The Washington Post and other media organizations have launched Web pages outlining ways you can leak information to them confidentially. Brendan Smialowski/AFP/Getty Images hide caption

The Washington Post and other media organizations have launched Web pages outlining ways you can leak information to them confidentially.

There was a time when a whistleblower had to rely on the Postal Service, or a pay phone, or an underground parking garage to leak to the press.

This is a different time.

A renewed interest in leaks since Donald Trump's surprise election victory last fall, and a growth in the use of end-to-end encryption technology, have led news organizations across the country to highlight the multiple high-tech ways you can now send them anonymous tips.

The Washington Post, The New York Times, and ProPublica have launched Web pages outlining all the ways you can leak to them. ProPublica highlights three high-tech options on its page (in addition to the Postal Service): the encrypted messaging app Signal, an encrypted email program called PGP (or GPG), and an anonymous file sharing system for desktop computers called SecureDrop. The Washington Post goes even further, highlighting six digital options.

Jeff Larson, a reporter at ProPublica, says of all this, "We're living in almost a golden age for leaks."

Some tools like SecureDrop, created by the Freedom of the Press Foundation, were made just for newsrooms to accept anonymous tips. Others, like Signal, the premier encrypted messaging app on the market right now, were created with a different, and more universal purpose.

Moxie Marlinspike, one of the creators of Signal, says it's for everyone who might not be aware that a lot of their communication might not actually be private.

"What we're really trying to do is bring people's existing reality in line with people's expectations," Marlinspike says. "Most of the time when people send someone a message, their assumption is that that message is only visible to themselves and the intended recipient. It's always disappointing when that turns out not to be true."

SecureDrop, created by the Freedom of the Press Foundation, was designed for newsrooms to accept anonymous tips. SecureDrop/Screenshot by NPR hide caption

Trevor Timm, executive director of the Freedom of the Press Foundation, says newsrooms' and leakers' reliance on these tools also speaks to a new reality.

"We're living in a golden age of leaks but we're also living in a golden age of surveillance," Timm says. "It is very easy for the government, for example, to subpoena a Google, or a Verizon, or an AT&T to get a journalist's phone records, or email records, that tells them who they talked to, when they talked to them, and for how long. Over the past 8 or 10 years, the government has been able to prosecute a record number of journalists, and the primary way they've been able to do this is because of their increased surveillance capabilities."

That heavier scrutiny of the press and its sources has come from both sides of the aisle. This month, President Trump directed the Justice Department to investigate what he calls "criminal leaks" coming from the federal government, and in a speech Friday at the Conservative Political Action Conference, he said journalists should not be allowed to use unnamed sources.

The Obama administration used the Espionage Act multiple times to prosecute leaks (more than any other administration according to PolitiFact), as well as secretly seizing Associated Press reporters' phone records.

While many encryption apps are used to bypass such surveillance of communications between leakers and the press, some apps are being used by staffers within the government to communicate with each other. A recent Washington Post article stated that some White House staffers are relying on an encrypted messaging app called Confide to communicate with each other without using official phones or email, out of a fear of leaks.

But using an app like that to make official White House communications private raises red flags for Chris Lu, former Deputy Labor Secretary under President Barack Obama.

"At the White House and at the Department of Labor," Lu says, "we were given very clear training and guidance about the Presidential Records Acts and maintaining documents." The Washington Post story, he says, "instantly raised red flags whether it was in compliance with the Presidential Records Act. And it clearly is not." (That law is meant to ensure that communications in the White House are maintained for historical purposes.)

Confide CEO Jon Brod says his company advises all users to follow the rules of their employers, if they're using Confide to talk to coworkers.

"There are certain industries and sectors where specific people and certain types of conversations are regulated," Brod says, pointing to financial services, health care, and parts of the government. "If you are in one of those industries or sectors, it's important that you use Confide in a way that conforms to any of those regulations that may be relevant to you."

Of course, the legality and ethics of such communications between government workers, as well as between the press and government leakers, often depends on who you ask.

For Moxie Marlinspike of Signal, there is no question on one thing: whether or not apps such as his are good for society. "I think what we're seeing is things like Signal almost democratizing that ability (to leak)," he says. "So people who are not necessarily at these high-level posts, but just ordinary workers, are able to communicate what's going on to people outside of government. If you're the director of the CIA, you don't need Signal."

But with the growth of apps like Signal and encryption technology, there might not ever be a way to tell just how ubiquitous all this high-tech leaking becomes. Often the data is so secret that there are few metrics to read, if there are any at all. "We don't have any information about our users," Marlinspike says. "That's how end-to-end encryption works: Even us, we don't have that kind of information."

The rest is here:
How The Media Are Using Encryption Tools To Collect Anonymous Tips - NPR

Poisonous political divisions have spawned an encryption arms race across the Trump administration, as both the presidents advisers and career civil servants scramble to cover their digital tracks in a capital nervous about leaks.

The surge in the use of scrambled-communication technology enabled by free smartphone apps such as WhatsApp and Signal could skirt or violate laws that require government records to be preserved and the publics business to be conducted in official channels, several ethics experts say. It may even cloud future generations knowledge of the full history of Donald Trumps presidency.

Story Continued Below

The operative word is accountability. You cannot hold an agency or someone accountable if records are not kept and made available, said John Carlin, a former Democratic Kansas governor who served as the archivist of the National Archives from 1995 to 2005. If there is a hearing or investigation someday and no access to records, there is not much you can do.

White House press secretary Sean Spicer has pointedly warned his staff that using encrypted apps would violate a law requiring the preservation of presidential records, POLITICO reported Sunday.

Conservative advocacy groups also denounce the use of encrypted technologies by career employees, comparing it to Hillary Clintons use of a private email server when she was secretary of State. The House Science Committee has demanded an inquiry into the use of encryption by employees at the Environmental Protection Agency although it has shown no similar curiosity about use of encryption in the White House.

Its stunning that its still going on in light of the Clinton email scandal, said Judicial Watch President Tom Fitton, who has been critical of the use of encrypted messaging by both civil servants and the White House. Its no different than what she was doing.

Defenders of federal workers say interest in encryption has skyrocketed as career employees ponder how to respond to an administration they fear will break the law and punish dissent in pursuit of a radical agenda. Jon Brod the co-founder of Confide, a company that offers an encrypted messaging program of the same name said the company has seen a surge in use of its app following the election.

People in the government are finding many uses for encryption, including internal conversations and leaks to the news media.

More than 70 workers from several agencies are using encrypted cellphone apps to arrange nighttime and weekend meetings at homes in the D.C. area to discuss their potential resistance to Trump, said Danielle Brian, executive director of the Project on Government Oversight.

She said the employees want to know what to do if they see something illegal happening at their agencies, how to report misdeeds to Congress or inspectors general, and what is protected under whistleblower laws. The demand is so great that POGO plans to hire a full-time employee to train workers across the country on how to report problems, keep their jobs and use encrypted messages to communicate and organize outside of work.

In addition to the EPA, employees at the State Department, the Department of Homeland Security, the Department of Transportation and other agencies are using encrypted messaging apps, POLITICO has learned.

We are responding to an increasing level of anxiety in the federal workplace about free speech rights and civil liberties, said POGO's Brian, who has attended three private sessions to offer advice on government workers legal protections. This is a whole new world for us.

Federal workers told POLITICO they've adopted encrypted apps because they fear being targeted by Trump's political allies.

"Its very scary," one career civil servant said in an interview, requesting anonymity to avoid possible retaliation. "You dont know who to trust.

Trump has made no secret of his desire to uncover the sources of the many leaks that have roiled the first month of his presidency. The spotlight has finally been put on the low-life leakers! he wrote on Twitter earlier this month. They will be caught!

The hunt for leaks has swept up the White House communications staff, where Spicer has begun quietly cracking down on the use of encrypted apps. POLITICO reported Sunday that Spicer recently checked White House staffers phones and warned them against using apps like Confide, which deletes messages as soon as theyre read, and Signal, which also has an optional setting to automatically delete messages.

The crackdown came after some political appointees in Trumps White House began using the encrypted apps so they can have covert conversations with journalists and their colleagues. But it remains unclear if top White House officials can completely halt the use of the apps. And at least some staff were still using them as of earlier this month, sources say.

"To my knowledge, no one in the [White House] is using the Confide app or any other similar app and we go to great lengths to preserve all records," a White House official told POLITICO in an email late last week.

However, a BuzzFeed reporter determined that Spicer and White House aide Hope Hicks had once downloaded the Confide app, the site reported this month after using a feature that lets users find contacts who have already signed up. Spicer told BuzzFeed he used Confide only once "months ago."

The White House official told POLITICO that Hicks "does not use the app and deleted it from her phone." The official did not respond to follow-up questions about how the White House knows other staff aren't using the app.

Trump staffers are keenly aware of the risks of their internal communications going public, having faced widespread leaking from their own ranks during the campaign and having seen the damaging fallout from last year's dumps of hacked emails from Democrats such as Clinton campaign chairman John Podesta.

Yet ethics experts argue that the use of encrypted messaging apps by White House staff for official business would be a clear violation of the law. "At a minimum, the White House ought to explain what record preservation steps it is taking," said Norm Eisen, former ethics czar under ex-President Barack Obama and co-founder of the group Citizens for Responsibility and Ethics in Washington. "If they refuse to answer those questions, it is fair to assume they are at risk of violating the law."

For both the Trump team and the career employees, encrypted apps like Signal, WhatsApp, Confide and Wickr make it easier to communicate in secret by leaving would-be snoops with unreadable strings of text thwarting any hackers or government investigators who might get hold of the messages. Thats on top of the strong encryption offered by devices such as the latest iPhones, which the FBI has complained it cant crack even in drug or terrorism investigations.

Its unclear whether the career employees are breaking any laws. While it is illegal for federal employees to hold secret discussions to conduct government business, several workers insisted in interviews that they use the apps only for personal communications.

A spokeswoman at the National Archives, which maintains the governments records, said in an email that personal opinions by and between agency employees, even about senior agency officials, would not likely meet the definition of a federal record that must be preserved.

But experts say the nature of encryption technology makes it difficult to tell what the employees are discussing. Conservative groups are exploiting that fact to target federal workers who are critical of Trump.

"Any effective regulation of federal employee behavior is heavily predicated on learning that that misconduct has occurred, said Dan Metcalfe, the former director of the Justice Departments Office of Information and Privacy, who spent more than two decades guiding federal agencies on Freedom of Information Act issues. Thats the only way you can regulate it after the fact.

White House staffers are bound by the Presidential Records Act, a post-Watergate law that requires the preservation of official government records. It allows public access to those documents after a waiting period that can stretch from five to 12 years.

Other federal employees must abide by the Federal Records Act, which similarly requires the preservation of government documents. But the law allows more speedy public access to those documents through Freedom of Information Act requests.

The Federal Records Act was amended in 2014 to include all electronic messages, including text messages, voice mails and messaging apps. July 2015 guidance to federal agencies from the National Archives specifically mentions WhatsApp as an example of an application whose messages must be preserved if they pertain to government business.

But even if the technology is new, attempts to skirt federal records laws arent.

This is just another variation on the theme, Fitton said about the use of encrypted messaging apps to communicate. Its not a new issue issue. Its just a new flavor. It doesnt matter the technology because the agencies are required to maintain these records. You can delete text messages and emails too.

Staffers in Republican and Democrat administrations alike often keep sensitive information out of emails, preferring phone conversations, which largely arent subject to record keeping laws. The Reagan, George H.W. Bush and Clinton administrations strongly resisted calls to preserve their email records (the Reagan White House adopted a rudimentary form of email in the 1980s), resulting in a years-long legal battle.

George W. Bush administration officials faced criticism for using non-government email accounts. And Obama administration officials were caught using alternative email addresses that obscured their identities.

Indeed, resistance to preserving records dates back to the early days of the country. Martha Washington and Thomas Jefferson famously burned their correspondence with their spouses, for example, keeping many of their private thoughts out of reach of later generations.

But the wide availability of encrypted messaging makes secrecy easier than ever.

Its certainly easier to circumvent public records laws in a written format now than it ever has been, said Mark Rumold, a senior staff attorney at the Electronic Frontier Foundation, a nonprofit group that pushes for government transparency.

Republicans in Congress are increasingly frustrated, worrying that career employees are secretly undercutting Trumps policies.

After POLITICO reported this month that several EPA employees were using Signal, House Science Chairman Lamar Smith (R-Texas) asked the agencys inspector general to look into the issue. Several right-leaning groups have filed FOIA requests seeking EPA employees communications using Signal.

But Smith and other Republicans have not publicly committed to investigate encryption at the White House. A spokeswoman for Rep. Jason Chaffetz (R-Utah), chairman of the House Oversight Committee, declined to comment when asked whether he is looking into the issue.

Some Democrats counter that federal workers should be protected, citing whistleblower laws that shield workers from retribution if they report law-breaking or gross mismanagement.

Reps. Ted Lieu (D-Calif.) and Rep. Don Beyer (D-Va.) even released a guide that underscores federal workers rights. The guide appears to endorse the use of encrypted apps, calling them a safe bet.

In an interview, Lieu said, I just want to make clear to federal employees, Congress passed an entire law protecting whistleblowers."

Tim Starks contributed to this story.

Read more here:
Trump inspires encryption boom in leaky DC - Politico

Google

Google has announced that E2EMail, an experimental end-to-end encryption system, has now been given to the open-source community with no strings attached.

Whether you are concerned about government surveillance and spying, man-in-the-middle (MiTM) attacks by threat actors or you are an enterprise player with the need to keep communications as secure and private as possible, end-to-end encryption is viewed as a method to prevent snooping.

Not every email service provider offers end-to-end encryption -- the best-known being PGP -- although, in the wake of former NSA contractor Edward Snowden's disclosures concerning the mass-spying efforts of the US government, more services have popped up or increased in popularity, including ProtonMail, Wire, WhatsApp, and Signal.

As we become more concerned with digital threats and surveillance, everything from email services to apps and social network chats is being locked up with cryptographic methods.

However, end-to-end encryption is yet to reach a wider audience -- and this is where Google intends to make a difference.

Last week, Google engineers KB Sriram, Eduardo Vela Nava, and Stephan Somogyi said in a blog post that as part of the tech giant's End-to-End research efforts, E2EMail is going open-source.

Built on the Javascript crypto library developed at Google, E2EMail offers a way to integrate OpenPGP into Gmail via a Chrome Extension while keeping cleartext of messages exclusively on the client.

Google is keen to emphasize that E2EMail is not a Google product, but thanks to the efforts of security engineers from across the spectrum, it is now a "fully community-driven open-source project."

The current form of E2EMail is rather bare when it comes to keyserver testing. However, Google's Key Transparency, made available earlier this year, may improve the security of the service far beyond its current incarnation.

"Key discovery and distribution lie at the heart of the usability challenges that OpenPGP implementations have faced," Google's engineers say. "Key Transparency delivers a solid, scalable, and thus practical solution, replacing the problematic web-of-trust model traditionally used with PGP."

"We look forward to working alongside the community to integrate E2EMail with the Key Transparency server, and beyond," the team added.

See also: Linus Torvalds on SHA-1 and Git: 'The sky isn't falling'

If you're interested, you can check out the e2email-org/e2email repository on GitHub.

Last week, Google gave the "Upspin" project to the open-source community. Upspin aims to reduce the fragmentation of current services such as Dropbox, Google Storage and Apple's iCloud and the amount of time wasted on "multi-step copying and repackaging" by creating a global namespace for files. Upspin is a set of protocols and standards which puts secure sharing at the forefront and is enabled with end-to-end encryption by default.

See the original post:
Google End-to-End encrypted email code goes open-source - ZDNet

Every company I speak with is throwing the kitchen sink at protecting their network from external attackers, data breaches and mobile device loss. At the heart is the fundamental point that we all must accept: that where once corporate data sat ring-fenced on a server, it is now dispersed geographically, across many different devices, and moving all the time.

As IT and security professionals we keep battling with the need to keep the drawbridge down, but stop the baddies getting in, and ensure soldiers (data) outside the castle walls are safe.

Encryption has played a key role in protecting data for a long time. Thousands of years before the computer appeared there were Hebrew mono-alphabetic substitutions, and of course the use by the Romans of ciphers, being just a couple of examples. Yet despite its clear benefits in protecting against prying eyes, for a long time it fell out of favor.

Certainly, in early computing it was a complete pain to work with, and some might use stronger language than that! Whilst vendors eventually got their heads around making it more usable, the world moved on, and the problem is no longer simply about protecting data at point A.

Precisely because of the problems we laid out earlier the need to manage encryption across devices, locations and users have become an IT imperative. Any security professional knows that complexity leads to risk, and that spells danger for the enterprise. Not just from invaders, but risks of regulatory non-compliance, accidental data breaches, or simply the loss of a smartphone.

The challenge therefore has become to simplify the security landscape in the organization, without compromising on protection. In the case of encryption, this means being able to manage encryption across on-premise, cloud, hybrid-cloud and a myriad of devices, as well when it is with users who may not belong to your company.

Centralized encryption management solves the problem by ensuring keys are controlled from one point, and more importantly the keys themselves are stored outside the organization: after all there is no point locking your data in a box, but leaving the key in the lock!

This alone is not enough in the modern enterprise, you need to be able to manage that same encryption across cloud services, virtual machines and resources that you do not own. Its important to ensure that when you look at choosing an encryption provider that you consider this reality, otherwise you leave yourself greatly exposed.

Encryption is here to stay, it is the last line of defense when a breach occurs, whatever action caused it, invader or accident. With so much at stake for a business in terms of reputation damage, regulatory fines, and ultimately the bottom line, centralized encryption management is the route to bringing clarity to effective encryption. Remember, nobody ever got fired for implementing encryption, but they probably did for mismanaging it.

Read the original:
Decipher your Encryption Challenges - Infosecurity Magazine

Even Aadhaar sceptics would do well to keep in mind that, while a criminal complaint has been filed against Axis Bank, Suvidhaa Infoserve and eMudhra for allegedly storing biometrics. (Source: Reuters)

Even Aadhaar sceptics would do well to keep in mind that, while a criminal complaint has been filed against Axis Bank, Suvidhaa Infoserve and eMudhra for allegedly storing biometrics and using them in an unauthorised manner, it was UIDAI that discovered the irregular transactions and reported them to the Delhi Polices cyber cell and, pending a probe, all transaction requests from these organisations have been put on hold. If the UIDAI system is able to detect fraud, as the banks did when they found millions of debit/credit cards had been compromised due to a faulty switch in a payments gateway some months ago in India, presumably that would mean it was working well. Under normal circumstances, as a safety feature, every time a transaction is made like withdrawing funds from a bank and UIDAI replies to an authentication request, an SMS/email alert is sent to the subscriber.

So, why didnt UIDAI send out alerts this time around when, going by a report in The Times of India, one individual performed 397 transactions, many of which were based on biometrics that were stored locally and bunched during one week in January? Is this an example of Aadhaar being open to misuse since banks, etc, can store your biometrics and use them to illegally authorise transactions later? There have also been reports of one website publishing Aadhaar data of 500,000 minorsthis, of course, is a list of names and matching Aadhaar numbers, but does not have actual biometricsand of white-hat hackers generating iris scans from high-resolution photographs and even the possibility of data being compromised since Aadhaar registrations/verifications are typically done by several private firms.

First, as UIDAI officials point out, since the individual doing the transactions was using his own Aadhaar number, the alerts went to himto that extent, the systems first fail-safe worked. Had the stored biometrics belonged to someone else, say a reader of this newspaper, she would have got the SMS/email alerts and would have escalated matters. Two, since the authentication request, and the reply, are encrypted at a 2048-bit levelnormal encryption levels are 128 or 256UIDAI officials argue this makes the system very safe from hacking. But what of cases where the biometrics are stolen, or generated from high-resolution photographs, and then stored locally? Since security has to be an evolving feature, designed to beat threats as they occur or before they do, UIDAI plans to introduce the concept of registered devices.

You might also want to see this:

For the last few months, UIDAI has been working with vendors of biometric-capture devices to get them to install an Aadhaar-encryption key in the hardware itselfamong other things, it ensures the biometric data used is captured live and is not stored data. Last month, it was notified that, after May, no data requests will be entertained if they come from unregistered devicesexisting biometric devices, such as those in ration shops already, are to be upgraded through software right now and those bought in the future must have the necessary pre-installed keys. It is certain criminals will find smarter ways to beat the system, and UIDAI will have to keep evolving to heighten securityto the extent some beat the system, or try to, as happens in the case of bank frauds, the criminal justice system has to be used to punish them.

Please Wait while comments are loading...

Follow this link:
Axis Bank case: To make Aadhaar safe, encryption devices coming soon, more in store - Financial Express