Intelligence and security services have more or less admitted that the terrorists have won by insisting not only should targeted surveillance of UK journalists and their sources continue, but that, according to recently revealed documents, these journalists, in terms of perceived threats, equate to terrorists and hackers. In doing so, they – particularly GCHQ – are forcing UK journalists and their sources, including whistleblowers, to adopt unnecessary ‘cloak and dagger’ methods for communicating and sharing information. Below we provide some examples of these cloak and dagger methods.
New Snowden documents reported in the Guardian have revealed that GCHQ has been collecting emails to and from journalists working for some of the US and UK’s largest media organisations – including the BBC, Reuters, the Guardian, the New York Times, Le Monde, the Sun, NBC and the Washington Post – for many years. These documents also showed that a GCHQ information security assessment listed “investigative journalists” as a threat alongside terrorists or hackers. One such document warned that “journalists and reporters represent a potential threat to security” and “of specific concern are ‘investigative journalists’ who specialise in defence-related exposés either for profit or what they deem to be of the public interest. Consequently journalists in the UK have little choice but to adopt highly sophisticated encryption technologies so as to protect their sources. Here are three examples of methods avoiding monitoring that can be used. (Note: none are 100% perfect.)
Method 1: Secure Drop
Secure drops are becoming more commonly available. “It’s like a Wikileaks-type system that can prevent the reporter from knowing who their source is if the source chooses,” Trevor Timm of Freedom of the Press Foundation (FPF) explains. The system is integrated into news organizations’ websites and enables sources to upload a document, which will then be securely transferred to a journalist at the media organization. However, even though Secure Drop has been tested for sound security, sources and journalists still need to be careful when communicating online. Many leading news papers have secure dropboxes based on designs by encryption specialists, such as FPF. As examples, here are the secure drops for the Guardian newspaper: https://securedrop.theguardian.com/ (key = 33y6fjyhs3phzfjj.onion) and The Intercept: https://firstlook.org/theintercept/securedrop (key = y6xjgkgwj47us5ca.onion).
Method 2 – highly secured encryption:
There are a number of other secure technologies available, including pgp, end-to-end encryption, OTR chat, use of Tor, etc. However these technologies won’t necessarily suit every situation or every source. Here are some guides: Freedom of the Press, Tactical Technology Collective, Committee to Protect Journalists.
Method 3 – old-fashioned method:
This is where it gets a bit theatrical. A source – say, a whistleblower – might decide that in order to avoid being monitored the first contact made with a journalist should not be via email, phone or snail mail but face-to-face at the offices at which that journalist is based (and not by prior arrangement). This could be problematic as offices may be bugged. Alternatively, a ‘deep throat’ means of initial contact may be preferred. Once initial contact has been made any information can then be handed over providing basic precautions are taken: including lack of fingerprints on print documents and USB sticks, and the removal of identifying properties on a USB stick and all files contained on it. Further precautions for future liaisons – including via digital means – can then be agreed.
Whichever method is used sources should ensure that: a) they upload files from a PC not used for anything else (and so will not contain surveillance codes) and b) upload files via an internet cafe or similar.
Meanwhile, more than 100 editors, including those from all national UK newspapers and other media organisations, including Rachel Oldroyd, managing editor of the Bureau for Investigative Journalism, have signed an open letter to British prime minister David Cameron protesting at the snooping of journalistic communications. The Bureau argues that UK legislation governing mass surveillance and interception programmes does not protect journalists’ sources and as such is in breach, under Article 8 and 10, of the European Convention on Human Rights. Under the Convention covert state surveillance and accessing of journalistic information cannot be used to circumvent these important rights.
Here is a summary of the Bureau’s submission to the European Court of Human Rights – of which the United Kingdom is a signatory – to see a ruling against these prohibitive practices.
Finally, only two days ago, the former head of MI6, Sir John Sawers – otherwise known as ‘C’ – called for a new surveillance compact between internet companies and the security services in the UK and US. At a private meeting he admitted that “informal co-operation… between most technology companies and communication companies and security services [had existed but] was broken by the Snowden revelations…” He added that prior to Snowden “… the public did not know that GCHQ and the National Security Agency in the US could monitor traffic on the internet in the way they could.”