In early January, Micah Lee worried journalist Glenn Greenwald’s computer would get hacked, perhaps by the NSA , perhaps by foreign spies.
Greenwald was a target, and he was vulnerable. He was among the first to receive tens of thousands of top secret NSA documents from former contractor Edward Snowden , a scoop that eventually helped win the most recent Pulitzer prize .
Though Greenwald took precautions to handle the NSA documents securely, his computer could still be hacked.
“Glenn isn’t a security person and he’s not a huge computer nerd,” Lee tells Mashable . “He is basically a normal computer user, and overall, normal computer users are vulnerable.”
Lee, 28, is the technologist hired in November to make sure Greenwald and fellow First Look Media employees use state-of-the-art security measures when handling the NSA documents, or when exchanging emails and online chats with sensitive information. First Look was born in October 2013, after eBay founder Pierre Omydiar pledged to bankroll a new media website led by Greenwald, with documentary journalists Laura Poitras and Jeremy Scahill.
Essentially, Lee is First Look’s digital bodyguard, or as Greenwald puts it, “the mastermind” behind its security operations.
Lee’s position is rare in the media world. But in the age of secret-spilling and the government clampdown on reporters’ sources, news organizations are aiming to strengthen their digital savvy with hires like him.
“Every news organization should have a Micah Lee on their staff,” Trevor Timm, executive director and cofounder of Freedom of the Press Foundation , tells Mashable .
Timm believes the Snowden leaks have underscored digital security as a press freedom issue: If you’re a journalist, especially reporting on government and national security, you can’t do journalism and not worry about cybersecurity.
“News organizations can no longer afford to ignore that they have to protect their journalists, their sources and even their readers,” Timm says.
Once hired, Lee needed to travel to Brazil immediately . First Look has an office in New York City, but Greenwald works from his house located in the outskirts of Rio de Janeiro.
Unfortunately, the consulate in San Francisco near where Lee lives didn’t have an open spot for a visa appointment. It would be at least two months before he’d be able to leave for Brazil.
Undeterred, Lee created a smart (and legal) hack — a script that constantly scraped the consulate’s visa calendar to check for cancellations. If it found any, it would text Lee, giving him the opportunity to hop online and book.
In less than 48 hours, he scored an appointment and flew to Rio within days.
“That’s what he does. He’s brilliant at finding solutions for any kind of computer programming challenge,” Greenwald tells Mashable . It’s exactly the kind of industrious initiative Greenwald needed.
When he got to Rio, Lee spent one entire day strengthening Greenwald’s computer, which at that point used Windows 8 . Lee was worried spy agencies could break in, so he replaced the operating system with Linux , installed a firewall, disk encryption and miscellaneous software to make it more secure.
The next day, Lee had a chance to do something he’d been dreaming of: peek at the treasure trove of NSA top secret documents Snowden had handed to Greenwald in Hong Kong.
Since the beginning, Greenwald had stored the files in a computer completely disconnected from the Internet, also known as “air-gapped” in hacker lingo. He let Lee put his hands on that computer and pore through the documents. Ironically, Lee used software initially designed for cops and private investigators to sift through the mountain of seized documents.
Sitting inside Greenwald’s house, famously full of dogs, Lee spent hours reading and analyzing a dozen documents containing once carefully guarded secrets.
“I wasn’t actually surprised. I was more like, ‘Wow, here’s evidence of this thing happening. This is crazy,'” he remembers. “At this point I kind of assume that all of this stuff is happening, but it’s exciting to find evidence about it.”
During his two days in Rio, Lee wore two hats : the digital bodyguard who secures computers against hackers and spies, and the technologist who helps reporters understand the complex NSA documents in their possession. In addition to Greenwald, he also worked with Poitras, the documentary filmmaker who has published a series of stories based on the Snowden documents as part of both The Guardian ‘s and The Washington Post ‘s Pulitzer-winning coverage.
For Greenwald, Lee’s skills, as well as his political background (Lee is a longtime activist) make him the perfect guy for the job.
“There’s a lot of really smart hackers and programmers and computer experts,” Greenwald tells Mashable . “But what distinguishes him is that he has a really sophisticated political framework where the right values drive his computer work.”
J.P. Barlow, founder of the Electronic Frontier Foundation , where Lee used to work, agrees. There are two Lees, the activist and the hacker, he says. One couldn’t exist without the other.
“He acquired his technical skills in the service of his activism,” Barlow tells Mashable .
In some ways, Lee was destined to work on the Snowden leaks. At Boston University in 2005, he was involved in environmental and anti-Iraq War activism. His college experience didn’t last long, though. After just one year he dropped out to pursue advocacy full-time.
“I had better things to do with my time than go to college, because I wanted to try and stop the war. And it didn’t work,” Lee says.
During that time, he worked as a freelance web designer, despite no formal computer education. He started teaching himself the computer programming language C++ when he was around 14 or 15 years old, in order to make video games. (Alas, none of those games are available anymore.)
Then in 2011, Lee was hired by the Electronic Frontier Foundation, the digital rights organization. “My dream job,” Lee says.
As an EFF technologist, teaching security and crypto to novices was second nature for him. He was one of the people behind an initiative in which technologists taught digital security to their fellow employees over lunchtime pizza. And as CTO of the Freedom of the Press Foundation, he helped organize “cryptoparties” to teach encryption tools to journalists and activists.
Lee became a go-to source for reporters looking for computer security and encryption answers. After the first NSA leaks were published in June 2013, many reporters, not only those working on the Snowden leak, knew they’d need to protect their own communications. Lacking technical knowledge, they turned to Lee for help.
He recalls, for example, that he helped reporters at NBC get started using encryption. It was only when NBC News published a series of stories based on the Snowden documents, with the contribution of Glenn Greenwald, that Lee realized why they needed his guidance.
In early July 2013, he wrote what some consider one of the best introductory texts about crypto, a 29-page white paper called ” Encryption Works .” Its title was inspired by an early interview with Snowden — a Q&A on The Guardian ‘s site. The whistleblower said, “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.”
Those words had a profound effect on Lee.
“That gave me a lot of hope, actually, because I wasn’t sure if encryption worked,” Lee says laughing, his eyes brightening behind a pair of glasses. He is lanky in jeans and a t-shirt, behind a laptop with stickers.
He’s a true hacker, but one who happens to explain extremely complicated concepts in a way that’s easy to understand.
He was one of the first people Greenwald and Poitras, both on the Freedom of the Press Foundation board, named for their “dream team,” Greenwald says — a group that would eventually create The Intercept , First Look Media’s first digital magazine that would later be instrumental in breaking new NSA stories.
“He was top of my list,” Poitras tells Mashable .
In the wake of the Snowden leaks, which revealed the pervasiveness of the NSA’s surveillance techniques, it seems no one, including journalists, is safe. And it’s not just the NSA; other branches of the U.S. government have pressured journalists to reveal their sources and have aggressively investigated information leaks.
“Concern has grown in the news industry over the government’s surveillance of journalists,” New York Times lawyer David McCraw wrote in a recent court filing .
The Obama administration “is the greatest enemy of press freedom that we have encountered in at least a generation,” said journalist James Risen at a recent event in New York, called Sources and Secrets.
The Department of Justice has for years demanded Risen to reveal his source inside the government. The Bush administration first, and the Obama administration later, have been issuing subpoenas to force Risen to reveal the source of a chapter of his 2006 book, The State of War , in which the reporter reveals a secret Clinton-era CIA operation to sabotage Iran’s nuclear program.
Last year, the DOJ secretly obtained the phone records of the Associated Press. The DOJ has never said why it sought those records, but at the time AP reported the U.S. government had opened an investigation to find out the source of information in an AP story about a CIA operation in Yemen.
These investigations, according to some, create a chilling effect on both sources and reporters, a climate of fear in which journalists have a hard time doing their jobs.
“I think we have a real problem. Most people are deterred by those leaks prosecutions. They’re scared to death,” said New York Times national security reporter Scott Shane.
“The ability of the press to report freely on its government is a cornerstone of American democracy. That ability is, by any reasonable assessment, under siege,” wrote the Times public editor Margaret Sullivan in a column last year.
For these reasons, some believe media organizations should follow First Look’s example and hire people like Lee.
As both The Intercept ‘s digital bodyguard and geek-in-chief, Lee has a unique role in the media business: He puts systems in place to receive sensitive documents from sources, making sure the potential whistleblowers are protected and anonymous; he secures journalists’ communications; and he even helps write about the documents themselves. (Most of his work hasn’t been published yet, but he has contributed to some articles.)
“Reporting in the 21st century is dangerous. Reporting on government surveillance is dangerous, for the journalist, for the source,” Chris Soghoian, the principal technologist at the American Civil Liberties Union, tells Mashable . He says what First Look is doing is unique. “It’s vital that [other] news organizations hire technical experts and security experts to help to protect their reporters.”
Publications like The Wall Street Journal have reporters who are able to take care of their security needs themselves, but there’s no organizational culture that promotes digital security, he says.
The only other property with a similar approach is The Washington Post , which hired star privacy and security researcher Ashkan Soltani to work on the NSA leaks hand-in-hand with reporter Barton Gellman, the other early recipient of the Snowden treasure trove of documents, along with Greenwald and Poitras. Soltani’s byline has graced many NSA scoops, while he’s helped other reporters with their own technical stories.
In communicating with reporters over the years, Soghoian insists he’s seen “everything” in terms of security horror stories. Last summer, he discovered that a “leading national security reporter” did most of his reporting from his desk phone, even after the AP phone records case. Soghoian urged that reporter to use email encryption and pre-paid phones.
A spokesperson for The New York Times told Mashable that the paper has staff “in a position to advise reporters on security issues,” but declined to elaborate more. A Washington Post spokesperson revealed that the newspaper is installing SecureDrop , the WikiLeaks-style leaking software first developed by the late coder Aaron Swartz , and that reporters receive training in “encryption technology for email and saving files, as well as on procedures for staying as secure as possible while traveling.” (The spokesperson didn’t respond to a follow-up question on whether all journalists receive this kind of training.)
By being part of First Look Media since the beginning, Lee has had a chance to shape its security practices from day one, teaching journalists the best digital security practices, and helping establish a robust infrastructure for secure communications with sources.
First, Lee taught every journalist how to use encrypted, secure communications like the email encryption software PGP, and OTR, software that allows for secure chat conversations and is considered by most security experts one of the safest ways to communicate online nowadays. Every employee of First Look can now receive encrypted emails and chat messages. Lee also taught everyone how to use SecureDrop.
And unlike most of the major news websites around the world, which outsource to Google or Microsoft , First Look controls its own email and chat servers. This gives Lee and the rest of the company control and prevents the U.S. government from going to a third party and subpoenaing First Look’s email records without the company’s knowledge.
It happened last year when the DOJ obtained Fox News reporter James Rosen’s emails in an attempt to identify his sources.
Once such practices were in place at First Look, encryption became routine. Lee says practically every email within the company has been encrypted “since the beginning.” Lee himself scrambles the content of more than half of all his emails. And among themselves, First Look employees chat using mostly OTR.
Lee also set up the website so it would be fully encrypted using HTTPS (the “s” stands for secure). With HTTPS enabled, the connection between a user and the website he or she is visiting gets scrambled, meaning a passive attacker — say a government agency or a hacker at your local Starbucks — can’t see what happens once the user goes to the encrypted site.
This might seem trivial, but spy agencies like the NSA or its British sister GCHQ take advantage of unprotected websites to monitor Internet user activity, trying to identify potential targets. Any information traveling over unencrypted websites could be captured and later accessed by tools like the NSA’s Xkeyscore , Lee explains.
“Since there’s this huge database full of plaintext stuff going over the Internet, analysts just have to be creative about what they search for to get any of it,” Lee says.
If The Intercept wasn’t encrypted, for example, a spy agency could see which stories someone reads, or which journalists someone, like Snowden, watches.
Imagine you are a would-be whistleblower reading a story by Glenn Greenwald. You decide to get in touch with him to leak some documents. On an insecure, unencrypted website, a spy agency can probably trace the connection back to your initial, seemingly innocuous web-surfing activity, and identify you.
At The Intercept , Lee is working to make sure nobody leaves any traces. Making websites encrypted, Lee says, “is the very bare minimum basic of making it not really easy for sources to get compromised.”
All these practices aim to protect journalists’ and sources’ communications, but handling the Snowden documents, and making sure no one who has them gets hacked, is also key. Unfortunately, that’s not as easy as installing an antivirus or a firewall.
When exchanging documents, journalists at The Intercept use a complicated series of precautions. First of all, Lee says, documents are never stored on Internet-connected computers; they live in separate computers disconnected from the web. To add an extra layer of precaution when logging in to air-gapped computers, journalists must use secure operating system Tails .
So, imagine two employees at First Look Media (we’ll call them Alice and Bob) need to send each other Snowden documents. Alice goes to her air-gapped computer, picks the documents, encrypts them and then burns them onto a CD. (It has to be a CD, Lee says, because thumb drives are more vulnerable to malware.) Then Alice takes her CD to her Internet-connected computer, logs in and sends an encrypted email to Bob.
If you’re keeping score, the documents are now protected by two layers of encryption, “just in case,” Lee says, laughing.
Then Bob receives the email, decrypts it and burns the file on a CD. He moves it to his own air-gapped computer where he can finally remove the last layer of encryption and read the original documents.
To prevent hackers from compromising these air-gapped computers, Lee really doesn’t want to leave any stone unturned. That’s why First Look has started removing wireless and audio cards from air-gapped computers and laptops, to protect against malware that can theoretically travel through airwaves. Security researchers have recently suggested it might be possible to develop malware that, instead of spreading through the Internet or via thumb drives, could travel between two nearby computers over airwaves, effectively making air-gapped computers vulnerable to hackers.
If this all sounds a little paranoid , Lee is the first to acknowledge it.
“The threat model is paranoid,” Lee tells Mashable , only half-joking. But it’s not just the NSA they’re worried about. (After all, the spy agency already has the documents.) Other spies, however, would love to get their hands on the intel.
“Any type of adversary could be out to get the Snowden documents. But specifically large spy agencies. And I actually think that the NSA and GCHQ aren’t as much as a threat compared to other international ones,” Lee says. Apart from the NSA, Russia and China are the real concerns.
“It’s not just this theoretical prospect that maybe the government is trying to read my emails or listens to my phone calls,” Greenwald says. “I know for certain that they are doing that.”
“I don’t think that the threat model is paranoid at all,” Poitras says, not wanting to underestimate their enemies. “We have to be careful in terms of digital security.”
“All of the reporters who are working on these stories have a gigantic target painted on their backs,” says Soghoian.
Every precaution, in other words, is essential, and makes it “much safer for us to operate as adversarial journalists,” says Lee.
Every lock on the door is necessary, and they should all be bolted. What’s more, every door should be under the control of First Look itself.
In March, approximately one year after connecting with Snowden , Greenwald, Poitras and Gellman won the Polk Awards and the Pulitzer Prize. They shared the honors with other Guardian and Washington Post reporters.
But Greenwald almost missed the opportunity of his career all together. Initially, he ignored Snowden, at the time a mysterious, anonymous source. The whistleblower had insisted Greenwald install encryption before revealing more about the leak. Snowden even created a 12-minute video tutorial to convince his chosen reporter the intel was worth the extra steps.
Typically, sources never take all these precautions — or reserve such patience. Snowden was a rare case in which the source knew more about digital security than the journalists he dealt with.
Greenwald isn’t willing to risk another close call. He hired Lee for First Look with a strategic goal in mind: Establish unprecedented security practices that make the young news organization attractive for the next secret-spiller, the next Snowden, whoever he or she may be.
Most other media organizations aren’t protecting their sources nearly as scrupulously, and may not be for years to come.
Perhaps the next Snowden is already out there, sending an encrypted email or using SecureDrop to leak the next big treasure trove of secret documents. Which publication will he target?