Don’t Leak to Michael Moore

Michael Moore is trying to grab a piece of the huge Trump-leaks pie. He recently created a new page on his website that provides different methods for leaking “information and documents as well as photographs, video and/or audio recordings.” Moore even claims:

“While no form of digital communication is 100% secure, the tools we’re using provide the most secure technology possible to protect your anonymity (and if you don’t require anonymity, you can just email me here).”

This is quite the claim to make, especially from someone whose website does not send the HSTS (HTTP Strict Transport Security) header, an integral part of a TLS/SSL deployment, and has a grade of F from the Mozilla Observatory. Even more troubling is the insistence that the provided methods of leaking are ‘anonymous’ even though none of the suggested tools provide any anonymity.
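A check for the missing HSTS header mentioned above, as an added example that is not part of the original post: it evaluates a response's `Strict-Transport-Security` header the way RFC 6797 tells browsers to. The function name, the six-month `MIN_MAX_AGE` threshold and the sample responses are assumptions made for illustration.

```python
import re

# One directive: name, optionally "=" and a token or quoted-string value.
_DIRECTIVE = re.compile(r'\s*([^\s;="]+)\s*(?:=\s*("[^"]*"|[^\s;"]+))?\s*')
MIN_MAX_AGE = 15768000  # six months in seconds; assumed policy threshold


def check_hsts(scheme, headers):
    """Return (ok, reason). headers is a list of (name, value) pairs as
    received, so repeated header fields stay visible."""
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not values:
        return False, "header missing"
    if scheme != "https":
        # Browsers ignore HSTS received over an insecure transport.
        return False, "sent over plain HTTP, ignored"
    directives = {}
    # Only the first Strict-Transport-Security field is processed.
    for part in values[0].split(";"):
        if not part.strip():
            continue
        m = _DIRECTIVE.fullmatch(part)
        if not m:
            return False, "malformed directive"
        name = m.group(1).lower()  # directive names are case-insensitive
        if name in directives:
            return False, "duplicate directive"
        directives[name] = (m.group(2) or "").strip('"')
    max_age = directives.get("max-age", "")
    if not re.fullmatch(r"[0-9]+", max_age):
        return False, "max-age missing or not a number"
    if int(max_age) == 0:
        return False, "max-age=0 removes the policy"
    if int(max_age) < MIN_MAX_AGE:
        return False, "max-age below threshold"
    return True, "ok"


# Constructed sample responses, not captured from any real site.
SAMPLES = [
    ("https", [("Content-Type", "text/html")]),
    ("https", [("Strict-Transport-Security", "max-age=63072000; includeSubDomains")]),
    ("https", [("strict-transport-security", "max-age=0"),
               ("Strict-Transport-Security", "max-age=63072000")]),
]

if __name__ == "__main__":
    for scheme, hdrs in SAMPLES:
        print(check_hsts(scheme, hdrs))
```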

Peerio

Moore suggests reaching out to them via Peerio, an open-source tool to share ‘private messages and files with friends’ that uses the miniLock algorithm for encryption. However, there are varying reports about the company possibly wanting to add a backdoor or administrative controls that would allow encrypted messages to be viewed. Another key point is that this technology doesn’t promise anonymity, only privacy, which does not back up Moore’s claim of anonymity. So if you’re also trying to hide who you are, and trying to leak to Moore (I don’t know why), don’t use Peerio.

Signal

Signal, the famous encrypted voice and text messaging app whose protocol is the backend for Facebook’s Secret Messaging function, is also on this list. Signal provides strong end-to-end encryption between two devices to allow secure text and voice communication between two or more individuals. While this is a great tool to communicate securely on, it also doesn’t provide anonymity.

WhatsApp

WhatsApp is definitely the most commonly used app in this list. It too uses the Signal protocol for its end-to-end encryption. So while it is a reasonable tool for secure communication, again, it is not a tool that provides anonymity.

PGP Encrypted Email

The final tool Moore suggests is PGP encrypted email. However, Moore’s implementation has some caveats. Moore uses ProtonMail for their PGP encrypted email. ProtonMail is a company that provides encrypted email and encrypted email storage, when set up correctly. This means that in theory, the email isn’t even accessible to ProtonMail administrators; just the end-user with the correct account and mailbox passwords.

Despite this being the simplest way to set up and use PGP encryption for email, it is more likely to be susceptible to government intervention. In other words, ProtonMail could be forced to serve malicious code to one or more end users that captures their account and mailbox passwords and sends them back to an interested governmental party, rendering all the encryption features null and void. Using a PGP encryption plugin for something like Thunderbird is a much better option.

At least Moore set up 2-factor authentication on his account.

The final note? ProtonMail also doesn’t provide anonymity.

Mail

The final suggestion is to leak to Moore via Mail. This is honestly probably the closest thing to anonymity any of these services provide. Unfortunately, there are still ways to determine general locales of where a package originated from.

In short: Moore tries to create a place to leak Trump info to, but fails to provide any anonymity to people who would leak. At the same time, he offers no guarantees about his group’s operational security in keeping the identities of those who leak secret. So if you need to leak something, don’t leak to Michael Moore. Leak to more reliable and security-minded publications like The Guardian or the New York Times.
