INTERVIEWING THE MOST WANTED MAN in the hemisphere is not something any sane person undertakes lightly. Aside from weighing the risk to one’s personal safety, a journalist must also protect his or her source by taking careful precautions — some reporters have gone so far as to risk or actually receive jail time rather than break the confidence of their sources. As the Snowden revelations have brought ubiquitous mass surveillance into sharp relief, these considerations have become far more complex and personal fortitude isn’t always enough.
On Saturday, Rolling Stone published a major scoop: Actor Sean Penn traveled to northwestern Mexico to speak with Joaquín Archivaldo Guzmán Loera — “El Chapo” — the notorious leader of the Sinaloa drug cartel. It was El Chapo’s first (and perhaps last) press interview as a free man. At the time of the visit, El Chapo was a fugitive in hiding, but the day before the article went live, Mexican marines, with support from the U.S. Drug Enforcement Administration and U.S. Marshals, captured him after “a fierce gun battle.”
Mexico’s Attorney General Arely Gomez has said that Penn’s face-to-face meeting with Guzmán “was an essential element” in the operation that led to the fugitive drug lord’s apprehension. Mexico City’s El Universal published a photo gallery of what appears to be a series of surveillance images of Penn and actress Kate del Castillo’s arrival in Mexico to meet with Guzmán.
The photos notwithstanding, there are still plenty of reasons to maintain a healthy skepticism of the official line that Penn inadvertently helped Mexico and the U.S. catch El Chapo and there is no public suggestion that his digital security practices led to the raid.
Penn clearly made an earnest effort to cover his digital tracks, and it’s easy for even the most skilled operators to make costly errors, but the self-described “single most technologically illiterate man left standing” details a litany of seeming operational security mistakes in his communications. Most of these descriptions are vague and could be misinterpreted, and, of course, he could also be omitting other, more effective security measures he employed. Thus, this article is intended as a case study in source protection based on the limited information available. The Intercept reached out to Rolling Stone for this article but they did not respond.
In the age of mass surveillance, technological ignorance is no longer an option, but even best practices are far from foolproof. If you’d rather skip the don’ts and jump right to the do’s, technologist Micah Lee, my colleague at The Intercept, has written some of the handiest explainers out there on how to implement operational security best practices, which can be read here, here, here, here, here, and here.
Penn’s first error is his most egregious, precisely because it is the simplest operational security rule by which one should abide: Don’t talk specifics about your operational security. The descriptions of his security methods are the first words of his 10,000-word article:
It’s September 28th, 2015. My head is swimming, labeling TracPhones [sic] (burners), one per contact, one per day, destroy, burn, buy, balancing levels of encryption, mirroring through Blackphones, anonymous e-mail addresses, unsent messages accessed in draft form. It’s a clandestine horror show for the single most technologically illiterate man left standing. At 55 years old, I’ve never learned to use a laptop. Do they still make laptops? No fucking idea!
Let’s imagine a hypothetical scenario in which, at the point the article is published, Guzmán is still at large and Mexican and U.S. officials searching for him were unaware of his rendezvous with Penn. Each of these details becomes a clue for law enforcement.
Using mass surveillance to track criminals or terrorists invokes the tired but true analogy of “a needle in a haystack.” By revealing specific brands of equipment, types of software, and particular practices, you greatly narrow the haystack that any analyst has to sift through. If your goal is to protect your source, revealing these sorts of details to establish your James Bond bona fides is an error that could be putting your source’s life at risk.
In this case, the problem is compounded by the fact that none of the particular practices is particularly effective at evading a major nation-state adversary, which I will explore below, item by item.
Penn rightfully suspected that the feds might be on to him and reiterates this throughout the article. At one point he writes, “There is no question in my mind but that the DEA and the Mexican government are tracking our movements.”
While encrypted emails or messaging, when used effectively, can help obscure what someone is saying, encrypted communications produce voluminous, potentially compromising metadata that can be used to track location. Metadata is not the contents of communications, but information about the two devices in contact. If your source is using a mobile phone on a cellular network, metadata can be used to geolocate him within 30 feet of his actual position. If your source is using a standard internet connection without an effective VPN or anonymization service, like Tor, that information can identify a location to within less than a half mile.
Geolocation via metadata is a very valuable tool in the intelligence community’s arsenal. As former head of the NSA and CIA Michael Hayden once put it, “We kill people based on metadata,” which is why top jihadis have learned to stay off the phone and off the internet. This 2014 article from The Intercept explains how it is done.
Finally, the mere use of sophisticated encryption programs in parts of rural Mexico described by Penn by those not affiliated with the cartels is likely quite rare. Thus, if the NSA or DEA knows their target is using a specific program, they could simply search for the unique signatures of those programs in a given area to considerably “thin the haystack” of potential suspects.
Cheap, single- or short-term use, prepaid cellphones paid for in cash — burners — first surged into the public consciousness thanks to HBO’s The Wire, which featured Baltimore drug dealers regularly swapping phones to avoid warranted wiretaps by the Baltimore police. Each new phone number has to be identified by the cops and then requires a new warrant, a process that can take days, at which point the dealers are already using another phone. Yet this high-tech game of cat and mouse loses much of its effectiveness for staying anonymous when stacked up against a massive adversary like the NSA, which isn’t always bound by the legal safeguards that cops have to follow.
Particularly on international phone calls, the NSA employs complex algorithms to sort through massive stacks of communications metadata — which doesn’t require a warrant — “to help analysts identify a phone number of interest.” Using documents obtained by NSA whistleblower Edward Snowden, the Washington Post first reported on a program known as CO-TRAVELER, which sifts through cellphone metadata looking for and automatically flagging examples of suspicious behavior indicative of tradecraft. Advanced computational tools at the NSA’s disposal can be used to identify, for example, a particular phone number in Mexico that receives only one call each from a series of phones on a prepaid cellphone carrier like TracFone.
By identifying the carrier in the article, Penn would be further assisting the hypothetical NSA analyst greatly by narrowing the necessary search parameters.
Using burner phones may help keep the authorities off of your scent and allow your conversations to blend into the masses of unencrypted phone traffic, but without the protection of encryption there is yet another technological foe to contend with: voice recognition.
The NSA maintains enormous databases of unselected recordings of foreign phone conversations — that means everybody’s and anybody’s calls, not just those of targets. In the Bahamas that data has been stored for 30 days. It is not publicly known what the commensurate capabilities are in Mexico, but the country is an area of high interest for the NSA.
A 2011 document published last year by The Intercept describes how the NSA has implemented Human Language Technology processing in Mexico, which includes the ability to identify a speaker using a “statistically generated voice model.” With just a short sample of El Chapo’s voice, the NSA could be automatically sorting through all collected voice traffic in Mexico in search of his unique speech patterns, and then correlate that with geolocation metadata — although the specifics of how widely and how effectively this technology is currently implemented by the agency are not entirely clear.
Penn references using “unsent messages accessed in draft form,” an op-sec strategy that has been thoroughly debunked, most famously in the 2012 scandal that led to the resignation and eventual conviction of former CIA Director David Petraeus. America’s top spy, Petraeus, was revealed to have been using this technique, known as a “digital dead drop,” to pass messages with Paula Broadwell, his biographer with whom he was having an affair. Investigators were eventually able to piece together the metadata trail to identify Broadwell, who did not use Tor or an effective VPN to shield her IP address.
As the ACLU’s principal technologist, Chris Soghoian, pointed out at the time, this tactic simply is not effective since drafts are stored in the cloud just like sent email. “Ironically enough, by storing emails in a draft folder, rather than an inbox, individuals may be making it even easier for the government to intercept their communications,” Soghoian wrote. “This is because the Department of Justice has argued that emails in the ‘draft’ or ‘sent mail’ folder are not in ‘electronic storage’ (as defined by the Stored Communications Act), and thus not deserving of warrant protection. Instead, the government has argued it should be able to get such messages with a mere subpoena.”
The Rolling Stone article highlights the use of Blackphone, an encrypted cellphone operating on a modified Android operating system, developed by Silent Circle and marketed to the security-conscious in the post-Snowden environment. A Silent Circle founder, legendary cryptographer Phil Zimmermann, has previously gone on the record to push back against some of the hype surrounding his company’s product. “We have a bit of a problem with the press saying that the Blackphone will make you NSA-proof,” he told Extreme Tech.“If someone [at Blackphone] tells you that it’ll protect you from the NSA, I’ll fire them.”
Last week, researchers revealed a major security vulnerability in Blackphone that had gone undetected for over a year.
Penn also repeatedly references the use of Blackberry Messenger, or BBM, by members of Guzmán’s Sinaloa cartel. At one point, when a second meeting between Penn and Guzmán is scuttled for security concerns after Guzmán narrowly escapes a military raid, Penn sends his remaining questions via BBM. Available on BlackBerry, Android, and iOS, BBM is only end-to-end encrypted if both parties pay the annual fee to upgrade to BBM Protected — Penn does not specify which version he and the others used.
BlackBerry has long maintained a vaunted reputation as “uncrackable.” In September 2013, CBC ran a headline referring to the company’s platform as “NSA-proof” even though just days earlier Der Spiegel broke a story from the Snowden archive detailing the NSA’s and GCHQ’s successful exploitations of BlackBerry.
Last month, BlackBerry’s CEO John Chen boldly stepped out against a growing tech industry consensus in favor of strong encryption and declared, “Our privacy commitment does not extend to criminals” (emphasis in the original).
Many messaging platforms marketed as “secure” or “encrypted” often don’t pass muster with security experts. And you can never 100 percent trust even those services that do get a passing grade.
If Penn was running BBM Protected on a BlackPhone, which passes all internet traffic through a VPN by default, that would definitely qualify as enhanced security measures, but, for the reasons listed above (among others), is not a recommended protocol when your risk levels are this high and your adversary is the most powerful intelligence apparatus in the world.
In this category, Penn performed admirably. He left his electronics in California before leaving for Mexico to meet El Chapo. Meanwhile, his guides from the cartel were apparently less careful. On his ride to meet with El Chapo, Penn describes how “throughout the hour-and-a-half drive away from the city and across farmlands, both men receive frequent BBM messages.”
Yes and no. Any digital communication comes with some risk that a journalist should make clear to his or her source as early as possible, and both parties must weigh the risks and rewards independently.
As the ACLU’s Soghoian told the Washington Post, “The only way to hide your location is to disconnect from our modern communication system and live in a cave.” Granted, that is not a very appealing option for most of us, and we are willing to make certain compromises. Only meeting face to face is one good alternative, but not always practical.
However, best practices do exist (as does debate over those best practices within the security community).
You can try some of the practices endorsed by Micah Lee and Edward Snowden.
Or, try this relatively easy-to-use approach from Soghoian:
OPSEC advice: Use Signal. On an iPod Touch. Connect via Tor. Don't chat with Sean Penn.— Christopher Soghoian (@csoghoian) January 10, 2016
First came the Never Trumpers, and I did not speak out, because they stood against Donald Trump. Then came the Lincoln Project, and I did not speak out, because their videos went viral. Then came the Chamber of Commerce, and by then it was too late.