What to Do Before Sharing Classified Documents With Your Friends Online

While it’s tempting to share a photo to prove your point, you ought to think through the potential repercussions.

Illustration: The Intercept

Let’s say you’re locked in a heated geopolitical spat with a few of your online friends in a small chatroom, and you happen to be privy to some classified documents that could back up your argument. While it’s tempting to snap a photo and share it to prove your point, especially given the appeal of impressing onlookers and instantly placating naysayers, it would behoove you to take a step back and think through the potential repercussions. Even though you may only plan for the documents to be shared among your small group of 20 or so friends, you should assume that copies may trickle out, and in a few weeks, those very same documents could appear on the front pages of international news sites. Thinking of this as an inevitability instead of a remote prospect may help protect you in the face of an ensuing federal investigation.

Provenance

Thorough investigators will try to establish the provenance of leaked materials from a dual perspective, seeking to ascertain the original points of acquisition and distribution. In other words, the key investigatory questions pertaining to the origins of the leaks are where the leaker obtained the source materials and where they originally shared them.

To establish the point of acquisition, investigators will likely first enumerate all the documents that were leaked, then check via which systems they were originally disseminated, followed by seeing both who had access to the documents and, if access logs permit, who actually viewed them.

What all this means for the budding leaker is that the more documents you share with your friends, the tighter the noose becomes. Consider the probabilities: If you share one document to which 1,000 people had access and that 500 people actually accessed, you’re only one of 500 possible primary leakers. But if you share 10 documents — even if hundreds of people opened each one — the pool of people who accessed all 10 is likely significantly smaller.
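The narrowing effect described above, seen from the investigator's side, as an added example that is not part of the original article: it intersects per-document access records to show how the candidate pool shrinks with each additional leaked document. The log format, user names, document IDs and dates are all constructed for illustration.

```python
import csv, io
from collections import Counter
from datetime import datetime

# Constructed audit log (not real data): timestamp,user,action,document
SAMPLE_LOG = """\
2023-03-01T09:12:00,alice,open,DOC-1
2023-03-01T09:40:00,bob,open,DOC-1
2023-03-01T10:05:00,carol,print,DOC-1
2023-03-01T11:00:00,dave,open,DOC-1
2023-03-02T08:30:00,alice,open,DOC-2
2023-03-02T09:00:00,carol,open,DOC-2
2023-03-02T09:15:00,dave,copy,DOC-2
2023-03-03T14:00:00,carol,open,DOC-3
2023-03-03T14:20:00,dave,open,DOC-3
2023-03-03T15:00:00,erin,open,DOC-3
2023-03-04T10:00:00,carol,print,DOC-4
2023-03-06T10:00:00,dave,open,DOC-4
2023-03-04T12:00:00,frank,open,DOC-9
"""

def accessors_by_document(log_text, leaked_docs, first_seen):
    """Users who touched each leaked document before it surfaced publicly."""
    cutoff = datetime.fromisoformat(first_seen)
    seen = {doc: set() for doc in leaked_docs}
    rows = (r for r in csv.reader(io.StringIO(log_text)) if len(r) == 4)  # skip malformed lines
    for ts, user, _action, doc in rows:
        if doc in seen and datetime.fromisoformat(ts) <= cutoff:
            seen[doc].add(user)
    return seen

def pool_sizes(log_text, leaked_docs, first_seen):
    """Candidate pool size after intersecting each further document, plus the final pool."""
    seen = accessors_by_document(log_text, leaked_docs, first_seen)
    pool, sizes = None, []
    for doc in leaked_docs:
        pool = set(seen[doc]) if pool is None else pool & seen[doc]
        sizes.append(len(pool))
    return sizes, (pool or set())

def coverage_ranking(log_text, leaked_docs, first_seen):
    """Rank users by how many leaked documents they accessed (logs may have gaps)."""
    seen = accessors_by_document(log_text, leaked_docs, first_seen)
    counts = Counter(u for users in seen.values() for u in users)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    args = (SAMPLE_LOG, ["DOC-1", "DOC-2", "DOC-3", "DOC-4"], "2023-03-05T00:00:00")
    print(pool_sizes(*args), coverage_ranking(*args))
```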

Keep in mind that access logs may not just be digital — in the form of keeping track of who opened, saved, copied, printed, or otherwise interacted with a file in any way — but also physical, as when a printer produces imperceptible tracking dots. Even if the printer or photocopier doesn’t generate specifically designed markings, it may still be possible to identify the device based on minute imperfections that leave a trace.

In the meantime, investigators will be working to ascertain precisely where you originally shared the leaked contents in question. Though images of documents, for instance, may pass through any number of hands, bouncing seemingly endlessly around the social media hall of mirrors, it will likely be possible with meticulous observation to establish the probable point of origin where the materials were first known to have surfaced online. Armed with this information, investigators may file for subpoenas to request any identifying information about the participants in a given online community, including IP addresses. Those will in turn lead to more subpoenas to internet service providers to ascertain the identities of the original uploaders.

It is thus critically important to foresee how events may eventually unfold, perhaps months after your original post, and to take preemptive measures to anonymize your IP address by using tools such as Tor, as well as by posting from a physical location at which you can’t easily be identified later and, of course, to which you will never return. An old security adage states that you should not rely on security by obscurity; in other words, you should not fall into the trap of thinking that because you’re sharing something in a seemingly private, intimate — albeit virtual — space, your actions are immune from subsequent legal scrutiny. Instead, you must preemptively guard against such scrutiny.

Digital Barrels

Much as crime scene investigators, with varying levels of confidence, try to match a particular bullet to a firearm based on unique striations or imperfections imprinted by the gun barrel, so too can investigators attempt to trace a particular photo to a specific camera. Source camera identification deploys a number of forensic measures to link a camera with a photo or video by deducing that camera’s unique fingerprint. A corollary is that if multiple photos are found to have the same fingerprint, they can all be said to have come from the same camera.

A smudge or nick on the lens may readily allow an inspector to link two photos together, while other techniques rely on imperfections and singularities in camera mechanisms that are not nearly as perceptible to the lay observer, such as the noise a camera sensor produces or the sensor’s unique response to light input, otherwise known as photo-response nonuniformity.

This can quickly become problematic if you opted to take photos or videos of your leaked materials using the same camera you use to post food porn on Instagram. Though the technical minutiae of successful source camera identification forensics can be stymied by factors like low image quality or applied filters, new techniques are being developed to avoid such limitations.

If you’re leaking photos or videos, the best practice is to employ a principle of one-time use: to use a camera specifically and solely for the purpose of the leak; be sure not to have used it before and to dispose of it after.

And, of course, when capturing images to share, it would be ideal to keep a tidy and relatively unidentifiable workspace, avoiding extraneous items either along the periphery or even under the document that could corroborate your identity.

In sum, there are any number of methods that investigators may deploy in their efforts to ascertain the source of a leak, from identifying the provenance of the leaked materials, both in terms of their initial acquisition and their subsequent distribution, to identifying the leaker based on links between their camera and other publicly or privately posted images.

Foresight is thus the most effective tool in a leaker’s toolkit, along with the expectation that any documents you haphazardly post in your seemingly private chat group may ultimately be seen by thousands.
