The Metadata Trap

The Trump Administration Is Using the Full Power of the U.S. Surveillance State Against Whistleblowers

Illustration: Owen Freeman for The Intercept

Government whistleblowers are increasingly being charged under laws such as the Espionage Act, but they aren’t spies.

They’re ordinary Americans and, like most of us, they carry smartphones that automatically get backed up to the cloud. When they want to talk to someone, they send them a text or call them on the phone. They use Gmail and share memes and talk politics on Facebook. Sometimes they even log in to these accounts from their work computers.

Then, during the course of their work, they see something disturbing. Maybe it’s that the government often has no idea if the people it kills in drone strikes are civilians. Or that the NSA witnessed a cyberattack against local election officials in 2016 that U.S. intelligence believes was orchestrated by Russia, even though the president is always on TV saying the opposite. Or that the FBI uses hidden loopholes to bypass its own rules against infiltrating political and religious groups. Or that Donald Trump’s associates are implicated in sketchy financial transactions.

Related

Why You Should Care About Donald Trump’s War on Whistleblowers

So they search government databases for more information and maybe print some of the documents they find. They search for related information using Google. Maybe they even send a text message to a friend about how insane this is while they consider possible next steps. Should they contact a journalist? They look up the tips pages of news organizations they like and start researching how to use Tor Browser. All of this happens before they’ve reached out to a journalist for the first time.

Most people aren’t very aware of it, but we’re all under surveillance. Telecom companies and tech giants have access to nearly all of our private data, from our exact physical locations at any given time to the content of our text messages and emails. Even when our private data doesn’t get sent directly to tech companies, our devices are still recording it locally. Do you know exactly what you were doing on your computer two months ago today at 3:05 p.m.? Your web browser probably does.

Yet while we all live under extensive surveillance, for government employees and contractors — especially those with a security clearance — privacy is virtually nonexistent. Everything they do on their work computers is monitored. Every time they search a database, their search term and the exact moment they searched for it is logged and associated with them personally. The same is true when they access a secret document, or when they print anything, or when they plug a USB stick into their work computer. There might be logs of exactly when an employee takes screenshots or copies and pastes something. Even when they try to outsmart their work computer by taking photos directly of their screen, video cameras in their workplace might be recording their every move.

Government workers with security clearance promise “never [to] divulge classified information to anyone” who is not authorized to receive it. But for many whistleblowers, the decision to go public results from troubling insights into government activity, coupled with the belief that as long as that activity remains secret, the system will not change. While there are some protections for whistleblowers who raise their concerns internally or complain to Congress, there is also a long history of those same people being punished for speaking out.

The growing use of the Espionage Act, a 1917 law that criminalizes the release of “national defense” information by anyone “with intent or reason to believe that it is to be used to the injury of the United States or to the advantage of a foreign nation,” shows how the system is rigged against whistleblowers. Government insiders charged under the law are not allowed to defend themselves by arguing that their decision to share what they know was prompted by an impulse to help Americans confront and end government abuses. “The act is blind to the possibility that the public’s interest in learning of government incompetence, corruption, or criminality might outweigh the government’s interest in protecting a given secret,” Jameel Jaffer, head of the Knight First Amendment Institute, wrote recently. “It is blind to the difference between whistle-blowers and spies.”

While we all live under extensive surveillance, for government employees and contractors — especially those with a security clearance — privacy is virtually nonexistent.

Of the four Espionage Act cases based on alleged leaks in the Trump era, the most unusual concerned Joshua Schulte, a former CIA software developer accused of leaking CIA documents and hacking tools known as the Vault 7 disclosures to WikiLeaks. Schulte’s case is different from the others because, after the FBI confiscated his desktop computer, phone, and other devices in a March 2017 raid, the government allegedly discovered over 10,000 images depicting child sexual abuse on his computer, as well as a file and chat server he ran that included logs of him discussing child sexual abuse images and screenshots of him using racist slurs. Prosecutors initially charged Schulte with several counts related to child pornography and later with sexual assault in a separate case, based on evidence from his phone. Only in June 2018, in a superseding indictment, did the government finally charge him under the Espionage Act for leaking the hacking tools. He has pleaded not guilty to all charges.

The other three Espionage Act cases related to alleged leaks of government secrets have involved people who are said to have been sources for The Intercept. The Intercept does not comment on its anonymous sources, although it has acknowledged falling short of its own editorial standards in one case. It is not surprising that a publication founded as a result of the Snowden leaks, and one that has specialized in publishing secret government documents whose disclosure serves the public interest, has been an appealing target for the Trump administration’s war on whistleblowers.

The government comes to this war armed with laws like the Espionage Act that are ripe for abuse, and with the overwhelming firepower of surveillance technology that has almost no limits when applied to its own workers and contractors. But journalists also have tools at their disposal, including the First Amendment and the ability to educate ourselves about the methods the government uses to track and spy on its employees. We’ve mined the court filings in all seven leak cases filed by Trump’s Justice Department to identify the methods the government uses to unmask confidential sources. 

When a government worker becomes a whistleblower, the FBI gets access to reams of data describing exactly what happened on government computers and who searched for what in government databases, which helps narrow down the list of suspects. How many people accessed this document? How many people printed it? Can any of their work emails be used against them? What evidence can be extracted from their work computers?

Once the FBI has a list of suspects based on the vast amount of data the government itself has collected, they use court orders and search warrants to access even more information about the targets of its investigation. They compel tech companies, whose business models often rely on collecting as much information on their users as possible, to hand over everything, including personal emails, text messages, phone call metadata, smartphone backups, location data, files stored in Dropbox, and much more. FBI agents raid the houses and search the vehicles of these suspects, extracting whatever they can from any phones, computers, and hard drives they find. Sometimes, this includes files the suspects thought they had deleted or text messages and documents sent through encrypted messaging services like Signal or WhatsApp. The encryption these apps use protects messages while they’re sent over the internet so that the services themselves can’t spy on the content or hand it over to the government, but this encryption doesn’t protect messages stored on a phone or other device that is seized and searched.

Because whistleblowers aren’t spies, they normally don’t know how to avoid this kind of surveillance. One whistleblower who knew what he was up against, former CIA and National Security Agency contractor Edward Snowden, didn’t see any way to get secret government information into the public domain while retaining his anonymity.

“I appreciate your concern for my safety,” Snowden wrote in an encrypted email, from an anonymous address not associated with his real identity that he only accessed over the Tor network, to filmmaker Laura Poitras in the spring of 2013, “but I already know how this will end for me and I accept the risk.” In the documentary film “Citizenfour,” Snowden explains that the security measures he took while reaching out to journalists were only designed to buy him enough time to get information about the NSA’s overwhelming invasions of privacy to the American public. “I don’t think there’s a case that I’m not going to be discovered in the fullness of time,” he said from a hotel room in Hong Kong before he publicly came forward as the source.

If we want to live in a world where it’s safer for people to speak out when they see something disturbing, we need technology that protects everyone’s privacy, and it needs to be enabled by default. Such technology would also protect the privacy of whistleblowers before they decide to become sources.

In 2017, in the first indictment of an alleged whistleblower since Trump became president, the Justice Department charged Reality Leigh Winner under the Espionage Act for leaking a top-secret NSA document to a news organization that was widely reported to be The Intercept. At the time, Winner was a 25-year-old decorated U.S. Air Force veteran, who was also a dedicated CrossFit trainer with a passion for slowing the climate crisis. The document was an NSA intelligence report describing a cyberattack: Russian military intelligence officers hacked a U.S. company that provides election support in swing states and then, days before the 2016 election, sent local election officials — who were customers of this company — over 100 malware-infected emails, hoping to hack them next.

Government insiders charged under the Espionage Act are not allowed to defend themselves by arguing that their decision was in the public interest.

According to court documents, Winner was one of only six people who had printed the document she was accused of leaking (she had searched for, accessed, and printed the document on May 9, 2017). After searching all six of those employees’ work computers, they found that Winner was the only one who also had email contact with the news organization that published the document. (Using her private Gmail account, she had asked the news organization for a transcript of a podcast episode.) At the time, those who accused The Intercept of having revealed Winner’s identity said that the online publication, in an attempt to authenticate a document that had been sent anonymously, shared a copy with the government that contained a crease, suggesting that it had been printed. But Winner’s email and printing history alone would have made her the prime suspect.

FBI agents then raided her house and interrogated her without a lawyer present and without telling her she had a right to remain silent, leading to defense accusations that the government violated her Miranda rights. In her house, they found handwritten notes about how to use a burner phone and Tor Browser. They also seized her Android smartphone and her laptop and extracted evidence from both devices.

Related

In the Trump Era, Leaking and Whistleblowing Are More Urgent, and More Noble, Than Ever

The FBI also ordered several tech companies to hand over information from Winner’s accounts. Facebook provided data from her Facebook and Instagram accounts, Google provided data from two separate Gmail accounts she used, Twitter provided data on her account, and AT&T also contributed.

We don’t know exactly what these companies turned over, but we do know that they were ordered to disclose all information associated with her accounts, including:

• Usernames, email addresses, physical addresses, phone numbers, and credit card numbers.

• A history of every time she logged on, for how long, and from which IP addresses.

• Metadata about every instance of communication she ever had over these services, including the type of communication, the source and destination, and the file size or duration of the communication.

The FBI also requested records of accounts that were linked to her Facebook, Instagram, Google, Twitter, and AT&T accounts — those that were created using the same email address, accessed from the same IP address, or logged into from the same web browser. (If users don’t take extra steps to remain anonymous, service providers can trivially link different accounts accessed from the same computer.)

The FBI also extracted everything it could from Winner’s phone:

• Her photos, including one that was taken on February 7, 2017, of a webpage that listed eight SecureDrop servers run by different media organizations.

• Data extracted from her smartphone apps like the Facebook app, which contained private messages she had exchanged with her sister, which were later used against her.

• Her phone’s browser history: On March 7, she visited a website that contained a list of “dark web email providers,” and she searched the internet for “tor email.” On May 9, at “approximately 7:29:49 p.m. (EST),” Winner searched for and viewed the tips page of the news outlet to which she was accused of leaking the NSA document, as well as the tips page of a second news outlet; later that night, she logged into her Dropbox account, and three minutes after that, she viewed the first media organization’s tips page again.

So the FBI got a search warrant issued to Dropbox, demanding all the files and other information stored in Winner’s account, as well as “any messages, records, files, logs, or information that have been deleted but are still available to Dropbox, Inc.” Dropbox gave the FBI a thumb drive containing that data.

They also got a search warrant issued to Google, demanding nearly everything stored in Winner’s account, including:

• All the messages in her Gmail account.

• Her Google search history.

• Her location history.

• All of her web browser activity that could be identified based on web browser cookies (this could possibly include a list of every webpage she visited that used the Google Analytics service).

• Backups of her Android phone.

Based on metadata that the FBI got from its previous court order to Google, the bureau learned about a new, separate Google account that it suspected Winner used, which it hadn’t previously known about. The search warrant demanded data from this other account as well. Google gave the FBI “electronic files in excess of 809mb (compressed)” of data from Winner’s two Google accounts.

The FBI also extracted data from her laptop. It discovered that she had downloaded Tor Browser on February 1, 2017, and had used it in February and March. The FBI also discovered a note saved to her desktop that contained the username and password for a small email company called VFEmail, and so it got another search warrant demanding a copy of everything in the VFEmail account as well.

Winner was found guilty and sentenced to five years in prison, the longest sentence ever given to an alleged journalistic source by a federal court. The Intercept’s parent company, First Look Media, contributed to Winner’s legal defense through the Press Freedom Defense Fund.

TheIntercept_Surveillance_Office_Fin02B_web-1564422780
Illustration: Owen Freeman for The Intercept
During Terry Albury’s distinguished 16-year counterterrorism career at the FBI, he “often observed or experienced racism and discrimination within the Bureau,” according to court documents. The only black FBI special agent in the Minneapolis field office, he was especially disturbed by what he saw as “systemic biases” within the bureau, particularly when it came to the FBI’s mistreatment of informants. In 2018, the Justice Department charged Albury with espionage for leaking secret documents to a news organization, reportedly The Intercept, which in early 2017 published a series of revelations based on confidential FBI guidelines, including details about controversial tactics for investigating minorities and spying on journalists.

Even though the FBI did not know whether the documents had been printed before being shared, it was not hard to track down who had accessed them. The FBI identified 16 people who had accessed one of the 27 documents that the media organization published on its website. They searched all 16 of those people’s work computers, including Albury’s, and found that his computer had also accessed “over two-thirds” of the documents that were made public.

According to court documents, the FBI used a variety of activities on Albury’s computer as evidence against him: exactly which documents he accessed and when, when he took screenshots, when he copied and pasted these screenshots into unsaved documents, and when he printed them. For example, on May 10, 2016, between 12:34 p.m. and 12:50 p.m., Albury accessed two classified documents. Nineteen minutes later, he pasted two screenshots into an unsaved Microsoft Word document, and over the following 45 minutes, he pasted 11 more screenshots into an unsaved Excel document. Throughout the day, he accessed more secret documents, pasting more screenshots into the Excel document. At 5:29 p.m., he printed it and then closed the document without saving it.

And it wasn’t just his work computer that was under surveillance. Using a closed-circuit video surveillance system in his workplace, the FBI captured video of Albury. On June 16, August 23, and August 24, 2017, the system recorded Albury holding a silver digital camera, inserting “what appeared to be a digital memory stick” into it, and taking photos of his screen. On all three days, the court documents say, Albury was viewing documents on his computer screen.

“It became a human rights thing for him,” Albury’s wife said in a court document requesting a lenient sentence, “the mistreatment and tactics that were used by FBI and how he was a part of it.” Albury, who is 40 years old, pleaded guilty and was sentenced to four years in prison and three years of supervised release.

Services like Signal and WhatsApp have made it simple for journalists to communicate securely with their sources by encrypting messages so that only the phones on either side of the conversation can access them and not the service itself. (This isn’t true when using non-encrypted messaging services like Skype and Slack, direct messengers on Twitter and Facebook, or normal text messages and phone calls.) However, encrypted services don’t protect messages when a phone gets physically searched and the user hasn’t deleted their message history. This was made exceedingly clear on June 7, 2018, when the Justice Department indicted former Senate Intelligence Committee aide James Wolfe for making false statements to the FBI.

According to court documents, Wolfe had told FBI leak investigators that he had not been in contact with journalists. But the indictment against Wolfe quoted the content of Signal conversations he’d had with journalists. It doesn’t mention how the FBI obtained these messages, but the only reasonable conclusion is that agents found them when they searched his phone.

“I don’t think there’s a case that I’m not going to be discovered in the fullness of time,” Edward Snowden said from a hotel room in Hong Kong before he publicly came forward as the source.

In addition to obtaining his Signal messages, the FBI searched Wolfe’s work email and found messages he’d traded with a journalist. The FBI knew about physical meetings he’d had with journalists and where they had occurred. They mention hundreds of text messages he’d exchanged with journalists, which journalists he’d talked to on the phone, and for how long.

During the same investigation, the Justice Department sent court orders to Google and Verizon to seize years’ worth of phone and email records belonging to New York Times national security reporter Ali Watkins, who had previously worked for BuzzFeed News and Politico. The FBI was investigating Watkins’s source for a BuzzFeed article about a Russian spy trying to recruit Trump adviser Carter Page. The seized records went all the way back to when Watkins was in college. This was the first known case in which the Trump administration went after a reporter’s communications.

Wolfe pleaded guilty to lying to investigators about contacting the media and was sentenced to two months in prison and a $7,500 fine.

Even without physically searching a phone, the FBI can obtain real-time metadata, who sends messages to whom and when, for at least one encrypted messaging app. This happened in the case of Natalie Mayflower Sours Edwards, a senior official with the Treasury Department’s Financial Crimes Enforcement Network, or FinCEN. At the end of 2018, the Justice Department indicted Edwards for allegedly providing a journalist, widely reported to be BuzzFeed News’s Jason Leopold, with details about suspicious financial transactions involving GOP operatives, senior members of Trump’s campaign, and a Kremlin-connected Russian agent and Russian oligarchs.

According to court documents, the FBI got a “judicially-authorized pen register and trap and trace order” for Edwards’s personal cellphone. This is a court order that allows the FBI to collect various types of communication metadata from the phone using a range of techniques — ordering third parties to hand over this metadata, for instance, or using a device such as a StingRay, which simulates a cellphone tower in order to trick phones into connecting to it so they can be spied on.

Using this court order, the FBI was apparently able to gather real-time metadata from an encrypted messaging app on Edwards’s phone. For example, on August 1, 2018, at 12:33 a.m., six hours after the pen register order “became operative” and the day after BuzzFeed News published one of the articles, Edwards allegedly exchanged 70 encrypted messages with the journalist. The following day, a week before BuzzFeed News published another story, Edwards allegedly exchanged 541 encrypted messages with the journalist.

The FBI also extracted data from Winner’s laptop. It discovered that she had downloaded Tor Browser on February 1, 2017, and had used it in February and March.

The court documents don’t name the messaging app that was used, and it’s not clear how the government obtained the metadata. However, it could not have gotten the metadata by directly monitoring the internet traffic coming from Edwards’s phone, so it is most likely that the government ordered a messaging service to supply real-time metadata, and the service complied.

Moxie Marlinspike, the founder of Signal, said his app wasn’t responsible. “Signal is designed to be privacy-preserving and collects as little information as possible,” Marlinspike told The Intercept. “In addition to end-to-end encryption for every message, Signal does not have any record of a user’s contacts, the groups they are in, the titles or avatars of any group, or the profile names or avatars of users. Even GIF searches are protected. Most of the time, Signal’s new Sealed Sender technology means that we don’t even know who is messaging who. Every government request we’ve ever responded to is listed on our website along with our response, in which it’s possible to see that the data we’re capable of providing a third party is practically nothing.”

A spokesperson for WhatsApp said that they can’t comment on individual cases and pointed to a section of its frequently asked questions about responding to law enforcement requests. The document states that WhatsApp “may collect, use, preserve, and share user information if we have a good-faith belief that it is reasonably necessary” to “respond to legal process, or to government requests.” According to Facebook’s transparency report, which includes requests for WhatsApp user data, during the last half of 2018, which was when the pen register order against Edwards’s phone became operational, Facebook received 4,904 “Pen Register / Trap & Trace” requests, asking for data from 6,193 users, and responded with “some data” to 92 percent of the requests.

A spokesperson for Apple declined to comment but referenced the section of its legal process guidelines about the type of data related to iMessage that Apple can provide to law enforcement. “iMessage communications are end-to-end encrypted and Apple has no way to decrypt iMessage data when it is in transit between devices,” the guidelines state. “Apple cannot intercept iMessage communications and Apple does not have iMessage communication logs.” Apple does, however, acknowledge having “iMessage capability query logs,” which indicate that an app on one user’s Apple device has begun the process of sending a message to another user’s iMessage account. “iMessage capability query logs do not indicate that any communication between users actually took place,” the guidelines say. “iMessage capability query logs are retained up to 30 days. iMessage capability query logs, if available, may be obtained with an order under 18 U.S.C. §2703(d) or court order with the equivalent legal standard or search warrant.”

The FBI also ordered Edwards’s personal cellphone carrier to hand over her phone records; the bureau did the same with a colleague of hers, whom it referred to as a “co-conspirator.” The FBI obtained a search warrant for Edwards’s personal email account, mostly likely Gmail, and from that, accessed her “internet search history” records (she is accused of searching for multiple articles based on her alleged leaks shortly after they were published). The FBI got a search warrant to physically search her person, and it seized a USB flash drive, as well as her personal cellphone. According to the criminal complaint, the flash drive contained 24,000 files, including thousands of documents describing suspicious financial transactions. The bureau extracted the messaging app data from her phone, allowing agents to read the content of the messages she allegedly exchanged with the journalist.

Edwards faces up to 10 years in prison. She has pleaded not guilty.

TheIntercept_Surveillance_Hall_Fin02B_web-1564422775
Illustration: Owen Freeman for The Intercept
Government workers are often able to access restricted documents using internal databases that they log into and search, including databases run by private companies like defense contractor Palantir. These databases track what each user does: which terms they search for, which documents they click on, which ones they download to their computers, and exactly when. IRS official John Fry had access to multiple law enforcement databases, including one run by Palantir, as well as FinCEN’s database — the same one from which Edwards is accused of leaking suspicious activity reports.

This past February, the Justice Department indicted Fry for allegedly providing details about suspicious financial transactions involving Trump’s former attorney and fixer Michael Cohen to prominent attorney Michael Avenatti and at least one journalist, the New Yorker’s Ronan Farrow. In one of these transactions, Cohen had paid $130,000 of hush money shortly before the 2016 election to an adult film actress in exchange for her silence about an affair she says she had with Trump.

On May 4, 2018, at 2:54 p.m., Fry allegedly searched the Palantir database for information related to Cohen and downloaded five suspicious activity reports, according to court documents. The same day, Fry allegedly conducted several searches for specific documents in the FinCEN database.

The FBI obtained Fry’s phone records from his personal cellphone carrier. After downloading suspicious activity reports related to Cohen, Fry allegedly called Avenatti on the phone. Later, he allegedly called a journalist and spoke for 42 minutes. The FBI then obtained a search warrant for Fry’s phone. Between May 12 and June 8, 2018, Fry allegedly exchanged 57 WhatsApp messages with the journalist. After the article was published, he allegedly texted, “Beautifully written, as I suspected it would be.” The journalist’s cellphone number was allegedly in Fry’s cellphone contact list.

Fry faces up to five years in prison. He has pleaded not guilty.

Daniel Hale was ideologically opposed to war before he joined the military in 2009, when he was 21 years old, but he felt he had no choice. “I was homeless, I was desperate, I had nowhere else to go. I was on my last leg, and the Air Force was ready to accept me,” he said in “National Bird,” a 2016 documentary about drone warfare whistleblowers.

He spent the next five years working in the drone program for the NSA, the Joint Special Operations Task Force in Afghanistan, and as a defense contractor assigned to the National Geospatial-Intelligence Agency. His job included helping identify targets to be assassinated.

Hale is also an outspoken activist. “The most disturbing thing about my involvement in drones is the uncertainty if anybody that I was involved in kill[ing] or captur[ing] was a civilian or not,” he said in the film. “There’s no way of knowing.”

In May, the Justice Department charged Hale with espionage for allegedly leaking classified documents related to drone warfare to a news organization identified by Trump administration officials as The Intercept, which published a series of stories in 2015 that provide the most detail ever made public about the U.S. government’s assassination program.

“The most disturbing thing about my involvement in drones is the uncertainty if anybody that I was involved in kill[ing] or captur[ing] was a civilian or not. There’s no way of knowing.”

“In an indictment unsealed on May 9, the government alleges that documents on the U.S. drone program were leaked to a news organization,” Intercept Editor-in-Chief Betsy Reed said in a statement about Hale’s indictment. “These documents detailed a secret, unaccountable process for targeting and killing people around the world, including U.S. citizens, through drone strikes. They are of vital public importance, and activity related to their disclosure is protected by the First Amendment. The alleged whistleblower faces up to 50 years in prison. No one has ever been held accountable for killing civilians in drone strikes.”

On August 8, 2014, dozens of FBI agents raided Hale’s house with guns drawn and searched his computer and flash drives. This all happened during the Obama administration, which declined to file charges. Five years later, Trump’s Justice Department revived the case.

According to court documents, investigators could see the exact search terms that Hale allegedly typed into different computers he used, one for unclassified work and the other for classified work, and when. The evidence against him includes quotes from text messages that Hale allegedly sent to his friends and quotes from text and email conversations he allegedly had with a journalist who media outlets have identified as The Intercept’s Jeremy Scahill. It describes his phone call metadata. It alleges that he went to an event at a bookstore and sat next to the journalist. All of these things occurred before he had allegedly sent any documents to the media.

Between September 2013 and February 2014, according to the indictment, Hale and the journalist allegedly “had at least three encrypted conversations via Jabber,” a type of online chat service. It’s unclear where the government got this information; it could have been from internet surveillance, from the Jabber chat service provider, or from analyzing Hale’s computer. And as in the Winner and Albury cases, the FBI knew exactly which documents Hale had allegedly printed and when. Hale allegedly printed 32 documents, at least 17 of which were later published by the news organization “in whole or in part.”

When the FBI raided Hale’s house, agents allegedly found an unclassified document on his computer and a secret document on a USB stick that Hale had “attempted to delete.” They also found another USB stick that contained Tails, an operating system designed to keep data and internet activity private and anonymous and can be booted off a USB stick, though it does not appear that the FBI gathered any data from it. In Hale’s cellphone contacts, agents allegedly found the journalist’s phone number.

Hale, who is now 32, faces a maximum of 50 years in prison. He has pleaded not guilty.

Even though the odds are stacked against sources who want to remain anonymous, it’s not hopeless. Different sources face wildly different risks. If you work for a company like Google, Facebook, or Goldman Sachs, you might be under intense scrutiny on your work devices while your personal devices remain outside the reach of your employer’s surveillance (so long as you don’t rely on services it controls to communicate with journalists). And some government sources may have ways of accessing secret documents whose disclosure is in the public interest that don’t involve generating a log entry with a time stamp and associating their username with that access.

It’s increasingly clear that the primary evidence used against whistleblowers comes from events that happened before they contacted the media, or even before they made the decision to blow the whistle. But it’s still critical that journalists are prepared to protect their sources as best as they can in case a whistleblower reaches out to them. This includes running systems like SecureDrop, which gives sources secure, metadata-free ways to make first contact with journalists and minimizes traces of the contact on their devices.

Related

The Government’s Argument That Reality Winner Harmed National Security Doesn’t Hold Up. Here’s Why.

Journalists should also take steps to reduce the amount of information about their communication with sources that tech companies can access, and that ends up on their sources’ devices, by always using encrypted messaging apps instead of insecure text messages and always using the disappearing messages feature in those apps. They should also encourage their sources not to add them to the contacts in their phone, which might get synced to Google or Apple servers.

The journalistic process of verifying the authenticity of documents also carries risk to anonymous sources, but that process is essential to establish that the material has not been falsified or altered, and to maintain credibility with readers. Authentication, which often involves sharing information about the contents of a forthcoming story with the government, is a common journalistic practice that allows the government to weigh in on any risks involved in publishing the material of which the journalist may not be aware. By turning that process into a trap for journalists and sources, the government is sacrificing an opportunity to safeguard its legitimate interests and tell its side of the story.

News organizations also need to make hard decisions about what to publish. Sometimes, they may decide that it is safer to not publish documents if the story can be reported by describing the contents of the documents and leaving it ambiguous where the revelations came from. However, these approaches diminish transparency with readers and can also limit the impact of a story, which is important to both journalists and whistleblowers. In an era when the label “fake news” is used to discredit serious investigative journalism, original source documents serve as powerful evidence to refute such charges.

Encrypted messaging apps have made significant progress in securing conversations online, but they still have major issues when it comes to protecting sources. Many, including WhatsApp and Signal, encourage users to add the phone numbers of people they message to their contacts, which often get synced to the cloud, and WhatsApp encourages users to back up their text message history to the cloud. Although Facebook, which owns WhatsApp, doesn’t have access to the content of those backed-up messages, Google and Apple do.

It’s not enough that these apps encrypt messages. They also need to do better at promptly deleting data that’s no longer needed. End-to-end encryption protects messages as they travel from one phone to another, but each phone still has a copy of the plain text of all these messages, leaving them vulnerable to physical device searches. Disappearing messages features are a great start, but they need to be improved. Users should have the option to automatically have all their chats disappear without having to remember to set disappearing messages each time they start a conversation, and they should be asked if they’d like to enable this when they first set up the app. And when all messages in a conversation disappear, all forensic traces that a conversation with that person happened should disappear too.

In an era when the label “fake news” is used to discredit serious investigative journalism, original source documents serve as powerful evidence to refute such charges.

There is also much more work to be done on protecting metadata. Signal’s “sealed sender” feature, which encrypts much of the metadata that the Signal service has access to, goes further than any other popular messaging app, but it’s still not perfect. Messaging apps need to engineer their services so that they cannot access any metadata about their users, including IP addresses. If services don’t have access to that metadata, then they can’t be compelled to hand it over to the FBI during a leak investigation.

By default, web browsers keep a detailed history of every webpage you ever visit. They should really stop doing this. Why not only retain a month of browser history by default, and allow power users to change a setting if they want more?

At the moment, Tor Browser is the best web browser for protecting user privacy. Not only does it never keep a history of anything that happens in it, but it also routes all internet traffic through an anonymity network and uses technology to combat a tracking technique called “browser fingerprinting,” so that the websites you visit don’t know anything about you either. Unfortunately, simply having Tor Browser or other privacy-specific tools installed on a computer has been used as evidence against alleged whistleblowers. This is one reason I’m excited about Mozilla’s plan to integrate Tor directly into Firefox as a “super private browsing” mode. In the future, instead of downloading Tor Browser, sources could simply use a feature built into Firefox to get the same level of protection. Maybe Google Chrome, Apple Safari, and Microsoft Edge should follow Mozilla’s lead here. (The privacy-oriented browser Brave already supports private Tor windows.)

Finally, tech giants that amass our private data through services like Gmail, Microsoft Outlook, Google Drive, iCloud, Facebook, and Dropbox should store less information about everyone to begin with, and encrypt more of the data they do store in ways that they themselves can’t access and therefore, can’t hand to the FBI. Some companies do this for certain categories of data — Apple doesn’t have the ability to access the passwords stored in your iCloud Keychain, and Google cannot access your synced Chrome profiles — but it’s not nearly enough. I’m not holding my breath.

Correction: August 8, 2019
An earlier version of this story misstated Daniel Hale’s age. He is 32, not 31.

Latest Stories

Join The Conversation