Aid for Assad Documents showed a secret flight had ferried cash from Russia to Syrian. A shipment of attack helicopters failed to get in. (Bryan Denton / Corbis)
In November 2012, the investigative news site ProPublica published a two-part story that added an important new dimension to coverage of the civil war in Syria. It was based on documents that showed a Syrian plane had secretly flown to Moscow and returned loaded with supplies to boost the ailing Assad regime. This wasn’t humanitarian aid. It was more than 200 tons of bank notes shipped into Syria while the military fought off rebels and a deteriorating economy. Shipments of attack helicopters had apparently failed to get in, but the stories confirmed that Russian support for the Assad regime went deeper than had been publicly acknowledged.
This is the story of how ProPublica got those flight manifests, and it offers a glimpse into the complicated world of secure international reporting in the digital age.
It began in July 2012, when I was contacted via the internet by someone who got my name from a friend in the digital activism community. The person referred to himself as a “he,” though in this community people often switch genders for security. And my contact was strict in his desire for security. Our initial exchange was over a public chat, but after that we communicated almost exclusively over secure channels.
He contacted me via IRC, or Internet Relay Chat, a group-chat protocol that allows people to interact on a remote server. People adopt nicknames, which my source had as well, that can become alternative identities, carrying their own reputations and status in the digital realm, and becoming as important to people as their legal names. IRC has been around for slightly less than 30 years and is still the favorite tool of developers, network administrators, and the more technically capable in international hacktivist groups like Anonymous. I was a regular in these chat groups, but my source was not willing to discuss what he wanted to talk to me about on the open internet.
I gave him my Jabber address: firstname.lastname@example.org. It looks like an email, but isn’t. It is a Jabber, or XMPP, server where I am registered as quinn. If you point your Jabber software at that address, it will connect with your XMPP server, which forwards the message to my server (jabber.ccc.de), which then forwards it to me. Jabber itself isn’t encrypted, but there’s a popular plug-in called OTR (Off The Record) Messaging that puts a layer of encryption into the instant messaging. This way, my source’s server and my server would know we were talking, and no one could see what we were saying.
The manifests didn’t just show odd cargo, but an odd flight path that dodged around Turkey.
He told me he had documents he was interested in getting to the press, and wanted my help. Many people in the communities I work with knew that I had brokered such deals before. I couldn’t deal with large document sets myself, but the newsrooms that can typically don’t have my connections or knowledge of secure communications. Even so, these data deals were mostly unsuccessful. Often what a source leaked to me wasn’t newsworthy, and sometimes when it was, trying to hand large data sets to a news organization fails to produce any worthwhile results. I didn’t have high expectations. But what my source told me next astounded me: He had backdoor access to the mail servers at four Syrian embassies. And it was ongoing access, not just a one-time email dump.
A backdoor meant that without the Syrians knowing it, he was quietly taking a copy of every email they sent or received. He gave me a sample of the data to prove his claim. He had encrypted an archive of the emails, given the file an innocuous name, and uploaded it to a free file-sharing site. The files were now on the public internet, but because they were encrypted, that was okay. Without the password we’d shared over our encrypted chat, no one could do anything with the scrambled text.
My source practiced careful operational security, or opsec. When he connected to servers, whether for the Syrian emails or for our chats, he did so over Tor—an open-source private network that hides the user’s IP address. No one could locate where he was coming from. As the known party in this exchange, I didn’t need to use Tor. My name was likely to be on an article eventually. Had I needed to hide that my source was talking to a journalist, Tor would have been my method of choice.