Can We Emulate DeadDrops in the Virtual World?

An example of a real-world dead drop: spies used the carcasses of animals to hide communications within.

This blog is intended for the Southampton Cybersecurity site, but at present I thought I’d put it on here, as there are some good Web Science questions involved. It also fits in with my research on crime social machines, as whistleblowing is one of the ways in which people and technology can come together to fight crime and deviance.

In a democratic regime, transparency allows people to see that they are being governed wisely and that governments are held to account for their actions. When individuals come across evidence of governments acting outside their authority, in non-transparent ways, then whistleblowing is one of the ways in which this knowledge can come to the attention of the populace, often disseminated via the media.

Dominic Hobson suggests that we “imagine a pie chart, where the whole pie represents accountability information, or information that is needed in order to hold a government to account. In a reasonably healthy and open country, this pie chart contains two slices – information gained through transparency and information gained through whistleblowing.” We can predict that if transparency information is low, the likelihood of whistleblowing will increase, and that the more open and accountable governments are (or appear to be) then the smaller the whistleblowing slice of the pie will be.

Can we create a digital platform for those who wish to whistleblow? Or does the online digital world lure us in with the promise of anonymity and then produce unintended consequences? Despite the untimely death of Aaron Swartz, a whistleblowing project, DeadDrop, that Aaron initiated with Wired reporter Kevin Poulsen, and that has been very thoroughly documented by James Dolan, is now completed. This online whistleblowing platform, also variously called SecureDrop, or StrongBox at its The New Yorker installation, is a “Python application that accepts messages and documents from the Web and encrypts them for secure storage. Each source…is assigned a unique codename that lets the source establish a relationship with the news organisation without having to reveal her real identity or resort to email.” The system is fascinating and complex, involving Tor, an anonymity-preserving network, seven flash drives, three computers with hard drives, and one without.

https://raw.github.com/deaddrop/DeadDropDocs/master/Design.jpg

As the DeadDrop audit suggests, although the open source software has been subject to rigorous review and testing, there are a number of potential issues, not least that the installation requires a certain degree of competence on the part of the journalists who are using it. According to the report, The New Yorker seem not even to check for submissions (probably partly because there is no notification system to indicate when something has arrived, and because the checking process is arduous). However, this blog focuses on the threat model and the notion of provenance, in two domains.

In the physical world, the dead drop is commonly used to clandestinely channel information by agents working in the field on behalf of governments. Keeping such channels secure means ensuring that visits to the drop are shielded from observation, and that those visits form part of a set of regular activities. If an agent suspects they are being followed, the drop used to channel meaningful information could be any one of a number of other drops, where less meaningful information is left, so that even if someone is exposed as an agent it is still not clear where they are actually depositing crucial information. Physical dead drops can in fact be used to flag surveillance, i.e. as counter-surveillance measures.

How do these points translate to the digital world? Has this very different threat model been intelligently transferred from the physical to the digital? Can we make the physical-to-digital transition from agents reporting in to their governments to whistleblowers reporting on their governments?

It is difficult to assess whether digital interception of communications is taking place without a great deal of expertise in scrutinising this question. Is this the expertise or “fieldcraft” that a whistleblower is likely to have? If a newspaper advertises the existence of a digital dead drop, then won’t that attract surveillance from governments suspicious of being reported on? They have nation-state capabilities; the putative whistleblower might have none, and be driven only by a strong conscience, or possibly a myriad of other fascinating and psychologically darker motivations (a whole research topic right here!).

So, advertising the existence of a dead drop undermines advice given to agents in the physical world. But perhaps because it’s digital it doesn’t matter that its existence is known – visits are still shielded. In this instance, shielding means that the identity of the source is not digitally “known” to the paper, thus ensuring that the paper cannot be legally forced to reveal its source because the source is anonymous to them. What does this anonymity actually mean?

On the technical/authentication side, it is suggested that contributed documents are swept to remove metadata; this then preserves the source’s anonymity. However, if this is done, how can a document be authenticated? It is an accepted part of establishing authenticity to follow a trail from a document back to its creator. This leads to the problem of trust. In Computer Science, some of this can be addressed by parcelling out the various tasks involved in establishing a “chain of truth”, so that one has to consider who knows what at any one point in the whistleblowing process, and ultimately, in non-Computer Science terms, what knowledge actually means in this case. Essentially, in real-world whistleblowing an “anonymous source” is not anonymous to the journalist involved. Here, it has correctly been recognised that anonymity is an inducement to whistleblowing, but machines are no substitute for a journalist’s knowledge of their source, their behaviour, their motivations and ultimately their credibility. This rapidly becomes a circular problem: the need for anonymity grows with the severity of the information to be disclosed, but that severity in turn means there is a greater need for authentication. Removing metadata from a document in order to shield an informant therefore negates the credibility, and ultimately the value, of the document, without a lot of further work.
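As an added illustration of the tension described above (this is not code from the DeadDrop project; PNG is chosen here only as a concrete document format with well-defined metadata chunks, and the author and software strings are constructed sample values), the following Python sweeps a small image of its textual metadata. The swept copy no longer names its author or scanning software, but its hash no longer matches the original either, so any fingerprint or signature that tied the file to its creator is lost along with the metadata.

```python
import hashlib
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types that carry authorship, tool or timestamp metadata, not pixels.
METADATA_CHUNKS = {b"tEXt", b"iTXt", b"zTXt", b"tIME", b"eXIf"}

def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_sample_png() -> bytes:
    """Constructed 1x1 greyscale PNG with identifying tEXt metadata (sample values)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 8-bit greyscale
    idat = zlib.compress(b"\x00\x80")  # filter byte + one grey pixel
    return (PNG_SIG
            + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"tEXt", b"Author\x00source@example.org")
            + png_chunk(b"tEXt", b"Software\x00ScanStation 3.1 (serial 0042)")
            + png_chunk(b"IDAT", idat)
            + png_chunk(b"IEND", b""))

def iter_chunks(png: bytes):
    """Walk the chunk list, verifying each CRC so a corrupt file is rejected."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos < len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, data
        pos += 12 + length

def metadata(png: bytes) -> dict:
    """Extract the tEXt key/value pairs a source may not realise are embedded."""
    out = {}
    for ctype, data in iter_chunks(png):
        if ctype == b"tEXt":
            key, value = data.split(b"\x00", 1)
            out[key.decode("latin-1")] = value.decode("latin-1")
    return out

def strip_metadata(png: bytes) -> bytes:
    """Drop metadata chunks; IHDR/IDAT/IEND are re-emitted byte-for-byte."""
    return PNG_SIG + b"".join(png_chunk(c, d) for c, d in iter_chunks(png)
                               if c not in METADATA_CHUNKS)

def fingerprint(png: bytes) -> str:
    """What a signature or hash-based provenance check would be computed over."""
    return hashlib.sha256(png).hexdigest()
```

Comparing `fingerprint` of the original and swept files shows why a provenance trail built on the original document cannot be followed once the sweep has been done.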

All this comes under the provenance banner; what then if we apply this thinking on a larger scale? When we follow the trail that led to the information being released in order to assess its authenticity, how about the authenticity or the source of the platform itself? Who ultimately owns it, or is accountable for its use? The original idea came from Swartz, working in conjunction with Poulsen, and The New Yorker was the first magazine to deploy this particular platform. If we follow the money, as any good journalist should, we must ask, who owns and is accountable for Wired and The New Yorker? In fact, this trail ends with the Newhouses, who own Advance Publications.

How much can we trust a whistleblowing technology that is owned by a global media empire controlled by one of America’s richest families? Where we are counting on the media to act as a means of ensuring that governments are accountable, how likely is it that this technology would not be subject, at some point, to scrutiny by the person who really is ultimately deploying it? One of the Newhouses’ employees is known to have worked for the STASI (the former Condé Nast CEO for Germany), and they were known to be closely linked to Roy Cohn, the infamous lawyer, linked himself to McCarthyism. If we consider the entire ecosystem that the threat model sits within again – how much would the Newhouses be motivated to protect this platform, if caught up in a Government-versus-the people firefight, other than to an extent that produces a good news story?

In summary, while the presence of platforms to aid whistleblowing is in principle a good idea that aids democracy, it seems unclear how their use is a) to be evaluated and b) transferred efficiently into the digital domain without further consideration of these problems. As the audit says, “we do not believe that DeadDrop is yet ready for deployment in an ecosystem with nation-state capable adversaries and non-expert users.”
