Late on the evening of January 11, 2013, someone sent me an interesting email. It was encrypted, and sent from the sort of anonymous email service that smart people use when they want to hide their identity. Sitting at the kitchen table in the small cottage where I lived in Berkeley with my wife and two cats, I decrypted it.
The anonymous emailer wanted to know if I could help him communicate securely with Laura Poitras, the documentary filmmaker who had repeatedly cast a critical eye on American foreign policy.
From: anon108@■■■■■■■■■I didn’t know it at the time, but I had just been contacted by Edward Snowden, the National Security Agency contractor who was then preparing a momentous leak of government data.
To: Micah Lee
Date: Fri, 11 Jan 2013
Micah,
I’m a friend. I need to get information securely to Laura Poitras and her alone, but I can’t find an email/gpg key for her.
Can you help?
A month earlier, Snowden had anonymously emailed Glenn Greenwald, a Guardian journalist and chronicler of war-on-terror excesses, but Greenwald didn’t use encryption and didn’t have the time to get up to speed, so Snowden moved on. As is now well known, Snowden decided to contact Poitras because she used encryption. But he didn’t have her encryption key, as is necessary to send someone encrypted email, and the key wasn’t posted on the web. Snowden, extraordinarily knowledgeable about how internet traffic is monitored, didn’t want to send her an unencrypted email, even if just to ask for her key. So he needed to find someone he thought he could trust who both had her key and used encrypted email.
That was me.
And as it turned out, several months later I was drawn more deeply into the whole thing, when Snowden got back in touch and asked me to work with him to launch an online anti-surveillance petition.
Until now, I haven’t written about my modest role in the Snowden leak, but with the release of Poitras’ documentary on him, “Citizenfour,” I feel comfortable connecting the dots. I think it’s helpful to show how privacy technologists can work with sources and journalists to make it possible for leaks to happen in a secure way. Securing those types of interactions is part of my job now that I work with Greenwald and Poitras at The Intercept, but there are common techniques and general principles from my interactions with Snowden that could serve as lessons to people outside this organization.
When I got that first email, I was working as a staff technologist for the Electronic Frontier Foundation and as the chief technology officer of the Freedom of the Press Foundation. My encryption key was posted at both sites, so Snowden was able to find it easily, and the key was digitally signed by people who were well-known in the privacy world (pioneering blogger Cory Doctorow and free software champion Richard Stallman, for instance); this meant those people had digitally vouched, in a way that was incredibly difficult to forge, that the key really belonged to me and not to, say, some NSA trickster. In other words, Snowden didn’t need to worry about the key being a fake. Poitras was a founding board member of the FPF, so he assumed I would have her key, and he was right.
It wasn’t uncommon for me to receive the type of email Snowden sent — strangers send me encrypted emails all the time, requesting help. Some of those emails are from people who appear to have personal issues to work out, but the inquiry from Snowden, emailing under a pseudonym, struck me as serious. I quickly forwarded it in an encrypted email to Poitras. The encryption technology we used — the standard among email users concerned with privacy — is known by two acronyms: GPG, for GNU Privacy Guard, or PGP, for Pretty Good Privacy.
From: Micah LeeLike me, Poitras was accustomed to receiving anonymous inquiries, and she recognized that this one was credible. A few hours later, she sent me a reply.
To: Laura Poitras
Date: Sat, 12 Jan 2013
Hey Laura,
This person just send me this GPG encrypted email. Do you want to respond? If you want to, and you need any help with using crypto, I’m happy to help.
From: Laura PoitrasThe frustrating and ironic thing about GPG is that even experts make mistakes with it. Even, as it turns out, Edward Snowden.
To: Micah Lee
Date: Sat, 12 Jan 2013
Hey Micah,
Thanks for asking. Sure, you can tell this person I can be reached with GPG at: laurapoitras@gmail.com
I’ll reply with my public key.
I’m also on jabber/OTR at:
l.p.@jabber.org
I hope all is good with you!
Laura
I now had Poitras’ permission to send Snowden her encryption key, but in his first email to me, Snowden had forgotten to attach his key, which meant I could not encrypt my response. I had to send him an unencrypted email asking for his key first. His oversight was of no security consequence—it didn’t compromise his identity in any way—but it goes to show how an encryption system that requires users to take specific and frequent actions almost guarantees mistakes will be made, even by the best users.
After receiving Snowden’s key, I sent him an encrypted email with Poitras’ key. This enabled him to send his first encrypted email to Poitras, in which he called himself Citizenfour. But I wasn’t out of the identity-confirmation picture yet.
Snowden and Poitras quickly set up a more secure channel for communication. Poitras created an anonymous email account, doing so with the Tor Browser that masks your identity on the web, and she created a new GPG key, just for communicating with Citizenfour. This was advisable because, if she were under surveillance by the NSA or any other intelligence agency, they might have compromised her known accounts, and she would prefer for there to be no trace of her true name in the correspondence with this secrecy-seeking stranger.
But the internet is a hall of mirrors.
