Security

Aaron Swartz legacy lives on with New Yorker's Strongbox: How it works

Strongbox was Aaron Swartz's final project. Michael P. Kassner explains why The New Yorker requested a way to keep sources and their information secret.

It's not often a news agency promotes an "above-the-fold" breaking-news article about itself:

WASHINGTON (AP) -- The Justice Department secretly obtained two months of telephone records of reporters and editors for The Associated Press in what the news cooperative's top executive called a "massive and unprecedented intrusion" into how news organizations gather the news.

"Freedom of the Press" is one of the founding principles of the United States. All throughout our history, news services also known as the "Fourth Estate" ensured balance, keeping democracy healthy. Also, all throughout our history, individuals or groups have tried to suppress those who want to shed light on wrongdoing. There's even a term for it -- chilling effect.

Impeccable timing

The New Yorker has either impeccable timing or fortuitous luck. Just two days (May 15th) after the Associated Press story made headlines, New Yorker contributor Amy Davidson introduced Strongbox, a method for maintaining anonymity between reporters and sources:

Readers and sources have long sent documents to the magazine and its reporters, from letters of complaint to classified papers. But, over the years, it's also become easier to trace the senders, even when they don't want to be found. Strongbox addresses that; as it's set up, even we won't be able to figure out where files sent to us come from. If anyone asks us, we won't be able to tell them.

As I read further, I began to realize Strongbox (originally called DeadDrop) has been a long time coming; in fact, it was a two-year collaboration between Kevin Poulsen and the late Aaron Swartz. The reason Kevin asked Aaron to work on Strongbox was Aaron's extensive coding skills, familiarity with anonymity, and Aaron already having a piece of the puzzle in place;  Tor2Web, a previous project of Aaron's that allows anonymous posting of sensitive documents on the Internet. Aaron, true to form, only agreed to take the project on if the code would be open-source.

Kevin provides an insightful account of how Strongbox came to fruition in his New Yorker article, "Strongbox and Aaron Swartz." A particularly poignant moment in Kevin's article describes Aaron's untimely death:

By December, 2012, Aaron's code was stable, and a squishy launch date had been set. Then, on January 11th, he killed himself. In the immediate aftermath, it was hard to think of anything but the loss and pain of his death.

Kevin eventually wondered about the appropriateness of continuing Strongbox:

His suicide also raised new questions: Who owned the code now? (Answer: he willed all his intellectual property to Sean Palmer, who gives the project his blessing.) Would his closest friends and his family approve of the launch proceeding? (His friend and executor, Alec Resnick, reports that they do.)

How Strongbox works

Also true to form, Aaron provided exact details and flow charts of how Strongbox worked on GitHub. Below, I attempt to give the short version of how it works:

Steps taken by the source: Download and install client software from Tor Project (https://www.torproject.org). Next access Strongbox (http://tnysbtbxsf356hiy.onion/) using the Tor Network. Once there, instructions inform how to upload messages and or confidential files. After that, the source receives a random-generated code name. (I blocked out my code name.)

What happens behind the scenes is an interesting and intricate process. The following slide (courtesy of the Aaron Swartz estate) provides an idea as to how complex the process actually is.

Click image to enlarge.

Please note where the source and journalist are in relation to each other and all the steps in between.

The internal steps: The following bullets explain some of the more important "behind the scenes" pieces of the process:
  • Once uploaded, the source's files are encrypted, and sent to a server independent of the Conde Nast network.
  • Using a VPN connection, one of only two reporters from New Yorker check the Strongbox server for new material.
  • Any new files found by the reporter are downloaded to a flash drive.
  • stand-alone computer is booted via a live CD.
  • A second flash drive containing the decryption keys is plugged into the stand-alone computer.
  • The first flash drive with the encrypted material is also plugged into the stand-alone computer.
  • The source's files are decrypted, and checked with forensic software for incriminating metadata and malware.
  • If The New Yorker needs to send a return message, the process is reversed using the source's code name.

Final thoughts

On occasion, I have been asked to protect a source's anonymity, giving me a sense of the responsibility and pressure mainstream journalists and news agencies must cope with. So, if the new normal is going to become Grace Hopper's, "It's easier to ask forgiveness, than it is to get permission," I'm glad tools like Strongbox/DeadDrop are available, and open-source for all to use.

I also wanted to thank Tyler Pitchford for walking me through the legal intricacies of the rapidly developing AP incident.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

8 comments
JCitizen
JCitizen

but a great development for maintaining our freedoms. I'm frequently critical of the press for giving away tactical information, that was not really needed to know by the public during the GWOT, but that doesn't mean I think they should lose their 1st Amendment rights just because some individuals and/or news agencies choose abuse them. I feel the same way about our 2nd Amendment rights - just because crazy nuts want to abuse them, doesn't mean you take it away - this ridiculous concept is utterly preposterous and beyond contempt! It seems our government has also forgotten that we are not given these rights by and for the government, but hold them totally above the law, and are inalienable. When are these knuckle heads going to wake up? This is a great article Michael, and I've seen nothing like it from other sources! Congrats!! :)

Dogcatcher
Dogcatcher

The guys at Justice are neither stupid nor clueless. When issuing a subpoena to a news organization they likely anticipated the blow-back and hoped for a chilling effect. When your goal is to stop leaks, then discouraging leaking counts as success. Subsequent to the Democrats' decision to try to get to the right of Republicans on national security issues, our leaders have followed a dangerous course, with neither major party demonstrating concern for our civil liberties and the freedoms that used to be understood as American values. Anyone wanting a refresher on how bad things can get may want to watch the German film [i]The Lives of Others[/i] currently running on the Sundance Channel. It is an intense look at what happens when the Stasi send an officer to secretly monitor the conversations of a playwright and his actress girlfriend. http://www.sundancechannel.com/films/the-lives-of-others-2

Wingkeel
Wingkeel

To a free and often miss-understood free Press, It's quite easy for us self-righteous armchair experts to pass judgement on the Press. Articles like this bring the point of reality home illustrating the reason why the press is allowed such freedom. The stark reality that we are a free-People because of a free-Press and not in spite of it, needs to be revisited from time to time. As corrupt as our Government today, can you imagine what it could be like without a free-Press? If Government officials could do anything they wanted for their own gain without the threat of being exposed? From the bottom of my heart, thank you for all you do to ensure we remain free!

Michael Kassner
Michael Kassner

Even if it is found the DOJ was wrong, the "Chilling effect" on sources coming forward to news agencies and reporters may be damaged. Kevin Poulsen, the late Aaron Swartz, and The New Yorker have developed a way for sources to remain anonymous, and keep their documents confidential.

tylerpitchford
tylerpitchford

We may not always agree with what people do with their freedoms, but that doesn't mean we shouldn't have them. It's really the divergence of ideas that keeps us strong; at least that's how I like to look at it.

Michael Kassner
Michael Kassner

Our country would be a place I'd rather not experience if the "Fourth Estate" was shackled.

Michael Kassner
Michael Kassner

Thank you Wingkeel. While researching for this article, I read a doctrine that mentioned the founding fathers were so concerned about Freedom of the Press, they put it into each of the colonies founding papers.

Editor's Picks