Panama Papers, privacy, encryption, and you

Any way you look at it, the Panama Papers leak is incredible. 2.6 terabytes worth of files, encompassing 11 million documents. That's over one thousand times bigger than Wikileaks, yet somehow, the leak was kept secret for almost a year. Most impressively, we have no idea who leaked the files. Neither do the journalists the whistle-blower contacted.

In a world where privacy is often considered dead, that's no easy feat.

While "corporate monopolies and governments" are "attempting to undermine encryption", ethical hacker and founder of Whitehack Adrian Wood believes the internet can still be a private place, providing one understands the complexities of using it as such. This isn't necessarily easy, which makes the Panama Papers even more impressive.

"There are certainly secure methods of shifting information securely across the internet, but many of these options do not scale well at all when you're talking about 2.6 terabytes of data, even over an extended period of time," Wood told CyberShack.

The Panama Papers leak itself is made up of internal documents from a Panamanian law firm – Mossack Fonseca – which sells offshore shell companies that theoretically enable their owners to mask their business dealings. Politicians, FIFA officials, celebrities, professional athletes, and drug smugglers were all implicated by the leak. Iceland Prime Minister Sigurður Ingi Jóhannsson was one of the leak's first casualties, resigning after it was revealed that he allegedly owned holdings in the country's collapsed banks.

Considering the potential fallout, Wood said that the secrecy of the original leaker's identity could very well be a matter of life and death.

Below is a brief overview of some of the technology that may have been used in preserving the Panama Papers whistle-blower's anonymity. 

Encrypted messaging apps 
Encrypted messaging apps such as Signal, Telegram and Wickr are becoming increasingly popular and are incredibly easy to use. While app stores have been swamped with apps that promise secure communications, Wood says users should ask four questions when looking at a private messaging solution.

Is the code open to independent review?
Have there been recent audits?
Can the provider read your messages?
Is data encrypted in transit?

"When you’re talking about potentially being killed if you’re caught whistleblowing, the whistle-blower would have put a ton of thought into what system to use," said Wood.

It's also important to consider whether an app requires a phone number to sign up in the first place. While WhatsApp has made headlines for rolling out end-to-end encryption messaging to its one billion users, they can’t use it without providing their phone number.

Signal and Telegram both share the same issue.

In Australia, all phone numbers have to be tied to a person, but this may not have been an issue for the Panama Papers whistle-blower. Certain services do, however, allow users to register for free phone numbers in other countries while providing minimal personal information.

Open Whisper Systems' Signal is well regarded by security experts, and has received endorsements from prolific whistle-blowers such as Edward Snowden.

Going old school 
The International Consortium of Investigative Journalists (ICIJ) was one of the key organisations involved in the analysis of the Panama Papers leak. On the organisation's website, it says that "no electronic form of communication is entirely secure" and instead recommends leakers use snail mail for sharing information.

"We feel that no electronic form of communication is entirely secure – sometimes the safest ways are the old-fashioned ways. You can post printed documents, or electronic files on a portable storage device (a thumb drive, hard drive, memory card, DVD, CD, etc.) directly to ICIJ at the below address."

Pretty Good Privacy, or PGP, is data encryption software that allows users to protect files, directories, emails, and even entire hard drives. When encrypting files with PGP, users need two keys, a public key and a private key.

Users give their public key to anyone they want to securely communicate with. This public key can then be used to encrypt or lock an email or file. After encryption, the file in question can only be decrypted by the use of the matching private key. As such, it is essential that a user never reveals their private key.

While PGP is often associated with email, Wood says it's unlikely the Panama Papers whistle-blower would have relied on email for the leaks due to the metadata trail that would have been left behind.

"It wouldn't be worth the risk," said Wood.

PGP encryption may have been used to protect any leaked documents, however.

When used to protect documents or emails, PGP's decentralised nature can be a double-edged sword. Since everything is encrypted on a file-by-file basis, there are no management tools for the worst-case scenario.

"If somebody steals your key, you cannot revoke access to files you previously encrypted and distributed with that key."

Tor is another piece of software commonly associated with discussions around privacy and encryption. The most readily available form of Tor is a browser that masks a user's internet traffic by rerouting a connection through "virtual tunnels" rather than establishing a direct link to a website.

On paper, using the Tor browser is similar to using a VPN. Anyone monitoring a user's online activity would see a connection to the Tor network, or the VPN server rather than the website they are visiting.

Unlike a VPN, Tor only protects applications that are configured to send their internet traffic through its network.

What about me? 
For the average person, these technologies might sound like overkill. In reality, programs like Signal and Tor Browser are as easy to use as their less encrypted counterparts. In the case of WhatsApp, there's a good chance you're already using it.

While privacy might not be a case of life and death for most, all of these technologies can lead to a safer online experience.