It may not come as a surprise that journalists need digital security for various reasons. One of them is for protecting their information sources from prying eyes. Australian laws require ISPs to collect and retain metadata, which can be (ab)used to track down the sources.

Just last week, the Australian Federal Police admitted that they had accessed the call records of a journalist without first obtaining a ‘journalist information warrant’. The illegal access was part of an investigation into a leak.

Last week's CryptoAus workshop, held together with The Walkley Foundation, aimed to help journalists communicate with their information sources privately and securely. Our guests had a chance to see and learn to use various tools and practices for protecting the identity of their information sources.

Topics at the workshop

We formed four desks with four different topics covering various challenges journalists may face.

One of the overarching themes was that metadata can be used to reveal the identity of the information source. By applying big data and data mining techniques, a link between the journalist and the information source can be established. Therefore, journalists not only have to protect the content of their communication with their sources but should leave as little metadata behind as possible.

Desk #1 – Scrubbing metadata from documents

The goal of this session was to teach journalists to remove metadata from photos and documents they receive from their sources. Journalists may obtain photos and documents from the sources to support their claims. However, files may contain data that could ultimately reveal the source. Therefore, metadata should be scrubbed from files before any publication.

Photo files sent by an information source may contain EXIF metadata revealing what camera type was used or where the photo was taken. Word and PDF documents, also provided by a source, could contain information about the author and the computer the document was created on. Furthermore, Data Leak Prevention software may embed tracking pixels into the received documents. This technique can reveal the IP address of the computer where the document is opened.

We used various command line tools to scrub the metadata and neutralise any tracking pixels or other malicious code from the documents.

Inspecting the metadata

Exiftool is a command line tool that can display the metadata in more than a hundred different file types.

We recommend running exiftool <filename> on every file before and after the sanitisation process. It not only can reveal hidden bits of metadata but can also confirm that the sanitisation process was successful.

Sanitising Photos

To remove metadata from photo files (png/jpg/gif/tiff), we used a tool called mogrify, which is part of the ImageMagick image manipulation toolkit.

As we can see from the screenshot above, the original photo was taken with an iPhone 6s in Hyde Park, Sydney. The embedded GPS coordinates reveal the exact location as well as the make and model of the camera device.

Once ImageMagick is installed (scroll below for the instructions), simply run mogrify -strip IMG_2125.JPG in a terminal window. The utility will do its best to scrub the unwanted metadata from the photo.

Scrubbing PDF documents

Adobe PDF files can also contain lots of revealing things like the name of the author and the version of the PDF creator software.

PDF files are also a favourite file type for carrying out phishing attacks. JavaScript (yes, PDF may contain them), malicious code and other deceptive content can be embedded into a document.

The good news is that PDF files can be neutralised with pdf-redact-tools. This simple command-line utility takes a screenshot of each page of the document and then reassembles them into a new PDF file. The result is a document that is safe for publication: it is free of tracking and other malicious code and, of course, of metadata.

Once pdf-redact-tools is installed, just simply run pdf-redact-tools -s filename.pdf from the terminal to sanitise your PDF file. It takes a few good minutes to run, so be patient.

The only downside of documents sanitised with this tool is that the PDF file will essentially be a collection of pictures, rather than text. As a result, features such as copy-paste will not be available in the sanitised documents.

Cleaning up Word documents

Word documents can be scrubbed with two methods.

The simpler way is to use Microsoft Word’s built-in document inspector feature. It will keep the Word format sans metadata. For absolute safety, however, you should convert the Word document into a PDF file and sanitise it with pdf-redact-tools.
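To see what the document inspector is looking for, the following added example (not part of the workshop material) opens a .docx as the ZIP package it is and reports the author properties and any externally hosted resources, which is how a tracking pixel is referenced. The sample package, its names and the tracker.example URL are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, the third-party defusedxml is safer

NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/"}
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
IMG = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"

def inspect_docx(blob):
    """Return (identifying properties, external link targets) found in a .docx."""
    props, external = {}, []
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = z.namelist()
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for tag in ("dc:creator", "cp:lastModifiedBy"):
                node = root.find(tag, NS)
                if node is not None and node.text:
                    props[tag] = node.text
        for name in names:
            if name.endswith(".rels"):
                tree = ET.fromstring(z.read(name))
                for rel in tree.iter("{%s}Relationship" % REL_NS):
                    # External targets are fetched from the network when the file is opened.
                    if rel.get("TargetMode") == "External":
                        external.append(rel.get("Target"))
    return props, external

def build_sample():
    """Constructed minimal .docx-like package, used only for this demonstration."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
            '<dc:creator>Jane Source</dc:creator>'
            '<cp:lastModifiedBy>jsource-laptop</cp:lastModifiedBy>'
            '</cp:coreProperties>' % (NS["cp"], NS["dc"]))
    rels = ('<Relationships xmlns="%s">'
            '<Relationship Id="rId1" Type="%s" TargetMode="External" '
            'Target="https://tracker.example/pixel.png"/>'
            '<Relationship Id="rId2" Type="%s" Target="media/image1.png"/>'
            '</Relationships>' % (REL_NS, IMG, IMG))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    print(inspect_docx(build_sample()))
```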

If you are a Mac user, mogrify and pdf-redact-tools can be installed through Homebrew with brew install <packagename>.

Windows users can also install mogrify by downloading the Windows binary of ImageMagick. Unfortunately, to run pdf-redact-tools on Windows, users will need to install a virtual machine with Linux on it.

The Word document inspector should already be part of Microsoft Office 2010 and later. Unfortunately, Office for Mac does not feature this tool. We recommend exporting the Word document to a PDF file and sanitising it with pdf-redact-tools instead.

Linux users can install mogrify with apt-get install imagemagick or yum install imagemagick. For installing pdf-redact-tools on Linux, follow the relevant instructions.

Desk #2 – Secure comms with an information source

The second desk was all about secure instant messaging and file exchange without leaving any metadata behind.

The problem with secure messaging apps like Signal is that although the content of the communication is secure, metadata could still be used to establish a link between the journalist and the information source.

Instant messaging without the metadata

Ricochet IM, on the other hand, does not leave metadata all over the place. The app connects the two parties together over Tor. As a result, a chat session leaves no metadata at either participant's Internet service provider. Any network traffic between the journalist and the source is concealed.

Every Ricochet user has a unique ID, which can be published publicly such as on the journalist’s Twitter profile. Sources can copy-paste these IDs into Ricochet to initiate a chat with the journalist.

Exchanging files without the network metadata

OnionShare operates along the same line. It is a simple file sharing utility operating over the Tor network. The journalist and the information source can use it to exchange files on an ad-hoc basis. Make sure file download links are shared over Ricochet, otherwise a link could potentially be established between the two parties.

Software availability

Ricochet and OnionShare are both available on Windows, Mac and Linux.

A detailed configuration guide is available in one of CryptoAUSTRALIA's projects, called Privacy for Journalists.

Desk #3 – Secure comms with Signal

On the other hand, metadata may not be a concern at all. In certain cases, journalists may prefer to communicate with their sources privately. However, they are not worried about the identity of their sources. In this case, a standard secure messenger app such as Signal or WhatsApp is an appropriate choice.

Signal not only supports text messages and voice calls, but video calls are also available. What is more, a desktop application makes text messaging super-convenient.

We helped our participants to set up Signal on their phones, and link it together with the desktop app.

Signal is available on Android and iOS. The desktop app requires Google Chrome, which is available on Windows, Mac and Linux.

Desk #4 – Sneak-peek into a whistleblowing platform

Although Ricochet and OnionShare are both great tools for communicating with sources without leaving traces of metadata, sources may find them too complicated to install and set up. Also, these tools are not scalable, as both Ricochet and OnionShare only support one-on-one connections.

Newsrooms may prefer tip-offs to be received by a group of journalists rather than a single person.

A further disadvantage is that the sources need to install and set up these special tools. This will discourage less tech-savvy sources from getting in touch with the journalist.

Whistleblowing platforms can solve these issues. Sources can just simply use a web browser or the Tor browser to connect. On the receiving end, files and messages can be retrieved easily by multiple users.

SecureDrop

SecureDrop is probably the most well-known application of all. The New York Times (illustrated below) and dozens of other media outlets chose this platform.

The issue with SecureDrop is the complexity of setting it up and operating it. First of all, technical expertise is required. Media outlets, however, may not have this talent available. Secondly, SecureDrop requires three physical servers and a special viewer workstation to run. The installation guide explicitly states that using virtual servers is unacceptable.

These strict requirements all make the platform very secure, there is no doubt about that. However, these conditions could make SecureDrop a costly operation and could be discouraging for smaller organisations to run a service.

GlobaLeaks

In low-risk environments, GlobaLeaks can be a practical alternative.

Information sources need to connect to the service with the Tor browser or a web browser. Once they are logged in, sources can upload files and send messages to a journalist by clicking on simple links and file dialogues.

The platform's software and hardware requirements are far more relaxed. GlobaLeaks only requires a single server to run, and virtualisation is acceptable. Media outlets with plans to operate a secure tip-off service may find this platform more appropriate than SecureDrop.

CryptoAUSTRALIA was running a test GlobaLeaks instance during the workshop. Our guests could connect to our mock service with the Tor browser, and upload files and send messages through the platform. The admin panel of GlobaLeaks was on a display so our guests could see how a journalist would retrieve the files and messages from the admin panel of the service.

A detailed GlobaLeaks user's guide with more screenshots is available in our GlobaLeaks guide on Privacy for Journalists.

Summary

A combination of tools and practices was demonstrated at our secure comms workshop last week. Journalists could see and learn to use them for protecting the identity of their information sources.

Our guests had a chance to learn and understand why these tools should be used in certain situations and how. The journalists were also given the opportunity to bring along their computer and install these special tools on their own devices. Finally, they could test drive a professional whistleblowing platform that numerous news outlets chose and operate.

Credits

If you are interested in learning more, come and join our next event during Privacy Awareness Week. You will have the chance to meet and talk to a panel of experts from prominent privacy organisations.

If you need help with source protection, you can contact us and our digital security experts will help you.

A big thanks goes to The Walkley Foundation for having us at the event. Make sure to check out their Future Fridays series for more interesting talks.

Last but not least, thank you to every single volunteer who joined us as a workshop instructor.

Cover photo courtesy of Alex Steffler