The recent indictment of former intelligence analyst Daniel Hale offers a cautionary tale to future whistleblowers. In the process of leaking dozens of classified documents to the press, Hale followed the same canned advice that’s been repeated by Edward Snowden and countless other privacy advocates: it’s all about onion routing and strong encryption. For example, Hale used a bootable thumb drive loaded with the ostensibly secure Tails operating system. To communicate with reporters, he employed an encrypted messaging platform.
But his security measures were to no avail. Hale has been arrested and charged under the Espionage Act. He is the third such whistleblower, behind Terry Albury and Reality Winner, to have been snared by the authorities after leaking documents to The Intercept. These cases are a potent reminder that while reporters may be shielded by First Amendment protections, their sources are not.
Future whistleblowers should recognize that disclosing official secrets is a veritable minefield. Using an app which is branded as “secure” to communicate with high-profile reporters will make the corresponding network traffic stand out like a glow stick to security services. Hale, in particular, also made the flagrant mistake of printing out documents that were unrelated to his job function. There’s a whole market segment of insider threat tools that are specifically designed to detect this sort of activity.
Clandestine operations officers have had years of formal training. They pass through selection processes and gain experience stationed overseas in hostile environments. Put bluntly, they’re essentially skilled criminals who successfully break laws in other countries over sustained periods. That’s what clandestine ops are all about. It’s unclear if it’s realistic to expect someone to be able to duplicate the required level of operational expertise with a random collection of digital security platforms (e.g. Tails, Tor, PGP and Signal).
It’s almost as though Edward Snowden was an anomaly. A technical specialist who was in the right place at the right time. Working in an environment which lacked the appropriate security controls and doing so with fairly high-level authorization. Even then, six years later the results have been disappointing. After months of nonstop coverage, countless prime-time interviews and a couple of Hollywood feature films, the Edward Snowden affair has run its course. Policy makers passed empty legislation that former spies have openly mocked. Snowden, cloistered in Russia, has faded into the background.
Tech executives put on a heck of a show, deftly casting themselves as rebels against the big bad government. The Intercept, which maintained a complete copy of the Snowden documents, has officially shuttered its archives and is currently — I kid you not — promoting email servers in a box.
The Intercept’s peculiar foray into the domain of consumer network appliances is based on the premise that the vendor is unlikely to insert a clandestine back door, as doing so would be against the vendor’s financial interests. Yet, the record shows that an industry giant like RSA, which embodies corporate information security, secretly colluded with the National Security Agency (NSA) to backdoor its gear. In other words, it’s not against the vendor’s interests — so long as nobody finds out. Some security services don’t even care if people find out. Legal mandates to facilitate “technical capabilities” (read: back doors) have been formally instituted by governments in Russia, China and the United Kingdom.
In light of all this covert and overt subversion, asking if a product is secure is posing the wrong question. The appropriate question is this: Which faction of clandestine agencies has access?
This question has been studiously avoided. Early on, Silicon Valley grasped that the Snowden affair was a public relations matter: a narrative that they could hijack to sell new tech. Never mind that the stuff they’re selling tends to spy on us. It goes without saying that assurances will be offered: promises that the new and improved tech is more “secure,” and that they’ve turned over a new leaf. They’ve learned their lesson. They’re all about privacy now — just make sure to read the fine print.
Security services, in the meantime, are also swimming in data. The Office of the Director of National Intelligence has just published the intelligence community’s annual transparency report. In 2018, the NSA performed 164,770 queries of Americans’ phone records, which is more than a five-fold increase over the previous year. Likewise at the border in 2018, U.S. Customs and Border Protection conducted more than 33,000 warrantless device searches, nearly seven times the number from 2015.
Former insiders indicate that Snowden’s sacrifice represents little more than a speed bump to intelligence community efforts. Most signals intelligence collection occurs outside of U.S. borders, where it’s no holds barred.
We’re in an age where nations are spending big money to compromise each other’s networks. Every major power is an actor, and no one is immune. Even the heavyweights have had their dirty laundry aired. In the past couple of years, both the NSA and the CIA have suffered catastrophic breaches. High-value targets like Joaquín Guzmán, who try to take the tech-centric approach and build their own private digital networks, do nothing more than create a big juicy bullseye for security services. Once those networks are breached — and they will be — the secrets they guard tumble right out of the ether.
The lesson is simple: You can’t have your cake and eat it too. If you want to achieve higher levels of privacy in high-risk situations, you’ll need to sacrifice digital convenience. It’s a message that Silicon Valley finds repugnant because, above all, executives need to keep selling — selling apps, selling services, selling gadgets, selling bandwidth and selling your personal data. The money’s too good to stop. Trillions of dollars are up for grabs. The political influence that this revenue garners is substantial. Hence, don’t expect lawmakers, judges or the president to save you. The fines being threatened are essentially speeding tickets amounting to a small fraction of what they make.
So don’t listen to the marketing executives. They know what you want to hear, and it isn’t the truth. Security isn’t a commodity that can be bought. Security is a process, especially in high-risk scenarios. Avoiding detection takes discipline, consistency and training. Until whistleblowers stop relying on quick-fix gadgets and start relying on rigorous process, we will likely encounter more Daniel Hales in the future.