GlobaLeaks AMA - 01/2015
Localization Lab’s First Ask Me Anything took place on January 29, 2015 with the team from GlobaLeaks. Below is a transcript of the questions and answers.
Localization Lab: Hello everyone, welcome to the GlobaLeaks "Ask Us Anything." GlobaLeaks is a free open source software platform that individuals or organizations can use for anonymous whistle-blowing or to transparently share information. We have with us Giovanni, Claudio and Arturo (hellais). Thank you for participating, GlobaLeaks team. Can we ask you to each introduce yourselves?
GlobaLeaks: This is Giovanni Pellerano, developer of GlobaLeaks, together with Arturo Filasto and Claudio Agosti. Fabio Pietrosanti and Juha Nurmi are also here. We all are part of an association (an NGO) that is based in Milan and it's called Hermes Center for Transparency and digital human rights. Just for reference the main website of the association is logioshermes.org
Localization Lab: We have some questions for the team that have come in via email, and we also invite anybody here on IRC to add their questions into the chat. Here is one to get us started: What was the motivation behind the creation of GlobaLeaks?
GlobaLeaks: Regarding the motivation behind the creation of GlobaLeaks, we realised that there was huge potential in initiatives that acted in the public interest to promote transparency and openness, a la Wikileaks, but seeing what similar organisations faced when dealing with such materials we felt the need to decouple the organisation from the software. We also saw a lot of potential in more local initiatives that focused on more specific topics and regions. For this reason we set out to create software that would empower anybody, even those not technically skilled, to set up a leak site and start collecting anonymous submissions. Although our initial focus was more geared towards civil society and journalistic endeavors we have more recently realised the potential for this sort of software even in more, let's say, institutional environments, such as public agencies.
Yes, it’s also important to think of the historical moment. After the Wikileaks success, plenty of whistleblowing and leaking initiatives arose, but developing secure software requires dedicated people; it cannot be improvised. Many of these initiatives were lacking proper product management and research. So we analyzed the workflow of the whistleblowing organisation and separated out the technical needs. We provide the technology and the knowledge base, and more initiatives can be born because they do not need the technical knowledge anymore (lowering the entrance barrier).
Localization Lab: Were you also motivated by particular countries or communities? Has this affected your priorities for localization and end-user outreach?
GlobaLeaks: Certainly every new country requires a new software release. We can assume that the needs impact the priorities, but we do not have a specific geographical preference. Whoever needs us gets us. Our vision is in supporting every country or minority to address local issues so our attention is on trying to achieve a large score in internationalization. Due to our current main source of funding we are mostly focused on the global south in general, as the project we applied for is mainly focused on these countries.
Localization Lab: Interesting, thank you! I have another related question coming in via email. We know AfriLeaks was just released, what has been the response to it? And what other regional platforms do you have planned?
GlobaLeaks: Right now the project, even if launched by media, is in an initial stage, where all receivers are currently being trained. As Hermes we do not have any visibility on the outreach by whistleblowers nor do we see any submissions or the number of the submissions so the real visibility of the platform is not understandable right now, but let me say that the interest by journalists is really growing and we have received a lot of enquiries and requests to join the Afrileaks project from a wide range of newsrooms from various countries. Due to this there is a plan to organize further training (in addition to the ongoing one for current receivers).
Localization Lab: Thank you. Here is a question from China. Chinese netizens are using tools that are under the government's surveillance. They know there are better platforms out there, but do not know what they are. Are there any plans to promote GlobaLeaks in China?
GlobaLeaks: Can you clarify what is meant by "tools that are under the government's surveillance"?
Localization Lab: This user specifically mentioned Weibo and Webchat, but did not explain further.
GlobaLeaks: That depends on the Chinese community. We provide support if required, but we do not actively seek a specific initiative. If a need like that arises, probably we'll have to develop something new to most of the citizen-connected, and to this aim we are now discussing all these problems in order to better address them for such a country, therefore having as requirement "Tor + bridge", the current configuration required to access Tor, is quite high as a prerequisite.
Participant V: There is a good although quite outdated manual on bypassing internet censorship available here: http://howtobypassinternetcensorship.org
Localization Lab: Thank you GlobaLeaks and Participant! Everyone who has just joined us--Welcome! Feel free to type your questions directly into the chat, or if you prefer, you can message them to me and I will ask them on your behalf!
Participant U: If you have finished the explanation, I want to say something.
GlobaLeaks: Okay.
Participant U: Thank you. You know that for this kind of project, people need to be 200% sure, so, for example, I strongly recommend using the Extended Validation Certificate for the website rather than the one used now; seeing the "green" in Firefox, for example, makes the user feel safe.
GlobaLeaks: Ok, yes we are conscious and for problematic countries like China the discussions are done with various local activists trying to find the best solutions. From our point of view in addition, as you are saying, it is really important to teach something to the users by means of the same application they are using; for example every user interface of GlobaLeaks tries to embed a lot of additional information for the user.
Participant V: Participant U, I don't understand properly, GlobaLeaks has to be used with Tor browser bundle connected to a hidden service.
GlobaLeaks: I think that Participant U is referring to the use of HTTPS in order to provide GlobaLeaks, right?
Participant U: Of course.
Participant V: Ah, you mean, a stronger protection against a man-in-the-middle attack that replaces the downloaded binary?
GlobaLeaks: As clarification for all the other users (without going into details): GlobaLeaks can work in two modes. 1) anonymous mode (using only Tor and providing the user with strong anonymity + confidentiality), 2) confidential mode (using a specialized proxy in order to raise the confidentiality to the maximum achievable). The second is intended to raise the visibility of the initiative, but obviously is not secure enough to be used in a context like China and its use should be discouraged.
Participant U: To be sure that the domain globaleaks.org is really run on a trusted server as it claims to be, that’s why you should use the Extended Validation Certificate.
GlobaLeaks: Participant U, well, globaleaks.org is not an entry point for something meaningful: the download happens via apt-get on a Debian-based system and is signed with our PGP key.
Localization Lab: Thanks GlobaLeaks, I have another question, is it ok to ask?
GlobaLeaks: I think so, if Participant U has no other connected questions.
Localization Lab: Sure. Participant U, do you have any additional questions on this topic?
Participant U: No I'm satisfied go on :)
Localization Lab: Thanks!
GlobaLeaks: As a reference, the specialized proxy is tor2web, https://www.tor2web.org, that was designed by Aaron Swartz and that we are now developing as Hermes Center. Tbh I don't think EV certs really give you much more protection in the specific Chinese case. WoSign is a Chinese CA that is part of the EV cert clique and they could issue a cert that would allow MITM to the site. The best solution to avoid MITMs at the moment is using Tor Hidden Services and having the user obtain the HS address out of band.
Localization Lab: You must be asked this a lot - is there any relationship or communication between Wikileaks and Globaleaks? How are your missions similar and how are they different?
GlobaLeaks: No connection at all. Wikileaks is an organisation managing leaks, releases, sources and a network around them. We are nothing similar. We are a non-profit organisation (Hermes Center) developing a technology (GlobaLeaks and tor2web) that supports the whistleblowing environment, but we will never manage sources or a GlobaLeaks initiative; it is out of our scope.
Localization Lab: That is interesting and helpful, thank you. I like the idea of scoping the problem in a focused way, which you seem to do.
GlobaLeaks: Our influence in the whistleblowing environment is to provide research, technology, awareness, but the environments requiring whistleblowing are much more than journalism and high profile secrets. Someone used the "long tail" analogy.
Localization Lab: Because GlobaLeaks focuses on the long tail of the whistleblowing environment, correct?
GlobaLeaks: If Wikileaks addresses the 1% of the leaks, and that 1% is world-relevant, we are focused on the other 99%. In order to do so, we have to enable other communities to do so.
Localization Lab: Exactly! Thank you.
Participant U: It's better to let the user decide if he can trust the CA root issuer than leaving him with an unknown identity of who is hosting the server.
GlobaLeaks: This would be a very long discussion, but in general I don't think we should be filling even more the greedy pockets of a system that is known to be broken. EV by itself doesn't really get you much more than a cert signed by a known CA, at least not against a powerful state adversary like China. </rant>
Localization Lab: Another question: What has been the most interesting translation or localization experience that GlobaLeaks has had (with the Localization Lab community or otherwise)? And as we only have about 10 minutes left of our time with GlobaLeaks, if anyone else has questions for the team, please ask!
GlobaLeaks: As for translation right now, all the work is thanks to the Localization Lab community in general and to the Transifex community, and most of the work is really, really done on a volunteer basis. I'm really glad to say this because 50% of the success of the project is due to that, because obviously the penetration of the software relies on this. For those who are not aware of what Transifex is: https://www.transifex.com/projects/p/globaleaks/ This is the main page of Transifex for the GlobaLeaks project. You can see that we have more than 20 quite complete translations, and ~50 ongoing due to user requests, and the Localization Lab is coordinating most of the paid translations for us. I would like to thank them also for their precious work.
Participant U: I propose to bring in world well-known penetration analysts and add them in the "about" dialog to show they did the test.
GlobaLeaks: Yes, it would be important also. For this topic, Participant U, there is material you can read about our research and the penetration tests we received. You can find them on the wiki https://github.com/globaleaks/GlobaLeaks/wiki and https://github.com/globaleaks/GlobaLeaks/wiki/Penetration-Tests. We try to receive analysis on a regular basis.
Participant U: Thank you for the link!
Localization Lab: Thank you GlobaLeaks team for your time today. It has been a great chance to hear from you. We have reached the end of our time.
Participant N: Thanks for the information! It's really cool to see what your movement is doing! :)
GlobaLeaks: Thank you all, it's a pleasure to answer interested people like you
Localization Lab: Thanks GlobaLeaks, this was really interesting! We will be compiling this discussion into a Q&A and sharing it on our website at localizationlab.org, but keeping the questions anonymous. If anyone prefers that we do not include their question (even anonymously), please message me and let me know.
Participant U: I feel safe; however, I think about those who are very paranoid to express a secret when it's a danger for their life. Everything should be done to make them feel safe; that's what every developer should keep in mind :)
Localization Lab: Thank you everybody for joining us in this first Localization Lab Ask Me Anything, and thank you so much to the GlobaLeaks team for being our first subjects!