Opening Secure Channels for Confidential Tips by Martin Shelton.
From the post:
In Shields Up, security user researcher Martin Shelton writes about security threats and defenses for journalists. Below, his first installment. —eds
To make it easier for tipsters to share sensitive information, a growing number of news organizations are launching resources for confidential tips. While there is some overlap between the communication channels that each news organization supports, it’s not always clear which channels are the most practical for routine use. This short guide will describe some basics around how to think about security on behalf of your sources before thinking about tools and practices. I’ll also describe common communication channels for accepting sensitive tips and tradeoffs when using each channel. When thinking about tradeoffs, consider which channels are right for you.
… (emphasis in original)
Martin does a great job of surveying your current security options but doesn’t address the allocation of risk between leakers and news organizations that I covered in U.S. Leaking Law: You Go To Jail – I Win A Pulitzer and/or the option of leaking access rather than the risk of leaking data/documents, How-To: Leaking In Two Steps.
Here’s the comment I’m posting to his post and I will report back on his response, probably in a separate post:
Martin, great job on covering the security options for tips and their tradeoffs!
I do have a question though about the current model of leaking, which puts all of the risk on the leaker. A leaker undertakes the burden of liberating data and/or documents, takes the risk of copying/removing them and then the risk of getting them securely to a news organization.
All of which requires technical skills that aren’t common.
As an alternative, why shouldn’t leakers leak access to such networks/servers and enable news organizations, who have greater technical resources, to undertake the risks of retrieval of such documents?
I mentioned this to another news person and they quickly pointed out the dangers of the Computer Fraud and Abuse Act (CFAA) for a news organization, but the same holds true for the leaker, who very likely has fewer technical skills than any news organization.
Thinking that news organizations can decide to serve the interests of government (follow the CFAA) or they can decide to serve the public interest. In my view, those are not synonymous.
I am still refining ways that leakers could securely leak access, but at present, using standard subscription forms with access information instead of identifying properties offers both a trustworthy target (the news organization) and a multiplicity of places to leak, which prevents effective monitoring of them. I have written more than once about this topic, but two posts are of particular interest: U.S. Leaking Law: You Go To Jail – I Win A Pulitzer, and How-To: Leaking In Two Steps.
Before anyone protests the “ethics” of breaking laws such as the CFAA, recall governments broke faith with their citizens first. Laws like the CFAA are monuments to that breach of faith. Nothing more.