There is no way to secure the absolute protection of a source in the digital world, but Josh Taylor has a few suggestions on what you can try. Cartoon by David Pope.
Are journalists just collateral damage in the ramp-up of the surveillance state, both in Australia and the rest of the world, or are they carefully considered targets?
The mandatory data retention legislation introduced by the Australian government late last year has, rightly, been identified as a major threat to the ability of journalists to go about our job. The legislation requires telecommunications companies to keep logs of the phone calls made, the assigned IP addresses, the mobile device location, email addresses and other identifying data for at least two years. Law enforcement agencies can then access this data without getting a warrant first. All that is required is for an approved officer to sign off on the request, and the telco will then hand over all the data they want.
For the average citizen, this is a breach of their privacy; for a journalist it is a massive compromise on our ability to just do our jobs. Consider wanting to arrange a meeting with a contact. You can’t call them on your phone, you can’t SMS them, you can’t use your work email address, you can’t take your phone to the meeting.
This data is already available today, and has been used to track down the sources of journalists including Laurie Oakes and Nick McKenzie. But the new legislation locks in a guarantee that when the agencies go knocking on doors for that data, the telco will have it.
What can journalists do about it?
There is, unfortunately, no way to secure the absolute protection of a source in the digital world. There are, however, steps you can take to minimise the risk that whistleblowers take in leaking information to a journalist.
There are a couple of ways to mask how you browse the internet. The simple way is by using a virtual private network (VPN) service. It’s not just for watching Netflix anymore! It is a good way to make your IP address appear to be somewhere else, and avoid logging under mandatory data retention.
Using the Tor Browser goes one step further, allowing you to access ‘dark web’ or ‘deep web’ sites that you can’t access through a normal web browser. Law enforcement has managed to crack down on some of the less legal sites, such as the online marketplace Silk Road, but the Tor Browser is more secure than your run-of-the-mill web browser.
Unfortunately, mandatory data retention means that for journalists, any mobile or fixed line account linked to their name is now compromised. Any source that calls you on a phone linked to your name will have their number made available to Australian law enforcement if officers ask for it.
Over-the-top voice messaging services such as Skype or WhatsApp are excluded from mandatory data retention but could potentially be captured through other surveillance methods deployed either in Australia or through the US.
In the US, many people use ‘burner’ phones they can use once or twice and then get rid of. This is slightly more difficult in Australia because the government requires registration of SIM cards using ID before the service can be activated. This change was also made due to ‘national security concerns’ in 1997.
Call a source if you have to, but try not to do it from anything with an account linked to your name.
SMS isn’t safe. The rise of device-side encryption in iMessage is an improvement, and means Apple shouldn’t be able to see your messages, but if anyone breaks into your phone, they could.
For short messages, you can always find apps that use Off-the-Record encryption, such as ChatSecure for iOS and Android. Or alternatively, you could follow in the footsteps of our very own communications minister Malcolm Turnbull and use an app like Wickr that destroys messages after a set amount of time.
One of the more absurd aspects of the mandatory data retention legislation is that the government wants ISPs to hold records of emails sent by their users, but ISPs only have the ability to record emails sent by their own services. So email@example.com emails will be captured but, by their own admission, firstname.lastname@example.org won’t be caught by the scheme.
So using international email services will be outside the scope of data retention. However, the Edward Snowden leaks have shown that security agencies can get access to emails held by US companies.
Disposable email addresses are also a way to ensure a greater level of anonymity for one-off communications. You can use these one-off emails if sources need to send you a file. But the source should also be sure to use encryption.
Every journalist should also use the PGP (Pretty Good Privacy) email encryption program. This is an encryption method that is a little more complicated to set up, and a little more time-consuming, but offers a higher level of encryption for those longer communications with sources.
Journalists can even link to their public key in their emails or in their social media profiles so that sources know exactly how to get in contact with that journalist securely.
To use a cliché, there is no silver bullet, and no way to guarantee that sources will be safe. All of this also relies on your sources knowing how to use the same encryption methods as you, and that will ultimately present the biggest hurdle.
Despite token gestures by the parliament to attempt to protect journalists and their sources, there are still enough gaps and loopholes in the legislation to ring alarm bells over the potential for sources to be compromised by government agencies accessing the data of journalists. The Australian Federal Police has also confirmed it has received 13 referrals to trace the source of leaked Commonwealth information in just the last 18 months.
Sadly, the best way to protect your source online is to take all communications with them offline. Car parks and plain envelopes offer much more protection than Gmail and phone calls.
Josh Taylor is the Sydney-based senior journalist for technology news website ZDNet
David Pope is a cartoonist for The Canberra Times