Passing Sensitive Information To OPERATION ORANGE
Sensitive information is accepted by OPERATION ORANGE and we will protect it to the best of our ability. We do not fear repercussions to our organization for being in receipt of, or publishing, sensitive information. The First Amendment protects online journalists and activists from the chilling effects of prior restraint on free speech.
We do wish to protect our sources from harm, and preserving anonymity is the primary way we pursue that objective. We can control the information on our computers, but we cannot control the security of information on the various servers used in the internet system. Those engaged in corporate espionage (hackers) and law enforcement can exploit the vulnerabilities at the server.
OPERATION ORANGE uses very powerful encryption/verification software called “Pretty Good Privacy” (aka “PGP”). We have provided a free source for this software from SYMANTEC Corporation. It is linked at our website. We have also included the PDF for the instruction manual in our MASTERDOCS.zip file. PGP is very easy to install and use.
PGP enables us to perform two vital functions over an unsecured medium: encryption and verification. We can send and receive encrypted information to any party using PGP, or in some cases any party with a pre-arranged pass phrase. We can also verify the unique digital identity of any PGP user.
Please refer to the PGP user manual for an exhaustive explanation of how PGP works.
There is still the issue of deniability when sending information to OPERATION ORANGE. If you send an email to our server from an account that you control, a vulnerability exists. If you have a PGP key pair, and OPERATION ORANGE has a copy of your public key, we can verify any message you send, provided it was signed with your private key. This works no matter what account you use to send us the information.
If you have highly sensitive information, and wish to establish deniability for communicating with OPERATION ORANGE, please use the following procedure:
1. Write your message using software on a public computer, such as a library computer or hotel computer.
2. Save the information onto a removable medium, such as a thumb drive.
3. Take the removable medium to the computer you use for PGP and plug it in.
4. Do not transfer the file to your computer, or you will have to use the PGP Disc Wipe / File Shred feature.
5. Convert the file to PDF or another suitable format while it is still on the removable medium. We accept a wide range of file formats such as PDF, JPG, BMP, DOC, DOCS, XLS, etc. We prefer PDF.
6. Sign the file with your private key. Use the detached signature option. This creates a signature file.
7. Put the signature file and the signed file in a NEW FOLDER on the removable medium.
8. Encrypt the NEW FOLDER with one of our public keys. Steps 7 and 8 bury the signature file within the encrypted file, and the identity is unknown to anyone who cannot decrypt the file.
9. Rename the new PGP encrypted file whatever you wish.
10. Take the removable medium to a public computer, such as a library or hotel.
11. Create a GMAIL (or similar web based email) account that does not reference you.
12. Send an email to one of our email addresses from the GMAIL account and attach the encrypted file to the email. Alert us in the body of the message of an attachment.
We will receive, decrypt, and verify the contents. If we have your public key, we will know it is from you. Nobody else will be able to determine the identity. If we are not already familiar with you, we may have to verify your identity by some external means, depending on the nature of the information.
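The sign, bundle and encrypt steps of the procedure above, followed by the receiving side's decrypt and verify, as an added example that is not part of the original page. It assumes GnuPG 2.x (`gpg`) in place of the PGP product the page names, and every key, address, path and file name in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: throwaway keys and a constructed file; GnuPG stands in for PGP.
set -eu

# Run gpg against one isolated keyring (first argument) without prompting.
g() { h=$1; shift; gpg --homedir "$h" --batch --quiet --yes \
        --pinentry-mode loopback --passphrase '' "$@"; }

setup() {   # constructed identities: SRC is the sender, DESK the recipient
  W=$(mktemp -d); SRC=$W/src; DESK=$W/desk; EVE=$W/eve; USB=$W/usb
  mkdir -m 700 "$SRC" "$DESK" "$EVE"; mkdir -p "$USB/NEWFOLDER" "$W/inbox"
  g "$SRC"  --quick-generate-key 'source@example.invalid' default default never
  g "$DESK" --quick-generate-key 'desk@example.invalid'   default default never
  g "$DESK" --export 'desk@example.invalid'   | g "$SRC"  --import
  g "$SRC"  --export 'source@example.invalid' | g "$DESK" --import
}

sender_prepare() {   # detached signature, both files in one folder, then encrypt
  printf 'constructed sample document\n' > "$USB/NEWFOLDER/report.pdf"
  g "$SRC" --output "$USB/NEWFOLDER/report.pdf.sig" \
           --detach-sign "$USB/NEWFOLDER/report.pdf"
  # --trust-model always is for this demo; in practice check the key fingerprint.
  tar -C "$USB" -cf - NEWFOLDER | g "$SRC" --trust-model always \
      --recipient 'desk@example.invalid' --output "$USB/holiday.bin" --encrypt
  rm -r "$USB/NEWFOLDER"     # only the encrypted, renamed file stays on the drive
}

outsider_signature_packets() {   # what a party without the private key can parse
  (g "$EVE" --list-packets "$USB/holiday.bin" 2>/dev/null || true) |
    grep -c ':signature packet:' || true
}

recipient_verify() {   # decrypt, unpack, check the signature against SRC's key
  g "$DESK" --decrypt "$USB/holiday.bin" | tar -C "$W/inbox" -xf -
  g "$DESK" --verify "$W/inbox/NEWFOLDER/report.pdf.sig" \
            "$W/inbox/NEWFOLDER/report.pdf" 2>/dev/null
}

cleanup() { for d in "$SRC" "$DESK" "$EVE"; do
              gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null || true
            done; rm -rf "$W"; }

setup; sender_prepare
echo "signature packets visible without the key: $(outsider_signature_packets)"
recipient_verify && echo "recipient: good signature from source@example.invalid"
cleanup
```

The packet listing from the keyring that holds no private key shows only the recipient key and the encrypted data, which is the effect the procedure attributes to steps 7 and 8.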
We distinguish between highly sensitive information and that which is patently illegal in nature.
Please note that we will refuse all forms of pornography, human rights degradation, and any information detrimental to the national defense of the United States and its allies. We are not WIKILEAKS for pilots.