Whistleblower’s Arrest Shows Even “Secure” Platforms Are Vulnerable

The “secure” digital channel is a lucrative myth marketed by the tech industry.

The recent indictment of former intelligence analyst Daniel Hale offers a cautionary tale to future whistleblowers. In the process of leaking dozens of classified documents to the press, Hale followed the same canned advice that’s been repeated by Edward Snowden and countless other privacy advocates: it’s all about onion routing and strong encryption. For example, Hale used a bootable thumb drive loaded with the ostensibly secure Tails operating system. To communicate with reporters, he employed an encrypted messaging platform.

But his security measures were to no avail. Hale has been arrested and charged under the Espionage Act. He is the third such whistleblower, behind Terry Albury and Reality Winner, to have been snared by the authorities after leaking documents to The Intercept. These cases are a potent reminder that while reporters may be shielded by First Amendment protections, their sources are not.

Future whistleblowers should recognize that disclosing official secrets is a veritable minefield. Using an app which is branded as “secure” to communicate with high-profile reporters will make the corresponding network traffic stand out like a glow stick to security services. Hale, in particular, also made the flagrant mistake of printing out documents that were unrelated to his job function. There’s a whole market segment of insider threat tools that are specifically designed to detect this sort of activity.

Clandestine operations officers have had years of formal training. They pass through selection processes and gain experience stationed overseas in hostile environments. Put bluntly, they’re essentially skilled criminals who successfully break laws in other countries over sustained periods. That’s what clandestine ops are all about. It’s unclear if it’s realistic to expect someone to be able to duplicate the required level of operational expertise with a random collection of digital security platforms (e.g. Tails, Tor, PGP and Signal).

It’s almost as though Edward Snowden was an anomaly. A technical specialist who was in the right place at the right time. Working in an environment which lacked the appropriate security controls and doing so with fairly high-level authorization. Even then, six years later the results have been disappointing. After months of nonstop coverage, countless prime-time interviews and a couple of Hollywood feature films, the Edward Snowden affair has run its course. Policy makers passed empty legislation that former spies have openly mocked. Snowden, cloistered in Russia, has faded into the background.

Tech executives put on a heck of a show, deftly casting themselves as rebels against the big bad government. The Intercept, which maintained a complete copy of the Snowden documents, has officially shuttered its archives and is currently — I kid you not — promoting email servers in a box.

The Intercept’s peculiar foray into the domain of consumer network appliances is based on the premise that the vendor is unlikely to insert a clandestine back door, as doing so would be against the vendor’s financial interests. Yet, the record shows that an industry giant like RSA, which embodies corporate information security, secretly colluded with the National Security Agency (NSA) to backdoor its gear. In other words, it’s not against the vendor’s interests — so long as nobody finds out. Some security services don’t even care if people find out. Legal mandates to facilitate “technical capabilities” (read: back doors) have been formally instituted by governments in Russia, China and the United Kingdom.

In light of all this covert and overt subversion, asking if a product is secure is posing the wrong question. The appropriate question is this: Which faction of clandestine agencies have access?

This question has been studiously avoided. Early on, Silicon Valley grasped that the Snowden affair was a public relations matter: a narrative that they could hijack to sell new tech. Never mind that the stuff they’re selling tends to spy on us. It goes without saying that assurances will be offered: promises that the new and improved tech is more “secure,” and that they’ve turned over a new leaf. They’ve learned their lesson. They’re all about privacy now — just make sure to read the fine print.

Security services, in the meantime, are also swimming in data. The Office of the Director of National Intelligence has just published the intelligence community’s annual transparency report. In 2018, the NSA performed 164,770 queries of Americans’ phone records, which is more than a five-fold increase over the previous year. Likewise at the border in 2018, U.S. Customs and Border Protection conducted more than 33,000 warrantless device searches, nearly seven times the number from 2015.

Former insiders indicate that Snowden’s sacrifice represents little more than a speed bump to intelligence community efforts. Most signals intelligence collection occurs outside of U.S. borders, where it’s no holds barred.

We’re in an age where nations are spending big money to compromise each other’s networks. Every major power is an actor, and no one is immune. Even the heavyweights have had their dirty laundry aired. In the past couple of years, both the NSA and the CIA have suffered catastrophic breaches. High-value targets like Joaquín Guzmán, who try to take the tech-centric approach and build their own private digital networks, do nothing more than create a big juicy bullseye for security services. Once those networks are breached — and they will be — the secrets they guard tumble right out of the ether.

The lesson is simple: You can’t have your cake and eat it too. If you want to achieve higher levels of privacy in high-risk situations, you’ll need to sacrifice digital convenience. It’s a message that Silicon Valley finds repugnant because, above all, executives need to keep selling — selling apps, selling services, selling gadgets, selling bandwidth and selling your personal data. The money’s too good to stop. Trillions of dollars are up for grabs. The political influence that this revenue garners is substantial. Hence, don’t expect lawmakers, judges or the president to save you. The fines being threatened are essentially speeding tickets amounting to a small fraction of what they make.

So don’t listen to the marketing executives. They know what you want to hear, and it isn’t the truth. Security isn’t a commodity that can be bought. Security is a process, especially in high-risk scenarios. Avoiding detection takes discipline, consistency and training. Until whistleblowers stop relying on quick-fix gadgets and start relying on rigorous process, we will likely encounter more Daniel Hales in the future.