There are other types of tools that have tried, and sometimes failed, at providing privacy and security. In 2009, a site called Haystack emerged to much buzz. Named for its supposed ability to make sensitive web searches appear innocuous to outside observers, akin to a “needle in a haystack,” it was intended to be used by Iranian dissidents to work around the state’s Internet monitoring systems. The main developer, Austin Heap, refused to make the project’s code public, his reason being that the Iranian government would then be able to circumvent the tool. But security expert Jacob Appelbaum and a team of researchers reverse-engineered the program, gaining access to the code, and found considerable security gaps, with Appelbaum tweeting that “Haystack is the worst piece of software I have ever had the displeasure of ripping apart. Charlatans exposed. Media inquiries welcome.” Eva Galperin, an activist for the EFF, says that Haystack put Iranian dissidents in “direct danger” by claiming Haystack was secure when it wasn’t. “When someone says they are going to build a tool to guarantee anonymity and privacy, they should be open and transparent about how they are guaranteeing that,” says Galperin. “This way, the open source community can try to break into it and find out what the problems are.”
Reporters Without Borders announced at this December’s Chaos Communication Congress, an annual hacker conference, that they are building a “Virtual Shelter” for censored stories and documents. Lucie Morillon, who gave the presentation, says they are working closely with security experts to build the portal, and will also be inviting them to try and “break it” before they launch, to be sure it’s secure. Morillon says the conduit, which does not have an official name as of yet, will not put up raw material; all published submissions will be accompanied by stories to contextualize the information. But another part of this project, Morillon says, is to “make censorship completely useless” through something which has been referred to as the “Streisand effect.” In 2003, Barbra Streisand sued to suppress pictures of her coastline mansion from publication, but instead drew more attention to the photos. Morillon says if someone has been arrested for publishing an article, Reporters Without Borders will be encouraging people to leak it over their portal so the organization can publicize it widely.
But it’s not always necessary to build a tool like this from scratch. 100Reporters’s technology and web developer Jonathan Hutcheson looked to use existing options when building for Whistleblower Alley. Hutcheson decided on Privacy Box, open source secure-communications software that can be customized and installed on any site. The software is distributed by the German Privacy Foundation, a nonprofit privacy advocacy group. The site’s description says Privacy Box “provides non-tracked (and also anonymous) contact forms” and is “running primarily for journalists, bloggers and other publishers.” This was exactly what Hutcheson was looking for. “It’s a one trick pony that is operated by an organization devoted to privacy,” says Hutcheson. “And one of the things that was incredibly attractive is that we didn’t actually operate it ourselves.”
Developed in 2007, Privacy Box was inspired by an incident involving Telekom, a large German telecommunications company, which spied on journalists who were investigating the company. Jan Suhr, a member of the German Privacy Foundation, says the ensuing scandal left him and other members brainstorming about how to give journalists “a simple and secure way to do their jobs.” Privacy Box offers a private and anonymous way for people to communicate, so it’s not inherently a leak platform, but it is being used that way by 100Reporters. Privacy Box has been implemented on both a German whistleblower network and a Russian leaks website. The program is also being used by other organizations: NGOs, political parties, an anti-fascist group, an anti-nuclear energy group. Suhr says he got word that a university was using it for anonymous lecture feedback.
Here’s how it works: First, the message is encrypted and sent to the receiver. It can only be opened and made legible with a key, which the receiver is provided with. Privacy Box does not record who is doing the messaging, so it leaves no trail, but Suhr says the most secure way to use this technology is with Tor, which makes it nearly impossible to trace which computer an action is coming from by dispersing the transfer of the information across many networks. Suhr says they don’t know how often their Tor advice is heeded, since they don’t analyze their users. Most leak platforms, including WikiLeaks, encourage using their systems in conjunction with Tor, since it helps to hide not only what’s being communicated, but from where.