Monday, June 25, 2018

Digital Security: Some Thoughts on the New York Times Leak Case


On June 22, 2018, the Electronic Frontier Foundation (EFF) published an article, "Journalists and Digital Security: Some Thoughts on the NYT Leak Case."

I would like to highlight two points from the article and encourage you to visit the EFF and read the entire article.

First, according to the New York Times article, FBI agents “secretly seized years’ worth” of Watkins’ phone and email records. “Among the records seized were those associated with her university email address from her undergraduate years.” However, “Investigators did not obtain the content of the messages themselves.”

Many digital security resources, including EFF’s own Security Self-Defense (SSD) guide, emphasize using end-to-end encryption. However, it’s important to understand that while encryption protects the contents of communications, encryption does not mask metadata. Thus, without listening to or reading the communications themselves, government agents can see who you talked to and when, and sometimes from what location.

Unfortunately, completely masking communications metadata is nearly impossible. Creating a temporary email account through an anonymizing tool like Tor can make it more difficult to associate that account with a particular person. Features like Signal’s Disappearing Messages will automatically delete some metadata after a set period of time, making it harder for law enforcement to acquire it after the fact.

Second, the government obtained the contents of communications Wolfe had with reporters over encrypted messaging apps (apparently Signal and WhatsApp).

Our guess is that the FBI got a warrant for Wolfe's phone and somehow accessed the apps -- perhaps his phone wasn’t locked, agents had his password, or they used a forensic tool to bypass the lock screen and any device-based encryption. It’s also possible investigators found backups stored in the cloud or on a hard drive that contained the unencrypted messages. (This issue has also come up in the Mueller investigation.)

If this is what happened, then it's important to understand that although end-to-end encryption thwarts interception of communications content, if that content is sitting unencrypted at an end point—that is, in an app or a backup—then anyone who has access to the journalist’s or suspected source’s phone or backup may be able to see those messages. Therefore, deleting unencrypted messages is an added security precaution. Once again, Signal’s Disappearing Messages feature is an effective way to defend against future device searches.
--
  • Good crypto can't protect you against bad OPSEC.
  • Yes, use end-to-end encryption, it's important.
  • Use ephemeral (disappearing) messages.
  • Don't store messages on your phone or computer - read them and delete them!
  • Don't back up messages to the cloud. They may not be encrypted when backed up, and the cloud is just someone else's computer where data can be subpoenaed.
--



 
     
