Hacker News new | past | comments | ask | show | jobs | submit login
Justice Dept. Seizes Times Reporter’s Email/Phone Records in Leak Investigation (nytimes.com)
342 points by MBCook on June 8, 2018 | hide | past | web | favorite | 174 comments

Reminder to NOT use any 3rd-party VPN service if you truly value your privacy. ProtonVPN, PureVPN, Private Internet Access, etc. Do not use those services if you're intending to do some "shady shit". I know first hand that Google has a (semi)-automated web-based process for law enforcement to submit their subpoenas and get the entire access history of a particular Google/Gmail account. They don't get access to the contents of the account, but they get to see IP addresses and user agents that accessed that account in the last N days. A warrant to see the contents of the accounts would be trivial if the investigators wanted to pursue it.

Private Internet Access has been subpoenaed by the FBI before for user logs and they were unable to comply due to not saving any [1]. That's probably the best reassurance you can get for a VPN.

[1]: https://torrentfreak.com/vpn-providers-no-logging-claims-tes...

That's going too far, I think. Sure, you can run your own VPN server, on an anonymously leased and managed VPS. But then, how do you anonymously lease and manage that VPS? As far as I know, your options are pretty much limited to VPN services, Tor and I2P. Also, VPS traffic is readily logged by providers, so your "anonymity" is pretty fragile.

Your best bet is distributing trust among multiple parties, such that no one of them can compromise you. VPN use is common, so start with nested VPN chains. Then Tor. If either the VPN chain or Tor resists compromise, then you're still safe.

After that, you can use any PM or email that you like. Because it's not connected to your meatspace identity. If content is end-to-end encrypted, the provider has nothing useful to share with adversaries. You and correspondents must, of course, avoid leaking metadata through account names and subject lines.

> But then, how do you anonymously lease and manage that VPS?

At least on DigitalOcean, it’s possible to create an anonymous account (no name required, not even by their TOS) connected to an anonymous email provider and funded by a cash-purchased Visa gift card. And a $5/mo droplet running IKEv2 VPN traffic (see Algo) is very secure and provides more than enough bandwidth/throughput for several people.

That would only leave the traffic itself (particularly the IP address(es) that initiate connections to your droplet). DO has a policy of not logging traffic unless an abuse alert is triggered.

> DO has a policy of not logging traffic unless an abuse alert is triggered.

I'd be willing to bet they log all the info about the signup process though, including the IP address used. It's how you prevent abuse.

The question then becomes, how do you hide your IP address from the DO signup process. I know, used a VPN! Wait a second...

Mullvad.net (a VPN provider) gives 3 hour accounts for free. You solve a captcha and they give you an account id to use to connect to their servers. If you want to keep using that account id for more than 3 hours you have to add money to that account. You can pay them in cash (they're in Sweden though) or Bitcoin, credit card, etc. They don't even ask you for your email and they claim to not keep logs that would allow to match an IP and a time stamp to a user [1].

[1] https://torrentfreak.com/vpn-services-anonymous-review-2017-...

One more thought - connecting via a temporary Mullvad account from a public or obscured entry point (perhaps during an international trip or at a McDonalds) would probably be the most straightforward method. The worst you're giving away is that entry point (to Sweden's loggers), but the DO/VPS fraud detection is less likely to fire if you're going through Mullvad.

To be clear, my own goal in all of this is primarily to get through residential ISP snooping -- I don't trust them not to sell my personal info. Staying out of the state dragnets is also a plus (I don't like the idea of snoops in a building somewhere reading my personal emails; same reason I close the living room curtains in the evening).

Yes, one can "anonymously" use WiFi APs. But it's hard to get close enough without becoming observable. And more and more, without being videoed. I've played with a Ubiquiti radio and parabolic antenna, and can hit APs at several km. But then, the dish is pretty big, so you need a large window. And unsecured APs have become harder to find.

It’s a lot easier to escape surveillance in the suburbs and rural areas. That being said, the ratio of McDonalds franchise density to population density goes higher the further out you go (at least in the US).

Note - Sweden is one of the “14 eyes”, so your browsing session (origin and destination IP, date/time) very well may be logged by their backbone, if not by Mullvad itself.

You can use pre-pay internet or public wifi to sign up

Public library?

Is that you, Dread Pirate Roberts?


Why can't you just sign up via tor?

Ordering any server from a tor IP, even dirt cheap shared hosting plans, will trip their fraud detections 100% of the time. You'll likely get an email asking for photo ID.

I buy all my vpses via Tor, it takes some effort. But after a while I always manage to find a provider where I can complete the process. So, not all the providers all the time. Just some of them some of the time.

It depends on the hoster. BitHost has no problem with Tor exit IPs. Neither does Host Sailor. I know a few others, but sharing names would be imprudent.

Could using tor for the signup process work?

Or just use bithost.io, and get DO droplets for well-mixed Bitcoin. There's a premium, I admit.

But even with all that, there's the risk of logging. I don't get how DO differs from whatever "no logging" VPN service, in that regard.

I don’t trust them implicitly, but I do trust them more than any “VPN service” — to me, those are all honeypots (whether intentionally or not).

The point is that you can't trust anyone. And so you distribute trust.

That works only if each additional layer properly covers the whole surface.

A few years ago I tried that as an experiment. I wanted to see if I could setup completely anonymous Tor exit nodes. It didn't work.

I bought a prepaid debit card at a grocery store with cash. I tried to sign up for a few VPS providers using coffee shop WiFi. All wanted additional verification or wouldn't allow me to use the card. All providers use 3rd party services (eg MaxMind) to prevent fraud and prepaid cards is one of the things they look for.

Has anyone had luck doing this?

I've run into the issue as well. You just need to find providers that don't ask.

In the US you have to provide a Social Security number to activate your cash-purchased Visa gift card.

Not true. There may be some that do, but not all - just know ahead of time before you walk into the store.

It looks like your correct. I was under the impression that the USA PATRIOT Act required all cash cards to collect that information, but looking up the details it appears to only apply to reloadable cards in that they "establish a banking relationship" with the provider.


You're over thinking it. Just set up an email server in your house and use that.

if you use your house connection how are you going to stay anonymous?

Can you explain this a bit more?

Are you saying that

- Google’s policy could unmask users behind a VPN, via an IP+time correlation attack[0]


- VPN providers who say they don’t keep logs, are actually keeping logs in secret, because of what you’ve seen at Google


I’m straining to make the connection you’re hinting at.

[0] You can now basically buy these from telcos as an identity verification measure, so a VPN seems useful here.

AFAIK basically all legal VPN providers keep logs. If you're providing a service on the net, it is likely that you are required to log all access to your services.

The law inforcement officers or prosecutors can simply ask for the history of your traffic.

As it does not contain the content of your communication, in most legal systems they do not need any warrant to request this data.

That's not so in the US. And generally not so in the EU, as far as I know.

What jurisdictions are you speaking of? Cites would be cool too.

> And generally not so in the EU, as far as I know.

As far as I know the EU does have data retention laws on the books for ISPs.


The last paragraph under that heading says the directive was declared invalid 2014.

> On 8 April 2014, the Court of Justice of the European Union declared the Directive 2006/24/EC invalid for violating fundamental rights. The Council's Legal Services have been reported to have stated in closed session that paragraph 59 of the European Court of Justice's ruling "suggests that general and blanket data retention is no longer possible".[18] A legal opinion funded by the Greens/EFA Group in the European Parliament finds that the blanket retention data of unsuspicious persons generally violates the EU Charter of Fundamental Rights, both in regard to national telecommunications data retention laws and to similar EU data retention schemes (PNR, TFTP, TFTS, LEA access to EES, Eurodac, VIS).[19]

I'm speaking of Turkey, and as far as I know my country adapted the regulations following the EU-Directives.

I'll have to look them up on Eurlex, I'll post them here if I find the time.

Well, Turkey is rather repressive, so I wouldn't be surprised.

Due to the increasing amount of downvotes, I wanted to provide you with some EU legislation. [1] There is also a reddit thread asking the same question [2]

  of 15 March 2006
  on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC
Some citations from the preamble showing the purpose of data retention

  On 13 July 2005, the Council reaffirmed in its  declaration condemning the terrorist attacks on London the need to adopt common measures on the retention of telecommunications data as soon as possible.

  Given the importance of traffic and location data for the investigation, detection, and prosecution of criminal offences, as demonstrated by research and the practical experience of several Member States, there is a need to ensure at European level that data that are generated or processed, in the course of the supply of communications services, by providers of publicly available electronic communications services or of a public communications network are retained for a certain period, subject to the conditions provided for in this Directive.
The citations of the corresponding paragraphs:

Article 3 para. 2 (data necessary to trace and identify the source of a communication):

  The obligation to retain data provided for in paragraph 1 shall include the retention of the data specified in Article 5 relating to unsuccessful call attempts where those data are generated or processed, and stored (as regards telephony data) or logged (as regards Internet data), by providers of publicly available electronic communications services or of a public communications network within the jurisdiction of the Member State concerned in the process of supplying the communication services concerned. This Directive shall not require data relating to unconnected calls to be retained.
Article 5 Categories of data to be retained para. 1/a/2

  concerning Internet access, Internet e-mail and Internet telephony:
  (i)the user ID(s) allocated;
  (ii) the user ID and telephone number allocated to any communication entering the public telephone network;
  (iii) the name and address of the subscriber or registered user to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the communication;
Article 5 para. 1/b/2 ( data necessary to identify the destination of a communication):

  concerning Internet e-mail and Internet telephony:
  (i) the user ID or telephone number of the intended recipient(s) of an Internet telephony call;
  (ii) the name(s) and address(es) of the subscriber(s) or registered user(s) and user ID of the intended recipient of the communication;
Article 5 para 1/c/2 data necessary to identify the date, time and duration of a communication:

  concerning Internet access, Internet e-mail and Internet telephony:
  (i) the date and time of the log-in and log-off of the Internet access service, based on a certain time zone, together with the IP address, whether dynamic or static, allocated by the Internet access service provider to a communication, and the user ID of the subscriber or registered user;
  (ii) the date and time of the log-in and log-off of the Internet e-mail service or Internet telephony service, based on a certain time zone;
Note: Legislation is said to be anulled in 2014 by the European Court of Justice. [3] I don't know how EU legislation works. But many countries adapted the regulation in their national law. The EU anulment doesn't automatically change the regulations in other legislations. For more info on how data retention is implemented in different countries, you could look at the wikipedia link jacquesm provided.

[1] Link to the directive: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

[2] Link to the reddit thread: https://www.reddit.com/r/VPN/comments/7x07am/if_a_vpn_doesnt...

[3] Decision of the anulment of the directive: http://curia.europa.eu/juris/liste.jsf?language=en&num=C-301...

Yes, I know about the DRD. But it was declared invalid in 2014. If any EU member attempted to enforce national law requiring general data retention, I presume that the target could appeal to the CJEU.

I looked into this fairly carefully some months ago, consulting with Nick Pestell, IVPN's CEO. In writing for their blog.[0] And I got from him that data retention requirements are now rare in the EU.

0) https://www.ivpn.net/blog/collection-of-user-data-by-isps-an...

Thanks again for the link, was very informative. I admit I didn't know much about the regulations outside of Turkey and to some extent EU. I just had a criminal procedure law class and I learned that in Turkey the prosecutors can request any communication logs without a warrant.

As we import our laws from other European countries (for example criminal procedure law was imported from Germany) I thought that this must've been the case in many law systems.

This discussion has been eye-opening for me.

I didn't dowvote, but my guess for why some have would be:

> in most legal systems they do not need any warrant to request this data.

From a quick read of your law extract, it doesn't seem to cover that aspect of your original claim (and if it does, I'd warmly suggest you highlighted the controversial bit for those who like me have a hard time grokking through such a long text)

Request does not compel compliance the way a warrant does.

Law enforcement is generally allowed to request just about anything just like everyone else.

In the UK at least, authorities can access data without a warrant.


After the CJEU declared the DRD invalid in 2014, the UK enacted the Data Retention and Investigatory Powers Act (DRIPA).[0] The CJEU annulled that in 2016, and the UK proposed amendments.[1] However, in January 2018, the court ruled those amendments insufficient.[2] I'm not aware of further developments, and I expect that I'd have seen anything relevant on Wilders, but please do share if I've missed something.

0) http://www.legislation.gov.uk/ukpga/2014/27/contents/enacted

1) https://www.theguardian.com/technology/2017/nov/30/police-to...

2) https://www.theguardian.com/uk-news...ruled-unlawful-appeal-...

Thank you for sharing the links. But as far as I can understand, the new regulations do not abolish the need to record the data. They only set up safeguards for which data can be used.

I think a VPN provider in this case is still obliged to keep logs, albeit only hand them over if the necessary conditions are met.

Coming from Turkey, I could not imagine a state, where the communication logs are not saved. But it seems the US does this only through intelligence agencies and does not force the ISPs to keep logs.

That's true, moreover in the legal systems I know, prosecutors also have the authority to request such documents that means the documents requested can be used as evidence. If you do not comply with it a judge can compel you to give up the document. In which case you also might get in legal trouble, because you refused the initial request of the prosecutor.

Furthermore, at least here in Turkey, communication records are also used in civil cases. For example, in a divorce case, the parties sometimes request the phone log through a judge and prove disloyalty by showing call history and duration of each call.

Yes. While details vary between countries and languages, I believe the general interpretation is that a warrant involves a judge.

The fact that they only need a subeona for metadata might change very soon, depending on how the SCOTUS case Carpenter is decided:


What's your alternative suggestion? ISPs will surely give over that information outright. At least a VPN touting privacy has the incentive to avoid putting its entire business at stake if it can't make good on its raison d'être.

So a better option would be to use your Comcast / AT&T / Verizon connection to leak data to the press?

Everything on the internet (and really in life) is a chain of trust - there are going to be weak links however far down the rabbit hole you go.

> So a better option would be to use your Comcast / AT&T / Verizon connection to leak data to the press?

A better option is to use technology that might be better able to provide some verifiable anonymity guarantees, like Tor.

True. But Tor has pwned people too. Most recently, there was the bug that CMU researchers exploited, and then shared with the FBI. Also, many users of Tor browser have been pwned by phone-home malware, which leaked their ISP-assigned IP addresses. Hitting Tor through nested VPN chains would have protected them.

If you use Tor you can't really trust the machine it is on, all sorts of potential web browser vulnerabilities. (And please don't do GPGing on the same box.) At a minimum, run it in a VM so its upstream IP is an internal NAT address, and so it won't have unique phys IDs like MAC address, which can be traced through the supply chain.

Preferably use a VPN for the host machine's connection too, at least to first download the tor client (the subset of IPs which have downloaded a recent tor bundle is quite small). At the very least, firewall the VM so traffic can only go to a tor bridge IP; even then, https (non tor) from a compromised host can identify the tor user, as all tor entry point traffic is logged and possibly has active mitm boxes (varying packet timing, fingerprinting tor versions).

Given the overall complexity of getting it right, and the enduring consequences of a single opsec failure, I'm not sure tor is a great option. Sending USB sticks through the mail would probably be safer. (Even then, encrypt them, use a dedicated laptop, don't lick the stamp or leave fingerprints, don't be observed/CCTVed posting them, purchasing the USB sticks, etc.)

Good points. I should have emphasized use of Whonix, which comprises Tor gateway and workspace VMs. Forwarding isn't enabled on the gateway or workspace, the gateway is firewalled, and it doesn't just use TransPort. It exposes a bunch of SocksPorts to the workspace VM, so each app gets its own SocksPort.

> all tor entry point traffic is logged and possibly has active mitm boxes

That's a broad claim. You need cites for that. Tor relays are run by a large collective of volunteers, and keeping something like that secret would be quite some achievement.

Okay, not all gateways. But top by volume, yes. Not by the people running them, but at the network/ISP layer. There was some open source reporting about it in Singapore (not a democracy admittedly) I'll try to dig up. But on the 5th anniversary of the Snowden leaks, why do you find it strange?

OK, maybe at network/ISP level. There's no way for relay operators to know, of course. But if an operator learned of logging, I'd expect to see that reported on tor-relays@lists.torproject.org, and I don't recall that.

This is yet another reason to hit Tor through a VPN service. Or better, a nested chain of VPN services.

Edit: I do recall a post by Virgil Griffith about the situation in Singapore.[0] He says nothing explicitly about logging, but does note that Singapore's "love of anti-corruption exceeds its apprehension about human-rights-laden privacy enhancing technologies." And I don't find anything about logging of Tor relays there. But then, I'm searching in English :(

0) https://medium.com/@virgilgr/tors-branding-pivot-is-going-to...

^^^ I've been repping physical data transfer to people for a while. Veracrypt is a great option.

> True. But Tor has pwned people too. Most recently, there was the bug that CMU researchers exploited, and then shared with the FBI. Also, many users of Tor browser have been pwned by phone-home malware, which leaked their ISP-assigned IP addresses. Hitting Tor through nested VPN chains would have protected them.

It's better, as in closer to trust-no-one, but of course it's not perfect. Especially when we're talking about endpoint security concerns.

Yes, totally agree. I love Tor :)

I understand that sentiment but a technological work around (that probably also has captured data points) that would entirely alleviate whatever hypothetical issue the OP is referring to seems at best naive to this layman.

> alleviate whatever hypothetical issue the OP is referring to

That "hypothetical" the OP referred to is the VPN provider keeping logs (or more logs than they advertise) and providing them when asked to the authorities.

It's not really that hypothetical. There was a link here today about a "no log" VPN service that apparently did that.

> I understand that sentiment but a technological work around (that probably also has captured data points)

Tor is a technology that specifically answers the issue the OP brought up, which is over-trust in a single entity to preserve anonymity. Nothing's perfect, but Tor is better than both the "VPN provider" option the OP was warning people away from and from your snarky "what and use Comcast?" option.

> but a technological work around ... seems at best naive to this layman.

You'll have to elaborate why the use of better (if imperfect) technology is "at best naive."

Ehem, asking for a friend - is using Tor in conjunction with a third-party VPN service like the ones mentioned above any safer than using Tor regularly?

OK, so imagine that your friend was using Tor in 2014, while CMU attackers (OK, "researchers") were deanonymizing users and onion sites. They exploited a bug ("relay-early") in Tor, which allowed them to communicate among malicious relays through a back channel. That led to a number of prosecutions.

But imagine instead that your friend was connecting to Tor through a VPN service. Even if CMU attackers had been running your friend's entry guard, they would have just seen the VPN exit IP address.

Better yet, your friend could have been connecting to Tor through a nested chain of VPN services. Then the FBI would have needed to do lots more work to get your friend's ISP-assigned IP address.

The Tor Project, I note, will not agree with my assessment. But so it goes.

> "Freedom of the press is a cornerstone of democracy," Ms. Murphy said. "This decision by the Justice Department will endanger reporters’ ability to promise confidentiality to their sources and, ultimately, undermine the ability of a free press to shine a much-needed light on government actions. That should be a grave concern to anyone who cares about an informed citizenry."

Sure. But Ms. Watkins could have used better OPSEC, and trained her sources to do the same.

Edit: You can't "promise confidentiality" if you're depending entirely on the behavior of third parties.

And government officers could not blatantly violate their oaths to defend the Constitution.

There's no clear claim that any such oath -- or other law or guideline -- has been violated.

Consider this statement from Watkins' lawyer:

“It’s always disconcerting when a journalist’s telephone records are obtained by the Justice Department — through a grand jury subpoena or other legal process. Whether it was really necessary here will depend on the nature of the investigation and the scope of any charges.”

It'd look different if MacDougal were confident that the DOJ had violated process or law, including constitutional rights. As it reads, it sounds like he recognizes that right now, there's no apparent violations, and it's plausible that actions like this, disconcerting or not, may well be fully legal and justified.

I think one could make a plausible argument for an expansionist reading of press freedom that would cover this case.

Courts have consistently held that freedom of the press means freedom of the press-as-medium, not press-as-industry. Reporters have no more rights than you or I. What would the rationale be?

You sound fancy, but also wrong.

Sure. But it's prudent to assume that they'll do whatever they think is necessary, regardless of some particular reading of the Constitution. I mean, the Supreme Court could bless this practice, and who would stop them?

I do think the government has a certain prerogative to prevent leaks. Leakers need to realize the seriousness of the game they are playing and act accordingly. The Times and Post in particular make at least superficial efforts to ensure their sources are using good opsec, but I do wonder how hard individual reporters push back against using unsecured channels.

Nonetheless. In this case the reporter had a years-long relationship with the alleged leaker, that makes it much harder to cover all of your digital tracks vis-a-vis casual exchanges. We don’t know what exactly they have on this guy, but apparently it’s enough to establish that he lied to the FBI about his contact, if not anything pinning the leaks on him squarely. From the sounds of it, prudence may not have been sufficient.

> but apparently it’s enough to establish that he lied to the FBI about his contact

Yes, that's likely the key issue. Once the FBI etc are asking questions, it's already too late. So it's crucial to avoid attention. But that's very hard for leakers like this, where there are few possibilities, and all will likely be questioned.

The reporter also had a prior romantic relationship with the leaker.

> Investigators sought Ms. Watkins’s [sic] information as part of an inquiry into whether James A. Wolfe, the Senate Intelligence Committee’s former director of security, disclosed classified secrets to reporters. F.B.I. agents approached Ms. Watkins about a previous three-year romantic relationship she had with Mr. Wolfe, saying they were investigating unauthorized leaks.

Damn, I missed that.

So I wonder if Ms. Watkins can be prosecuted for lying to the FBI. Or is she immune because she's a reporter?

From the article:

Shortly before she began working at The Times, Ms. Watkins was approached by the F.B.I. agents, who asserted that Mr. Wolfe had helped her with articles while they were dating. She did not answer their questions.

I did see that. But she must have said something to them. Just "no comment"? Or maybe she referred them to her attorney? And then her attorney asserts her right to keep sources confidential?

Everybody has a right to remain silent.

But when the government manages to plug a leak that happened to hand things to the media (compared to leaks that handed things to, say, foreign governments), people are surprised that the Constructionally guaranteed freedom of the press doesn’t actually include a right for the media to keep sources confidential. That’s why Judith Miller ended up in jail (and the story I heard was that her first legal team thought she had a right to keep sources confidential, which is why she spent so long in jail).

> people are surprised that the Constructionally guaranteed freedom of the press doesn’t actually include a right for the media to keep sources confidential

Is this really true? As opposed to the right getting trumped occasionally through some technicality? If it's true, why do reporters so commonly expect to keep sources private?

But maybe I've missed the point. To remain private, the source must not share their identity with the reporter. Is that it? That's why the NYT etc have Tor-based leak drops.

I’m sorry I didn’t see this earlier. My comment was based on what I remember from attorneys discussing why Judith Miller was in jail for refusing to name her source, and why she only got out of jail when Libby told her she didn’t need to keep protecting him.

According to Wikipedia ( https://en.wikipedia.org/wiki/Reporter%27s_privilege ) there is some kind of legal privilege, in some cases. But since reporters do end up in jail for contempt of court, it certainly doesn’t go as far as they seem to believe.

It takes me a while: Constitutionally guaranteed freedom, not constructionally guaranteed.

The thing about the Constitution is that until it gets to the USSC, everyone gets to have their own interpretation of it.

People on the left were screaming that GWB was violating the constitution. People on the right were screaming that Obama was violating the constitution. Globalists et al are screaming that Trump is violating the constitution. But it literally means nothing until the highest court rules on it.

It also means nothing when the highest court rules on it, unless lower courts and lower law enforcement agencies pay attention. The Supreme Court has a few police officers, but they just protect the court building and the people in it; they can't enforce the Constitution themselves. The only thing the Supreme Court can do is tell other people what the Constitution says.

So, the Supreme Court only has power as long as people respect the Constitution in the first place.

(I don't understand your point about the left and right; it's certainly possible that all of Bush, Obama, and Trump violated the Constitution. The article specifically calls out the Trump administration for "continu[ing] the aggressive tactics employed under President Obama." It's not true that Democrats and Republicans are the same, but it's also not true that they're dualistic opposites, where every virtue and every vice belongs to exactly one. Sometimes they both possess the same vice.)

Great point, the USSC decides like 50 cases a year? The next layer of federal courts decides thousands, and usually those are the tiebreaker appeals that don't get the writ of centiaori.

I have no idea what why you are getting downvoted. You speak truth:

>People on the left were screaming that GWB was violating the constitution. People on the right were screaming that Obama was violating the constitution. Globalists et al are screaming that Trump is violating the constitution. But it literally means nothing until the highest court rules on it.

Best to say it was the US highest court that has violated the constitution during all three administrations.

Link to the indictment: https://www.justice.gov/usao-dc/press-release/file/1069836/d...

> The former aide, James A. Wolfe, 57, was charged with lying repeatedly to investigators about his contacts with three reporters. According to the authorities, Mr. Wolfe made false statements to the F.B.I. about providing two of them with private information related to the committee’s work. They did not say whether it was classified.

Ah interesting. They definitely have metadata but they don't have (or don't admit to having) all the data. So they know who talked to who and when and caught him in a lie which can end up badly. But it seems they don't know the content so they can't say "on this day, in this message you divulged this classified information". They disclose a few Signal messages but they were simple like "Great job" or "I am glad I made your career" etc.

Lying to FBI is not good but disclosing classified information is even worse. It seems in this case he is only charged with lying.

I wonder had he refused to talk to the investigators what would have happened? Given he was an employee with clearance, did he even have a choice in saying "I am not answering your questions, talk to my lawyer"...

> Under Mr. Obama, the Justice Department prosecuted more leak cases than all previous administrations combined.

I wonder if there were simply more leaks because there were more dissenters, more media channels, more disappointed employees or those in charge ordered more resources allocated on finding and stopping the leaks.

It is scary that they are going after and collecting all of reporter's communication going back for years. I can imagine that would be very scary.

I don't belive you give up any fifth amendment rights when given a security clearance.

However, you also have no right to a security clearance so simply refusing to answer probabbly kills your career / clearance right there, and suddenly you're the focus of the investigation.

When asked I wonder if it was just the FBI "casually" asking everyone a bunch of questions. Then you have to decide, do I lie (not a good idea) and maybe keep my job... or end my job outright?

Most people's choice likely has to do with how likely they think they're the focus of an investigation and how much the FBI already knows or doesn't know.

Lying to the FBI is a crime by itself - if they're talking to you at all, there's a good chance that it's only to save them the effort of having to prosecute a more difficult to prove crime.

Yeah I certainly would choose the not talking thing.

> I wonder if there were simply more leaks because there were more ...

No, Obama had a personal thing against leakers. None was too many for him. I followed it in the news, but couldn't tell if it was motivate by being a lawyer, so some kind of omerta.

OTOH, previous administrations used leaks as trial balloons, so had a more balanced approach.


> No, Obama had a personal thing against leakers. None was too many for him.

Funny enough he did promise transparency https://www.washingtonpost.com/lifestyle/style/obama-promise...

And unsurprisingly, he failed to deliver on this.

That is accurate: https://www.pbs.org/newshour/nation/obama-administration-set...

Background on FOIA: Basically, in 1966 the US Government created the Freedom of Information Act that allowed people to ask for records from federal agencies. In theory, it was supposed to create transparency. Unfortunately, it's a bit outdated and in many areas it's turned into many in the Government thinking requestors are just out to get them (and a lot of it is also commercial requesters). Under Obama, the USG denied more requests than ever. In their defense though, it's got really easy to do a FOIA request online and flood the government with requests (it only applies at the federal level, states have their own version of public information laws).

The EPA used/uses fake email addresses to dodge FOIAs during the Obama and Trump administrations- guessing they all still do something like this. Scott Pruitt apparently has 4.

>During President Barack Obama’s first term, then-EPA Administrator Lisa Jackson came under fire for maintaining a separate agency email under the alias “Richard Windsor” — a name that derived from Jackson’s family dog when she lived in East Windsor Township, N.J.


Well the point was the leakers did it for him!

Really? I'm not really a news junkie, but I can't recall a single time hearing anything about Obama having a dispute with anyone, whereas I've heard stories about Trump virtually every day for the last year. Maybe he's even worse than they say?

That's because Obama was generally careful about what he said in public.

I fear Trump is doing grevious harm to our democracy, and would never compare the damage done by Trump to that done by Obama.

That said, Obama was notorious for his crackdown on leakers. If you at all kept up with the news then, you'd be aware. One of his darker qualities (though he had many positive ones as well).

> Given he was an employee with clearance, did he even have a choice in saying "I am not answering your questions, talk to my lawyer"...

Yes. The trick is that most likely he needs a lawyer with a security clearance. Yes, those exist for exactly this purpose.

In a way it’s no different than the DoJ getting into Trump’s lawyer’s archives and sniffing into any dealing with any of his clients that would normally be protected by attorney-client privilege.

James Wolfe, 57, Director of Security of the Senate Intelligence Committee for 29 years... leaks intel on Carter Page to his “girlfriend” (she was 21 years old at the time) at BuzzFeed, who publishes a huge scoop and lands a job at the NYT.... [1]

Sounds like a script from House of Cards.

[1] - https://www.nytco.com/ali-watkins-joining-washington-bureau/

And just wow.... this tweet from her in 2013:


Even The Intercept got it their disclosure wrong once, and these guys are probably the experts: https://blog.erratasec.com/2017/06/how-intercept-outed-reali...

But unencrypted email certainly isn't the right way to go if you're leaking.

They screwed over Winners by being unjustifiably incompetent and reckless or simply malicious. Thats not the behavior of any sort of "experts". Even more so when you look at the history of the reporter in question when it comes to the safety of his sources.

Does using gmail count as unencrypted?

General Patraeus was caught leaking through Gmail. And, amusingly, they didn’t actually send the emails, they just shared an account and wrote draft emails for the other side to read.

Granted, sharing an account with a co-writer turned out to be suspicious behavior, but apparently the government was able to get access to the draft emails that were under Google’s control (and I haven’t heard of any changes to Gmail that would make it more secure now).

Most definitely.

Using any electronic text messaging as a means to communicate state secrets strikes me as lazy, regardless of encryption. Data, metadata and breadcrumbs are left littered amongst an unknowable number of endpoints and 3rd party servers, permanently.

Leaking state secrets isn't supposed to be easy and convenient; there's not an app for that.

A staffer working for the Senate Intelligence Committee was dating a reporter who was writing stories based on exclusive intelligence leaks.

They weren't exactly being super careful.

I wonder what they were thinking. I mean, maybe something like "I'm a reporter, so they can't ask about my sources." I'm reminded of David Petraeus and Paula Broadwell.

I bet they watched House of Cards and thought, hey it works for Zoe Barnes...

Edit: I hope she does not have the same character arc of Zoe Barnes, which I won't spoil.

Any idea how the DOJ got their Signal communications? I've never used the app, but did he just not delete his messages or something stupid like that?


The most likely explanation would be that he simply didn't delete his messages, or have auto-delete enabled; or, perhaps, he had the auto-delete window for these particular contacts set too long.

Most definitely this. Bad messenger OPSEC is a real problem, still. Just recently Paul Manafort backed up his encrypted WhatsApp messages to iCloud, for example.

Many users of these apps don't realize that they are opening themselves up to security issues by performing certain behaviors. Are there any guides to good messenger OPSEC available for the general public (or even at-risk people like journalists or politicians?)

While it may be true that Manafort incidentally backed up WhatsApp or Signal messages to iCloud, the FBI supporting statement in the motion to revoke parole indicates that the messages cited were preserved by the receiving party and voluntarily turned over to the FBI.

This is the one I see circulating the most. Links to Signal setup are in the body and include auto-deleting messages.


Im surprised that majority of the comments are about how they are dissapointed about their carelessness and not noting that leaking classified information is bad regardless of your ultimate aim. This is exactly what we should expect to happen when people leak classified information regardless of your ultimate motivation

Dan Carlin had a podcast about this. He said something to the effect of, "what if you had a stamp and every time you stamped something, your boss would never find out about it. How long do you think it would take before you start putting the stamp on your mistakes?"

What he was trying to get at is, how does a democracy function properly when it has no idea what it's leadership is doing, because the leadership makes everything secret and classified? It's a good question and I don't really have an answer.

On the reverse side of that, how can a government function when everybody feels like they are privy to know everything about its operations. Its like having a meeting with too many people in the room. Nothing ever gets done. Democracy functions in that we have a democratic process to elect those who represent us, and at some level we need to trust them with certain elements of operations because everyone knowing everything could cause harm in some cases. If we dont trust who we elect to office then thats a seperate issue that we need to tackle on its own.

> Its like having a meeting with too many people in the room. Nothing ever gets done.

I'm not sure I accept the metaphor - visibility is not participation. Too-large meetings are useless because they have too many participants, and everything falls to bike-shedding. Plenty of organizations, from public companies to the Federal Reserve, get things done with visible meetings where interested parties can't speak but do see the minutes. In my version of the metaphor, non-secrecy is totally consistent with small-meeting democracy: we elect people to go and represent us, but demand information about how they did so in order to hold them accountable. (If Congress voted by secret ballot, do you think it would represent us better or worse?)

(The question of information which is harmful to share is a fundamentally different one than a general argument for privacy, and a much harder one. Those cases are real, but it's also true that there's a long track record of government claiming information is harmful to release when it's actually embarrassing or unethical.)

> If we dont trust who we elect to office then thats a seperate issue that we need to tackle on its own.

Great, we haven't tackled it, and without clear information about what officials do it's not clear how we can.

There's never been an era of declassification and leaks where we looked around and said "yep, everything in there looks like it was done in good faith". I'll embrace an end to leaks around the same time they stop containing evidence government bodies knowingly classifying horrible misdeeds.

Hell, I'd even settle for "no war crimes lately", but we haven't managed that yet.

> I'm not sure I accept the metaphor - visibility is not participation. Too-large meetings are useless because they have too many participants, and everything falls to bike-shedding.

I was about to reply with exactly this point. Transparency does not entail everyone gets their say, merely that the factors and interests considered in a decision are ultimately disclosed with no secrecy. Then perhaps there can be a public commentary period before proceeding so there is some participation, but participation at every step isn't necessary for engendering trust via transparency.

This obviously gets trickier on national security matters, but the judiciary is supposed to judge what is and isn't too sensitive here. Secret court proceedings are skirting dangerously close to crossing that line though.

This is why we have meeting notes that get broadly sent out. We are not talking about inviting all citizens to be decision makers, we are talking about making transparent what the decision makers are doing so they can be held accountable.

IMO that issue can be tackled by making laws prohibiting financial conflicts of interest removing the incentive to be untrustworthy. Then we get civil servants in office again.

“leaking classified information is bad regardless of your ultimate aim”

No, this is not a universal absolute truth.

This assumes the people classifying the information are the good guys.

It's not an easy problem to solve.

Leaking classified information is good. This is the only way people can get a peek behind the scenes and understand that the state absolutely doesn't work in a way it wants people to believe it does.

Many of us have observed that the federal government, from time to time, conducts unethical and/or illegal behavior and should not be blindly trusted. We also know they use classification to hide embarrassing or illegal actions.

Leakers are one way we can learn how the sausage is really made, and in most cases that knowledge is in the public interest.

>leaking classified information is bad regardless of your ultimate aim

Perhaps, if you implicitly trust the government

What if the three letter agencies are the bad guys? I personally think that Edward Snowden is one of the great American heroes of the past 50 years.

Many people here have some edgy anarchist vibe to them. Fight the power, brother.

Maybe I'm overlooking something here, but I don't know why leakers don't just use a forever stamp and drop something in the mail. Securing electronic communications seems freakishly hard by comparison. Is there some reason that is an obviously bad idea?

Using the postal service might be lower-risk, but it's not risk free.

If you try that, don't forget about the Mail Covers [1] program.

If you're mailing a reporter at the NY Times, you're at risk if you use your own handwriting. You might also be at risk if you use a printed label [2].

There's also the risk that your mail will be intercepted, and I wouldn't be too shocked to discover that government agencies were selectively (or not-so-selectively) reading our mail [3].

[1] https://en.wikipedia.org/wiki/Mail_cover


[3] https://motherboard.vice.com/en_us/article/53dk3n/this-camer...

Its really sad how low trust in the rule of law has become. US Mail used to be sacrosaint. Damaging a mailbox is a felony to give an idea of how strong the law is in this area.

There's a significant amount of physical evidence from that. You'd have to make sure it's clean of any fingerprints and DNA (hair) for one. Plus printers will typically inject watermarks into the document. Handwriting is definitely a thing to be analyzed. And the location which you mail stuff from leaks another few bits of information.

It's probably a better idea than email, but not by all that much.

That's how Reality Winner leaked and she got caught via printer microdots.

source? She printed it on a work printer. They had a short list of everyone that accessed the file. Microdots were both unnecessary and useless towards finding who did it. https://www.bloomberg.com/news/articles/2017-06-08/accused-l...

Anything you print or xerox is fingerprinted (the infamous yellow dots). You would need to write by hand and leave no fingerprint. It’s not trivial.

They still do! Probably wouldn't work as well for classified Gov info but it still happens.


Interesting to see this shortly after the release of the movie The Post. Obama attempted something similar. Basically Nixon had more respect for the independence of the press than current administrations.

Apparently this reporter was at BuzzFeed (not NYTimes) at the time of the messages. https://twitter.com/BuzzFeedBen/status/1004904034132725760

Who in their right mind would communicate confidential info to a reporter via email and what kind of reporter would allow their sources to do that? The minimum acceptable way to do this is end-to-end encrypted messages via Signal or GPG-encrypted emails via a service in a jurisdiction beyond the FBI’s reach (e.g ProtonMail).

The reporter's pinned tweet has her Signal number. The feds seized her emails anyway, because they can / if they're going to be thorough, why wouldn't they.

(The replies to the reporter's pinned tweet, meanwhile, are people gleeful about her messages being seized. I don't recommend reading them, except perhaps as a way of pondering whether a society where literally everyone feels encouraged to send sentence-long invective to literally everyone else has really done good things with communication.)

here’s the problem with saying things like “use proton mail” it deflects from the problem (warrantless search of email for 7 years) and instead attacks the use of email.

Note that what was used shouldn’t matter from the POV warrant vs no warrant. Follow on with: there is no claim that there was anything found in those emails. All we have is an acknowledgement that the government is undertaking warrantless surveillance of a reporter,. It doesn’t have to find anything, it just needs to be threatening enough to ensure that no one talks again.

Hence “chilling effect on journalism”

Apologies for terrible editing in the above message. Typing on my phone with beta software. There are some issues :)

The Times provides the information necessary to do just this right on their tips page, including instructions for PGP, WhatsApp, Signal, and SecureDrop.

One would hope that serious whistleblowers would heed these instructions.

Everyone needs these directions, they need to be clear and followable to the letter with ease.

It doesn't matter how competent you are, if your blowing the whistle then you not want the slightest chance of making a mistake - got to be a high stress situation, someone holding your hand through a critical portion makes sense to me.

The reporter wasn't working for NYTimes at the time, but rather Buzzfeed.

The indictment talked mostly about using Signal so the comments here making fun of using email seem unfair.

If, as seems likely, the messages were revealed because they weren't auto-deleted, then the flak email takes is especially well deserved. People are bad at deleting IM messages (even with apps like Signal that will auto-delete them if you ask). But scrubbing an email conversation is actually challenging, and people are notoriously bad at it. Email gets archived, and email replies and threads repeatedly quote and repeat fragments of the conversation; we've all read email "discussions" that were a single message with a long quote history in it.

>we've all read email "discussions" that were a single message with a long quote history in it.

Those emails are notorious for leaking information - especially when you loop someone external in and forget to scrub the long 3 month-long trail at the bottom.

More of the same from the last 9 years.

Sort of. But I think it’s important to note how many people were applauding the seizure of communications when the target was Trump’s lawyer...

Is there a material downside to the Times switching external e-mails to E2E encrypted and to be deleted after N months?

Johnny can't encrypt so their sources would probably still send them unencrypted email.

Don't forget step two, blacklist all buzzfeed writers from being hired.

Well that’s not at all disconcerting.

If you're only feeling unsettled now, then you haven't been paying attention. The previous administration waged a similar war on leakers and their journo contacts since at least 2012.

And now a staffer has been indicted.

Anyone know what she was reporting on that caused the Justice Department to censor the coverage?

Send a letter.

I would leak printed documents - preferably not with a Laserjet - by sending them, not sent from my hometown but random (does this make it less secure? pattern detection? gas stations linked to my VISA?) towns. And make sure - difficult (re-OCR to text? high contrast?) - they are not marked (dot-marked, whitespace-marked, font-marked, ...) to me.

I'd prefer that way to any long chain of online trusted systems of which only one needs to leak. To me digital OpSec feels more difficult to maintain.

Add a printed PGP key and the reporter can post more questions online on their homepage (could the NSA detect cut&paste? JS-events with injected JS?).

Times, let me introduce you to ProtonMail.

Pretty cheeky to be the director of security and be leaking to a reporter that you're fucking.

What is the correct way for the USG to behave in this manner? Some people are upset that they seized her communications, but what other choice is there? Just let leaks go unpunished? Or should senate aides et al sign a 'no privacy' agreement, where the USG can do whatever they want to intercept their communications at all points?

Really depends what is "leaked" doesn't it? The only leak I am aware of that breaks a law would be passing classified documents (uncertain if the law specifically extends to discussions at which classified material may be used).

Are you suggesting leaking details of something like the EPA heads abuses of position should be prosecutable?

They could have just revoked his security clearance, forcing him to resign. Think about the resources being expended on criminal prosecution of lying to the FBI.

It's meant to act as a deterrent. Nail one leaker to the wall, and others will be more reticent to leak.

Of course this is assuming the NYT didn't voluntarily give up the source and then ask the government to send them this letter. Given the NYT's history with whistleblowers, I have trouble seeing how anyone is taking this story at face value.

While the reporter works for NYTimes now, she was working at Buzzfeed at the time. It wasn't a NYTimes source.

That actually makes more sense. Still though, it's pathetic that the NYT pretended like they were going to publish the story about mass illegal wiretapping by the NSA and then buried it to get Bush re-elected, and now are complaining about the government reading their reporter's emails. As if this isn't completely deserved.

Freedom of speech does not mean freedom from consequences turns out to be a really shitty idea when it happens to people you agree with.

The Executive Branch is going after both the press and the Congress, and the article doesn't convey anyone putting up too much of a fight. Unless I missed something, I only see statements of concern or principle, from 'we'll see if this is bad' to "we're deeply troubled"

> “Freedom of the press is a cornerstone of democracy, and communications between journalists and their sources demand protection,” said Eileen Murphy, a Times spokeswoman.

> Ms. Watkins’s personal lawyer, Mark J. MacDougall, said: “It’s always disconcerting when a journalist’s telephone records are obtained by the Justice Department — through a grand jury subpoena or other legal process. Whether it was really necessary here will depend on the nature of the investigation and the scope of any charges.”

> Ben Smith, the editor in chief of BuzzFeed News, said in a statement, “We’re deeply troubled by what looks like a case of law enforcement interfering with a reporter’s constitutional right to gather information about her own government.”

This really isn't that surprising. If, by reporting you are directly involved in a crime - you're gonna have a bad time. We can argue all day about whether information should be classified, but the fact remains that disclosing classified information is illegal in the US. Had the reporter engaged in murder or theft while reporting, would there be any outrage? I admit it's a bit odd, because it isn't a crime for the reporter -- but they are definitely involved in the commission of a crime.

> the fact remains that disclosing classified information is illegal in the US

It's not as simple as that; a few points:

1. The Constitution's protection of freedom of the press can outweigh any laws on classification, though the courts haven't said that.

2. The unauthorized release of classified information has many times been important for democracy to function, for government to be held accountable, and that is exactly the role and function of the press.

3. The classification of information is believed by many to be excessive. Much that is classified is not dangerous and doesn't need to be classified. I've read several examples of information classified to cover up government activities.

4. Classification obviously could be used to intentionally reduce accountability to the public. It's not hard to imagine a scenario where the President commits a crime, and it's covered up by classification. Arguably, this happened with NSA spying and CIA torture.

5. Until the Obama administration, Presidents did not prosecute leaks regularly, indicating that they were not viewed as dangerous. Generally, not nearly all laws are enforced; 'it's illegal' is not a threshold, or it seems almost everyone could be prosecuted for something.

> Had the reporter engaged in murder or theft while reporting, would there be any outrage?

Not comparable.

Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact