Category Archives: SecureDrop

Time for this year’s Aaron Swartz Day and International Hackathon


The Internet Archive is hosting the Fifth Annual Aaron Swartz Day International Hackathon and Evening Event:

Location: Internet Archive, 300 Funston Ave, San Francisco, CA 94118

November 4, 2017, from 6:00-7:00 (Reception)               7:30pm – 9:30 pm (Speakers)

The purpose of the evening event, as always, is to inspire direct action toward improving the world. Everyone has been asked to speak about whatever they feel is most important.

The event will take place following this year’s San Francisco Aaron Swartz International Hackathon, which is going on Saturday, November 4, from 10-6 and Sunday, November 5, from 11am-6pm at the Internet Archive.

Hackathon Reception: 6:00pm-7:00pm(A paid ticket for the evening event also gets you in to the Hackathon Reception.) 

Come talk to the speakers and the rest of the Aaron Swartz Day community, and join us in celebrating many incredible things that we’ve accomplished by this year! (Although there is still much work to be done.)

We will toast to the launch of the Pursuance Project (an open source, end-to-end encrypted Project Management suite, envisioned by Barrett Brown and brought to life by Steve Phillips).

Migrate your way upstairs: 7:00-7:30pm – The speakers are starting early, at 7:30pm this year – and we are also providing a stretch break at 8:15pm – and for those to come in that might have arrived late.

Speakers upstairs begin at 7:30 pm.

Speakers in reverse order:                

Chelsea Manning (Network Security Expert, Former Intelligence Analyst)

Lisa Rein (Chelsea Manning’s Archivist, Co-founder Creative Commons, Co-founder Aaron Swartz Day)

Daniel Rigmaiden (Transparency Advocate)

Barrett Brown (Journalist, Activist, Founder of the Pursuance Project) (via SKYPE)

Jason Leopold (Senior Investigative Reporter, Buzzfeed News)

Jennifer Helsby (Lead Developer, SecureDrop, Freedom of the Press Foundation)

Cindy Cohn (Executive Director, Electronic Frontier Foundation)

Gabriella Coleman (Hacker Anthropologist, Author, Researcher, Educator)

Caroline Sinders (Designer/Researcher, Wikimedia Foundation, Creative Dissent Fellow, YBCA)

Brewster Kahle (Co-founder and Digital Librarian, Internet Archive, Co-founder Aaron Swartz Day)

Steve Phillips (Project Manager, Pursuance)

Mek Karpeles (Citizen of the World, Internet Archive)

Brenton Cheng (Senior Engineer, Open Library, Internet Archive)


About the Speakers (speaker bios are at the bottom of this invite):

Chelsea Manning – Network Security Expert, Transparency Advocate

Chelsea E. Manning is a network security expert, whistleblower, and former U.S. Army intelligence analyst. While serving 7 years of an unprecedented 35 year sentence for a high-profile leak of government documents, she became a prominent and vocal advocate for government transparency and transgender rights, both on Twitter and through her op-ed columns for The Guardian and The New York Times. She currently lives in the Washington, D.C. area, where she writes about technology, artificial intelligence, and human rights.

Lisa Rein – Chelsea Manning’s Archivist, Co-founder, Aaron Swartz  Day & Creative Commons

Lisa Rein is Chelsea Manning’s archivist, and ran her @xychelsea Twitter account from December 2015 – May 2017. She is a co-founder of Creative Commons, where she worked with Aaron Swartz on its technical specification, when he was only 15. She is a writer, musician and technology consultant, and lectures for San Francisco State University’s BECA department. Lisa is the Digital Librarian for the Dr. Timothy Leary Futique Trust.

Daniel Rigmaiden – Transparency Advocate

Daniel Rigmaiden became a government transparency advocate after U.S. law enforcement used a secret cell phone surveillance device to locate him inside his home. The device, often called a “Stingray,” simulates a cell tower and tricks cell phones into connecting to a law enforcement controlled cellular network used to identify, locate, and sometimes collect the communications content of cell phone users. Before Rigmaiden brought Stingrays into the public spotlight in 2011, law enforcement concealed use of the device from judges, defense attorneys and defendants, and would typically not obtain a proper warrant before deploying the device.

Barrett Brown – Journalist, Activist, and Founder of the Pursuance Project

Barrett Brown is a writer and anarchist activist. His work has appeared in Vanity Fair, the Guardian, The Intercept, Huffington Post, New York Press, Skeptic, The Daily Beast, al-Jazeera, and dozens of other outlets. In 2009 he founded Project PM, a distributed think-tank, which was later re-purposed to oversee a crowd-sourced investigation into the private espionage industry and the intelligence community at large via e-mails stolen from federal contractors and other sources. In 2011 and 2012 he worked with Anonymous on campaigns involving the Tunisian revolution, government misconduct, and other issues. In mid-2012 he was arrested and later sentenced to four years in federal prison on charges stemming from his investigations and work with Anonymous. While imprisoned, he won the National Magazine Award for his column, The Barrett Brown Review of Arts and Letters and Prison. Upon his release, in late 2016, he began work on the Pursuance System, a platform for mass civic engagement and coordinated opposition. His third book, a memoir/manifesto, will be released in 2018 by Farrar, Strauss, and Giroux.

Jason Leopold, Senior Investigative Reporter, Buzzfeed News

Jason Leopold is an Emmy-nominated investigative reporter on the BuzzFeed News Investigative Team. Leopold’s reporting and aggressive use of the Freedom of Information Act has been profiled by dozens of media outlets, including a 2015 front-page story in The New York Times. Politico referred to Leopold in 2015 as “perhaps the most prolific Freedom of Information requester.” That year, Leopold, dubbed a ‘FOIA terrorist’ by the US government testified before Congress about FOIA (PDF) (Video). In 2016, Leopold was awarded the FOI award from Investigative Reporters & Editors and was inducted into the National Freedom of Information Hall of Fame by the Newseum Institute and the First Amendment Center.

Jennifer Helsby, Lead Developer, SecureDrop (Freedom of the Press Foundation)

Jennifer is Lead Developer of SecureDrop. Prior to joining FPF, she was a postdoctoral researcher at the Center for Data Science and Public Policy at the University of Chicago, where she worked on applying machine learning methods to problems in public policy. Jennifer is also the CTO and co-founder of Lucy Parsons Labs, a non-profit that focuses on police accountability and surveillance oversight. In a former life, she studied the large scale structure of the universe, and received her Ph.D. in astrophysics from the University of Chicago in 2015.

Cindy Cohn – Executive Director, Electronic Frontier Foundation (EFF)

Cindy Cohn is the Executive Director of the Electronic Frontier Foundation. From 2000-2015 she served as EFF’s Legal Director as well as its General Counsel.The National Law Journal named Ms. Cohn one of 100 most influential lawyers in America in 2013, noting: “[I]f Big Brother is watching, he better look out for Cindy Cohn.”

Gabriella Coleman – Hacker Anthropologist, Author, Researcher, Educator

Gabriella (Biella) Coleman holds the Wolfe Chair in Scientific and Technological Literacy at McGill University. Trained as an anthropologist, her scholarship explores the politics and cultures of hacking, with a focus on the sociopolitical implications of the free software movement and the digital protest ensemble Anonymous. She has authored two books, Coding Freedom: The Ethics and Aesthetics of Hacking (Princeton University Press, 2012) and Hacker, Hoaxer, Whistleblower, Spy: The Many Faces of Anonymous (Verso, 2014).

Caroline Sinders – Researcher/Designer, Wikimedia Foundation

Caroline Sinders is a machine learning designer/user researcher, artist. For the past few years, she has been focusing on the intersections of natural language processing, artificial intelligence, abuse, online harassment and politics in digital, conversational spaces. Caroline is a designer and researcher at the Wikimedia Foundation, and a Creative Dissent fellow with YBCA. She holds a masters from New York University’s Interactive Telecommunications Program from New York University.

Brewster Kahle, Founder & Digital Librarian, Internet Archive

Brewster Kahle has spent his career intent on a singular focus: providing Universal Access to All Knowledge. He is the founder and Digital Librarian of the Internet Archive, which now preserves 20 petabytes of data – the books, Web pages, music, television, and software of our cultural heritage, working with more than 400 library and university partners to create a digital library, accessible to all.

Steve Phillips, Project Manager, Pursuance Project

Steve Phillips is a programmer, philosopher, and cypherpunk, and is currently the Project Manager of Barrett Brown’s Pursuance Project. In 2010, after double-majoring in mathematics and philosophy at UC Santa Barbara, Steve co-founded Santa Barbara Hackerspace. In 2012, in response to his concerns over rumored mass surveillance, he created his first secure application, Cloakcast. And in 2015, he spoke at the DEF CON hacker conference, where he presented CrypTag. Steve has written over 1,000,000 words of philosophy culminating in a new philosophical methodology, Executable Philosophy.

Mek Karpeles, Citizen of the World, Internet Archive

Mek is a citizen of the world at the Internet Archive. His life mission is to organize a living map of the world’s knowledge. With it, he aspires to empower every person to overcome oppression, find and create opportunity, and reach their fullest potential to do good. Mek’s favorite media includes non-fiction books and academic journals — tools to educate the future — which he proudly helps make available through his work on Open Library.

Brenton Cheng, Senior Engineer, Open Library, Internet Archive

Brenton Cheng is a technology-wielding explorer, inventor, and systems thinker. He spearheads the technical and product development of Open Library and the user-facing website. He is also an adjunct professor in the Performing Arts & Social Justice department at University of San Francisco.


For more information, contact:

Lisa Rein, Co-founder, Aaron Swartz Day


The First Amendment Protects Journalists From Revealing Sources, Period

A concerning development occurred during the congressional hearings today on Russian Interference in the Election (link goes straight to testimony): Trey Goudy (a member of the House Permanent Select Committee on Intelligence) implied that the FBI had somehow dropped the ball by not going after New York Times and Washington Post journalists for protecting their sources when publishing classified information in the public interest.

It was quite odd watching a room ponder the prospect of charging the press with criminal activity for what is considered standard journalistic First Amendment protected practice (of publishing classified information) as if it were some kind of allowable solution to what’s been going on with the current round of White House leaks.

This issue has already been decided on quite clearly by the Supreme Court in the Pentagon Papers case, United States v. New York Times, 328 F. Supp. 324, 329 (S.D.N.Y. 1971).

This has mostly to do with something Justice Gurfein referred to as a “cantankerous press.”

As Gurfein writes in his decision:

The First Amendment concept of a “free press” must be read in the light of the struggle of free men against prior restraint of publication. From the time of Blackstone it was a tenet of the founding fathers that precensorship was the primary evil to be dealt with in the First Amendment…

The security of the Nation is not at the ramparts alone. Security also lies in the value of our free institutions. A cantankerous press, an obstinate press, an ubiquitous press must be suffered by those in authority in order to preserve the even greater values of freedom of expression and the right of the people to know…it is not merely the opinion of the editorial writer or of the columnist which is protected by the First Amendment. It is the free flow of information so that the public will be informed about the Government and its actions.

These are troubled times. There is no greater safety valve for discontent and cynicism about the affairs of Government than freedom of expression in any form. This has been the genius of our institutions throughout our history. It is one of the marked traits of our national life that distinguish us from other nations under different forms of government.

Here’s Trevor Timm (Freedom of the Press Foundation) explaining this in a brief 1 1/2 minute video. This clip is from the upcoming film “From DeadDrop To SecureDrop.” (Transcription below):




The Supreme Court case that came out of the Pentagon Papers was one of the most important First Amendment cases of the twentieth century. It essentially is affirmed that newspapers in the United States have the constitutional right to publish information – even that the government considers “Top Secret” – that’s in the public interest, and that they cannot be censored, or what courts refer to as “the government can’t issue a ‘prior restraint.’

The opinion was written incredibly fast – from the start of the case where it went from the District court to the Supreme Court took only 13 days, which is incredibly fast. If you ever read the history of Supreme Court opinions, it usually takes years to get there. And so, all nine judges wrote separate opinions, but the core of the case still stands, which is that unless there are extreme extreme circumstances – which we have never seen in this country – that newspapers and journalists have the right to publish classified information. And because of this, we have learned so much more about what our government does behind closed doors.

Often, what they do, that is immoral and wasteful and illegal, we never would have known without this decision.


Planning For This Year’s World-Wide Hackathon on November 5th

Update October 28th: This year’s focus, as always, will be SecureDrop.

We were going to try to do a post quantum crypto track, in parallel, but it didn’t work out.

Here’s the rest of this original blogpost:

Chelsea Manning has taken a special interest in participating in this year’s Aaron Swartz Day Hackathons.

As Chelsea explains herself in a blog post this morning:

It’s important to keep our encryption safe in the post-quantum world. Luckily, you don’t need to be a quantum math or quantum computer expert in order to be able design stronger algorithms to protect our current encryption methods against quantum attacks. These algorithms are classical, and don’t require any kind of complex understanding of anything quantum. We can let the PhDs deal with that.

I am putting together a collection of materials on this topic, and I thought perhaps we could all explore this together during this year’s Aaron Swartz Day Hackathons.

Using SageMath, an open source python-like mathematics software system, I am hoping to start things off with a generic construct that anyone can easily start working from.

I’ll be putting up pages soon for the different participating cities. Please write me at lisa(at) if you’re putting on a hackathon in your town, and I’ll make a page for it here that you can populate accordingly, as your event develops.

I’m lining up some incredible speakers for San Francisco, and I’ll make sure they get questions from all the hackathoners participating all over the world.

Chelsea is putting together some materials that I will be distributing to everyone a few months before the hackathon, to get us all ramped up. This isn’t like the year 2000 problem –> there’s no ticking time bomb yet, as far as we know. (Although when advances are made, they will undoubtedly happen quickly :) To be clear:  We’re approaching this problem way before it gets to that point.

That’s the whole point of starting this conversation now in our community, while it’s still a fun thing we have lots of time to prepare for, so it’s not only huge government institutions and multi-national corporations that have a handle on the implications of this technology.

Also, rest assured, there will be lots of other things to work on if post-quantum cryptography isn’t your bag. But I encourage you to please not write it off yet, as it’s a lot of fun to think about hypothetically, even if you are not a programmer. (Boy was I relieved to find that out when Chelsea started down this path :-)

Snowden Explains “Opsec” – Operational Security for Everybody

Micah Lee and Edward Snowden, in Moscow, Russia. Photo: Sue GardnerMicah Lee and Edward Snowden, in Moscow, Russia. Photo: Sue Gardner

A few weeks ago, Micah Lee, Technologist for The Intercept and   Co-Founder and Board Member of the Freedom of the Press Foundation, went to Moscow to meet Edward Snowden (who is on the Freedom of the Press Foundation’s Board).

They had been in close contact online, since January of 2013, albeit anonymously, on Ed’s end, for the first six months.

Snowden took the opportunity to explain some technical details about what he has come to refer to as “Opsec,” or “Operational Security,” a collection of a few simple best practices for security that folks can use to protect the privacy of their day to day communications.

Engaging in Opsec helps protect one’s privacy, not only against the threat of what is, to some, the merely abstract notion of “government surveillance,” but also against much scarier threats that are not so abstract. For instance, abusive relationship victims, stalking victims, or children who are at risk of being monitored by pedophiles. There are many scary scenarios, all made possible by the current lack of basic encryption on most people’s emails and text messages. In these cases, being a victim of online surveillance often translates into physical harassment or abuse in the “real world.”

Using Opsec to “reclaim your privacy” may seem confusing at first, especially to those who have not realized that their privacy is already compromised daily. But as Micah explains, “This doesn’t need to be an extraordinary lifestyle change. It doesn’t have to be something that is disruptive. It should be invisible, it should be atmospheric, it should be something that happens painlessly, effortlessly.”

In the article, Snowden outlines some Opsec basics, including:

  • Using “Signal” (“Text Secure” on Android), by Open Whisper Systems, to encrypt your text messages and phone calls. It’s very easy to install and use, instantly, on your Android or iPhone device.
  • Encrypting your laptop hard drive, so if your computer is stolen, the thief won’t also have access to all of your private data. (Micah has already written a guide for this.)
  • Using a password manager (here’s Bruce Schneier’s favorite) that helps you generate unique passwords for all of your different services and stores them for you, so you don’t have to remember them.
  • Using two-factor authentication to provide an additional level of security on your accounts.
  • Using browser plugins like HTTPS Everywhere by the EFF, to try to enforce secure encrypted communications so your data is not being passed while “electronically naked,” in transit.
  • Using adblocking software, such as Privacy Badger, by the EFF.
  • Using Tor and TorBrowser to anonymize your browsing.

A few relevant quotes from the article:

On Tor:

Lee: What do you think about Tor? Do you think that everyone should be familiar with it, or do you think that it’s only a use-it-if-you-need-it thing?

Snowden: I think Tor is the most important privacy-enhancing technology project being used today. I use Tor personally all the time. We know it works from at least one anecdotal case that’s fairly familiar to most people at this point. That’s not to say that Tor is bulletproof. What Tor does is it provides a measure of security and allows you to disassociate your physical location…

But the basic idea, the concept of Tor that is so valuable, is that it’s run by volunteers. Anyone can create a new node on the network, whether it’s an entry node, a middle router, or an exit point, on the basis of their willingness to accept some risk. The voluntary nature of this network means that it is survivable, it’s resistant, it’s flexible.

Micah: [Tor Browser is a great way to selectively use Tor to look something up and not leave a trace that you did it. It can also help bypass censorship when you’re on a network where certain sites are blocked. If you want to get more involved, you can volunteer to run your own Tor node, as I do, and support the diversity of the Tor network.]…

On Whistleblowing:

Snowden: What we do need to protect are the facts of our activities, our beliefs, and our lives that could be used against us in manners that are contrary to our interests. So when we think about this for whistleblowers, for example, if you witnessed some kind of wrongdoing and you need to reveal this information, and you believe there are people that want to interfere with that, you need to think about how to compartmentalize that.

Tell no one who doesn’t need to know.

Micah: [Lindsay Mills, Snowden’s girlfriend of several years, didn’t know that he had been collecting documents to leak to journalists until she heard about it on the news, like everyone else.]

Snowden: When we talk about whistleblowers and what to do, you want to think about tools for protecting your identity, protecting the existence of the relationship from any type of conventional communication system. You want to use something like SecureDrop, over the Tor network, so there is no connection between the computer that you are using at the time — preferably with a non-persistent operating system like Tails, so you’ve left no forensic trace on the machine you’re using, which hopefully is a disposable machine that you can get rid of afterward, that can’t be found in a raid, that can’t be analyzed or anything like that — so that the only outcome of your operational activities are the stories reported by the journalists.

Micah: [SecureDrop is a whistleblower submission system. Here is a guide to using The Intercept’s SecureDrop server as safely as possible.]…

On Simple and Practical Threat Modeling:

Snowden: …You can drive yourself crazy thinking about bugs in the walls and cameras in the ceiling. Or you can think about what are the most realistic threats in your current situation? And on that basis take some activity to mitigate the most realistic threats.

In that case, for most people, that’s going to be very simple things. That’s going to be using a safe browser. That’s going to be disabling scripts and active content…And making sure that your regular day-to-day communications are being selectively shared through encrypted means…

On How Cell Phones Track Us By Default:

Micah: People use smartphones a lot. What do you think about using a smartphone for secure communications?

Snowden: Something that people forget about cellphones in general, of any type, is that you’re leaving a permanent record of all of your physical locations as you move around. … The problem with cellphones is they’re basically always talking about you, even when you’re not using them. That’s not to say that everyone should burn their cellphones … but you have to think about the context for your usage. Are you carrying a device that, by virtue of simply having it on your person, places you in a historic record in a place that you don’t want to be associated with, even if it’s something as simple as your place of worship?



The Securus Hack and SecureDrop Upload Explained: Interview with Alex Friedmann of Prison Legal News

The recent article by The Intercept, and Wired‘s coverage of The Intercept‘s announcement, told us that Securus, a prison phone company here in the U.S., had been hacked, and that the hacker then uploaded the data obtained to The Intercept via SecureDrop.

It really provided a perfect example of a whistleblower releasing information in order to help the common man. In this case, assisting inmates and their families by drawing attention to:

1) Their sensitive data not being stored properly.

2) Recordings of attorney-inmate “privileged” calls that should never have been recorded.

3) “Kickbacks” the government agencies awarding the phone contracts were getting that these families were funding with their overcharged calls.

This article provided me with a real world example for my movie, “From DeadDrop to SecureDrop,” which was pretty exciting, because I had originally given up hope on having a real world example, mainly because there are lots of different reasons why it often might not be in the whistleblower’s best interest to make any of the details surrounding any one particular leak public. (Mainly out of fear of releasing information that could potentially identify the whistleblower, especially if they were an insider.)

In this case though, although Securus is claiming that it was a leak from an insider, rather than a hack (see the bottom of The Intercept article), the folks at The Intercept make it pretty clear in their article that they believe it to be a hack, saying “an anonymous hacker who believes Securus is violating the constitutional rights of inmates” uploaded the data.

It appears that, of the 70 million records, at least 14,000 of these calls were made by detainees to their attorneys, and therefore should NOT have been recorded. However, although most legal experts agree that Securus has violated those inmates’ rights by recording those calls, it’s hard prove and calculate damages, should an inmate choose to challenge it. The burden is on the inmate to prove that such improperly recorded calls were also accessed by a prosecutor and then resulted directly in some kind of damage to the inmate (for instance, a longer sentence).

But as The Intercept article explains, prosecutors are not always forthcoming about accessing such calls. For example, in a lawsuit brought by the Austin Lawyers Guild, “four named attorneys, and a prisoner advocacy group … alleges that”:

“…despite official assurances to the contrary, privileged communications between lawyers and clients housed in the county jails have been taped, stored, “procured,” and listened to by prosecutors. The plaintiffs say that while some prosecutors have disclosed copies of recordings to defense attorneys as part of the regular evidential discovery process, other prosecutors have not, choosing instead to use their knowledge of what is in individual recordings to their “tactical advantage” in the courtroom “without admitting they obtained or listened to the recordings.”

Over the last few weeks we’ve all learned how Securus, GTL, CenturyLink, Telmate, NCIC and other companies overcharge prison inmates for calling their families. But to learn, via a Prison Legal News article from 2011, referenced in The Intercept article, that the overcharging was specifically to pay “kickbacks” to the prison executives that awarded the contracts, and that this had already been written about extensively for many years, kinda blew my mind.

So what’s Securus’ side of the story? A Securus Press Release from October 2014 seems like it was published in order for Securus to make it clear to its government agency clients that it tried to keep the commission system alive. Although it’s hard to believe the release made it out of the company’s PR department, with statements like:

“We have been a vocal advocate of maintaining commissions and have spent approximately $5 million in legal fees and other costs on behalf of our facility customers over the last decade to maintain commissions, but the FCC maintains that it is not good public policy to have the poorest in society help to fund government operations, even though the programs funded are worthwhile.”

The press release also has Securus’ CEO giving an explanation regarding where the money from the overcharges is going:

“Part of the heritage of our business is that we calculate, bill, and collect commissions and pay those to jails, prisons, and local, county, and state governments,” said Richard A. (“Rick”) Smith, Chief Executive Officer of Securus Technologies, Inc.  “Clearly these commission payments that have been used to fund critical inmate welfare programs and support facility operations and infrastructure have improved the lives of inmates, victims, witnesses and individuals working in the correctional environment, and helped to fund government operations.  And it appears, sadly, that regime may come to an end in the not too distant future,” said Smith.

This quote suggests that money from the overcharges benefits the prisoners, in the long run. But this raised even more questions in my mind. Why are prisoners’ families paying for their own “facility operations and infrastructure” costs? As addressed in the interview with Alex Friedmann, it turns out that the budgets these overcharges go into have little or no government oversight, be they at the Local (Municipal), State, or Federal level.

I contacted Alex Friedmann, Managing Editor of Prison Legal News, to get some answers. Prison Legal News has reported on criminal justice-related issues since 1990 and is a project of the Human Rights Defense Center.

Lisa: Let’s talk about the SecureDrop upload that was announced on November 12th. What were your first impressions, when you read about the upload?

Alex: It wasn’t terribly surprising. Nor was it surprising that they were apparently recording attorney-inmate calls. There are already some lawsuits in Texas and other places over these issues.  Although the volume of recorded calls was somewhat surprising.

Really, the most surprising thing was that somebody actually cared enough to release the records. That was rare, that someone decided this was an issue, and decided to do it, and did it.

Lisa: What do you feel is the takeaway on this?

Alex: The important thing about the SecureDrop dump was that it showed what data was being collected, and that it’s not being stored securely.

Storing such sensitive data insecurely is a privacy violation. Much in the same way that Target was responsible when all the private data of its customers was released, due to not being properly protected. For this reason, it doesn’t matter whether the leak came from inside or outside; the sensitive data was not being properly protected. Securus claiming it was an insider, and not a hack, doesn’t explain away this issue; their data was still insecure.

Lisa: Let’s talk about the attorney-client privilege issue. It looks like at least 14,000 of the phone calls recorded “shouldn’t have been.” So, walk me through this. A call is “improperly recorded,” lets say as a result of recording a call to a number on “the list” of attorney numbers (that should therefore not be recorded). Could you explain why you think that it would be hard for an inmate to show they were harmed by these calls being merely recorded?

Alex: Okay. So the onus is on the prisoner to prove that 1) the call was accessed by a prosecutor and 2) that the prosecutor acted on the information that was heard in those phone calls, and then used that information in some way harmful to the prisoner. To show damages, you’d have to show that the prosecutor listened to the call, and then took action based on that call, and that doing so resulted in a longer sentence, or something else adverse directly happening to the prisoner as a result.

Lisa: So, at that point, it would have interfered with the prisoner’s 6th Amendment “Right to Counsel?”

Alex: Yes. But they would have to show injury. Though there can be injury in the form of chilling their right of access to counsel, if they know that calls to their attorneys are being recorded.

Lisa: So, moving forward, post-upload. Now that the fact that these calls were being improperly recorded, there could be a chilling effect, but for calls that took place before the upload, the argument would be “how could their speech be chilled if they didn’t know they were being recorded?”

Alex: Correct. In effect, it’s like giving officials one free bite at the constitutional apple. They’re not supposed to record attorney-client phone calls, but if they do, it’s hard to hold them accountable.

Lisa: Let’s talk about the “kickbacks. These “kickbacks” have been reported on for years, without anyone doing anything about them?

Alex: Well, yes. Because it may be that no laws are actually being violated, due to general lack of accountability of these programs. There tends to be a lot of “wiggle room” in prison and jail budgets and very little oversight. The practice of prison phone service providers giving kickbacks to corrections agencies – up to 94% of gross revenue in some cases – is perfectly legal. And that’s the problem, that it’s legal.

Lisa: Is this happening primarily at the local (Municipal), State, or Federal level?

Alex: When we talk about prison and jail phone “commissions,” in general, we are talking about a multi-level, local (municipal), state, federal commission kickback model that exists at all three levels.

Lisa: Why is it so hard to follow the money?

Alex: Oh you can follow the money, it’s just that there is little actual oversight of the budgets themselves, and few regulations defining allowable expenditures in most cases.

Lisa: So no one’s checking that it’s spent properly, and no one defining what “properly” is?

Alex: Yes. Due to the way the money is mixed up in the funds. It’s all mixed up and hard to track. Once it gets to something like a county’s general fund or a state’s general fund, its impossible to track completely. Once the money finds its way to the general budget of an agency. For instance, the Sheriff’s office. They can often do whatever they want with it.

Lisa: Please explain how, once the money goes into something called the IWF (Inmate Welfare Fund), you can put in a “public records request,” and get a breakdown of what went in and out.

Alex: For a number of years we have submitted public records requests to corrections agencies nationwide, and obtained copies of prison phone contracts, rate data and commission data, which are posted on our data site, In some cases we have also requested records related to how IWF funds are spent; for example, at one county jail we found that IWF funds were used to pay for prisoners’ meals, as well as a variety of other things, such as server upgrades, that either do not benefit prisoners or should be paid from the jail’s general fund, not the IWF.

Lisa: So, it’s the position of the Human Rights Defense Center that there should be no commissions, no matter what the money is used for?

Alex: Right. Let’s say that most of the money from the excessive phone charges does go back into prisoner programs. So what? The state is supposed to be paying for prisoner programs, not the families of prisoners. Hence, our stance is that there should be no commissions. It’s not a question of what they should be spent on.

Overcharging the families of prisoners in this way would be like charging taxes for schools only on households with children. These services should be funded by everyone, because they benefit everyone. Just like schools, roads, and other public services. Similarly, programs and services for prisoners need to be funded through the general tax base. Otherwise, it’s a tax solely on prisoners’ families, which is unfair.

Lisa: In the Intercept article, an example is given of a couple deciding between phone time and food. It struck me that no one should have to make those kinds of choices.

Alex: Right, prison phone rates shouldn’t be much higher than anyone else’s phone rates. And if it costs more to make such calls “secure,” that should hardly be an expense that the families are expected to cover, any more than prisoners’ families should have to pay for razor wire, security cameras or guards’ salaries at prisons and jails. Again, incarceration is a public service and those costs should be paid by all members of the public, not just prisoners’ families.

Take the county jail I mentioned, where one can actually access the actual expenditures for the IWF funds, which were used to pay for food and server upgrades, among other things. Why are prisoners’ families paying higher phone rates to cover such expenses?

Lisa: Arguably, how do “server upgrades” help the prisoners directly anyway?

Alex: They don’t, unless you really stretch the language for how IWF funds should be used. But even for expenditures that do directly benefit prisoners, so what? Why are the prisoners’ families paying for things that should be covered by the corrections agency? These are the most basic of necessities that should be paid for by the prison system itself, not by the families of those being incarcerated.

The simple fact remains that prisoners’ families are being exploited and have been for some time, and that the various agencies (Bureau of Prisons, state Departments of Corrections) allow it to happen. This amounts to an estimated $460 million in phone commission kickbacks each year, as it involves not just state or federal prisons, but also immigration facilities, county jails and other detention centers. Nor does this address the many other ways that prisoners and their families are price gouged.

Lisa: A report from the FCC explains (on page 12, paragraph 23) that, although these unfair price hikes only represent somewhere between 0.3% and 0.4% of the budgets the money collected from them go into, “What appears to be of limited relative importance to the combined budgets of correctional facilities has potentially life-altering impacts on prisoners and their families.”

Alex: It depends on the agency and its budget, but in general, prison and jail phone commissions are just a drop in the government’s bucket of taxpayer funds. Yet prisoners’ families face real hardships when they have to pay inflated phone rates to stay in touch – money spent on calls could otherwise be spent on rent, food, healthcare needs, and so on. But what mother doesn’t want to speak with her incarcerated son? Or what wife wouldn’t take a call from her imprisoned husband? Keep in mind that prison and jail phone contracts are monopoly contracts; families have no choice and can’t choose a less expensive option for accepting phone calls from their incarcerated loved ones.

One of the main problems with all of these scenarios in which prisoners and their families are exploited is they have no voice in our legal or political systems. It’s easy for those in charge to take advantage of these families who have no one looking out for them or protecting their interests. Both prisoners and their family members are easy targets for greedy prison telecommunications companies and their government partners. There are currently around 2.2 million people locked up in prisons and jails in the United States, which means 2.2 million families are affected by these exploitive prison and jail phone rates.

The FCC has recently taken action on this issue, after more than a decade of efforts by advocacy organizations, including Prison Legal News/Human Rights Defense Center, but more needs to be done. The two largest ICS providers, GTL and Securus, are owned by private equity firms, and as such are only interested in financial returns, not fair and equitable phone rates for families.

Lisa: Would you say this whole scenario of having private companies, whose bottom line is profit, rather than servicing the needs of their customers, is just another example of why privatizing the prison industry is a bad idea – especially with little or no government oversight, which seems to always be the case?

Alex: Removing for-profit incentives from our criminal justice system would certainly help shift the focus away from providing various correctional services – including operating prisons and jails – for the purpose of making money. We tend to monetize almost everything in the United States, but I submit our criminal justice shouldn’t be included. That being said, our public corrections agencies aren’t that great either; the entire system is in need of reform, from the top down.

Lisa: But you think prison and jail phone rates will be going down, for sure, next year?

Alex: The FCC order has already been issued. Once it’s published in the Federal Register, it will go into effect after 90 days. So that’s a done deal, though ICS providers will likely challenge it in court. Thus, there is no guarantee the rates will go down on a date certain, but eventually they will go down.

Lisa: So the big question is “what can prisoners and their families do to protect their privacy, now that they know calls are being recorded, and perhaps stored for months or years into the future? And insecurely?

Alex: They, through their elected lawmakers, need to demand accountability from the prison and jail officials who enter into contracts for phone services, to ensure their privacy interests are respected to the same extent as all other citizens.

There isn’t much families can do right now to make things better, particularly with respect to privacy. There is a combined class-action suit pending against GTL, but it doesn’t focus on privacy issues. They could complain to their state Public Utility Commission (or similar agency that regulates in-state phone services). In many states, the telecom industry has been deregulated, however. But really, how does anyone protect their privacy given that our own government spies on its citizens through the NSA?


1. Not So Securus – Massive Hack of 70 Million Prisoner Phone Calls Indicates Violations of Attorney-Client Privilege
November 11, 2015. By Jordon Smith and Micah Lee for The Intercept.

2. SecureDrop Leak Tool Produces a Massive Trove of Prison Docs November 11, 2015. By Andy Greenberg for Wired.

3. Nationwide PLN Survey Examines Prison Phone Contracts, Kickbacks. April 15, 2011. by John Dannenberg for Prison Legal News.

4. Prison Legal News, Complete Issue, December 2013.

5. Securus Press Release, October 2014.

6. Securus Press Release, March 2015.

7. GTL on reducing rates (From October 2015):

8. Jail’s Inmate Welfare Fund Gets Rich .

9. From HRDC executive director Paul Wright, October 23, 2015, FCC Caps the Cost of Prison Phone Calls .

12. FCC Second Further Notice of Proposed Rulemaking, October 22, 2014.

11. Authorities Listen in on Attorney-Client Calls at Jails in FL, CA and TX, by David Reutter for Prison Legal News. Aug. 15, 2008

12. Suit Filed Over Minnesota Jail’s Secret Recording of Privileged Phone Calls, by Matthew Clarke for Prison Legal News. April 15, 2009

13. Recording of Nashville, Tennessee Jail Prisoners’ Attorney Calls Criticized, published in Prison Legal News, Dec. 15, 2011.


Micah Lee at Aaron Swartz Day 2015

Download mp4      Hi-res files of entire event

Note: I’m including a full transcription at the bottom of this post, for safekeeping. Thanks to for their transcriptions of these talks.

Micha Lee gave a charming first person account of how Ed Snowden first contacted him anonymously, looking for Laura Poitras’ PGP key, and then asked him to please get Glenn Greenwald get set up on PGP.

Next, he explains how SecureDrop enables sources to connect with journalists without having to learn PGP, and how Aaron’s core design is still in use today.

Micah has also written about this entertaining story in much more  splendid detail at The Intercept.

Quotes from Micah’s Talk:

“…two years before Edward Snowden decided to start becoming a whistleblower, Aaron had already done a lot of development work on DeadDrop and was well on his way to making it so that rather than having someone like Ed have to try and send a bunch of plaintext emails to journalists he wants to talk to to convince them to learn how to use PGP and stuff, he made it so that whistleblowers could talk to journalists in less than six months. I think that was pretty amazing…

The one thing is that SecureDrop has come a very long way and it’s really easy to use for sources now. So now if you’re a whistleblower and you want to leak documents, it’s really easy. All you need to do is go and download Tor Browser, go to a web site, click “I’m a new source,” and upload a document. Then you’re done…

…he (Aaron) made it so that whistleblowers could talk to journalists in less than six months. I think that was pretty amazing. And like what Garrett was saying earlier, the core design of DeadDrop is still exactly the same in SecureDrop, and that’s pretty amazing I think that he had such good foresight to figure out what all these technical problems were and try and solve them.– Micah Lee, Co-Founder, Freedom of the Press Foundation, Technologist at The Intercept.


***Complete Transcript Below****

Hello. I don’t have a whole lot to say.

When I was thinking about what I would talk about last night, I was reading more about Aaron. Unfortunately, I never got to meet him before he died, but I realized that he passed away on January 11, 2013, and that was actually the same day that I first heard from Edward Snowden.

At the time I didn’t know that it was Edward Snowden. He was anonymous. He sent me an email and it was encrypted. And he was trying to get Laura Poitras’ PGP key and he was saying that—you know, he couldn’t tell me what it was for but I should help Glenn Greenwald learn how to use PGP and it was important.

So I helped out as I could, and it took several months. I kept talking to Glenn and Glenn was into it, but he was also really impatient with learning anything new on the computer and he didn’t really know why it was so important. I didn’t really know why it was so important. There were a couple of false attempts at teaching Glenn PGP, and finally I had a Skype call with him where I helped him set up Pidgin and off-the-record encryption. That was like, five and a half, six months later after I first got that encrypted anonymous email from Snowden. And that was the first time that Snowden was able to have a secure conversation with Glenn Greenwald.

And I was thinking about it. Aaron had already kind of done a lot of work to solve this problem. The year, two years before Edward Snowden decided to start becoming a whistleblower, Aaron had already done a lot of development work on DeadDrop and was well on his way to making it so that rather than having someone like Ed have to try and send a bunch of plaintext emails to journalists he wants to talk to to convince them to learn how to use PGP and stuff, he made it so that whistleblowers could talk to journalists in less than six months. I think that was pretty amazing. And like what Garrett was saying earlier, the core design of DeadDrop is still exactly the same in SecureDrop, and that’s pretty amazing I think that he had such good foresight to figure out what all these technical problems were and try and solve them.

I guess the one thing is that SecureDrop has come a very long way and it’s really easy to use for sources now. So now if you’re a whistleblower and you want to leak documents, it’s really easy. All you need to do is go and download Tor Browser, go to a web site, click “I’m a new source,” and upload a document. Then you’re done, and you don’t have to go through all of this having to be a technical expert and having to train the journalists and all this stuff. But the hard part is that it’s still not nearly as easy for journalists to use. So, in fact, Glenn Greenwald doesn’t use SecureDrop himself. Instead, other people who have more time and patience with technical stuff use it and talk to him about it if there’s stuff for him.

So there’s still a lot more work to be done in this area, and I just really wish that Aaron were still around to help with this, because I think that he would contribute greatly on his project.

And that’s all that I have to say.

Wired: SecureDrop Leak Tool Produces a Massive Trove of Prison Docs

SecureDrop Leak Tool Produces a Massive Trove of Prison Docs

by Andy Greenberg for Wired, November 11, 2015

This is really exciting, and what great timing!

The whole purpose of last weekend’s event was to get the word out about SecureDrop‘s usefulness to the common man, and yet I couldn’t point directly to an example of it in action.

Then, low and behold, when I woke up yesterday afternoon (heh, been a long week), I could not believe my eyes! A real world, shining example of SecureDrop in action. A hacker obtained over 70 million phone records that exposed some first class corruption: exploiting  those who are already underprivileged and underserved in the community. In this case, prisoners and their families, which often barely have enough money for the essentials.

I’ll be posting a summary of The Intercept article that fully explains what the hack, and subsequent anonymous upload, exposed, shortly. It’s a little complicated, and therefore took me a minute to be able to summarize it – but it will be up soon… :-)

From the article:

“It’s been more than two years since the debut of SecureDrop, a piece of software designed to help whistleblowers easily and anonymously leak secrets to media outlets over the Tor anonymity network. Now, that system is finally bearing fruit, in the form of a massive dump of files from one of the country’s largest prison phone companies…”

“Just as significant as those revelations, perhaps, is how the Intercept obtained the documents that enabled them: The news site has confirmed that it first made contact with the anonymous source who provided the Securus files through the Intercept’s SecureDrop platform, starting with an initial sample of the Securus database uploaded around the beginning of 2015.

That Tor-enabled leak marks a landmark for a still-evolving form of journalism that takes a page out of the playbook invented by WikiLeaks: Like Julian Assange’s secret-spilling organization, SecureDrop allows anyone to run a cryptographically anonymous submission system for leaks and tips. Because that upload site runs as a Tor “hidden service,” anyone who visits has to run Tor too, making it very difficult for anyone to trace his or her location or identity—even the news outlet on the receiving end.

The Intercept’s lead security technologist—and a co-author of the Securus story—Micah Lee says SecureDrop’s benefit isn’t just anonymity, it’s ease of use. Instead of carefully using Tor to create an anonymous email address and figuring out how to encrypt email so that service can’t read their leaked secrets, sources can upload their leak or message using SecureDrop in seconds.

Lee says that this is far from the first time the Intercept has received useful leaks through the SecureDrop system. But the Securus revelations represent the first story of national significance where a news outlet has publicly revealed that the story’s source used SecureDrop anonymous submissions.

“We use SecureDrop on a regular basis, but this story is a little exceptional because we decided it was safe for us to mention that it came from SecureDrop,” Lee says. “This is exactly why we decided to run SecureDrop: to get juicy stories like this and do it in a way where we protect our sources.”

EFF: Aaron Swartz Hackathon This Weekend Is Your Chance To Hack for a Better World

Aaron Swartz Hackathon This Weekend Is Your Chance To Hack for a Better World

 From the post:

This weekend marks the third annual Aaron Swartz Day hackathon, and a chance for you to meet up with other people working to use technology to make the world a better place. Once again, cities around the world will host two days of meetups.

The Internet Archive in San Francisco is the main event hub, with film screenings, talks from developers working on projects started or inspired by Aaron, a mini-conference of privacy-enhancing technologies, and a two-day hackathon.

The hackathon will focus on SecureDrop, an anonymous whistleblower document submission system originally developed by Aaron, and now maintained by the Freedom of the Press Foundation. SecureDrop has grown significantly in the years since Aaron began the project—it is now installed in newsrooms around the world—and it benefits from a robust community of developers and supporters who help build and document the project. Lead developer Garrett Robinson will lead the hackathon and explain where people with different skillsets can pitch in.

SecureDrop will not be the only thing to work on. The founder of the OpenArchive project will also be there to lead prospective hackers on developing that app. Developers from our own Privacy Badger browser tool will be there hacking, and EFF staff technologist Cooper Quintin will present during the privacy mini-conference.

Also at the privacy mini-conference on Saturday: presentations on Keybase; former EFF staffer Micah Lee, now with The Intercept, presenting on encryption for journalists; and Brad Warren on exciting developments with the Let’s Encrypt certificate authority.

Starting at 6pm after the first day of hacking, the Internet Archive will host a reception where people can meet. At 7:30, there will be a rare opportunity to see excerpts of the upcoming “From DeadDrop to SecureDrop,” a documentary about that software and Aaron’s role in developing it.

Finally, on Saturday night from 8 to 10pm an impressive line-up of speakers, including EFF Executive Director Cindy Cohn and co-founder John Perry Barlow, will present on their work and Aaron’s legacy. Tickets for the evening event—including the reception, screening, and talks—are available on a sliding scale.

The hackathon and mini-conference continue on Sunday, with more talks from Library Freedom Project’s Alison Macrina and Restore The 4th’s Zaki Manian.

For friends of EFF, and people who want to advance the causes Aaron dedicated his life to, this weekend’s event is a can’t-miss. If you can make it, please RSVP so the organizers can plan accordingly. We hope to see you there.

Freedom of the Press Foundation: Come Hack on SecureDrop at the Third Annual Aaron Swartz Day

Come hack on SecureDrop and Celebrate the Third annual Aaron Swartz Day

From the blog post:

Next week on Saturday November 7th is the third annual Aaron Swartz Day, which celebrates the life of Aaron and the many wonderful Internet projects he created or worked on during his brief but brilliant life.

One of Aaron’s last projects was SecureDrop, the open-source whistleblower submission system, which Freedom of the Press Foundation adopted after his untimely passing in 2013. Every year on Aaron Swartz Day, we help host a weekend-long hackathon in Aaron’s honor.

This year, the hackathon will be held at the Internet Archive in San Francisco (there are also other cities holding similar events). We will be at the Internet Archive on Saturday and Sunday to help guide and hack alongside any volunteer developers who want to learn about SecureDrop and work on the many open issues.

If you’re interested, you can read through our developer guide and the new-and-improved SecureDrop documentation. On our GitHub page, there is a list of open issues, and by November 7th, many will be tagged specifically for developers to work on at the hackathon.

Please RSVP for the hackathon here if you’d like to attend.

Also make sure to stick around the Internet Archive Saturday night for the Aaron Swartz Day celebration. There will be many great speakers at the event, including SecureDrop’s lead developer Garrett Robinson to talk about the latest on the project, as well as two of our board members and co-founders, Micah Lee and J.P. Barlow.

Many thanks to Lisa Rein, who tirelessly organizes Aaron Swartz Day every year and always makes it a celebration to remember.


Come to this year’s Aaron Swartz Day and International Hackathon


This year we are celebrating whistleblowers and hackers that work hard to make the world a better place, and, specifically, the “SecureDrop,” anonymous whistleblower submission system, now at the Freedom of the Press Foundation (originally prototyped by Aaron and Kevin Poulsen).

There’s also an “Encryption Training for Beginners” day going on in San Francisco, upstairs all day, at the SF Hackathon. (See below for more details.)

Now, thanks to SecureDrop, whistleblowers can connect directly, safely and anonymously to news organizations, such as the Washington Post, Guardian, The Intercept, the New York, Gawker, and other news outlets.

Evening speakers include:  Garrett Robinson (Lead Developer, SecureDrop), Alison Macrina (Library Freedom Project), Brewster Kahle (Digital Librarian, Internet Archive), Cindy Cohn (Executive Director, Electronic Frontier Foundation), Micah Lee (Co-founder, Board Member, and Technologist at “The Intercept,”) Jacob Appelbaum (Wikileaks volunteer, Security Expert/Citizen Four, Tor Project), and John Perry Barlow (EFF and Freedom of the Press Foundation co-founder) and Special Guests.  See more details in the INVITATION.

In San Francisco, at the hackathon, there will be a mini-conference for beginners to receive training on encryption and privacy-enabling software.

In the morning, the Keybase folks will be giving tutorials on encryption basics and tools that you can use to protect your privacy.

In the afternoon, Micah Lee, Technologist for The Intercept and The Freedom of the Press Foundation, with be giving his “Encryption for Journalists” tutorials. Then Micah will give tutorials on OnionShare (a P2P-based anonymous whistleblowing submission platform) and SecureDrop. Details on mini-conference/hackathon