New America
Open Technology Institute

New Tools for Today's Investigative Journalist

Blog Post
By 

Dan Meredith

Oct. 14, 2011

Originally posted on DanBlah.com

While I am by no means a seasoned investigative journalist, I have the good fortune to work with some. Looking ten years back I couldn't imagine a media organization considering geek qualifications a core part of an investigative team. In 2011, turning a geek into an investigative journalist is a no-brainer.

The information landscape a journalist lives in today is very different than ten years ago. People share more information on the Internet about themselves than ever before. Journalists have access to large quantities of free information stored in social networks, government databases, and Freedom of Information requests. In response, the traditional journalist is evolving quickly. Today's journalist is not only sitting in the court room or town hall meeting with pen and paper but with a laptop sifting through relevant online information, filling FOIA requests, and chatting with their editors. With journalism, the market for tools and methods to collect, analyze, and present this information is growing fast.

The days of Excel spreadsheets and HTML tables are gone. Whether we're watching on TV, reading online, or in a newspaper we expect beautiful and easy to understand representations of important information, no matter how large the underlying data is. DocumentCloud, Information is Beautiful, Piwik, Mining of Massive Datasets, PACER, Google Refine, Google Fusion Tables, Google Public Data Explorer, IBM's Many Eyes, and ScraperWiki are just some of the data driven journalism tools widely used by mainstream media today.

There already exists a wealth of awesome write-ups documenting methods and tools for journalists creating data driven stories.[1] [2] [3] Rather than add to it, my focus is on another important and evolving component of investigative journalism: sources, communication, and protection of privacy.

The journalists of yesterday and today care deeply about protecting the identity of sources. Having a private conversation with a source used to be easier. The days of meeting sources confidentially in a dark lit parking garage are disappearing. Today things are very different. In our digital world, journalists interview sources half a world away or across town using Skype. And just like every generation of journalists, today's are developing tradecraft with new techniques and tools on top of tried and true traditional gumshoe journalism.

Investigative and Field journalists reporting the recent revolutions in the Middle-East and Northern Africa exposed surveillance technology deployed by now toppled and currently active regimes. It has been reported that Libya was using a system developed by Amesys, a French company (though the company has argued its dealings with the regime were limited). [1] [2] The BBC reported that Iran is using a system developed by Nokia-Siemans Networks, a Finnish and German company. Syria is reportedly using a system developed by Bluecoat, an American company though it was not likely sold directly to the regime[1] [2] [3] The Guardian reported that The Gamma Group, a U.K. company, offered to sell a system to Egypt. Surveillance technology is the new hot weapon in a cyber-arms race with journalist-source confidentially in the crossfire.

Government operators of these surveillance systems are able to monitor in real time an entire populations mobile phone conversations, text messages, emails, and Instant Messages. Operators watch individuals visit websites and receive alerts for concerning activity. In some cases, operators can retrieve passwords for social network and email websites. Who are these government operators targeting? Often, it is government opponents, journalists, and their sources.

If Western developed surveillance technology can do all this for a developing Middle-East or North Africa government, what are the capabilities of developed Western government's surveillance technology? In an arms race, what we know today was outdated yesterday.

Paraphrasing statements made by Lucy Dalglish of the Reporters Committee for Freedom of Press at the Investigative Reporters and Editors conference: No longer do governments always need court orders to obtain a journalist's source. Lucy points to how pervasive "lawful" surveillance technology has become worldwide. The amount of information collected by today's governments and corporations is beyond Orwell's imagination. In response, today's investigative journalist must develop their tradecraft with new tools and skills. Journalists must be conscious about existing surveillance technology and take steps to guard against it.

Take off the tin foil hat. It's not going to help.

Fortunately, tools exist to keep Big Brother's eyes and ears at bay and maintain source confidentiality. Some of these tools are accessible. They can be download and used today for secure communication between two people without requiring super geek credentials. For brevity's sake, I'm only providing an introduction with links to more information.

Visit a Website's Secure Address: HTTPS Everywhere Take a look at your web browser's address bar. The HTTP at the beginning of every web address stands for Hyper Text Transfer Protocol and is a vital component of the World Wide Web. It is also a non-secure connection. Replacing HTTP with HTTPS adds additional security. While it is often default for banks, it is not for many important sites we use to communicate amongst ourselves. The HTTPS Everywhere extension increases security by making HTTPS the default connection between you and Gmail, Facebook, Twitter, and many other websites.

From the Electronic Frontier Foundation's website: "Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS."

Secure Encrypted Chat: Crypto.cat, Off-the-Record From Julius Caesar to the Enigma Machine, cryptography has been using encryption to keep communication between two parties private for a millennia. Using modern cryptography, crypto.cat, allows for encrypted private chats between two individuals today. Grab a person with a computer nearest to you and visit crypto.cat. Agree on a chat room and you are both engaged in a secure conversation requiring only a web browser. It's that easy.

Crypto.cat is new, using recent methods to secure your communication. A mature tried and true method is called Off-the-record, or OTR. OTR extends the capabilities of your Gtalk, AIM, or any other Instant Messaging service to make sure only you and the person you're talking to can read the messages.

If you're using Windows or Linux, download and install Pidgin with the OTR plugin. If you're using a Mac, download and install Adium. If you've an Android, download Gibberbot from the Android Market. Note, both parties in the conversation need to have one of these applications installed for secure chat.

Secure Encrypted Email: PGP, PrivacyBox.de Email is like a post card, even if you are using a secure https connection to Gmail. Without your permission, I could forward your message on to someone else. After 6 months, U.S. law enforcement can read your email without a warrant. They may not wait that long. According to Google's Transparency Report, in 2010 94% of the time Google complied with U.S. government data requests. Never assume email is private, period.

Assuming all of your email is public, you could try and write each avoiding language that would impose self-harm or offend anyone. You would have to look beyond the present to the future as well. Or you could encrypt the email you want private with Pretty Good Privacy or PGP.

For Windows and Linux, download and install Mozilla's Thunderbird and the Enigmail extension. For Mac, you can download GPGTools which supports Apple's Mail app or my recommendation of Thunderbird. Just like secure chat, both parties need to have PGP enabled email configured for a secure email communication.

Another good and easy solution is PrivacyBox.de. "PrivacyBox provides non-tracked (and also anonymous) contact forms. It is running primarily for journalists, bloggers and other publishers." You or your team can setup an account assuring your contacts a secure way to communicate with you for free right now.

Secure Encrypted Voice: Skype, Redphone, CryptoPhone It is much easier than you might think to listen in on your mobile phone conversations. Skype with encrypted voice is a step in the right direction. Though unlike OTR chat's or PGP email, it's not a trusted solution. You put all of your trust in Skype not to listen in, manage the security of your communication, and not turn information over to a government. Microsoft owned Skype does not offer a Transparency Report like Google. Thus, we have no idea how often they comply with government data requests. It's likely they are under similar pressure as Blackberry maker RIM is in the Middle-East, who've likely "granted some access to communications passed between devices to the UAE government".

If both you and your contact have Android phones in the U.S., check out Whisper System's RedPhone: "RedPhone provides end-to-end encryption for your calls, securing your conversations so that nobody can listen in. It's easy to use, and functions just like the normal dialer you're accustomed to."

If you can afford it, a good solution is GSMK's CryptoPhone. It looks and operates like a standard mobile phone, except when two CryptoPhones call each other. With a CryptoPhones on each end of a they create a "completely confidential encrypted telephone call".

Secure Your Everything: Tor The above tools do a fine job of protecting specific communications methods, but what about web browsing and everything else? What if you don't want anyone to know you are visiting a specific website, uploading files to Wikileaks, talking to a specific person, or have censored/restricted Internet access? The answer is Tor.

You have to meet a very secret informant named Deep Throat in the bottom level of an underground garage across town. If it was anyone else, you'd jump into your bright yellow VW Beetle convertible. You decide it's a bit conspicuous for this trip. Conveniently, your buddy lends you the worlds most popular car in it's most common color, a white Toyota Corolla. Even better, the Toyota's windows are darkly tinted. Rather than drive straight to the parking garage, you take a longer indirect route making it hard to know your destination.

This is what Tor does to your Internet connection. Like a Toyota with encrypted windows criss crossing town, Tor makes the traffic look inconspicuous, encrypts your information making it very difficult for anyone to know what you're doing or saying, and routes your Internet traffic through other Tor users making it difficult for anyone to know who you are, who you are talking to, or what you're doing online.

Tor is an amazing piece of technology and easy to use. "The Tor Browser Bundle lets you use Tor on Windows, Mac OS X, or Linux without needing to install any software." Download and run. If you've an Android phone, download and run The Guardian Project's Orbot from the Android Market.

This next set of tools are as important as the aforementioned for modern investigative teams. Unfortunately, they require a fair amount of technology experience to implement. If you are not a geek and work for a larger media organization, bring these tools to the attention of your IT and Security support staff. If you're an independent journalist, show them to your geeky friend. If you need to make a geeky friend, try your local hackerspace.

Anonymous Online Dead Drop: Globaleaks There is social value in providing a secure space for people to expose confidential information that is in the public interest, as seen recently by Wikileaks and those before it. In the post 9/11 U.S., more than 4.2 million people have access to confidential information with a government security clearance. Over one million of the 4.2 million have access to Top Secret information. If you can provide an online dead drop with reasonable assurance of anonymity and deniability for the conscientious, it will get used.

These whistleblower services are on the rise from main stream sites like the Wall Street Journal's Safe House to the region specific FrenchLeaks. The technology co-opted by them strives to keep one step ahead of those who would keep socially valuable information from the public eye. Internet policy and free speech advocate, Marvin Ammori states “The right to free speech is meaningless without some place to exercise it. “ Recently, Wikileaks has exposed the urgent issue of protecting Marvin's “digital speech spaces”. Just like the Crypto Wars of the past, lawyers creating forward thinking policy and geeks creating innovative technology are required.

Creating a website to accept files and text is not a complex task for an average geek. Including technology assuring deniability, anonymity, information security, and privacy embracing the same tradecraft as a traditional dead drop is something else entirely.

Leak Directory may be the most comprehensive set of information on the topic. You'll be quickly reminded that whistle blowing websites didn't start with Wikileaks. From old school telephone hotlines, online forms hosted by national security agencies, to Cryptome tools and services for receiving and disclosing leaked information have been around for a while.

Unfortunately, most are bespoke and proprietary. Globaleaks is one to pull out of the haystack, an open source project worth keeping an eye on.

Encrypted Cloud Storage for Teams: Dropbox, Encfs When dealing with large diverse files such as audio, video, and various documents, it's not practical for colleagues to share files via email or snail mail. You could use a company VPN and centralized storage but it's often to slow in the field. Cloud services such as Dropbox make it their business to get as close to you as possible ensuring the fastest upload and download speeds as possible. While Dropbox is easy to use, it is not reliably a private option without an additional layer of security.

A tech savvy solution is to encrypt your content before Dropbox sees it. Pairing Encfs with Dropbox results in file based encryption that only you and your colleagues can decrypt. It's cross platform with existing instructions to get you and your team collaboratively editing files in a shared secure folder with OS X, Windows, Linux, and Android.

While the adoption of these tools goes a long way in reducing the ability to "listen in" on your communication, it doesn't address all the issues a journalist will confront. What if your laptop gets stolen or confiscated and searched at a border, what if you are detained and required to give out your passwords, what if someone you trusted gives out your passwords, or you are being actively harassed by intelligence officers? Even in the United States some states argue that a mobile phone can be searched without a warrant.

You should follow those links. These are common situations investigative and field journalists encounter today. The above situations aside, your laptop or phone will break. When it does, it will likely have information you need and need to keep private. What then?

If you work for a large media organization, hopefully you've already been approached or gone through some information and operation security trainings. If not, go find your Chief Security Officer or Director of IT. Ask them what your organizational policies are for the above situations.

In general, there is an empty void of resources tailored specifically for journalist on information and operation security. eQuality, “a collective of technology and security experts working with organized civil society and independent media.”, is a good place to look for formal trainings and policy development.

If you're an independent journalist with little technology experience, there are some resources out there for you. The Tactical Technology Collective's Security in-a-box is an excellent reference with tools. EFF's Surveillance Self-Defence. RiseUp's Communication Security, and MobileActive's Guide to Mobile Security Risk Assessment are three recommended primers.

Finally, utilizing and supporting technology providers that understand the importance of privacy and security will make things easier for you. The EFF's "Who Has Your Back" campaign rates large providers. Google and Twitter lead the way. A recent Wired and Ars Technica article, "Secret memo reveals which telecoms store your data the longest", give T-Mobile a slight edge in the U.S. In all cases, they are storing information and often handing it out without your prior consent. Do you trust them with your private information that exposes your sources?

Personally, I use and support The Riseup Collective. They don't provide Internet access, but they provide trusted secure services including E-mail, Instant Messaging chat, VPN, and support to the Tor project. They will also fight for your right to privacy.

Recently, Google and Riseup both received subpoenas from a judge to hand over user account records. With the help of EFF and the National Lawyers Guild, Riseup fought and won to have the subpoena's overturned. Unlike Riseup, Google complied with the order handing over the requested information about its users.

I covered more than intended and left out a whole lot. I look forward to comments on what's missing, what's more secure, what's easier to use, other good references, and your general thoughts. “After all, it is not the diagnosis of a disease that cures the patient.” said Mr. Fish