I can see where you are coming from here, though I do not fully agree with your assessment that the majority of blame being put upon the Intercept was “unfairly”. Yes, a major amount of those which are currently talking about the way Winner sadly got caught are doing so with the intent of harming the Intercept and other media outlet’s credibility in being trusted with classified information which may have the potential to harm the current US administration (if after all the self-made scandals, such a thing is even possible).
However, that being said, there are still a lot of things which should be criticized about both the Intercept and Winner herself in regard to this leak by people like us who are aware of the importance of whistleblowers and leaks in any political climate as well as the importance to assure those providing such information a maximum of security.
Now, if you recall, I have been rather critical of Riseup’s practices in the past because of their practices which, in my eyes, may endanger journalists and their sources in a variety of ways. This was only a hypothetical though, as, as far as we are aware, no one got endangered by Riseup’s missteps. I would thus be a hypocrite, if I didn’t critice the Intercept in a similar manner.
Now, the thing is this. The Intercept was founded with the initial goal of making the Snowden leaks accessible and easy to understand for anyone. They thus made their name on the basis of supporting leaks and whistleblowers. Thus, they should have a basic understanding of what is required to keep sources secure and they should take any precautions possible, just in the event that a (not so tech-savy) source hasn’t done everything required to cover their tracks.
That has not happened. Now, if Winner got caught because of a rather advanced surveillance technology that no one could have predicted or she got caught do to her own shortcomings (more on that later) I would understand that. I would find it regretful and would criticize the US jurisdiction for harming whistleblowers and leakers while not taking similar actions in regard to war crimes but I would understand why she got caught.
However, this was not the case. No. Reality Winner got caught, not because of her own mistakes, but because an Intercept-Employee simply scanned in the documents provided by her directly. That in my eyes is a mistake they should have been able to prevent.
It is common knowledge that printers have for years been able to inject small, almost invisible markers into print-outs to make the origin of said print-outs traceable. This is not a “mysterious hyper super dupper secret NSA technology”, no, this is tech that has been used publicly in offices for years via implementations provided by Xerox and other printer manufacturers.
It is in fact such a “normal” thing that the EFF provided an online-tool to decrypt these patterns: https://w2.eff.org/Privacy/printers/docucolor/
Simply enter the dots and you get the result.
Equally, it isn’t a secret that printers are prone to tracking what you are trying to print out or copy. The most famous example is the Eurion pattern which is found on Euro and other currency bills and forces certain printers to prevent them from printing what one must assume to be the worlds least convincing counterfeit currency.
All these things are covered under the label “Printer steganography”: https://en.wikipedia.org/wiki/Printer_steganography
Now, why am I saying this?
Simple: Because these are things an outlet like the Intercept should know about. Again, these aren’t highly specialized secret tracking solutions, no, this is a publicly known commercialized solution that any decent admin which ever had to deal with some higher volume office printer knows exist.
The fact that the Intercept not only didn’t consider that the documents might be tainted by this tracking tech is simply embarrassing and saddens me immensely. These are the things that someone receiving confidential leaked information should be looking out for first and foremost. There is no way to excuse that the Intercept made one of the biggest Opsec mistakes they could make, just shy of printing the name of the source including address and SSN outright.
It will (and in my eyes should) be a long and tedious process for the Intercept to regain the trust of sources. Hopefully though, they will not in any way let themselves deter from doing what has to be done to fight corrupt politicians and bring the truth to light.
Personally, I don’t think that Opsec should be a whistleblower only thing. Yes, everyone leaking classified information to the press should take as many safety precautions as possible, however, the journalists who then receive said information should feel obligated to both assist the whistleblower in security questions and furthermore, double check so things like these don’t happen.
The reason for this is A) as you’ve mentioned, not everyone can know everything and journalists working at a place like the Intercept SHOULD be knowledgeable in the latest of Opsec and B) I feel like that is just a basic thing of decency. I mean, that whistleblower has just risked his/her (financial, personal, free, …) life to get you that information and all you are going to do is make a few articles? That in my eyes is fundamentally wrong. Journalists are going to make money publishing these leaks so any protection (not just legal counseling after someone got caught) should be expected.
In conclusion, I can’t put into words how disappointed I am with the Intercept. They haven’t properly handled the information they received plain and simple and appear to not be knowledgeable enough in basic security to in my eyes be trusted with information as critical as this.
Now, let’s come to Reality Winner.
First of all, isn’t it ingenious that a person leaking information about the administration which has labeled anything in regard to Russian Interference “Fake News” is called “Reality”. That feels strangely fitting. Especially considering the information she leaked has also been called “Fake News”, though seems to be real enough to warrant an arrest.
It really would be impossible for me to cover everything she didn’t do ideally or outright wrong in regard to Opsec.
That’s why I’d just like to cover what I feel might have been her biggest mistake overall.
That would be not assuming that she might get caught.
Depending on where you get your news from, you either solely heard about this, didn’t at all notice this or, if your media diet is just right, heard about this, as well as everything else surrounding the scandal.
Her political statements on social media like Twitter.
Because what she posted on Twitter and co. made her look very much like a person which does not support the current administration in any way, shape or form, it was easy for the media and individuals supportive of the current US administrations bold “Make America stagnate again” agenda to discredit her. Especially as a lot of things she posted are very hard to defend for anyone who values a decent political discourse, it was equally very hard to cover these leaks fairly without having to talk about these aspects of her person as well.
That in turn made these leaks loose a massive amount of significance for the majority of people as any discourse, both online and in the media, that didn’t happen isolated in a specific “bubble” was easily steered away from the content of the leaks and on to the person leaking thus making it hardly possible to get properly informed by most public sources, especially considering most people will not look for the original article after witnessing a shouting-match about a person that can easily be labeled “radical-left” on TV.
Now, you might ask what this has to do with her assuming she might not get caught.
But here is the thing. If you are a whistleblower leaking information detrimental to a government which has shown to have no problem simply deflecting scandals by pointing at minor personal things as to not have to deal with policy, you have to expect that said government will use any attack-vector you hand to them.
Anyone capable of tying their own shoes would have likely been able to predict that supporters and members of the administration will use anything they can get their hands on to discredit and not cover these leaks. And something like the things on her Twitter feed are more than enough to do just that.
This either leaves us with two possibilities. Either Reality Winner somehow did not think her Tweets would create any kind of negative public reaction that could distract from the content of the leaks should she get caught. That would make her, and I’m sorry that I have to use this sort of language, rather shortsighted. Looking at her career at the Pluribus International Corporation and her security clearance though, I do not believe her to be this dense.
That leaves us with only one other conclusion. She did not expect to be caught and thus did not think her tweets would ever be a problem.
That in my eyes would constitute her biggest mistake. Opsec 101 is to ALWAYS consider that you could get caught at any second. You have to be prepared for that. You have to be sure that if your name should come out, that does not harm your initial goal of informing the public.
She by the looks of things did not do that.
Now, the thing is that this is again not some sort of “secret information” that only the best elite leakers know about.
Covering all your bases so in case you get caught there are no repercussions is common knowledge when it comes to doing anything that might be legally problematic.
It should be basic common sense to be prepared for any eventuality. Though, maybe that’s just the EDC guy in me talking…
Either way, that’s why I personally believe that in this case, it wasn’t curiosity, but rather pride that “killed that cat”, as someone who is as intelligent as she must have been, can’t tell me to not have seen the potential issues her social media presences might create if her name should get public.
Have a nice day,