Ed Snowden Taught Me To Smuggle Secrets Past Incredible Danger. Now I Teach You.

Late on the evening of January 11, 2013, someone sent me an interesting email. It was encrypted, and sent from the sort of anonymous email service that smart people use when they want to hide their identity. Sitting at the kitchen table in the small cottage where I lived in Berkeley with my wife and two cats, I decrypted it.

The anonymous emailer wanted to know if I could help him communicate securely with Laura Poitras, the documentary filmmaker who had repeatedly cast a critical eye on American foreign policy.

From: anon108@■■■■■■■■■ To: Micah Lee Date: Fri, 11 Jan 2013

Micah,

I’m a friend. I need to get information securely to Laura Poitras and her alone, but I can’t find an email/gpg key for her.

Can you help?

I didn’t know it at the time, but I had just been contacted by Edward Snowden, the National Security Agency contractor who was then preparing a momentous leak of government data.

A month earlier, Snowden had anonymously emailed Glenn Greenwald, a Guardian journalist and chronicler of war-on-terror excesses, but Greenwald didn’t use encryption and didn’t have the time to get up to speed, so Snowden moved on. As is now well known, Snowden decided to contact Poitras because she used encryption. But he didn’t have her encryption key, as is necessary to send someone encrypted email, and the key wasn’t posted on the web. Snowden, extraordinarily knowledgeable about how internet traffic is monitored, didn’t want to send her an unencrypted email, even if just to ask for her key. So he needed to find someone he thought he could trust who both had her key and used encrypted email.

That was me.

And as it turned out, several months later I was drawn more deeply into the whole thing, when Snowden got back in touch and asked me to work with him to launch an online anti-surveillance petition.

Until now, I haven’t written about my modest role in the Snowden leak, but with the release of Poitras’ documentary on him, “Citizenfour,” I feel comfortable connecting the dots. I think it’s helpful to show how privacy technologists can work with sources and journalists to make it possible for leaks to happen in a secure way. Securing those types of interactions is part of my job now that I work with Greenwald and Poitras at The Intercept, but there are common techniques and general principles from my interactions with Snowden that could serve as lessons to people outside this organization.

When I got that first email, I was working as a staff technologist for the Electronic Frontier Foundation and as the chief technology officer of the Freedom of the Press Foundation. My encryption key was posted at both sites, so Snowden was able to find it easily, and the key was digitally signed by people who were well-known in the privacy world (pioneering blogger Cory Doctorow and free software champion Richard Stallman, for instance); this meant those people had digitally vouched, in a way that was incredibly difficult to forge, that the key really belonged to me and not to, say, some NSA trickster. In other words, Snowden didn’t need to worry about the key being a fake. Poitras was a founding board member of the FPF, so he assumed I would have her key, and he was right.

It wasn’t uncommon for me to receive the type of email Snowden sent — strangers send me encrypted emails all the time, requesting help. Some of those emails are from people who appear to have personal issues to work out, but the inquiry from Snowden, emailing under a pseudonym, struck me as serious. I quickly forwarded it in an encrypted email to Poitras. The encryption technology we used — the standard among email users concerned with privacy — is known by two acronyms: GPG, for GNU Privacy Guard, or PGP, for Pretty Good Privacy.

From: Micah Lee To: Laura Poitras Date: Sat, 12 Jan 2013

Hey Laura,

This person just sent me this GPG encrypted email. Do you want to respond? If you want to, and you need any help with using crypto, I’m happy to help.

Like me, Poitras was accustomed to receiving anonymous inquiries, and she recognized that this one was credible. A few hours later, she sent me a reply.

From: Laura Poitras To: Micah Lee Date: Sat, 12 Jan 2013

Hey Micah,

Thanks for asking. Sure, you can tell this person I can be reached with GPG at: [email protected]

I’ll reply with my public key.

I’m also on jabber/OTR at: [email protected]

I hope all is good with you!

Laura

The frustrating and ironic thing about GPG is that even experts make mistakes with it. Even, as it turns out, Edward Snowden.
