Whistleblowing In The Surveillance Age

This article was published in Bitcoin Magazine “The question of inscription.” Click here For your annual subscription to Bitcoin Magazine.

Bitcoin allows the permanent recording of data in the public record. However, blockchain-related whistleblowing remains a terrible idea.

Leaking information is a risky business. If you get access to sensitive information — especially if you're not supposed to have said information in the first place — you can't send an email or post to your Twitter feed. If you do, before you know it, you will be tracked down, identified, and thrown in prison, while the data you obtained will be quickly deleted.

By recording information on the Bitcoin blockchain, the data you have obtained cannot be deleted. Just as a Bitcoin transaction is final, so is any information published on the blockchain. There forever, for anyone in the world to see. But what sounds like a grandiose plan to leak information – let's call it WikiLeaks 2.0 – is actually not a very smart idea.

Whistleblower protection is of the utmost importance to any sophisticated publisher. This is definitely not easy. By publishing data yourself directly to the Bitcoin blockchain, you may miss important data points that could identify you as the source. Readers will also not be able to verify the chain of custody, which could discredit your leak. In addition, neither Bitcoin nor the Internet are privacy technologies, which could result in your identity being leaked via various mechanisms to the public.

Watermarks and digital fingerprints

Many major companies use methods to identify the sources of leaks, such as watermark analysis and digital fingerprinting. Watermarking is the process of changing a piece of data to make it uniquely identifiable, while digital fingerprinting is derived from information inherent in most forms of digital communication. Both are largely invisible to the human eye.

One common way to watermark is to adjust the spacing between text in documents that employees have access to. Tesla's Elon Musk used spacing to watermark documents to identify the person behind a 2008 email leak, which revealed that the company only had $9 million in cash. Each email sent at Tesla has slightly different text spacing, forming a binary signature to identify the source of the leak.

Another way to watermark documents is via printers. Again, most printers – especially laser printers, which are invisible to the naked eye – form unique dotted patterns on printed documents in order to identify which printer the document was printed on.

Click the image above to subscribe!

This was the case with Reality Winner, which leaked to the American newspaper confidential information about Russian interference in the 2016 US elections. Objection. Objection, funded by eBay founder and CIA friend Pierre Omidyar (whom journalist Yasha Levin called “one of the scariest tech billionaires out there”), published the Winner documents without removing the document's watermarks, leading to Winner's arrest. While a watermark adds recognizable patterns to Data, fingerprints deduct recognizable patterns from Data. For example, the headers of JPEG images typically contain unique metadata that gives indications about the device on which the image was captured, as well as the time and location of the image. Fingerprints may also indicate which platform was used for communication, as most platforms use different compression mechanisms to send data. Unless you are aware of all the ways a document can be watermarked and fingerprinted, leaking the information yourself is not a good idea.

Chain of custody

Establishing a chain of custody is important to protect the credibility of leaked information. Simply adding documents to the blockchain will not help journalists verify the integrity of the information you uploaded, likely resulting in a loss of your credibility.

The chain of custody is important for maintaining ethical reporting standards. Just as law enforcement is required to protect the chain of custody to ensure evidence is not altered, journalists are expected to verify any and all information they receive. This is done by identifying the provenance of a particular document and by the number (and from whom) it subsequently passed into hands. Without documenting how and by whom the document was handled, it is difficult for journalists to determine whether the leak is real or has been manipulated. In general, the chain of custody attempts to answer the questions of who, when, why, where and how the document was discovered.

Denigration has become somewhat of a profession. In general, there are two ways to discredit a leak: discrediting the leaker and discrediting the leak itself. Discrediting a leaker can include revealing undesirable information about a target, such as sexual relationships or health problems, or outright accusing the leaker of invoking a perception of bias, with an emphasis on from And Why.

The credibility of the documents is greatly discredited by sowing further uncertainty about the chain of custody of the leak. Chain of custody here creates a dilemma, as removing metadata to protect us from identification makes it harder to determine who, when, why, where, and to what extent. Therefore, in digital forensics, the focus is often on whether documents appear authentic, accurate, and complete, as well as whether the documents are believable and interpretable. Without a consistent chain of custody, establishing originality, accuracy, completeness, credibility, and interpretability becomes more difficult, making it much easier to lose credibility.

While we can be sure that the leaked document was not tampered with after it was added to the blockchain, we cannot answer the questions of who, when, why, where and how, regarding the much-misunderstood dilemma that the blockchain can only verify data it has produced itself – which has been Perfectly illustrated by Todd Eden in 2018, who added the Mona Lisa image to the blockchain-based art platform VerisArt, turning himself into a verified Leonardo da Vinci. This makes leaking information about the Bitcoin blockchain meaningless unless due journalistic diligence is applied.

Private information on the Internet

Contrary to popular opinion, Bitcoin is not a privacy technology. Even if you do not fingerprint documents and follow chain-of-custody procedures, publishing information on the public blockchain can still lead to your identification.

The easiest way to determine where a leak is originating is through so-called supernodes. A supernode is a node in Bitcoin's peer-to-peer network that establishes connections to as many nodes as possible, allowing it to know which node a transaction originated from.

We might now think that using the Tor network might be enough to hide our private information and prevent it from being accessed. But because blockchain surveillance works closely with government intelligence — Chainalysis has received more than $3 million in the past two years from the CIA's venture capital fund In-Q-Tel, while its competitor Elliptic was founded through the GCHQ accelerator — it must We have to assume that blockchain monitoring companies have access to global passive adversarial resources.

A global passive adversary is an entity that has the ability to monitor all traffic on a given network. By doing so, it is able to determine when a package was sent and when it was received, linking sender and recipient. For example, if you use the Tor network from within the United States to access a website in the United States, the United States knows which websites you have visited by correlating the timing of network requests sent and received. Because the United States is a passive global adversary, it has the ability to globally tie the timing of network requests.

To leak information securely, it is recommended to do so via the Tor network from the Internet café while refraining from executing any other web request. If you leaked a document from an Internet café and recently logged in to your email from the same computer, your identity could be assumed even when using Tor. Therefore, you should never use your computers to leak information, as computers are also fingerprinted all over the World Wide Web, from the sizes of browser windows used to applications installed. In addition, it is recommended to visit the sites from which information will be leaked while leaving your phone at home, as intelligence is able to obtain your location records. Nation states here have the ability to track your location even when your GPS is disabled by tracking the network requests your phone sends to the WiFi networks you pass through.

Unfortunately, it is unlikely to find an internet café that will allow you to install a Bitcoin node. Therefore the only other way to leak information securely is to purchase a disposable computer, as using someone else's node leads to more specific information being leaked to untrusted third parties. But once your personal devices and secret computer are connected to the same networks, you can be identified again.

Conclusion

Leaking information is very important, especially when it comes to abuse of power. But it's also incredibly dangerous. Using Bitcoin as a whistleblowing platform, as has been suggested many times throughout the ecosystem, is a terrible idea given the risks involved.

The Tor network is insufficient to protect an individual's privacy in the face of negative global adversaries, making direct deployment on the Blockchain very difficult while ensuring the protection of an individual's identity, as the Bitcoin network is insufficient to protect an individual's personally identifiable information in general. Documents can contain invisible fingerprints that lead to a person's identity, and the lack of chain of custody will likely tarnish the reputation of your leak.

It's dangerous to think you're safe from government and corporate surveillance, because it leads to less caution and more reckless behavior. It is always better to be safe than sorry. Unfortunately, this slogan doesn't seem to resonate with many Bitcoin users these days.

This article was published in Bitcoin Magazine “The question of inscription.” Click here For your annual subscription to Bitcoin Magazine.

AgesurveillanceWhistleblowing
Comments (0)
Add Comment