Meet the digital bodyguard for investigative journalists
If you’ve read a big story about international corruption in the last few years, it was likely the work of journalists from multiple countries using complex data sets to trace money flowing through offshore accounts registered to fake corporations. A decade ago, only law enforcement agencies could tie those strands together, if they were lucky.
Today, journalists can do it, and one huge reason why is due to the work of the Organized Crime and Corruption Reporting Project. Founded in 2006, the OCCRP’s creation coincides with the birth of high-tech, transnational investigative journalism.
We profiled the OCCRP — “The People’s NSA” — in this week’s episode of Coded . In the following Q&A, we talk to Smári McCarthy, the group’s former head of security, about risks journalists face when they take on organized crime and corrupt governments.
Freethink: Let’s start with a quick overview of what OCCRP is and what it does.
Smári: The Organized Crime and Corruption Reporting Project is a hybrid NGO-journalism organization set up about 8 years ago that focuses on big organized crime cases and corruption cases, typically those that cross borders and involve multiple countries with a lot of complex assets going around.
When it was founded, there was a tacit understanding that the governments of the world had failed to adapt to the internationalization of everything. Whereas all sorts of cartels and gangs and mobs have become internationalized, just as corporations and international trade have become internationalized, the police forces of the world haven’t kept up and neither have journalism organizations. So OCCRP was founded with the goal of creating a much stronger cross-border reporting scheme that could delve into very complex cross-border issues.
Freethink: Your role is to protect the work journalists do online. What does that involve?
Smári: Security isn’t something you do once. It isn’t surgery, it’s more like hygiene. It’s something you have to do continuously.
Security isn’t something you do once. It isn’t surgery, it’s more like hygiene. It’s something you have to do continuously.
As Chief Technologist, my job is to take all of the different technological problems that come up in our organization and find solutions. This means creating databases, building software that manages these databases, and managing the security of our people.
I work with our journalists on how to use specific encryption tools like Signal for instant messaging and chat tools. I also do regular check-ups to make sure everybody is encrypting their hard drives, and discuss field security issues that may have recently come up for them.
Freethink: We’re having this conversation in Moldova, where the kind of corruption the OCCRP investigates recently exploded into view. Can you tell us about that case?
Smári: About a year ago, roughly 1.5 billion dollars disappeared out of three of the largest banks here in Moldova — about 15 percent of the country’s GDP.
Moldova is a country that has had a very bad track record in the 26 years since it broke away from the Soviet Union. Some years have been very good, others have been very bad. But one of the overriding things has always been the strong need for a people who understand journalistic practices, who go and dig deep into the murky depths of the Moldovan underworld and just expose the entire thing.
So our partner here, RISE Moldova, is a young organization that’s been doing just that over the last two years. They’ve embarrassed the government, exposed criminal syndicates, and done a lot of work that has altered the political narrative in this country. But there’s a lot more work to be done.
Over the last twelve months, meanwhile, we’ve had five different governments take power in the country. That’s a much faster turnover rate than is reasonable, even for a country that has had a lot of turmoil.
The theft completely set the Moldovan Lei — which is the country’s currency — on a very bumpy path. It’s caused financial insecurity in what was already the poorest country in Europe.
Freethink: Can you tell us a bit about how RISE Moldova got started and how they’ve been able to do this kind of journalism?
Smári: RISE Moldova is a collection of pretty young, very eager, very talented journalists who have come together with this new goal of really building out a proper investigative capability. It’s the sister organization of the RISE Project in Romania, which was founded by Paul Radu, who is one of the founders of OCCRP.
Freethink: I’m guessing they have a lot of enemies.
Smári: Yes, which is why over the course of the last three to four months, we’ve seen more or less continual denial of service attacks against the servers where RISE Moldova’s website is hosted.
From that, we know somebody is hell-bent on preventing their website from staying on the internet. Whoever’s doing this is very enthusiastic about taking them down, but isn’t very good at it.
But even a weak attack creates a security challenge. Because if they’re trying to keep RISE Moldova off the internet, they might also be trying to figure out what RISE Moldova is doing.
Whoever’s behind this might be employing surveillance techniques, trying to tap phones, trying to hijack cell towers, break into computers, or deploy malware.
The attacks you can see are normally the ones you can deal with. The real fear is always that there are attacks going on you can’t see.
But we don’t really know all the details of what is being tried, because the attacks you can see are normally the ones you can deal with. The real fear is always that there are attacks going on you can’t see and you don’t know about, which means there is no realistic way of dealing with them. So the only thing we can really do is employ a very robust approach to security.
On the one hand, that means keeping the servers running and making sure that they are very well protected. But it also means making sure all of the computers and phones and other devices being used by our journalists are well-protected and regularly scanned and preferably wiped, because a lot of people put a lot of faith into anti-virus software. And anti-virus software will capture certain types of malware.
But there’s still that entire category of really bad stuff that we can’t anticipate, which is what we call zero day exploits, which are security holes that not even the people who made the software know about. They come up publicly very infrequently, but in our line of work, they’re used more often because we’re high-value targets. So that means that the only way we can be sure we’ve gotten rid of a problem is by wiping the operating system, clearing everything, and starting from scratch on a regular basis.
Freethink: Do you ever feel that what you’re doing is keeping you safe or secure? Or are you always worried about gaps?
Smári: Realistically, you just have to work with what you know, try to understand the actual scope of the threat, and work through the problems. The tendency to allow emotions to run away with you will lead you down a path of paranoia and cynicism, which is never a good way to go. So my approach is to try to bury those feelings of anxiety and just work with the problem as it stands.
Freethink: Can you give us your definition of privacy?
Smári: Privacy is the right to selectively expose yourself to society. That’s Eric Hughes’ definition. It is a very good one because it doesn’t focus on the secrecy, it focuses on right of individuals to choose with whom they share information.
When it comes to the government, the question should be, Why should this be private? As opposed to, Why shouldn’t it be private?
That’s a very important right for individuals. But when it comes to the government, the question should be, “Why should this be private?” As opposed to, “Why shouldn’t it be private?” The default for governments should always be open. Historically, they have defaulted to being closed. Most governments don’t give you access to any data. But they should, because government exists to serve the people. It’s why people pay taxes.
Freethink: Can you talk about how what the OCCRP does in comparison to a governmental organization like the NSA?
Smári: Spy agencies like the NSA spend billions and billions of dollars every year trying to gather what one U.S. Government official called “a robust social graph of the world.” That means they’re trying to figure out who knows who, why they know each other, how much they know each other, what they do together, what they talk to each other about, and so on and so forth.
Basically, they’re trying to create a haystack because they think you need a haystack in order to find a needle. That’s a self-righteous statement for those who are enthusiastic about building haystacks, and it doesn’t acknowledge the reality that finding needles is a lot of easier if you don’t have to dig through mountains of hay.
The problem with doing it that way is that it violates the fundamental idea of privacy by eliminating the ability of people to selectively expose themselves. Under that model, social progress will be stifled, one way or another. Even if police don’t start coming to houses knocking down doors and arresting people on the basis of what they think, people will still fear that that might happen, and stop having those conversations, even with close trusted friends or family. And we can’t allow that to happen.
The investigative journalism approach is much better because it tries to achieve the same goal of discovering criminality without spying on everybody.
The investigative journalism approach is much better because it tries to achieve the same goal of discovering criminality without spying on everybody . We don’t need the haystack. We need public records. We need information from governments about what governments are up to. We need information from corporate registries about which corporations exist. By compiling all of this public information together, we can find the leads to criminality. And you can do this without violating privacy or any kind of thought policing or chilling of free speech.
In practice, it appears this is a much more effective approach with much better return on investment. And because the end-product of journalism is publicly accessible content, the journalists who are involved in this process are ultimately completely accountable to the public, something that we unfortunately we can’t say for law enforcement.
At the time of the interview, Smári McCarthy worked as OCCRP’s chief of technology. He now serves in the Icelandic parliament.