Or, how did the Panama Papers whistleblower do it?
2.6 terabytes is a lot of data, especially when you’re talking about text files and scanned documents, and not media files such as movies.
Exfiltrating 40 years of Mossack Fonseca data without being noticed (especially when the stakes are this high) presents a significant number of technical challenges, particularly with the threat of ultra-powerful groups like the Mafia getting pissed off by you leaking their data.
As information security consultants and auditors, we’re very interested in how this level of data exfiltration could take place.
It’s been established that the whistleblower would only communicate over encrypted services. When you’re shopping for an off-the-record, end-to-end encrypted chat service with forward secrecy, you don’t have a whole lot of options. When the stakes are this high, and your enemies list is this long and this powerful, perceptions about what is ‘secure enough’ change drastically.
Secure Chat Services
• Is the code open to independent review?
• Have there been recent audits?
• Can the provider read your messages?
• Is data encrypted end to end?
• Is there forward secrecy?
• Can one independently verify your correspondent’s identity?
Once you apply these criteria to a chat service, the list of options filters down significantly.
We know that the whistleblower used encrypted chat to talk to ICIJ personnel. The whistleblower would have put a lot of thought into which service to use, and the most logical choice is Signal, by Open Whisper Systems. Signal is well regarded in the security and privacy community, and has endorsements from guys like Edward Snowden, which would carry a lot of weight with an individual facing this level of risk.
The biggest caveat with these secure services is that many of them now require you to enter a valid phone number in order to use the service. If you live in Australia, mobile numbers require identity checks, where your driver’s licence number or similar ID is recorded and linked to the phone number.
If this sounds like a problem you’re facing, consider using an online phone service such as
What about encrypted mail?
It’s unlikely that encrypted mail such as PGP-encrypted email was used for communication, but the PGP protocol may have been used to sign, encrypt and decrypt files or disks. PGP encryption is often at the core of commercial encryption software, much of which is basically PGP in a nicer wrapper. The biggest caveats with PGP mail as a form of secure communication are the following:
• It lacks forward secrecy, meaning that if somebody steals your key, you cannot revoke access to files you previously encrypted and distributed with that key.
• Email by its very nature exposes metadata about the communications taking place; by insisting on encrypted chat, the whistleblower would not suffer this metadata exposure.
Transferring the data in the leak
Tor has come up several times in discussions regarding the transfer of this leaked data. Tor is loved by NGOs for its ability to allow them to communicate securely within a compromised country’s network without revealing their associations, for example. Other groups love it as a safe way to conduct competitive analysis and protect against eavesdroppers.
It’s unlikely that Tor was used to transfer this sheer amount of data, as the complexities and risks far outweigh the benefits. Firstly, Tor has a rather checkered history of compromise; secondly, network speeds aren’t amazing for this amount of data; and thirdly, the ICIJ themselves say the following on their whistleblower page:
“We feel that no electronic form of communication is entirely secure – sometimes the safest ways are the old-fashioned ways. You can post printed documents, or electronic files on a portable storage device (a thumb drive, hard drive, memory card, DVD, CD, etc.) directly to ICIJ at the below address.”
Cryptography was certainly used to communicate about the leak, and likely on the drives that were shipped, but it is unlikely that the 2.6 terabytes of leaked data was transmitted over the internet, especially with the ICIJ themselves recommending that data be posted from a secure location.