GlobaLeaks: anonymous whistleblowing framework

Claudio Agosti vecna@globaleaks.orgFrankfurt

ThinkTwice PP-INT 23/02/2014

Who we are ?• Hermes Center, for transparency and

digital human rightshttp://logioshermes.org

• Advocate in digital human rights• Developers (tor2web software)

https://globaleaks.org

GlobaLeaksWhat we don't

• After WikiLeaks cablegate:

• No more a central entity would face a danger so extreme

• General-purpose whistleblowing may be unable to understand details and environment

Who want whistleblowing ?

Who want whistleblowing ?

Whistleblowing + Technology = Citizens Power

Digital Whistleblowing

How connect them ?• Whistleblowers are someone with

“something to tell”.– a WB may not know that someone is

interested

• Journalist can trasform the right information in an action, in a change.– a WB may not know the right journalist.

“if you know something, you can do something about it”

Is internet safe for whistleblowers ?

• Online/LAN data control is a business itself• Offices control is commonly present• Whistleblowers

protection law• Freedom of speech

threatened in somecountries

• Reprisal/revenge

Our project• Free software

– We do not run services• Every topic may have an appropriate

whistleblowing site– We call them contexts

• Roles separation– Whistleblower– Node Administrator– Receivers (Journalists, experts, public

official)

Paradigm change

When “online” psychological barrier reduce

Digital Whistleblowing works only with strong privacy

But online reporting actions could leave online

Especially due to massive government surveillance

Not every node has NSA as primary concern...

• But you can't go back from not being anonymous

• GlobaLeaks is a framework, can adapt shape in different environments

• Note: 10 languages supported, and growing with Transifex!

EmailWeb BrowsingPhone callsLocation trackingMetadataData retention

Connection Protection• Guarantee whistleblower anonymity

(of whistleblower connection, almost)– No one can materially have information about the

whistleblower (admin, server, others)• Protection from censorship attempt• Do not disclose service

physical location

Security• Anonymity or Confidentiality (Tor, Tor2web, configurable)• Encryption

● Files encrypted with PGP● Realtime AES encryption from XHR to the disk

● 3 professional security review (iSec, cure53, leastauthority)● Data Retention

● Submissions are deleted every 2 weeks (configurable), keep server clean

● Whistleblower Awareness● PrivacyBadge, Forced disclaimers, Awareness messages

Running a GlobaLeaks node...

The troubles of the “node administrator”

● Social Activism by soliciting whistleblower isn’t just “running a whistleblowing platform & a twitter account”

● Different social goals, methods, threat model for various actors

● Different way to “transform information into action”● Activists often lacks all the skills required to startup

a whistleblowing initiative in an “effective” way

The rensponsibility of the “node administrator”

● Once a while / at the setup● Infrastructure, Security, Software and

procedures, Legal

● Always● Editorial, ADS/promotion, Fundraising,

Organization

The rensponsability of the “receivers”

• Trust only data– They are much more checkable than

gossip

• They need to be knowledgable about the subject, but not eventually related– They may be selected by the available

receivers, so have to declare their

https://irpi.eu/irpileaks/

http://atlatszo.hu/magyarleaks/ http://www.perun.rs/

Investigative Journalist Digital Dropbox• Investigative Journalist Groups acting on Topics of Public Interests• Journalistic investigation and fact-checking done in-house• Publishing of scoops and articles

Select Category

Send Tip

Fact Checking

Investigative Journalism

MediaMedia PublishingPublishing

Coordinate release across multiple media

Coordinate release across multiple media

Initiative supported by:http://pistaljka.rs/

Pistaljka: Anti Corruption Activism

Send Tip Issue FOIA SerbianGov

SerbianGov

AuthoritiesAuthorities

MediaMedia

Structured workflow of operation for Serbian wholesale anticorruption initiative

Recent Achievements:• 30/12/2013: Release of Iceland Banking Collapse raw data• 31/12/2013: Ministry of Finance found to be key stakeholder in saved banks

LJOST: Government Transparency Activism

Send Tip Validation Raw Data PublishingRaw Data Publishing

Crowdsourcing

Factchecking

May lead to Publishi

ng

May lead to Publishi

ng

http://www.ljost.is Iceland Government Transparency Activism

42 media partners• National Media• Printed Journal• Online Media• TV• Local Media

https://publeaks.nl

PubLeaks Foundation• Consortium by all media partners• Manage the IT infrastructure• Can’t access to Leaks• Provide technical support• Provide “Secure” Laptop

Achieved amazing result in few months• Abuse of power by politicians• Abuse of public funds• Already got attempt of Takedown

https://secure.publeaks.nl

Multi Stakeholders Digital Whistleblowing

Key Points:• Stimulate cooperation• Stimulate competition• Whistleblower choose reputation based

Select Media

Send Tip

Fact Checking

Fact Checking

Max 3 in parallel

out of 42

Max 3 in parallel

out of 42

IF only 1 media

IF multiple mediareceive the leaks

ExclusivityExclusivity

• Embargo Period• Cooperation Rules

• Embargo Period• Cooperation Rules

Publishingon mediaPlatform (web,

printed, tv)

Publishingon mediaPlatform (web,

printed, tv)

MUST write that source come from publeaks

MUST write that source come from publeaks

MafiaLeaks: Activism against Organized Crime

Mafia Whistleblowers

MAFIA LEAKSMAFIA LEAKS

AuthoritiesAuthorities

AntiaMafia ONGAntiaMafia ONG

Antimafia JournosAntimafia Journos

Victim of Mafia

“I know something”

http://www.mafialeaks.org

What’s your social activism schema and ideas?

Questions ?• Technical Documentation

http://github.com/globaleaks/GlobaLeaks/wiki• Project Plan (outdated! But...)

http://globaleaks.org/ProjectPlan.pdf

• Contacts

http://logioshermes.org

WE – Whistleblowe Everywhere @globaleaks