists' sources. The Interception of Communications Commissioner has identified 400 potential sources being picked off through the gathering of communications data that you and I know as itemised phone bills, Duncan says. (This report is somewhat obfuscatory and mentions 608 applications by police relating to 242 journalistic sources - out of some 600,000 total applications).
This year we are faced with a new law that will legitimate extraordinary new levels of surveillance. As journalists we should understand why the security services like bulk data: we do, too. Sometimes we end up following lists of someone's contacts, and their contacts... And, having obtained data on hundreds of thousands of individual bank records Duncan used essentially the same tools as GCHQ would use, to find out who was doing what by way, for example, of tax evasion.
Something Must Be Done
This Bill is an example of a Something Must Be Done Law. The pressure for it comes from the terrorists, mediated by the journalists, making politicians fearful - and they turn to the spooks to allay their fears. The spooks may have underhand motives, and they may be diligent public servants.
Home Secretary Theresa May's onslaught in November showed that she had learned from the previous attempts to legitimise surveillance practices that Ross mentioned. It leaves very little time for building opposition or even for parliamentary Committees to consider it. (At the time of writing no date or timetable has been set for the House of Lords Committee - which bizarrely, is more likely to exercise democratic scrutiny than is the democratically elected House of Commons.)
And there was a PR blitz. The Times got invited to see inside GCHQ - a nice big polished apple handed to the editor and journalists to support the Bill - "Oooh, I got to talk to the Head of Tradecraft and he says it's all necessary and proportionate!"
Various dutiful committees have looked at drafts of this Bill and decided privacy was rather important. All the government did in response is to write the word "privacy" into the first section. They didn't change any of the substantive measures. (The Freelance observes also the drafters' cunning in framing early sections of the Bill in terms of penalties for unauthorised interception of communications. That's the easily-confused MPs sorted, right there.)
The exotica like equipment interference are a bit hard. The easy thing is to take phone records and browsing records and crunch the data. Even easier is to exploit people's ignorance and laziness.
How many of you in the room, Duncan asked, have knowingly or unknowingly shared all your contacts with Google or Microsoft?
In the belly of the beast
Last year Duncan was invited to Ditchley Park - an establishment once known to radical journalists as the centre of CIA infiltration of UK government. He sat down with the new head of GCHQ to open a conference. This, given his history, was a bizarre experience.
But it did provoke thought about the even bigger picture. Those of us who care about freedom and free reporting "have to give the securocrats support when there is blood on the streets - because there is no way that this is not going to happen," Duncan concludes.
Again, don't put your faith in technology
Duncan reinforced the message that Ross gave about tradecraft, not technology, being the key to protecting your sources. "If your source is a nurse they need reassurance, and they do not need to be asked to install some gizmo."
Duncan has "seen professors of journalism ask for 'the best possible technology to contact whistleblowers'... that's silly." He's been at meetings with a former MI5 agent and a former Military Intelligence person where he was invited to suggest the best way to contact a journalist. No. This is not the point. Training for journalists in ways to avoid detection may be a good plan.
And: "don't let the Tories distract you from reporting: keep on exposing what needs to be exposed."
Questions from the Branch
I (Mike Holderness) asked Ross and Duncan about the international implications. The US "Patriot Act" was the UK's RIPA Act, rewritten to be even less comprehensible. Did either know of plans for a similar export?
Both agreed that security services - particularly the US and UK - talk to each other all the time.
To reinforce the view that looking for technical fixes for technical surveillance is a waste of time, the branch was referred to the observation in the wake of RIPA that "it's amazing what you can do with Late Bronze Age technology and modes of organisation. For secure communication with a trusted source, nothing beats a face-to-face meeting..." (January 2002).
A member nevertheless asked Ross what he thought of WhatsApp security. He replied that it was good enough to hide stuff from his family. Another asked about "popular collective actions" such as working to raise the level of encrypted traffic and swamp the surveillance capability.
Ross was sure that wasn't going to work. The more salient point was what the big technology companies are doing. The moment Google discovered that the transatlantic cables carrying internet traffic were hacked by GCHQ it switched all its services to secure communication - hence the "s" now appearing in "https://google.com". That was a big "fuck you" from Silicon Valley to the spooks.
Duncan will use the Signal program to talk to people - but "I will only let it run on a phone where it can't see any of my contacts" because they've never been on that phone. "You have to be working on very hard targets against very hard people to bother with this. I do that, I have the kit, and month in month out it's never used."
A member asked about the use of drones in surveillance. Duncan confessed that he has one - he reckons there's a 2-year window to have fun (responsibly) before someone Does Something about drones in private hands.
Ross asked "what's not to like about police drones? Look at US university campuses with their panic buttons all over the shop. Press it, 27 seconds later there's a drone with a taser... and 17 minutes later a fat person in a car cruises up to turn over the body."
And, the same member asked, what are the implications of the privatisation of OpenReach, the arm of BT that runs cable and fibre down our streets?
Duncan responded that BT has been completely compromised - integrated into the security state - since before it was BT. "The idea that anything that started life in BT could get more corrupt..."
What were the chances of defeating the Bill, a member asked.
Ross observed that in his view "there's no realistic chance of defeating it because we have no functioning Opposition." The bounds on all this are more likely to be set by judges than by parliamentarians. For example there's the Judicial Review of government proposals sought by MPs David Davis (Con, Haltemprice and Howden) and Tom Watson (Lab, West Bromwich East) which is heading to the Court of Justice of the European Union.
Why, a member wanted to know, has no one gone after Christopher Graham, the Information Commissioner? It's his job to protect privacy...
Ross replied: "No it's not". Maggie Thatcher didn't approve of this Data Protection thing - she saw it as a German idea. He thought of her saying "mark my words I'll make sure it doesn't cause any trouble" - and succeeding. "It wouldn't surprise me if somewhere in GCHQ's files is a letter from some junior Data Protection official saying the US Prism data hoover is OK."
Duncan observed that the US doesn't treat citizens of other countries as having equal rights - and the UK is the same. So they steal what they can from their own corporations. Again: the Bill says in flashing red letters "don't trust anything British".
Several members wanted to know our speakers' views on the Apple Corporation's standoff with the US authorities over an order to break the encryption on an iPhone. (Since the meeting the Federal Bureau of Investigation has said that it broke into the phone independently of Apple.)
Ross returned to the theme that this is a global issue: "When some court in India rules that Apple must release data from someone in Pakistan, it can say - because of that 'end-to-end encryption' - 'sod off'."
Did he trust Apple?
"Apple has more of an incentive to be honest than the other corporations. Google has a different business model - it sells you to the advertisers. Microsoft makes most of its money selling software to large corporations."
Finally: is investigative journalism dead, another member wanted to know.
Duncan responded that editors and managers can kill it stone dead by "mindlessly wanting the same space filled day after day. If they are prepared to hire good people and allow them to produce erratic results, they'll be excellent over time."
An historical note
Duncan mentioned the ABC trial. The short version goes like this:
- In the beginning was the Agee-Hosenball Defence Committee (AHDC), opposing Mervyn Rees' plans to deport Phil Agee and Mark Hosenball following their 1976 revelation of the existence of GCHQ in Time Out.
- The late Crispin Aubrey and Duncan Campbell joined AHDC. They were contacted by ex-soldier John Berry - and arrested, and thus the AHDC begat the ABC Defence Committee.
- At ABC's committal hearing the government announced its intention to impress the jury of the Deep Secrecy that had been breached - by bringing an expert witness whose very name was a Deep Secret - "Colonel B". He was persuaded to demonstrate his expertise by listing his postings.
- Colonel Hugh Anthony Johnstone was therefore easy to identify from a close reading of the Signals Regiment house journal Signal. His name was published and those who did so were charged with Contempt of Court. (One made a trip to the library to consult Halsbury's Laws of England: "There is no limit to the penalty..." ... feels collar...) Thus the ABC Defence Committee begat the Colonel B Defence Committee. You just don't get third-order Defence Committees these days.
- The Journalist republished the name. Poor Hugh had his name inscribed in various beaches as Duncan mentioned, was paged at Heathrow, sneakily referenced in diary columns and discussed in pubs by journalists almost all of whom knew who he was and were annoyed at not being able to mention him. Then four MPs named him under parliamentary privilege. The next morning all the papers named him on their front pages except the Telegraph - which ran a leader denouncing all the papers that had named him and a news story on page 10 naming him.
- A finding of contempt was made against all who had named him, though Lord Widgery opted "not to make martyrs" and imposed a penalty only on the NUJ, which he fined £100. Everyone appealed to the House of Lords (then the Supreme Court for England and Wales) anyway. The Lords found that there had been no contempt: unlike Widgery they believed the Clerk of the Magistrates Court where the committal hearing had taken place, who had testified that "no such order was made in my court" forbidding the naming of Colonel B.
- Thus the Colonel B Defence Committee begat the Contempt of Court Act 1981 (which clarified how an order to keep a witness anonymous must be made)... and, it has just occurred to me, thus indirectly superinjunctions. Oh well.