Globaleaks – Keep the next Edward Snowden safe

0
1053

Mark Felt, Daniel Ellsberg, Chelsea Manning, Edward Snowden, so many familiar names which the media put on the first pages of all newspapers, presented as true heroes. But, who are they?

Source: www.globaleaks.org

Whistle-blowers

noun [c] /ˈwɪs.əlˌbləʊ.ər/

a whistleblower is someone who reports waste, fraud, abuse, corruption, or dangers to public health and safety to someone who is in the position to rectify the wrongdoing“[6]

Whistleblowers have become modern heroes, even more at the digital age, in disclosing information about wrongdoings that remain unknown to the wider population. Their names, faces, words travelled around the globe and were targets of the public attention and the media.

The disclosed information is, most of the time, classified as internal, confidential or in some cases Top Secret. This unauthorized discolure of information put the whistleblowers in very risky positions from a legal standpoint. As a consequence, there is a great need for technical means that safeguard their anonymity.

Globaleaks is a free, open-source and easy-to-use platform that answers this need for anonymity to whistleblowers. When set up, anyone can send documents through the platform and remain fully anonymous, protected by technical and cryptographic methods.

Supported by the Hermes Center for Transparencey and Digital Human rights, founded in 2011, Globaleaks has been developed by hacktivists, laywers and digital rights whose purpose is to advocate for freedom of speech, the human rights protection as well as personal freedom on the internet.

Useability

Globaleaks open-source platform is aimed at supporting non-technical users with a very easy-to-use implementation and web-user interface. The installation process only takes a few steps and the platform can be quickly set up without any prior programming or software knowledge.

Upon login, you are redirected to the home page of your whistleblowing platform. Everything is fully manageable from this simple web interface which supports more than 40 languages.

Globaleaks Web-Interface homepage

Customization is an important aspect of the platform’s mission to support whistleblowers. It relies on the idea that the whistleblowing depends on its context and environment. Therefore, the platform must reflect the cultural background of the field and create trust between whistleblowers and the organizations that provide the platform. Besides the possibility to change the key aspects of the website like the title of the homepage, it can be tailored to the needs of any organizations through custom CSS, Javascript files and still beneficiate from the technical support from the Hermes Center.

Globaleaks Web-Interface homepage

Questionnaires can be created and managed from the very easy-to-use interface. It enables the platform owner to know more about the leaked documents. For instance, information about the subject, or getting a complete description of the leaked information. Furthermore, the whistleblower can also select the receiving organization as an option.

Cases (submissions) can be easily managed from the web interface itself and tracked according to their status. The administrator can have a overview of the newly open cases and closed ones.

Globaleaks Web-Interface Case Management View

In order to further simplify the usability for its users, Globaleaks acknowledged the fact that using TOR network was a source of security issues for non-technical users who are struggling with configuring a secure working environment. Therefore, the system also gives the option to operate on HTTPS to enable accessibility to less skilled users.

Security

When it comes to the disclosure of highly sensitive information that can put the whistlblowers in jeopardy, security is perhaps the most important feature. Globaleaks is built in a way to preserve the anonymity of users and features a very important security dispositive.

Firstly, the design of the software when it comes to privacy makes difficult to trace back the IP address of the whistleblowers. All submissions and elements that compose it (questionnaire, comments, attachments, correspondence and even metadata) are encrypted and protected. Nothing is stored in plaintext on the servers.

Secondly, Globaleaks added a feature that is strongly related to privacy and security concerns: a robust retention policity that deletes the submissions after a given period of time in order to reduce the risk of future security breaches.

Furthermore, security audits are regularly performed in order to identify and classify all risks. It is worth mentioning that the last audit was performed in 2018 with little risks identified which were since then corrected. A very active Github community is constantly improving the software which support the security of the platform.

Finally, no transfer of data occurs between the hosting organization and Hermes Center. The ownership of the data remains with the organization which operates the instance of Globaleaks.

Some real-world implementations

Source sûre –  Investigative journalism

Source: https://www.sourcesure.eu/

Usually, journalists are protected by law and some local regulations. However, these are often disrespected, even by authorities. In order to help whistleblowers having a safe and anonymous place to share information, four French-speaking newspapers, “Le Monde”, “La Libre Belgique”, “Le Soir de Bruxelles” and “RTBF” launched their whistleblowing platform for investigative journalism called “Source sûre”, “Safe source” in English. Wistleblowers can currently choose among eight available media, to which of them the information will be sent.

https://www.sourcesure.eu/

Prosecutor Office at the International Criminal Court (ICC)-  Human rights protection

Source: https://www.icc-cpi.int/carII

Globaleaks has been used since many years to report human rights violations by many international organizations like Amnesty International or the Prosecutor Office at the International Criminal Court. It facilitates the sharing of information between lawyers, organizations and witnesses of genocides, crimes against humanity and war crimes.

https://www.icc-cpi.int/carII

Alternatives

The most popular alternative to Globaleaks is Securedrop which is primarly intended to help journalists share documents in a secure and anonymous fashion and communicate with their sources. The main organizations using this platform are “The Guardian” and the “New York Times”.

Source: https://securedrop.org/

Securedrop focus on the security model rather than on the usability of the platform. Its configuration requires the intervention of advanced users that will need to set up a dedicated TOR connection for instance. Securedrop requires a larger IT architecture in which receiving servers aren’t able to open the uploaded documents. Only “air-gaps”, computer with no internet access, are able to decrypt the documents read on a physical storage like a basic USB key.

In terms of usability, Securedrop requires advanced skills in Linux system administration. When documents, information is submitted on the platform, recipients (e.g. journalists) have to download the encrypted documents and transfer it on the air-gaps for verification. This process described as “labour-intensive” is particularly subject to spam abuses.

How to get started?

Globaleaks serves as a customizable platform that can directly be downloaded from their website www.globaleaks.org and follow the installation procedure.

The software is only designed to run on GNU/Linux distributions and it is specifically developed and tested to run on Debian based systems.

Only a few quick and simple steps are required to install the software locally on your machine, informing your project name and creating your login credentials.

Extensive user documentation is available on their website addressing various types of users (administrators, users, developers).

Summary:

  • Globaleaks is a digital platform providing anonymity to whistleblowers in just a few easy clicks.
  • It offers excellent useability for non-technical users, especially customization options and case management features without compromising on its security.
  • Main alternative is Securedrop which emphasizes on security rather than usability.

Sources

[1] Borland, J. (2017, June 3). Whistleblowing Rippling into New Corners. Wired. https://www.wired.com/2013/12/whistleblowing-rippling-new-corners/

[2] Digital whistleblowing with GlobaLeaks. (2015). International Journalism Festival. https://www.journalismfestival.com/programme/2015/digital-whistleblowing-with-globaleaks

[3] Jenkins, M. (2020, April). Overview of whistleblowing software. Anti-Corruption Resource Center, Transparency International. https://www.u4.no/publications/overview-of-whistleblowing-software

[4] Protecting whistleblowers – protecting democracy. (2020). European Digital Rights (EDRi). https://edri.org/our-work/protecting-whistleblowers-protecting-democracy/

[5] ReportLinker. (2020, October 20). Whistleblowing Software Market Forecast to 2027 – COVID-19 Impact and Global Analysis by Deployment Type ; Enterprise Size ; and Geography. GlobeNewswire News Room. https://www.globenewswire.com/news-release/2020/10/20/2111359/0/en/Whistleblowing-Software-Market-Forecast-to-2027-COVID-19-Impact-and-Global-Analysis-by-Deployment-Type-Enterprise-Size-and-Geography.html

[6] The National Whistleblower Center. (2020, March 27). What is a Whistleblower? National Whistleblower Center. https://www.whistleblowers.org/what-is-a-whistleblower/