Protecting Sources and Whistleblowers in the Digital Age
I recently had the pleasure of participating in the Walkley Foundation panel discussion on "Protecting Sources and Whistleblowers in the Digital Age". My co-panelists were Paul Farrell (Buzzfeed, ex-Guardian), Elise Worthington (ABC), with Julie Posetti (ex-Fairfax/ABC) as commère. As well as providing a forum for the panel discussion, the event served as the official release of Julie’s UNESCO study “Protecting Journalism Sources in the Digital Age”.
As the only non-journalist on the panel, I offered a technical perspective on the challenges that journalists face. Over the past few years, I have provided practical technical solutions for several journalists and Australian news organisations to protect their sources and themselves.
Julie Posetti opened the event with a brief summary of her UNESCO study and invited panelists to share their initial thoughts on her report. For me, the report underscored the bleak situation journalists face in attempting to protect themselves and their sources. Mass surveillance of Australian journalists and citizens is multifaceted. Among the most prominent forms of Australian mass surveillance are:
- Governmental – mandatory data retention: where all telecommunications metadata is being stored for two years;
- Governmental – the “5 Eyes” intelligence alliance, between the US, UK, Canada, Australia and New Zealand, where governments outsource surveillance of their citizens through alliance members, and share that surveillance with their counterparts;
- Corporate – such as Facebook, Google and Twitter, organisations who have a voracious appetite Hoovering up even the smallest details about their users.
Governmental surveillance is increasing each year; the tightening of national security and anti-terrorism legislation is continually used as justification to erode citizens’ rights. Prima facie, governmental surveillance breaches Article 17 of the International Covenant on Civil and Political Rights, guaranteeing privacy. Article 17 specifies, “individuals have the right to share information and ideas with one another without interference by the State, secure in the knowledge that their communication will reach and be read by the intended recipients alone.”
Corporate entities make whistleblowing difficult by disincentivising anonymity. Facebook has a ‘real name’ policy, where ‘pretending to be anything or anyone’ is not allowed1. Twitter only gives accounts a ‘verified’ status if they have provided a verified email address, phone number, and birth date2. Furthermore, these corporate policies foster suspicion and prompt members of society to shun, or question those who use anonymity. Together with the overt effects, corporates often insinuate those who use anonymising networks, such as Tor, are up to no good, simply because they choose not to reveal their true identity.
Society has stigmatised protection of privacy, such that, those who are pseudonymous, and use privacy protection tools—such as Tor— are labelled pejoratively as ‘paranoid’, at the very least. The collarary is, those who are labelled as paranoid, can only be so labelled if they are not being actively surveiled. With government metadata retention, and wholesale capture of data by the 5EYES agreement, all citizens and journalists are rightly justified in protecting their identity and using anonymity systems.
In Australia journalists are theoretically protected by ‘shield laws’3, which protect them from government interference that forces them to reveal confidential sources. Ideally, shield laws also protect whistleblowers by proxy, however shield laws have lost their efficacy in today’s environment of mass surveillance. Mass surveillance facilitates accessing suspected whistleblowers metadata and examining it for interactions with the publishing journalist, allowing whistleblowers to be outed. Current mass surveillance practices do not simply create an exception where communications to or from a journalist are expunged. For example, the Australian Federal Police accessed Paul Farrell’s metadata, without a warrant, to seek his sources4.
The current narrow legal definitions of the term ‘journalist’ further diminish the effectiveness of shield laws. In the past ten years, the journalism industry has been disrupted, with a massive increase in the number of journalists who freelance, not to mention the fine line that has appeared between professional journalists and bloggers/tweeters like Behrouz Boochani.
Julie Posetti asked how I would respond to a potential whistleblower wanting to maximise their chances of remaining protected from exposure. While each scenario is different, ranging from a worker blowing the whistle on poor governance within council, to explosive releases such as those released by Edward Snowden, there are a few tips:
- Whistleblow to a journalist that has a proven history of protecting sources, such as Paul Farrell, or the ABC Four Corners team. At the very least, contact journalists who provide secure channels for initial contact—I notice ever increasingly journalists on Twitter have added Signal or Wikr contact details in their Twitter bios.
- Minimise your digital footprint. Try to use analogue methods of communication, such as dead drops, transmission of material through the post, or meeting in person (without electronic devices/phones being present).
Citizens and journalists need to provide ‘herd immunity’, by using anonymising and privacy enhancing technologies all or most of the time, not just when requiring privacy. Increasing use of these technologies also results in:
- Normalising these technologies, resulting a reduction, and hopefully a removal in the stigma that only ne’er-do-wells use these technologies.
- Ensuring that journalists and citizens can use these technologies with a high degree of confidence—with that high degree of confidence, improved productivity will result.
- Increasing expertise throughout the journalistic profession. This expertise will facilitate journalists teaching their peers, filling an ever-increasing hole in training capabilities in media organisations due to ever diminishing income for media organisations.
Other aspects of using technology to protect sources that were mentioned by the panel were:
- Tails - The Amnesic Incognito Live System. Tails is an operating system designed from the ground up for anonymity and privacy. Tails can be used in most PC’s, and can run from a USB stick. The significance of using a USB stick means that Tails users don’t have to reformat their computer to use Tails. Tails has the Tor anonymising browser, encryption utilities, as well as utilities for cleaning and working on sensitive documents.
- Journalists using a dedicated phone for Signal, without a SIM card, that sits in the journalists’ office, ready for contact by whistleblowers.
On a final note, during the panel discussion, Paul mentioned that the privacy of Australian journalists is less compromised than in other jurisdictions. To some extent I agree with Paul, however, journalists and citizens must remain vigilant to ensure the situation in Australia does not descend to the poor standards faced in other jurisdictions.
Matthew Da Silva