Developed in 2007, Privacy Box was inspired by an incident involving Telekom, a large German telecommunications company, which spied on journalists who were investigating the company. Jan Suhr, a member of the German Privacy Foundation, says the ensuing scandal left him and other members brainstorming about how to give journalists “a simple and secure way to do their jobs.” Privacy Box offers a private and anonymous way for people to communicate, so it’s not inherently a leak platform, but it is being used that way by 100Reporters. Privacy Box has been implemented on both a German whistleblower network and a Russian leaks website. The program is also being used by other organizations: NGOs, political parties, an anti-fascist group and an anti-nuclear energy group. Suhr says he got word that a university was using it for anonymous lecture feedback.
Here’s how it works: First, the message is encrypted and sent to the receiver. It can only be opened and made legible with a key, which is provided to the receiver. Privacy Box does not record who is doing the messaging, so it leaves no trail, but Suhr says the most secure way to use this technology is with Tor, which makes it nearly impossible to trace which computer an action is coming from by dispersing the transfer of the information across many networks. Suhr says they don’t know how often their Tor advice is heeded, since they don’t analyze their users. Most leak platforms, including WikiLeaks, encourage using their systems in conjunction with Tor, since it helps to hide not only what’s being communicated, but from where.
Honest Appalachia, the newest leak platform to make headlines, has made the use of Tor a requirement. “It’s not optional,” says Garrett Robinson, who built the site. “If you try to use [Honest Appalachia] without Tor, it will just redirect you to a page with directions on how to use it.”
Launched on January 10th, the site is focused on West Virginia, Virginia, Pennsylvania, Ohio, Kentucky, Tennessee and North Carolina. Both Robinson and cofounder Jim Tobias live in the region and feel this rural area could especially benefit from more transparency. Robinson says the biggest challenge with this work is authenticating the documents, which is why they have modeled their site around handing submissions over to journalists rather than publishing them themselves. “Journalists have a lot more experience dealing with this, so we want their help to analyze and authenticate these documents.” He says once they receive files, they will decrypt them and then go through the process of “cleaning” the file of any other identifying metadata before handing it off to journalists.
The code is open source. “A truly secure site will withstand attack,” says Robinson, and the tool can be easily replicated by running a script that installs about 80 percent of the software, leaving only the cryptography to be done manually. The hope is for others to use it to “support accountability and transparency in their communities,” but Robinson is quick to point out that Honest Appalachia doesn’t guarantee anything. “When you hear guarantees and promises in the security field, you should get concerned,” says Robinson. “You should always be reevaluating. Security is a process, not a product.”