
Justice Dept. Seizes Times Reporter’s Email/Phone Records in Leak Investigation - MBCook
https://www.nytimes.com/2018/06/07/us/politics/times-reporter-phone-records-seized.html
======
snacktaster
Reminder to NOT use any 3rd-party VPN service if you truly value your privacy.
ProtonVPN, PureVPN, Private Internet Access, etc. Do not use those services if
you're intending to do some "shady shit". I know first hand that Google has a
(semi)-automated web-based process for law enforcement to submit their
subpoenas and get the entire access history of a particular Google/Gmail
account. They don't get access to the contents of the account, but they get to
see IP addresses and user agents that accessed that account in the last N
days. A warrant to see the contents of the accounts would be trivial if the
investigators wanted to pursue it.

~~~
mirimir
That's going too far, I think. Sure, you can run your own VPN server, on an
anonymously leased and managed VPS. But then, how do you anonymously lease and
manage that VPS? As far as I know, your options are pretty much limited to VPN
services, Tor and I2P. Also, VPS traffic is readily logged by providers, so
your "anonymity" is pretty fragile.

Your best bet is distributing trust among multiple parties, such that no one
of them can compromise you. VPN use is common, so start with nested VPN
chains. Then Tor. If either the VPN chain or Tor resists compromise, then
you're still safe.

After that, you can use any PM or email that you like. Because it's not
connected to your meatspace identity. If content is end-to-end encrypted, the
provider has nothing useful to share with adversaries. You and correspondents
must, of course, avoid leaking metadata through account names and subject
lines.

~~~
TimTheTinker
> But then, how do you anonymously lease and manage that VPS?

At least on DigitalOcean, it’s possible to create an anonymous account (no
name required, not even by their TOS) connected to an anonymous email provider
and funded by a cash-purchased Visa gift card. And a $5/mo droplet running
IKEv2 VPN traffic (see Algo) is very secure and provides more than enough
bandwidth/throughput for several people.

That would only leave the traffic itself (particularly the IP address(es) that
initiate connections to your droplet). DO has a policy of not logging traffic
unless an abuse alert is triggered.

~~~
kbenson
> DO has a policy of not logging traffic unless an abuse alert is triggered.

I'd be willing to bet they log all the info about the signup process though,
including the IP address used. It's how you prevent abuse.

The question then becomes, how do you hide your IP address from the DO signup
process. I know, used a VPN! Wait a second...

~~~
sanbor
Mullvad.net (a VPN provider) gives 3 hour accounts for free. You solve a
captcha and they give you an account id to use to connect to their servers. If
you want to keep using that account id for more than 3 hours you have to add
money to that account. You can pay them in cash (they're in Sweden though) or
Bitcoin, credit card, etc. They don't even ask you for your email and they
claim to not keep logs that would allow to match an IP and a time stamp to a
user [1].

[1] [https://torrentfreak.com/vpn-services-anonymous-
review-2017-...](https://torrentfreak.com/vpn-services-anonymous-
review-2017-170304/#mullvad)

~~~
TimTheTinker
One more thought - connecting via a temporary Mullvad account from a public or
obscured entry point (perhaps during an international trip or at a McDonalds)
would probably be the most straightforward method. The worst you're giving
away is that entry point (to Sweden's loggers), but the DO/VPS fraud detection
is less likely to fire if you're going through Mullvad.

To be clear, my own goal in all of this is primarily to get through
residential ISP snooping -- I don't trust them not to sell my personal info.
Staying out of the state dragnets is also a plus (I don't like the idea of
snoops in a building somewhere reading my personal emails; same reason I close
the living room curtains in the evening).

~~~
mirimir
Yes, one can "anonymously" use WiFi APs. But it's hard to get close enough
without becoming observable. And more and more, without being videoed. I've
played with a Ubiquiti radio and parabolic antenna, and can hit APs at several
km. But then, the dish is pretty big, so you need a large window. And
unsecured APs have become harder to find.

~~~
TimTheTinker
It’s a lot easier to escape surveillance in the suburbs and rural areas. That
being said, the ratio of McDonalds franchise density to population density
goes higher the further out you go (at least in the US).

------
mirimir
> "Freedom of the press is a cornerstone of democracy," Ms. Murphy said. "This
> decision by the Justice Department will endanger reporters’ ability to
> promise confidentiality to their sources and, ultimately, undermine the
> ability of a free press to shine a much-needed light on government actions.
> That should be a grave concern to anyone who cares about an informed
> citizenry."

Sure. But Ms. Watkins could have used better OPSEC, and trained her sources to
do the same.

Edit: You can't "promise confidentiality" if you're depending entirely on the
behavior of third parties.

~~~
emidln
And government officers could not blatantly violate their oaths to defend the
Constitution.

~~~
wwweston
There's no clear claim that any such oath -- or other law or guideline -- has
been violated.

Consider this statement from Watkins' lawyer:

“It’s always disconcerting when a journalist’s telephone records are obtained
by the Justice Department — through a grand jury subpoena or other legal
process. Whether it was really necessary here will depend on the nature of the
investigation and the scope of any charges.”

It'd look different if MacDougal were confident that the DOJ had violated
process or law, including constitutional rights. As it reads, it sounds like
he recognizes that right now, there's no apparent violations, and it's
plausible that actions like this, disconcerting or not, may well be fully
legal and justified.

~~~
emodendroket
I think one could make a plausible argument for an expansionist reading of
press freedom that would cover this case.

~~~
charleslmunger
Courts have consistently held that freedom of the press means freedom of the
press-as-medium, not press-as-industry. Reporters have no more rights than you
or I. What would the rationale be?

------
rdtsc
Link to the indictment: [https://www.justice.gov/usao-dc/press-
release/file/1069836/d...](https://www.justice.gov/usao-dc/press-
release/file/1069836/download)

> The former aide, James A. Wolfe, 57, was charged with lying repeatedly to
> investigators about his contacts with three reporters. According to the
> authorities, Mr. Wolfe made false statements to the F.B.I. about providing
> two of them with private information related to the committee’s work. They
> did not say whether it was classified.

Ah interesting. They definitely have metadata but they don't have (or don't
admit to having) all the data. So they know who talked to who and when and
caught him in a lie which can end up badly. But it seems they don't know the
content so they can't say "on this day, in this message you divulged this
classified information". They disclose a few Signal messages but they were
simple like "Great job" or "I am glad I made your career" etc.

Lying to FBI is not good but disclosing classified information is even worse.
It seems in this case he is only charged with lying.

I wonder had he refused to talk to the investigators what would have happened?
Given he was an employee with clearance, did he even have a choice in saying
"I am not answering your questions, talk to my lawyer"...

> Under Mr. Obama, the Justice Department prosecuted more leak cases than all
> previous administrations combined.

I wonder if there were simply more leaks because there were more dissenters,
more media channels, more disappointed employees or those in charge ordered
more resources allocated on finding and stopping the leaks.

It is scary that they are going after and collecting all of reporter's
communication going back for years. I can imagine that would be very scary.

~~~
captain_perl
> I wonder if there were simply more leaks because there were more ...

No, Obama had a personal thing against leakers. None was too many for him. I
followed it in the news, but couldn't tell if it was motivate by being a
lawyer, so some kind of omerta.

OTOH, previous administrations used leaks as trial balloons, so had a more
balanced approach.

[https://www.theguardian.com/world/2013/oct/10/obama-leaks-
ag...](https://www.theguardian.com/world/2013/oct/10/obama-leaks-aggressive-
nixon-report-prosecution)

~~~
mistermann
Really? I'm not really a news junkie, but I can't recall a single time hearing
anything about Obama having a dispute with anyone, whereas I've heard stories
about Trump virtually every day for the last year. Maybe he's even worse than
they say?

~~~
mirimir
That's because Obama was generally careful about what he said in public.

------
zaroth
James Wolfe, 57, Director of Security of the Senate Intelligence Committee for
29 years... leaks intel on Carter Page to his “girlfriend” (she was 21 years
old at the time) at BuzzFeed, who publishes a huge scoop and lands a job at
the NYT.... [1]

Sounds like a script from House of Cards.

[1] - [https://www.nytco.com/ali-watkins-joining-washington-
bureau/](https://www.nytco.com/ali-watkins-joining-washington-bureau/)

~~~
zaroth
And just wow.... this tweet from her in 2013:

[https://twitter.com/aliwatkins/status/347800186195701760?s=2...](https://twitter.com/aliwatkins/status/347800186195701760?s=21)

------
iends
Even The Intercept got it their disclosure wrong once, and these guys are
probably the experts: [https://blog.erratasec.com/2017/06/how-intercept-outed-
reali...](https://blog.erratasec.com/2017/06/how-intercept-outed-reality-
winner.html)

But unencrypted email certainly isn't the right way to go if you're leaking.

~~~
marmshallow
Does using gmail count as unencrypted?

~~~
maxlybbert
General Patraeus was caught leaking through Gmail. And, amusingly, they didn’t
actually send the emails, they just shared an account and wrote draft emails
for the other side to read.

Granted, sharing an account with a co-writer turned out to be suspicious
behavior, but apparently the government was able to get access to the draft
emails that were under Google’s control (and I haven’t heard of any changes to
Gmail that would make it more secure now).

------
loteck
Using any electronic text messaging as a means to communicate state secrets
strikes me as lazy, regardless of encryption. Data, metadata and breadcrumbs
are left littered amongst an unknowable number of endpoints and 3rd party
servers, permanently.

Leaking state secrets isn't supposed to be easy and convenient; there's not an
app for that.

~~~
wmil
A staffer working for the Senate Intelligence Committee was dating a reporter
who was writing stories based on exclusive intelligence leaks.

They weren't exactly being super careful.

~~~
mirimir
I wonder what they were thinking. I mean, maybe something like "I'm a
reporter, so they can't ask about my sources." I'm reminded of David Petraeus
and Paula Broadwell.

~~~
creaghpatr
I bet they watched House of Cards and thought, hey it works for Zoe Barnes...

Edit: I hope she does not have the same character arc of Zoe Barnes, which I
won't spoil.

------
res0nat0r
Any idea how the DOJ got their Signal communications? I've never used the app,
but did he just not delete his messages or something stupid like that?

[https://twitter.com/mattdpearce/status/1004913094772944896](https://twitter.com/mattdpearce/status/1004913094772944896)

~~~
tptacek
The most likely explanation would be that he simply didn't delete his
messages, or have auto-delete enabled; or, perhaps, he had the auto-delete
window for these particular contacts set too long.

~~~
tuxxy
Most definitely this. Bad messenger OPSEC is a real problem, still. Just
recently Paul Manafort backed up his encrypted WhatsApp messages to iCloud,
for example.

Many users of these apps don't realize that they are opening themselves up to
security issues by performing certain behaviors. Are there any guides to good
messenger OPSEC available for the general public (or even at-risk people like
journalists or politicians?)

~~~
plorg
While it may be true that Manafort incidentally backed up WhatsApp or Signal
messages to iCloud, the FBI supporting statement in the motion to revoke
parole indicates that the messages cited were preserved by the receiving party
and voluntarily turned over to the FBI.

------
nautilus12
Im surprised that majority of the comments are about how they are dissapointed
about their carelessness and not noting that leaking classified information is
bad regardless of your ultimate aim. This is exactly what we should expect to
happen when people leak classified information regardless of your ultimate
motivation

~~~
Clubber
Dan Carlin had a podcast about this. He said something to the effect of, "what
if you had a stamp and every time you stamped something, your boss would never
find out about it. How long do you think it would take before you start
putting the stamp on your mistakes?"

What he was trying to get at is, how does a democracy function properly when
it has no idea what it's leadership is doing, because the leadership makes
everything secret and classified? It's a good question and I don't really have
an answer.

~~~
nautilus12
On the reverse side of that, how can a government function when everybody
feels like they are privy to know everything about its operations. Its like
having a meeting with too many people in the room. Nothing ever gets done.
Democracy functions in that we have a democratic process to elect those who
represent us, and at some level we need to trust them with certain elements of
operations because everyone knowing everything could cause harm in some cases.
If we dont trust who we elect to office then thats a seperate issue that we
need to tackle on its own.

~~~
Bartweiss
> _Its like having a meeting with too many people in the room. Nothing ever
> gets done._

I'm not sure I accept the metaphor - visibility is not participation. Too-
large meetings are useless because they have too many _participants_ , and
everything falls to bike-shedding. Plenty of organizations, from public
companies to the Federal Reserve, get things done with _visible_ meetings
where interested parties can't speak but do see the minutes. In my version of
the metaphor, non-secrecy is totally consistent with small-meeting democracy:
we elect people to go and represent us, but demand information about how they
did so in order to hold them accountable. (If Congress voted by secret ballot,
do you think it would represent us better or worse?)

(The question of information which is harmful to share is a fundamentally
different one than a general argument for privacy, and a much harder one.
Those cases are real, but it's also true that there's a long track record of
government claiming information is harmful to release when it's actually
embarrassing or unethical.)

> _If we dont trust who we elect to office then thats a seperate issue that we
> need to tackle on its own._

Great, we haven't tackled it, and without clear information about what
officials do it's not clear how we can.

There's never been an era of declassification and leaks where we looked around
and said "yep, everything in there looks like it was done in good faith". I'll
embrace an end to leaks around the same time they stop containing evidence
government bodies knowingly classifying horrible misdeeds.

Hell, I'd even settle for "no war crimes lately", but we haven't managed that
yet.

~~~
naasking
> I'm not sure I accept the metaphor - visibility is not participation. Too-
> large meetings are useless because they have too many participants, and
> everything falls to bike-shedding.

I was about to reply with exactly this point. Transparency does not entail
everyone gets their say, merely that the factors and interests considered in a
decision are ultimately disclosed with no secrecy. Then perhaps there can be a
public commentary period before proceeding so there is some participation, but
participation at every step isn't necessary for engendering trust via
transparency.

This obviously gets trickier on national security matters, but the judiciary
is supposed to judge what is and isn't too sensitive here. Secret court
proceedings are skirting dangerously close to crossing that line though.

------
jurassic
Maybe I'm overlooking something here, but I don't know why leakers don't just
use a forever stamp and drop something in the mail. Securing electronic
communications seems freakishly hard by comparison. Is there some reason that
is an obviously bad idea?

~~~
ipsin
Using the postal service might be lower-risk, but it's not risk free.

If you try that, don't forget about the Mail Covers [1] program.

If you're mailing a reporter at the NY Times, you're at risk if you use your
own handwriting. You might also be at risk if you use a printed label [2].

There's also the risk that your mail will be intercepted, and I wouldn't be
too shocked to discover that government agencies were selectively (or not-so-
selectively) reading our mail [3].

[1]
[https://en.wikipedia.org/wiki/Mail_cover](https://en.wikipedia.org/wiki/Mail_cover)

[2][https://www.eff.org/pages/list-printers-which-do-or-do-
not-d...](https://www.eff.org/pages/list-printers-which-do-or-do-not-display-
tracking-dots)

[3] [https://motherboard.vice.com/en_us/article/53dk3n/this-
camer...](https://motherboard.vice.com/en_us/article/53dk3n/this-camera-can-
read-a-book-without-opening-it)

~~~
slededit
Its really sad how low trust in the rule of law has become. US Mail used to be
sacrosaint. Damaging a mailbox is a felony to give an idea of how strong the
law is in this area.

------
cm2187
Interesting to see this shortly after the release of the movie The Post. Obama
attempted something similar. Basically Nixon had more respect for the
independence of the press than current administrations.

------
geofft
Apparently this reporter was at BuzzFeed (not NYTimes) at the time of the
messages.
[https://twitter.com/BuzzFeedBen/status/1004904034132725760](https://twitter.com/BuzzFeedBen/status/1004904034132725760)

------
huy-nguyen
Who in their right mind would communicate confidential info to a reporter via
email and what kind of reporter would allow their sources to do that? The
minimum acceptable way to do this is end-to-end encrypted messages via Signal
or GPG-encrypted emails via a service in a jurisdiction beyond the FBI’s reach
(e.g ProtonMail).

~~~
uabstraction
The Times provides the information necessary to do just this right on their
tips page, including instructions for PGP, WhatsApp, Signal, and SecureDrop.

One would hope that serious whistleblowers would heed these instructions.

~~~
zer00eyz
Everyone needs these directions, they need to be clear and followable to the
letter with ease.

It doesn't matter how competent you are, if your blowing the whistle then you
not want the slightest chance of making a mistake - got to be a high stress
situation, someone holding your hand through a critical portion makes sense to
me.

------
eli
The indictment talked mostly about using Signal so the comments here making
fun of using email seem unfair.

~~~
tptacek
If, as seems likely, the messages were revealed because they weren't auto-
deleted, then the flak email takes is especially well deserved. People are bad
at deleting IM messages (even with apps like Signal that will auto-delete them
if you ask). But scrubbing an email conversation is actually challenging, and
people are notoriously bad at it. Email gets archived, and email replies and
threads repeatedly quote and repeat fragments of the conversation; we've all
read email "discussions" that were a single message with a long quote history
in it.

~~~
statictype
>we've all read email "discussions" that were a single message with a long
quote history in it.

Those emails are notorious for leaking information - especially when you loop
someone external in and forget to scrub the long 3 month-long trail at the
bottom.

------
WindowsFon4life
More of the same from the last 9 years.

~~~
SlowRobotAhead
Sort of. But I think it’s important to note how many people were applauding
the seizure of communications when the target was Trump’s lawyer...

------
JumpCrisscross
Is there a material downside to the _Times_ switching external e-mails to E2E
encrypted and to be deleted after N months?

~~~
wmf
Johnny can't encrypt so their sources would probably still send them
unencrypted email.

------
olliej
Well that’s not at all disconcerting.

~~~
oh_sigh
If you're only feeling unsettled now, then you haven't been paying attention.
The previous administration waged a similar war on leakers and their journo
contacts since at least 2012.

------
notveryrational
Anyone know what she was reporting on that caused the Justice Department to
censor the coverage?

------
_Codemonkeyism
Send a letter.

~~~
_Codemonkeyism
I would leak printed documents - preferably not with a Laserjet - by sending
them, not sent from my hometown but random (does this make it less secure?
pattern detection? gas stations linked to my VISA?) towns. And make sure -
difficult (re-OCR to text? high contrast?) - they are not marked (dot-marked,
whitespace-marked, font-marked, ...) to me.

I'd prefer that way to any long chain of online trusted systems of which only
one needs to leak. To me digital OpSec feels more difficult to maintain.

Add a printed PGP key and the reporter can post more questions online on their
homepage (could the NSA detect cut&paste? JS-events with injected JS?).

------
arosier
Times, let me introduce you to ProtonMail.

------
oh_sigh
Pretty cheeky to be the director of security and be leaking to a reporter that
you're fucking.

What is the correct way for the USG to behave in this manner? Some people are
upset that they seized her communications, but what other choice is there?
Just let leaks go unpunished? Or should senate aides et al sign a 'no privacy'
agreement, where the USG can do whatever they want to intercept their
communications at all points?

~~~
jonstewart
They could have just revoked his security clearance, forcing him to resign.
Think about the resources being expended on criminal prosecution of lying to
the FBI.

~~~
cycrutchfield
It's meant to act as a deterrent. Nail one leaker to the wall, and others will
be more reticent to leak.

------
Alex3917
Of course this is assuming the NYT didn't voluntarily give up the source and
then ask the government to send them this letter. Given the NYT's history with
whistleblowers, I have trouble seeing how anyone is taking this story at face
value.

~~~
jasonlotito
While the reporter works for NYTimes now, she was working at Buzzfeed at the
time. It wasn't a NYTimes source.

~~~
Alex3917
That actually makes more sense. Still though, it's pathetic that the NYT
pretended like they were going to publish the story about mass illegal
wiretapping by the NSA and then buried it to get Bush re-elected, and now are
complaining about the government reading their reporter's emails. As if this
isn't completely deserved.

------
zeth___
Freedom of speech does not mean freedom from consequences turns out to be a
really shitty idea when it happens to people you agree with.

------
forapurpose
The Executive Branch is going after both the press and the Congress, and the
article doesn't convey anyone putting up too much of a fight. Unless I missed
something, I only see statements of concern or principle, from 'we'll see if
this is bad' to "we're deeply troubled"

> “Freedom of the press is a cornerstone of democracy, and communications
> between journalists and their sources demand protection,” said Eileen
> Murphy, a Times spokeswoman.

> Ms. Watkins’s personal lawyer, Mark J. MacDougall, said: “It’s always
> disconcerting when a journalist’s telephone records are obtained by the
> Justice Department — through a grand jury subpoena or other legal process.
> Whether it was really necessary here will depend on the nature of the
> investigation and the scope of any charges.”

> Ben Smith, the editor in chief of BuzzFeed News, said in a statement, “We’re
> deeply troubled by what looks like a case of law enforcement interfering
> with a reporter’s constitutional right to gather information about her own
> government.”

~~~
drawnwren
This really isn't that surprising. If, by reporting you are directly involved
in a crime - you're gonna have a bad time. We can argue all day about whether
information should be classified, but the fact remains that disclosing
classified information is illegal in the US. Had the reporter engaged in
murder or theft while reporting, would there be any outrage? I admit it's a
bit odd, because it isn't a crime for the reporter -- but they are definitely
involved in the commission of a crime.

~~~
forapurpose
> the fact remains that disclosing classified information is illegal in the US

It's not as simple as that; a few points:

1\. The Constitution's protection of freedom of the press can outweigh any
laws on classification, though the courts haven't said that.

2\. The unauthorized release of classified information has many times been
important for democracy to function, for government to be held accountable,
and that is exactly the role and function of the press.

3\. The classification of information is believed by many to be excessive.
Much that is classified is not dangerous and doesn't need to be classified.
I've read several examples of information classified to cover up government
activities.

4\. Classification obviously could be used to intentionally reduce
accountability to the public. It's not hard to imagine a scenario where the
President commits a crime, and it's covered up by classification. Arguably,
this happened with NSA spying and CIA torture.

5\. Until the Obama administration, Presidents did not prosecute leaks
regularly, indicating that they were not viewed as dangerous. Generally, not
nearly all laws are enforced; 'it's illegal' is not a threshold, or it seems
almost everyone could be prosecuted for something.

> Had the reporter engaged in murder or theft while reporting, would there be
> any outrage?

Not comparable.

