How safe are American whistleblowers on the Internet? If you use a U.S. government system to expose illegal activity, your information may be dangerously vulnerable.
The federal government hosts numerous websites and systems, made specifically to help anyone blow the whistle, that are woefully insecure, putting whistleblowers’ information at risk of eavesdropping, interception, and even alteration, according to cybersecurity experts.
The criticism of federal whistleblower websites has been building for some time, but it’s intensified in the wake of massive hacks against U.S. government networks that have revealed how poorly federal cyberspace is secured against aggressive threats.
Whistleblowers are the people who tell us about abuse and wrongdoing inside governments and corporations. They’ve been some of the most important political figures in American history: A whistleblower started the Watergate scandal that brought down President Nixon, another exposed rampant New York police corruption, and yet another showed that cigarette companies knew they sold addictive and cancer-causing products. More recently, National Security Agency whistleblower Thomas Drake revealed the existence of vast American surveillance of the Internet, a move that set the stage for the Edward Snowden leaks.
Whistleblowers are the “eyes and ears” exposing otherwise secret crimes in the halls of power, Rep. Jackie Speier wrote, so solidifying their security is—or at least should be—a high priority.
Despite federal laws protecting whistleblowers, organizations from the U.S. Senate to the Drug Enforcement Administration host websites soliciting information from whistleblowers and tipsters that lack basic HTTPS encryption protecting Internet traffic from eavesdroppers. The U.S. Senate committees on homeland security and government oversight both lack encryption on their whistleblower pages. The Department of Veterans Affairs, which has recently been plagued by retaliation against whistleblowers, uses outdated and weak security, so the “confidentiality” it promises can’t realistically be guaranteed. The same is true of the Department of Transportation and, until recently, the Department of the Interior (which, for example, hosts the networks of the recently hacked Office of Personnel Management). The Department of Agriculture skips HTTPS encryption entirely.
HTTPS encryption is important, because without it, it’s really not hard to eavesdrop on people’s connections—an especially problematic fact for whistleblowers, who put their lives at risk of retaliation.
“For whistleblowers, it’s prudent that they don’t reveal their identity, so anonymity—especially when submitting sensitive information—is a prime concern,” Bill Budington, a software engineer at the Electronic Frontier Foundation, told the Kernel. “When you’re submitting a tip and trying to get information out there, it’s pretty important that you have strong assurances you are talking to who you want to talk to and that you’re not having your communications picked up by a third party. This is what HTTPS provides.”
One hypothetical scenario from Budington drives the point home.
If a whistleblower wants to keep their information secure, they might send data from a coffee shop instead of their own house. “But going to a coffee shop can be even worse, especially for sites without HTTPS,” Budington explains. “If you submit a document without security then anyone in the coffee shop using simple tools can actually see what you’re sending. That’s a really dangerous precedent. So HTTPS is absolutely one way you can protect submissions.”
Even beyond whistleblowing, many government websites, including the Department of Homeland Security’s, simply forgo encrypted connections, despite all the privacy benefits HTTPS offers.
If whistleblowing without a secure connection isn’t living dangerously enough for you, try giving tips to police about high-powered drug lords. The Drug Enforcement Administration solicits tips from informants without offering the protection of encryption.
Some agencies and politicians merely leave an email address for whistleblowers—despite the fact that email is “one of, if not the most insecure forms of communication,” Joseph Hall, chief technologist at the Center for Democracy & Technology, told the Kernel. Sens. Chuck Grassley and Ron Johnson and Rep. Jackie Speier are among those who leave email addresses for would-be whistleblowers.
“Email is an abdication of duty of an entity that wants to solicit whistleblowers,” Hall said during a phone interview. “Email is effectively like sending a postcard. To the extent a whistleblower feels secure sending materials from their home on a postcard, that’s how secure they should feel with email. It’s in no way secure whatsoever.”
The Department of Energy wants whistleblower emails and so does the Federal Communications Commission (more than once), the Federal Emergency Management Agency, Freddie Mac, and the Department of Defense. The Department of Commerce solicits emails as well, but at least it clearly warns that emails are not secure and can be intercepted.
What’s the solution?
If email is a necessity, agencies could offer public encryption keys to give whistleblowers a secure method of sending data. But personally encrypting emails is difficult for even the tech-savvy, so the government must find another solution to make it as easy as possible to blow the whistle.
Both Hall and Budington have another idea: SecureDrop.
First developed in 2012, SecureDrop is “state of the art in supporting whistleblowers technically,” Hall said, “and the whistleblower doesn’t have to have a lot of technical expertise.”
SecureDrop directs a whistleblower to an anonymous website on the Tor network, thereby not only protecting their Web traffic from hackers but also securing their identity from eavesdroppers. From there, a whistleblower can upload documents. The documents are then transported to a secure viewing station from which any investigations can begin.
“The reason why this is desirable over simple HTTPS is, if you’re using [Tor], it protects your anonymity,” Budington, who worked on SecureDrop, said. “HTTPS is great for encryption; but with Tor, you want to make sure your anonymity is preserved. Sometimes you’re leaking documents that may risk your livelihood, your job, your loved ones even. People want assurances. They want to do the right thing, but they want to be protected.”
SecureDrop minimizes the collection of metadata, doesn’t collect the logs that can identify nearly everything about a whistleblower’s computer, and encrypts whistleblower messages and data on multiple layers to provide improved security. SecureDrop is already widely used in newsrooms at major publications, including the Washington Post, Forbes, the New Yorker, and the Guardian.
“Even naive whistleblowers will cover their tracks with SecureDrop,” Hall says.
SecureDrop isn’t as easy as dropping an insecure form or simply pasting an email address. “You have to think about it as a practice,” Hall said. “There have to be people to maintain it and care about securing whistleblowers. Like any software, there will be vulnerabilities, and you have to have maintainers keep up security.”
SecureDrop is an open source system, so anyone can look at and play with all the code to find weaknesses in the system. If a government agency wished, it could write a custom version tailored to its own needs.
Whether a government agency will use their own version of SecureDrop remains to be seen. What is clear is that the status quo is dangerously insecure in many instances, warranting a new look at the way whistleblowing works.
A version of this story was originally published by the Daily Dot on June 22, 2015.