Category Archives: SecureDrop

Planning For This Year’s World-Wide Hackathon on November 5th

Update October 28th: This year’s focus, as always, will be SecureDrop.

We were going to try to do a post quantum crypto track, in parallel, but it didn’t work out.

Here’s the rest of the original blog post:

Chelsea Manning has taken a special interest in participating in this year’s Aaron Swartz Day Hackathons.

As Chelsea explains herself in a blog post this morning:

It’s important to keep our encryption safe in the post-quantum world. Luckily, you don’t need to be a quantum math or quantum computer expert in order to be able to design stronger algorithms to protect our current encryption methods against quantum attacks. These algorithms are classical, and don’t require any kind of complex understanding of anything quantum. We can let the PhDs deal with that.

I am putting together a collection of materials on this topic, and I thought perhaps we could all explore this together during this year’s Aaron Swartz Day Hackathons.

Using SageMath, an open source Python-like mathematics software system, I am hoping to start things off with a generic construct that anyone can easily start working from.

I’ll be putting up pages soon for the different participating cities. Please write me at lisa(at)lisarein.com if you’re putting on a hackathon in your town, and I’ll make a page for it here that you can populate accordingly, as your event develops.

I’m lining up some incredible speakers for San Francisco, and I’ll make sure they get questions from all the hackathoners participating all over the world.

Chelsea is putting together some materials that I will be distributing to everyone a few months before the hackathon, to get us all ramped up. This isn’t like the year 2000 problem: there’s no ticking time bomb yet, as far as we know. (Although when advances are made, they will undoubtedly happen quickly :) To be clear: we’re approaching this problem way before it gets to that point.

That’s the whole point of starting this conversation now in our community, while it’s still a fun thing we have lots of time to prepare for, so it’s not only huge government institutions and multi-national corporations that have a handle on the implications of this technology.

Also, rest assured, there will be lots of other things to work on if post-quantum cryptography isn’t your bag. But I encourage you to please not write it off yet, as it’s a lot of fun to think about hypothetically, even if you are not a programmer. (Boy was I relieved to find that out when Chelsea started down this path :-)

Snowden Explains “Opsec” – Operational Security for Everybody

Micah Lee and Edward Snowden, in Moscow, Russia. Photo: Sue Gardner

A few weeks ago, Micah Lee, Technologist for The Intercept and Co-Founder and Board Member of the Freedom of the Press Foundation, went to Moscow to meet Edward Snowden (who is on the Freedom of the Press Foundation’s Board).

They had been in close contact online since January of 2013, albeit anonymously on Ed’s end for the first six months.

Snowden took the opportunity to explain some technical details about what he has come to refer to as “Opsec,” or “Operational Security,” a collection of a few simple best practices for security that folks can use to protect the privacy of their day to day communications.

Engaging in Opsec helps protect one’s privacy, not only against the threat of what is, to some, the merely abstract notion of “government surveillance,” but also against much scarier threats that are not so abstract: for instance, victims of abusive relationships, stalking victims, or children who are at risk of being monitored by pedophiles. There are many scary scenarios, all made possible by the current lack of basic encryption on most people’s emails and text messages. In these cases, being a victim of online surveillance often translates into physical harassment or abuse in the “real world.”

Using Opsec to “reclaim your privacy” may seem confusing at first, especially to those who have not realized that their privacy is already compromised daily. But as Micah explains, “This doesn’t need to be an extraordinary lifestyle change. It doesn’t have to be something that is disruptive. It should be invisible, it should be atmospheric, it should be something that happens painlessly, effortlessly.”

In the article, Snowden outlines some Opsec basics, including:

  • Using “Signal” (“Text Secure” on Android), by Open Whisper Systems, to encrypt your text messages and phone calls. It’s very easy to install and use, instantly, on your Android or iPhone device.
  • Encrypting your laptop hard drive, so if your computer is stolen, the thief won’t also have access to all of your private data. (Micah has already written a guide for this.)
  • Using a password manager (here’s Bruce Schneier’s favorite) that helps you generate unique passwords for all of your different services and stores them for you, so you don’t have to remember them.
  • Using two-factor authentication to provide an additional level of security on your accounts.
  • Using browser plugins like HTTPS Everywhere by the EFF, to try to enforce secure encrypted communications so your data is not being passed while “electronically naked,” in transit.
  • Using adblocking software, such as Privacy Badger, by the EFF.
  • Using Tor and Tor Browser to anonymize your browsing.

A few relevant quotes from the article:

On Tor:

Lee: What do you think about Tor? Do you think that everyone should be familiar with it, or do you think that it’s only a use-it-if-you-need-it thing?

Snowden: I think Tor is the most important privacy-enhancing technology project being used today. I use Tor personally all the time. We know it works from at least one anecdotal case that’s fairly familiar to most people at this point. That’s not to say that Tor is bulletproof. What Tor does is it provides a measure of security and allows you to disassociate your physical location…

But the basic idea, the concept of Tor that is so valuable, is that it’s run by volunteers. Anyone can create a new node on the network, whether it’s an entry node, a middle router, or an exit point, on the basis of their willingness to accept some risk. The voluntary nature of this network means that it is survivable, it’s resistant, it’s flexible.

Micah: [Tor Browser is a great way to selectively use Tor to look something up and not leave a trace that you did it. It can also help bypass censorship when you’re on a network where certain sites are blocked. If you want to get more involved, you can volunteer to run your own Tor node, as I do, and support the diversity of the Tor network.]…

On Whistleblowing:

Snowden: What we do need to protect are the facts of our activities, our beliefs, and our lives that could be used against us in manners that are contrary to our interests. So when we think about this for whistleblowers, for example, if you witnessed some kind of wrongdoing and you need to reveal this information, and you believe there are people that want to interfere with that, you need to think about how to compartmentalize that.

Tell no one who doesn’t need to know.

Micah: [Lindsay Mills, Snowden’s girlfriend of several years, didn’t know that he had been collecting documents to leak to journalists until she heard about it on the news, like everyone else.]

Snowden: When we talk about whistleblowers and what to do, you want to think about tools for protecting your identity, protecting the existence of the relationship from any type of conventional communication system. You want to use something like SecureDrop, over the Tor network, so there is no connection between the computer that you are using at the time — preferably with a non-persistent operating system like Tails, so you’ve left no forensic trace on the machine you’re using, which hopefully is a disposable machine that you can get rid of afterward, that can’t be found in a raid, that can’t be analyzed or anything like that — so that the only outcome of your operational activities are the stories reported by the journalists.

Micah: [SecureDrop is a whistleblower submission system. Here is a guide to using The Intercept’s SecureDrop server as safely as possible.]…

On Simple and Practical Threat Modeling:

Snowden: …You can drive yourself crazy thinking about bugs in the walls and cameras in the ceiling. Or you can think about what are the most realistic threats in your current situation? And on that basis take some activity to mitigate the most realistic threats.

In that case, for most people, that’s going to be very simple things. That’s going to be using a safe browser. That’s going to be disabling scripts and active content… And making sure that your regular day-to-day communications are being selectively shared through encrypted means…

On How Cell Phones Track Us By Default:

Micah: People use smartphones a lot. What do you think about using a smartphone for secure communications?

Snowden: Something that people forget about cellphones in general, of any type, is that you’re leaving a permanent record of all of your physical locations as you move around. … The problem with cellphones is they’re basically always talking about you, even when you’re not using them. That’s not to say that everyone should burn their cellphones … but you have to think about the context for your usage. Are you carrying a device that, by virtue of simply having it on your person, places you in a historic record in a place that you don’t want to be associated with, even if it’s something as simple as your place of worship?


The Securus Hack and SecureDrop Upload Explained: Interview with Alex Friedmann of Prison Legal News

The recent article by The Intercept, and Wired’s coverage of The Intercept’s announcement, told us that Securus, a prison phone company here in the U.S., had been hacked, and that the hacker then uploaded the data obtained to The Intercept via SecureDrop.

It really provided a perfect example of a whistleblower releasing information in order to help the common man. In this case, assisting inmates and their families by drawing attention to:

1) Their sensitive data not being stored properly.

2) Recordings of attorney-inmate “privileged” calls that should never have been recorded.

3) “Kickbacks” the government agencies awarding the phone contracts were getting that these families were funding with their overcharged calls.

This article gave me a real-world example for my movie, “From DeadDrop to SecureDrop,” which was pretty exciting, because I had originally given up hope of having a real-world example. There are many reasons why it often might not be in the whistleblower’s best interest to make any of the details surrounding any one particular leak public, mainly the fear of releasing information that could potentially identify the whistleblower, especially if they were an insider.

In this case though, although Securus is claiming that it was a leak from an insider, rather than a hack (see the bottom of The Intercept article), the folks at The Intercept make it pretty clear in their article that they believe it to be a hack, saying “an anonymous hacker who believes Securus is violating the constitutional rights of inmates” uploaded the data.

It appears that, of the 70 million records, at least 14,000 of these calls were made by detainees to their attorneys, and therefore should NOT have been recorded. However, although most legal experts agree that Securus has violated those inmates’ rights by recording those calls, it’s hard to prove, and to calculate damages, should an inmate choose to challenge it. The burden is on the inmate to prove that such improperly recorded calls were also accessed by a prosecutor and then resulted directly in some kind of damage to the inmate (for instance, a longer sentence).

But as The Intercept article explains, prosecutors are not always forthcoming about accessing such calls. For example, in a lawsuit brought by the Austin Lawyers Guild, “four named attorneys, and a prisoner advocacy group … alleges that”:

“…despite official assurances to the contrary, privileged communications between lawyers and clients housed in the county jails have been taped, stored, “procured,” and listened to by prosecutors. The plaintiffs say that while some prosecutors have disclosed copies of recordings to defense attorneys as part of the regular evidential discovery process, other prosecutors have not, choosing instead to use their knowledge of what is in individual recordings to their “tactical advantage” in the courtroom “without admitting they obtained or listened to the recordings.”

Over the last few weeks we’ve all learned how Securus, GTL, CenturyLink, Telmate, NCIC and other companies overcharge prison inmates for calling their families. But to learn, via a Prison Legal News article from 2011, referenced in The Intercept article, that the overcharging was specifically to pay “kickbacks” to the prison executives that awarded the contracts, and that this had already been written about extensively for many years, kinda blew my mind.

So what’s Securus’ side of the story? A Securus Press Release from October 2014 seems like it was published in order for Securus to make it clear to its government agency clients that it tried to keep the commission system alive. Although it’s hard to believe the release made it out of the company’s PR department, with statements like:

“We have been a vocal advocate of maintaining commissions and have spent approximately $5 million in legal fees and other costs on behalf of our facility customers over the last decade to maintain commissions, but the FCC maintains that it is not good public policy to have the poorest in society help to fund government operations, even though the programs funded are worthwhile.”

The press release also has Securus’ CEO giving an explanation regarding where the money from the overcharges is going:

“Part of the heritage of our business is that we calculate, bill, and collect commissions and pay those to jails, prisons, and local, county, and state governments,” said Richard A. (“Rick”) Smith, Chief Executive Officer of Securus Technologies, Inc. “Clearly these commission payments that have been used to fund critical inmate welfare programs and support facility operations and infrastructure have improved the lives of inmates, victims, witnesses and individuals working in the correctional environment, and helped to fund government operations. And it appears, sadly, that regime may come to an end in the not too distant future,” said Smith.

This quote suggests that money from the overcharges benefits the prisoners, in the long run. But this raised even more questions in my mind. Why are prisoners’ families paying for their own “facility operations and infrastructure” costs? As addressed in the interview with Alex Friedmann, it turns out that the budgets these overcharges go into have little or no government oversight, be they at the Local (Municipal), State, or Federal level.

I contacted Alex Friedmann, Managing Editor of Prison Legal News, to get some answers. Prison Legal News has reported on criminal justice-related issues since 1990 and is a project of the Human Rights Defense Center.

Lisa: Let’s talk about the SecureDrop upload that was announced on November 12th. What were your first impressions, when you read about the upload?

Alex: It wasn’t terribly surprising. Nor was it surprising that they were apparently recording attorney-inmate calls. There are already some lawsuits in Texas and other places over these issues. Although the volume of recorded calls was somewhat surprising.

Really, the most surprising thing was that somebody actually cared enough to release the records. That was rare, that someone decided this was an issue, and decided to do it, and did it.

Lisa: What do you feel is the takeaway on this?

Alex: The important thing about the SecureDrop dump was that it showed what data was being collected, and that it’s not being stored securely.

Storing such sensitive data insecurely is a privacy violation, much in the same way that Target was responsible when all the private data of its customers was released, due to not being properly protected. For this reason, it doesn’t matter whether the leak came from inside or outside; the sensitive data was not being properly protected. Securus claiming it was an insider, and not a hack, doesn’t explain away this issue; their data was still insecure.

Lisa: Let’s talk about the attorney-client privilege issue. It looks like at least 14,000 of the phone calls recorded “shouldn’t have been.” So, walk me through this. A call is “improperly recorded,” let’s say as a result of recording a call to a number on “the list” of attorney numbers (that should therefore not be recorded). Could you explain why you think that it would be hard for an inmate to show they were harmed by these calls being merely recorded?

Alex: Okay. So the onus is on the prisoner to prove that 1) the call was accessed by a prosecutor and 2) that the prosecutor acted on the information that was heard in those phone calls, and then used that information in some way harmful to the prisoner. To show damages, you’d have to show that the prosecutor listened to the call, and then took action based on that call, and that doing so resulted in a longer sentence, or something else adverse directly happening to the prisoner as a result.

Lisa: So, at that point, it would have interfered with the prisoner’s 6th Amendment “Right to Counsel?”

Alex: Yes. But they would have to show injury. Though there can be injury in the form of chilling their right of access to counsel, if they know that calls to their attorneys are being recorded.

Lisa: So, moving forward, post-upload. Now that the fact that these calls were being improperly recorded is known, there could be a chilling effect, but for calls that took place before the upload, the argument would be “how could their speech be chilled if they didn’t know they were being recorded?”

Alex: Correct. In effect, it’s like giving officials one free bite at the constitutional apple. They’re not supposed to record attorney-client phone calls, but if they do, it’s hard to hold them accountable.

Lisa: Let’s talk about the “kickbacks.” These “kickbacks” have been reported on for years, without anyone doing anything about them?

Alex: Well, yes. Because it may be that no laws are actually being violated, due to general lack of accountability of these programs. There tends to be a lot of “wiggle room” in prison and jail budgets and very little oversight. The practice of prison phone service providers giving kickbacks to corrections agencies – up to 94% of gross revenue in some cases – is perfectly legal. And that’s the problem, that it’s legal.

Lisa: Is this happening primarily at the local (Municipal), State, or Federal level?

Alex: When we talk about prison and jail phone “commissions,” in general, we are talking about a multi-level, local (municipal), state, federal commission kickback model that exists at all three levels.

Lisa: Why is it so hard to follow the money?

Alex: Oh you can follow the money, it’s just that there is little actual oversight of the budgets themselves, and few regulations defining allowable expenditures in most cases.

Lisa: So no one’s checking that it’s spent properly, and no one is defining what “properly” is?

Alex: Yes, due to the way the money is mixed up in the funds. It’s all mixed up and hard to track. Once it gets to something like a county’s general fund or a state’s general fund, it’s impossible to track completely. Once the money finds its way to the general budget of an agency, for instance the Sheriff’s office, they can often do whatever they want with it.

Lisa: Please explain how, once the money goes into something called the IWF (Inmate Welfare Fund), you can put in a “public records request,” and get a breakdown of what went in and out.

Alex: For a number of years we have submitted public records requests to corrections agencies nationwide, and obtained copies of prison phone contracts, rate data and commission data, which are posted on our data site, www.prisonphonejustice.org. In some cases we have also requested records related to how IWF funds are spent; for example, at one county jail we found that IWF funds were used to pay for prisoners’ meals, as well as a variety of other things, such as server upgrades, that either do not benefit prisoners or should be paid from the jail’s general fund, not the IWF.

Lisa: So, it’s the position of the Human Rights Defense Center that there should be no commissions, no matter what the money is used for?

Alex: Right. Let’s say that most of the money from the excessive phone charges does go back into prisoner programs. So what? The state is supposed to be paying for prisoner programs, not the families of prisoners. Hence, our stance is that there should be no commissions. It’s not a question of what they should be spent on.

Overcharging the families of prisoners in this way would be like charging taxes for schools only on households with children. These services should be funded by everyone, because they benefit everyone. Just like schools, roads, and other public services. Similarly, programs and services for prisoners need to be funded through the general tax base. Otherwise, it’s a tax solely on prisoners’ families, which is unfair.

Lisa: In the Intercept article, an example is given of a couple deciding between phone time and food. It struck me that no one should have to make those kinds of choices.

Alex: Right, prison phone rates shouldn’t be much higher than anyone else’s phone rates. And if it costs more to make such calls “secure,” that should hardly be an expense that the families are expected to cover, any more than prisoners’ families should have to pay for razor wire, security cameras or guards’ salaries at prisons and jails. Again, incarceration is a public service and those costs should be paid by all members of the public, not just prisoners’ families.

Take the county jail I mentioned, where one can actually access the actual expenditures for the IWF funds, which were used to pay for food and server upgrades, among other things. Why are prisoners’ families paying higher phone rates to cover such expenses?

Lisa: Arguably, how do “server upgrades” help the prisoners directly anyway?

Alex: They don’t, unless you really stretch the language for how IWF funds should be used. But even for expenditures that do directly benefit prisoners, so what? Why are the prisoners’ families paying for things that should be covered by the corrections agency? These are the most basic of necessities that should be paid for by the prison system itself, not by the families of those being incarcerated.

The simple fact remains that prisoners’ families are being exploited and have been for some time, and that the various agencies (Bureau of Prisons, state Departments of Corrections) allow it to happen. This amounts to an estimated $460 million in phone commission kickbacks each year, as it involves not just state or federal prisons, but also immigration facilities, county jails and other detention centers. Nor does this address the many other ways that prisoners and their families are price gouged.

Lisa: A report from the FCC explains (on page 12, paragraph 23) that, although these unfair price hikes only represent somewhere between 0.3% and 0.4% of the budgets the money collected from them goes into, “What appears to be of limited relative importance to the combined budgets of correctional facilities has potentially life-altering impacts on prisoners and their families.”

Alex: It depends on the agency and its budget, but in general, prison and jail phone commissions are just a drop in the government’s bucket of taxpayer funds. Yet prisoners’ families face real hardships when they have to pay inflated phone rates to stay in touch – money spent on calls could otherwise be spent on rent, food, healthcare needs, and so on. But what mother doesn’t want to speak with her incarcerated son? Or what wife wouldn’t take a call from her imprisoned husband? Keep in mind that prison and jail phone contracts are monopoly contracts; families have no choice and can’t choose a less expensive option for accepting phone calls from their incarcerated loved ones.

One of the main problems with all of these scenarios in which prisoners and their families are exploited is they have no voice in our legal or political systems. It’s easy for those in charge to take advantage of these families who have no one looking out for them or protecting their interests. Both prisoners and their family members are easy targets for greedy prison telecommunications companies and their government partners. There are currently around 2.2 million people locked up in prisons and jails in the United States, which means 2.2 million families are affected by these exploitive prison and jail phone rates.

The FCC has recently taken action on this issue, after more than a decade of efforts by advocacy organizations, including Prison Legal News/Human Rights Defense Center, but more needs to be done. The two largest ICS providers, GTL and Securus, are owned by private equity firms, and as such are only interested in financial returns, not fair and equitable phone rates for families.

Lisa: Would you say this whole scenario of having private companies, whose bottom line is profit, rather than servicing the needs of their customers, is just another example of why privatizing the prison industry is a bad idea – especially with little or no government oversight, which seems to always be the case?

Alex: Removing for-profit incentives from our criminal justice system would certainly help shift the focus away from providing various correctional services – including operating prisons and jails – for the purpose of making money. We tend to monetize almost everything in the United States, but I submit our criminal justice shouldn’t be included. That being said, our public corrections agencies aren’t that great either; the entire system is in need of reform, from the top down.

Lisa: But you think prison and jail phone rates will be going down, for sure, next year?

Alex: The FCC order has already been issued. Once it’s published in the Federal Register, it will go into effect after 90 days. So that’s a done deal, though ICS providers will likely challenge it in court. Thus, there is no guarantee the rates will go down on a date certain, but eventually they will go down.

Lisa: So the big question is: “What can prisoners and their families do to protect their privacy, now that they know calls are being recorded, and perhaps stored for months or years into the future? And insecurely?”

Alex: They, through their elected lawmakers, need to demand accountability from the prison and jail officials who enter into contracts for phone services, to ensure their privacy interests are respected to the same extent as all other citizens.

There isn’t much families can do right now to make things better, particularly with respect to privacy. There is a combined class-action suit pending against GTL, but it doesn’t focus on privacy issues. They could complain to their state Public Utility Commission (or similar agency that regulates in-state phone services). In many states, the telecom industry has been deregulated, however. But really, how does anyone protect their privacy given that our own government spies on its citizens through the NSA?

References:

1. Not So Securus – Massive Hack of 70 Million Prisoner Phone Calls Indicates Violations of Attorney-Client Privilege. November 11, 2015. By Jordan Smith and Micah Lee for The Intercept. https://theintercept.com/2015/11/11/securus-hack-prison-phone-company-exposes-thousands-of-calls-lawyers-and-clients

2. SecureDrop Leak Tool Produces a Massive Trove of Prison Docs. November 11, 2015. By Andy Greenberg for Wired. http://www.wired.com/2015/11/securedrop-leak-tool-produces-a-massive-trove-of-prison-docs/

3. Nationwide PLN Survey Examines Prison Phone Contracts, Kickbacks. April 15, 2011. By John Dannenberg for Prison Legal News. https://www.prisonlegalnews.org/news/2011/apr/15/nationwide-pln-survey-examines-prison-phone-contracts-kickbacks/

4. Prison Legal News, Complete Issue, December 2013. https://www.prisonlegalnews.org/media/issues/12pln13.pdf

5. Securus Press Release, October 2014. http://www.prnewswire.com/news-releases/securus-provides-over-13-billion-in-prison-jail-and-government-funding-over-the-last-10-years-281105252.html

6. Securus Press Release, March 2015. http://www.prnewswire.com/news-releases/securus-provides-over-13-billion-in-prison-jail-and-government-funding-over-the-last-10-years-300043861.html

7. GTL on reducing rates (from October 2015). http://www.gtl.net/global-tel-link-gtl-grave-concern-with-proposed-fcc-decision-on-inmate-calling-services/

8. Jail’s Inmate Welfare Fund Gets Rich. http://www.independent.com/news/2014/sep/29/jails-inmate-welfare-fund-gets-rich/

9. FCC Caps the Cost of Prison Phone Calls. October 23, 2015. From HRDC executive director Paul Wright. https://www.prisonlegalnews.org/news/2015/oct/23/hrdc-executive-director-paul-wright-october-23-2015-fcc-caps-cost-prison-phone-calls/

10. FCC Second Further Notice of Proposed Rulemaking. October 22, 2014. https://apps.fcc.gov/edocs_public/attachmatch/FCC-14-158A1.pdf

11. Authorities Listen in on Attorney-Client Calls at Jails in FL, CA and TX. August 15, 2008. By David Reutter for Prison Legal News. https://www.prisonlegalnews.org/news/2008/aug/15/authorities-listen-in-on-attorney-client-calls-at-jails-in-fl-ca-and-tx/

12. Suit Filed Over Minnesota Jail’s Secret Recording of Privileged Phone Calls. April 15, 2009. By Matthew Clarke for Prison Legal News. https://www.prisonlegalnews.org/news/2009/apr/15/suit-filed-over-minnesota-jails-secret-8232recording-of-privileged-phone-calls/

13. Recording of Nashville, Tennessee Jail Prisoners’ Attorney Calls Criticized. December 15, 2011. Published in Prison Legal News. https://www.prisonlegalnews.org/news/2011/dec/15/recording-of-nashville-tennessee-jail-prisoners-attorney-calls-criticized/


Micah Lee at Aaron Swartz Day 2015

Download mp4 | Hi-res files of entire event (CC0)

Note: I’m including a full transcription at the bottom of this post, for safekeeping. Thanks to OpenTranscripts.org for their transcriptions of these talks.

Micah Lee gave a charming first-person account of how Ed Snowden first contacted him anonymously, looking for Laura Poitras’ PGP key, and then asked him to please help Glenn Greenwald get set up on PGP.

Next, he explains how SecureDrop enables sources to connect with journalists without having to learn PGP, and how Aaron’s core design is still in use today.

Micah has also written about this entertaining story in much more splendid detail at The Intercept.

Quotes from Micah’s Talk:

“…two years before Edward Snowden decided to start becoming a whistleblower, Aaron had already done a lot of development work on DeadDrop and was well on his way to making it so that rather than having someone like Ed have to try and send a bunch of plaintext emails to journalists he wants to talk to to convince them to learn how to use PGP and stuff, he made it so that whistleblowers could talk to journalists in less than six months. I think that was pretty amazing…

The one thing is that SecureDrop has come a very long way and it’s really easy to use for sources now. So now if you’re a whistleblower and you want to leak documents, it’s really easy. All you need to do is go and download Tor Browser, go to a web site, click “I’m a new source,” and upload a document. Then you’re done…

…he (Aaron) made it so that whistleblowers could talk to journalists in less than six months. I think that was pretty amazing. And like what Garrett was saying earlier, the core design of DeadDrop is still exactly the same in SecureDrop, and that’s pretty amazing I think that he had such good foresight to figure out what all these technical problems were and try and solve them.” – Micah Lee, Co-Founder, Freedom of the Press Foundation, Technologist at The Intercept.


*** Complete Transcript Below ***

Hello. I don’t have a whole lot to say.

When I was thinking about what I would talk about last night, I was reading more about Aaron. Unfortunately, I never got to meet him before he died, but I realized that he passed away on January 11, 2013, and that was actually the same day that I first heard from Edward Snowden.

At the time I didn’t know that it was Edward Snowden. He was anonymous. He sent me an email and it was encrypted. And he was trying to get Laura Poitras’ PGP key and he was saying that—you know, he couldn’t tell me what it was for but I should help Glenn Greenwald learn how to use PGP and it was important.

So I helped out as I could, and it took several months. I kept talking to Glenn and Glenn was into it, but he was also really impatient with learning anything new on the computer and he didn’t really know why it was so important. I didn’t really know why it was so important. There were a couple of false attempts at teaching Glenn PGP, and finally I had a Skype call with him where I helped him set up Pidgin and off-the-record encryption. That was like, five and a half, six months later after I first got that encrypted anonymous email from Snowden. And that was the first time that Snowden was able to have a secure conversation with Glenn Greenwald.

And I was thinking about it. Aaron had already kind of done a lot of work to solve this problem. The year, two years before Edward Snowden decided to start becoming a whistleblower, Aaron had already done a lot of development work on DeadDrop and was well on his way to making it so that rather than having someone like Ed have to try and send a bunch of plaintext emails to journalists he wants to talk to to convince them to learn how to use PGP and stuff, he made it so that whistleblowers could talk to journalists in less than six months. I think that was pretty amazing. And like what Garrett was saying earlier, the core design of DeadDrop is still exactly the same in SecureDrop, and that’s pretty amazing I think that he had such good foresight to figure out what all these technical problems were and try and solve them.

I guess the one thing is that SecureDrop has come a very long way and it’s really easy to use for sources now. So now if you’re a whistleblower and you want to leak documents, it’s really easy. All you need to do is go and download Tor Browser, go to a web site, click “I’m a new source,” and upload a document. Then you’re done, and you don’t have to go through all of this having to be a technical expert and having to train the journalists and all this stuff. But the hard part is that it’s still not nearly as easy for journalists to use. So, in fact, Glenn Greenwald doesn’t use SecureDrop himself. Instead, other people who have more time and patience with technical stuff use it and talk to him about it if there’s stuff for him.

So there’s still a lot more work to be done in this area, and I just really wish that Aaron were still around to help with this, because I think that he would contribute greatly on his project.

And that’s all that I have to say.

Wired: SecureDrop Leak Tool Produces a Massive Trove of Prison Docs

SecureDrop Leak Tool Produces a Massive Trove of Prison Docs

by Andy Greenberg for Wired, November 11, 2015

This is really exciting, and what great timing!

The whole purpose of last weekend’s event was to get the word out about SecureDrop‘s usefulness to the common man, and yet I couldn’t point directly to an example of it in action.

Then, lo and behold, when I woke up yesterday afternoon (heh, been a long week), I could not believe my eyes! A real-world, shining example of SecureDrop in action. A hacker obtained over 70 million phone records that exposed some first-class corruption: exploiting those who are already underprivileged and underserved in the community. In this case, prisoners and their families, who often barely have enough money for the essentials.

I’ll shortly be posting a summary of The Intercept article that fully explains what the hack, and the subsequent anonymous upload, exposed. It’s a little complicated, and therefore took me a minute to be able to summarize it – but it will be up soon… :-)

From the article:

“It’s been more than two years since the debut of SecureDrop, a piece of software designed to help whistleblowers easily and anonymously leak secrets to media outlets over the Tor anonymity network. Now, that system is finally bearing fruit, in the form of a massive dump of files from one of the country’s largest prison phone companies…”

“Just as significant as those revelations, perhaps, is how the Intercept obtained the documents that enabled them: The news site has confirmed that it first made contact with the anonymous source who provided the Securus files through the Intercept’s SecureDrop platform, starting with an initial sample of the Securus database uploaded around the beginning of 2015.

That Tor-enabled leak marks a landmark for a still-evolving form of journalism that takes a page out of the playbook invented by WikiLeaks: Like Julian Assange’s secret-spilling organization, SecureDrop allows anyone to run a cryptographically anonymous submission system for leaks and tips. Because that upload site runs as a Tor “hidden service,” anyone who visits has to run Tor too, making it very difficult for anyone to trace his or her location or identity—even the news outlet on the receiving end.

The Intercept’s lead security technologist—and a co-author of the Securus story—Micah Lee says SecureDrop’s benefit isn’t just anonymity, it’s ease of use. Instead of carefully using Tor to create an anonymous email address and figuring out how to encrypt email so that service can’t read their leaked secrets, sources can upload their leak or message using SecureDrop in seconds.

Lee says that this is far from the first time the Intercept has received useful leaks through the SecureDrop system. But the Securus revelations represent the first story of national significance where a news outlet has publicly revealed that the story’s source used SecureDrop anonymous submissions.

“We use SecureDrop on a regular basis, but this story is a little exceptional because we decided it was safe for us to mention that it came from SecureDrop,” Lee says. “This is exactly why we decided to run SecureDrop: to get juicy stories like this and do it in a way where we protect our sources.”

EFF: Aaron Swartz Hackathon This Weekend Is Your Chance To Hack for a Better World

Aaron Swartz Hackathon This Weekend Is Your Chance To Hack for a Better World

From the post:

This weekend marks the third annual Aaron Swartz Day hackathon, and a chance for you to meet up with other people working to use technology to make the world a better place. Once again, cities around the world will host two days of meetups.

The Internet Archive in San Francisco is the main event hub, with film screenings, talks from developers working on projects started or inspired by Aaron, a mini-conference of privacy-enhancing technologies, and a two-day hackathon.

The hackathon will focus on SecureDrop, an anonymous whistleblower document submission system originally developed by Aaron, and now maintained by the Freedom of the Press Foundation. SecureDrop has grown significantly in the years since Aaron began the project—it is now installed in newsrooms around the world—and it benefits from a robust community of developers and supporters who help build and document the project. Lead developer Garrett Robinson will lead the hackathon and explain where people with different skillsets can pitch in.

SecureDrop will not be the only thing to work on. The founder of the OpenArchive project will also be there to lead prospective hackers on developing that app. Developers from our own Privacy Badger browser tool will be there hacking, and EFF staff technologist Cooper Quintin will present during the privacy mini-conference.

Also at the privacy mini-conference on Saturday: presentations on Keybase; former EFF staffer Micah Lee, now with The Intercept, presenting on encryption for journalists; and Brad Warren on exciting developments with the Let’s Encrypt certificate authority.

Starting at 6pm after the first day of hacking, the Internet Archive will host a reception where people can meet. At 7:30, there will be a rare opportunity to see excerpts of the upcoming “From DeadDrop to SecureDrop,” a documentary about that software and Aaron’s role in developing it.

Finally, on Saturday night from 8 to 10pm an impressive line-up of speakers, including EFF Executive Director Cindy Cohn and co-founder John Perry Barlow, will present on their work and Aaron’s legacy. Tickets for the evening event—including the reception, screening, and talks—are available on a sliding scale.

The hackathon and mini-conference continue on Sunday, with more talks from Library Freedom Project’s Alison Macrina and Restore The 4th’s Zaki Manian.

For friends of EFF, and people who want to advance the causes Aaron dedicated his life to, this weekend’s event is a can’t-miss. If you can make it, please RSVP so the organizers can plan accordingly. We hope to see you there.

Freedom of the Press Foundation: Come Hack on SecureDrop at the Third Annual Aaron Swartz Day

Come hack on SecureDrop and Celebrate the Third annual Aaron Swartz Day

From the blog post:

Next week on Saturday November 7th is the third annual Aaron Swartz Day, which celebrates the life of Aaron and the many wonderful Internet projects he created or worked on during his brief but brilliant life.

One of Aaron’s last projects was SecureDrop, the open-source whistleblower submission system, which Freedom of the Press Foundation adopted after his untimely passing in 2013. Every year on Aaron Swartz Day, we help host a weekend-long hackathon in Aaron’s honor.

This year, the hackathon will be held at the Internet Archive in San Francisco (there are also other cities holding similar events). We will be at the Internet Archive on Saturday and Sunday to help guide and hack alongside any volunteer developers who want to learn about SecureDrop and work on the many open issues.

If you’re interested, you can read through our developer guide and the new-and-improved SecureDrop documentation. On our GitHub page, there is a list of open issues, and by November 7th, many will be tagged specifically for developers to work on at the hackathon.

Please RSVP for the hackathon here if you’d like to attend.

Also make sure to stick around the Internet Archive Saturday night for the Aaron Swartz Day celebration. There will be many great speakers at the event, including SecureDrop’s lead developer Garrett Robinson to talk about the latest on the project, as well as two of our board members and co-founders, Micah Lee and J.P. Barlow.

Many thanks to Lisa Rein, who tirelessly organizes Aaron Swartz Day every year and always makes it a celebration to remember.


Come to this year’s Aaron Swartz Day and International Hackathon

INVITATION

This year we are celebrating whistleblowers and hackers that work hard to make the world a better place, and, specifically, SecureDrop, the anonymous whistleblower submission system now maintained by the Freedom of the Press Foundation (originally prototyped by Aaron and Kevin Poulsen).

There’s also an “Encryption Training for Beginners” day going on in San Francisco, upstairs all day, at the SF Hackathon. (See below for more details.)

Now, thanks to SecureDrop, whistleblowers can connect directly, safely and anonymously to news organizations, such as the Washington Post, Guardian, The Intercept, the New York, Gawker, and other news outlets.

Evening speakers include: Garrett Robinson (Lead Developer, SecureDrop), Alison Macrina (Library Freedom Project), Brewster Kahle (Digital Librarian, Internet Archive), Cindy Cohn (Executive Director, Electronic Frontier Foundation), Micah Lee (Co-founder, Board Member, and Technologist at “The Intercept”), Jacob Appelbaum (Wikileaks volunteer, Security Expert/Citizen Four, Tor Project), John Perry Barlow (EFF and Freedom of the Press Foundation co-founder), and Special Guests. See more details in the INVITATION.

In San Francisco, at the hackathon, there will be a mini-conference for beginners to receive training on encryption and privacy-enabling software.

In the morning, the Keybase folks will be giving tutorials on encryption basics and tools that you can use to protect your privacy.

In the afternoon, Micah Lee, Technologist for The Intercept and The Freedom of the Press Foundation, will be giving his “Encryption for Journalists” tutorials. Then Micah will give tutorials on OnionShare (a P2P-based anonymous whistleblowing submission platform) and SecureDrop.

Details on mini-conference/hackathon

Congrats to Citizen Four’s Oscar Win! Ed Snowden’s Statement via the ACLU

Congratulations to Laura Poitras and her team for winning an Oscar for Best Documentary! Her film is truly unprecedented.

Laura lists SecureDrop (the whistleblower submission platform originally developed by Aaron Swartz and Kevin Poulsen) in the credits of tools she used during the making of Citizen Four.


Ed Snowden is legally represented by the ACLU. (See his statement on the film winning here, and also reprinted below.) He is on the Board of Directors of the Freedom of the Press Foundation, the organization that picked up SecureDrop’s development, at Kevin Poulsen’s request, after Aaron’s death.

Garrett Robinson, Lead Developer of SecureDrop, presented at last year’s Aaron Swartz Day (video). Here’s a relevant interview with Garrett Robinson from last year about why SecureDrop is so important for a functioning democracy.

The purpose of SecureDrop is to provide a secure, anonymous platform where citizens can upload information to a news organization, but without having to potentially put their whole life at risk in the process. There are now 15 SecureDrop implementations all over the world!

Here’s the ACLU press release:

Edward Snowden Congratulates Laura Poitras for Winning Best Documentary Oscar for Citizenfour

The following is a statement from Edward Snowden provided to the American Civil Liberties Union, which represents him:

“When Laura Poitras asked me if she could film our encounters, I was extremely reluctant. I’m grateful that I allowed her to persuade me. The result is a brave and brilliant film that deserves the honor and recognition it has received. My hope is that this award will encourage more people to see the film and be inspired by its message that ordinary citizens, working together, can change the world.”

Anthony D. Romero, executive director of the ACLU, had this reaction:

“Laura’s remarkable film has helped fuel a global debate on the dangers of mass surveillance and excessive government secrecy. The ACLU could not be more delighted that she has been recognized with an Academy Award.”

The ACLU’s petition asking President Obama to grant clemency to Snowden is at:
https://www.aclu.org/secure/grant_snowden_immunity

Information on government spying is at:
https://www.aclu.org/nsa-surveillance

Help Protect The Next Aaron Swartz (ACLU Petition)


Video From Aaron Swartz Day at the Internet Archive

Video of Speakers:

Lisa Rein (Coordinator, Aaron Swartz Day)
April Glaser (EFF, Freedom to Innovate Summit)
Yan Zhu (Yahoo, SF Hackathon Organizer)
Brewster Kahle (Digital Librarian, Internet Archive)
Cindy Cohn (EFF Legal Director – CFAA Reform)
Kevin Poulsen (Journalist – FOIA case that MIT intervened in)
Garrett Robinson (SecureDrop)
Daniel Purcell (Keker & Van Nest, one of Aaron’s lawyers)

Q and A after the movie: with Brian Knappenberger, Director, “The Internet’s Own Boy,” Trevor Timm (executive director and co-founder, Freedom of the Press Foundation), John Perry Barlow (co-founder, EFF, Freedom of the Press Foundation), and Lisa Rein (Coordinator, Aaron Swartz Day).