Post-Snowden, journalists and bloggers – and their sources – are now far more aware about how they need to be tech savvy to circumvent state surveillance. Some anti-surveillance technologies – as well as alternatives to those technologies – via which journalists, bloggers and their sources may evade prosecution – are outlined below. Guides from authoritative sources, covering everything from old-fashioned spycraft procedures, to advanced computer encryption, are provided too. We also take the opportunity to deconstruct what is happening in Australia regarding the new and evolving legislation that attempts to gag not only whistleblowers but also media publishers, mainstream or otherwise.
(Note: In the above video Julia Angwin, Jack Gillum, and Laura Poitras tell anecdotes about how they use crypto and privacy-enhancing technologies, like TAILS and Tor, as high-profile journalists. They also talk about rare crypto successes. To see more on this, download a copy of ‘Encryption Works’ – via section 1C, below.)
BREAKING NEWS: The World Medical Association president Dr Xavier Deau and chair Dr Ardis Hoven have condemned Australia’s new gagging law that could see health and other professionals imprisoned for reporting on the abuse of asylum-seekers in Australia’s offshore detention centres.
1. Anti-surveillance technologies:
Starting with the premise that bulk surveillance is happening whatever supposed safeguards are in place, we look at some of the anti-surveillance technologies that could be employed (by anyone, whatever their location)…
Since Snowden, anonymous submissions facilities are gaining in number, but these should be used wisely. All good anonymous submissions facilities will include detailed instructions on not only how to use the facility, but also tips on how to prepare the material for submission (e.g. limiting the metadata) and other basic ‘spycraft’ measures. Users must abide by these instructions to avoid compromising themselves. Also whistleblowers should ensure they fully analyse the risks and threats to their anonymity before they first make contact with journalists or use any of the technologies listed below.
1.A. Digital mechanisms
For those sources who are able to use encrypted or anti-surveillance tools, there are a range of technologies available, as also advice on more general anti-surveillance measures. Some of the more secure facilities are listed here:
- SecureDrop. An increasing number of media outlets have now incorporated a SecureDrop facility. SecureDrop is considered to be a highly secure, fully-encrypted system that provides total anonymity for those who use it. One media outlet that has a SecureDrop facility and an Australian edition is The Guardian.
- Wikileaks. Perhaps the most famous submission facility is that provided by Wikileaks. It is available to be used by anyone, in any country.
- GlobaLeaks. There are a number of sites that offer GlobaLeaks (open source) submission facilities. One such site is Media Direct, which is Australian based and aims to provide encrypted interactions between anonymous whistleblowers, who access the facility via Tor, and specific journalists. The submission server Media Direct operates does not log anything, so should the Australian authorities seek information about a source, there is nothing that Media Direct can provide. Furthermore, Media Direct automatically deletes unused content within two weeks.
1.B. Analogue mechanisms
Of course, not all sources are able to use encrypted or anti-surveillance tools. They will need to be extra careful in how they pass on information – old-fashioned spycraft techniques will apply (the first of the guides in the sub-section below provides lots of tips).
Similarly, for many journalists faced with a mass surveillance regime – regardless of legislation that claims to protect them – “going back to analogue basics” may well be the new norm when dealing with confidential sources. Alan Rusbridger (former Editor of The Guardian) recently said, “I know investigative journalism happened before the invention of the phone, so I think maybe, literally, we’re going back to that age, when the only safe thing is face-to-face contact, brown envelopes, meetings in parks or whatever”. But the risk of exposure travels with journalists heading to face-to-face meetings with sources if the route they take is subject to security camera surveillance, or they travel with traceable mobile devices that deliver geolocation data.
There are a number of guides on anti-surveillance and spycraft worth examining. Here are the main ones…
- Here is a (UK) guide – tips – for whistleblowers that include a mix of spycraft and more modern methods (once opened, allow the page to automatically refresh).
- Here is the Electronic Frontier Foundation’s ‘Surveillance Self-Defense: Tips, Tools and How-tos for Safer Online Communications’
- Here is an anti-surveillance guide for journalists (sources may find it useful too) from the (UK) Centre for Investigative Journalism.
- Here is an advanced guide on ensuring your PC is secure.
- Here is a copy (pdf download) of Encyption Works from Freedom of the Press.
- Here is Security in a Box (tools & tactics for activists).
- Here is ‘Me & My Shadow’ (explains how to minimise being watched on the Internet)
- Here is The Intercept’s guide (long read, but easy) on internet security.
(Note: some aspects of these guides may need updating,)
See also Section 3 (below) on whistleblowing anomalies.
2. The Australian legal landscape re whistleblowing/disclosure
2.1 Data retention provisions
In Australia, whereas the newly introduced Border Force Act (BFA) gagging oath (see below) purportedly only applies to workers at the offshore refugee detention centres, those journalists or bloggers who publish leaks by those detention centre workers will still have to tread carefully as there are other means by which they can be prosecuted and, consequently, face imprisonment – and not just for publishing leaks about these detention facilities and the abuse of detainees, but about anything that might embarrass the Government.
For example, the mandatory data retention law – more correctly known as the Telecommunications (Interceptions and Access) Amendment (Data Retention) Bill – will mean that all journalists’ sources can be compromised and, consequently, this could have a chilling effect on the exchange of information. This legislation requires telecommunications service providers to retain and secure for two years all telecommunications data. It also establishes a journalist information warrants regime. While the Liberal Government and the Labor opposition agreed to this warranting system such warrants will be obtained in secret and so media organisations will be none the wiser as to whether they have been or are targetted. Warrants to gain access to metadata – to the information about whom a journalist has been talking with and when – must pass a “public interest test”, where a public advocate argues against the warrant, though this too will be kept secret and should journalists report that this warranting process is occurring they can face up to two years jail.
Regardless of how workable this legislation is it is interesting to note that Crikey reported last year that the Australian Federal Police admitted it had been monitoring communications metadata of journalists and MPs and senators to track whistleblowers and other anonymous sources.
In any case, as a member of the “5 Eyes Club” (Australia, New Zealand, Canada, the USA and the UK) Australia is able to access the communications of all Australians via the intercept facilities of its partners – this has been going on for years (as evidenced by the Snowden revelations).
In short, it’s best to assume that surveillance of journalists and their sources is routine and that the new legislation will merely ‘regularise’ or ‘legalise’ certain aspects of that surveillance.
And whilst there is a valid argument that journalists deserve special treatment – protection – there is an equally valid argument that in the spirit of universal transparency all citizens should be free to publish and access information about corruption and other crimes without fear of prosecution.
2.2. Border Force gagging law
The latest Australian Government gagging offering is the Border Force Act, amended in secret with the collusion of the Labor Opposition.
The crucial section of this Act is this:
An “entrusted person” is basically anyone who works or has worked in a detention centre. “Protected information” can mean anything. Two kinds of information relate to asylum seekers held in immigration detention: one is about “documents and information about the identity, immigration history or status, or citizenship history or status of a person”; the other is “documents and information about the provision of services to persons who are not Australian citizens”.
In recent days, after much criticism of this gagging law in the press and by NGOs (and by doctors’ associations in Australia and worldwide) the Abbott Government has been forced on to the defensive, claiming that Section 42 of the Act would not apply if the entrusted person “reasonably believes that the disclosure is necessary to prevent or lessen a serious threat to the life or health of an individual.” This exemption, it should be made clear, is entirely at the discretion of Government ministers – and, of course, discretion can go either way.
The Government also claimed that any disclosure of information “required or authorised by or under a law of the Commonwealth, a State or a Territory,” or by a court or tribunal, is also exempt (e.g. information required by the Royal Commission into Child Sexual Abuse). Further, it was pointed out by the Government that the Public Interest Disclosure Act, which encourages public sector workers to report wrongdoing and protects those who do, overrides the Border Force Act. All very comforting. Or is it…?
The Border Force Act and the Public Interest Disclosure Act provides very limited protection to whistleblowers – namely, they have to disclose wrongdoing only through official channels. The problem here is that there can be no guarantee that anything will be done about the wrongdoing.
There are also many other reasons why recent Government statements on whistleblowing should be viewed cynically – some of which are given here by George Newhouse. In particular, Newhouse points out that the so-called protection of the Australian whistleblower law “does not extend to disclosures made about the conduct of a PNG or Nauran Government official or worker, or of any person who is not an Australian government contractor or officer. That includes detainees, or even a local priest in an offshore immigration detention centre. In addition, the whistleblower law offers no protection to those who make a public disclosure about the actions of an Australian government minister or policy, even if it harms people.”
Newhouse adds that so-called allowable reporting involves extensive bureaucratic requirements, including “the need to exhaust all internal complaints processes before any public disclosure of information occurs, which is likely to substantially delay disclosure and have a chilling effect. Once they go public, disclosure must be limited to the issue which was the subject of the original internal complaint. Too much disclosure is not protected, and there is little guidance about where the boundaries lie.”
Also, he says: “It is true that there is an exemption to the secrecy provisions in the Border Force Act which would allow a medical or allied practitioner or a teacher to report suspected child abuse or neglect inside an Australian immigration detention centre. However this exemption only applies to workers in Australia because they are covered by State and Territory mandatory reporting laws. Unfortunately and relevantly, this exemption is of no use to a doctor, teacher or care worker where Australian mandatory reporting laws do not apply, such as in Nauru or Papua New Guinea.” In short, under the present laws, whistleblowers have to make complex legal assessments about whether their disclosure has been “adequately dealt with” under the internal review procedures before they can speak out.
Nor should we forget that with the Department of Immigration there has been a long history of cover-up. Don’t forget, too, that Save The Children workers on Nauru were deported and referred to police by the Immigration Department for providing evidence of child sexual abuse. Police also investigated journalists reporting on these matters to identify their sources.
3. Some whistleblowing anomalies
Meanwhile, there are some interesting legal and related anomalies (couched mostly in the Australian context, but which have wider applicability) that require answers/comments.
- A newspaper that has an overseas ‘parent’… An example here is the Guardian Australia, which can be accessed from The Guardian UK site, which also includes a link to the Guardian US site. The site as a whole (encompassing the UK, US and Australian editions) includes the submissions dropbox facility, which can be used by anyone in the world. This facility can be used by an Australian whistleblower to provide information to any one of the three editions, or to all three editions. Similarly, a non-Australian whistleblower can submit information of Australian interest via the facility. In either case, would the Australian authorities aim to prosecute the Guardian Australia, regardless of which edition of the Guardian that information appeared in, or the ‘parent’ body?
- Where a dropbox site functions as an intermediary between a source and a journalist (such as Media Direct) is that intermediary regarded as a source (to the journalist) or as a media outlet (i.e. as a recipient that plays a role in the publishing process)?
- What about an Australian blogger who has successfully remained anonymous and uses overseas-hosted sites? Could – would – Australian authorities prosecute such a person?
- And then there are those bloggers – anonymous or not – who are based outside of Australia and receive information of Australian interest via a third party and so publish that information. Can – will – they be prosecuted by the Australian authorities?
- Then there is the small matter of the definition of journalist: contracted, free-lance, blogger?
- If a source of information/data about wrongdoing is a non-Australian citizen (including, say, a detainee in an offshore refugee centre) could – would – that person be prosecuted under existing Australian laws?
- Could tweeting content that has been leaked be perceived as ‘publishing’ that content, in the same way that tweeting (or even re-tweeting) a defamation could result in litigation?
- Could a blogger or a journalist who publishes information provided by a whistleblower (Government worker, citizen, offshore detainee) be accused of conspiring with that whistleblower to disseminate confidential information (though that may depend on the nature of the information and whether that information was solicited)?
- And what about stories from anonymous sources or otherwise, exposing wrongdoings, say, by the Australian Government and published in non-Australia media – e.g. Huffington Post, Liberation, Charlie Hebdo, Wikileaks – you name it: again, could – would – the Australian Government prosecute any of these media outlets?
Clearly, there are some grey areas – or loopholes – here, not just in terms of how current and evolving gagging legislation is applied, but also in terms of the practicalities of tracking and identifying sources and of prosecuting media outside Australian jurisdiction.
Nevertheless, despite or because of these anomalies, the importance of anonymity and the use of encryption tools – which may involve a learning curve for both whistleblowers and journalists/bloggers alike – remains.