Malicious Life Podcast: Protecting the Panama Papers Whistleblower

July 16, 2020 |

In 2015 Bastian Obermayer, an investigative journalist for the Süddeutsche Zeitung, received a message every journalist dreams of: the biggest leak in journalism history. But dealing with the massive 2.7 Terabyte data-dump, 11.5 million documents - while making sure his source's identity could not be uncovered, turned out to be a huge challenge...

Bastian Obermayer
About the Guest

Bastian Obermayer

Investigative journalist, Book author, Speaker

A Pulitzer Prize winning reporter for the investigative unit of the Munich-based Süddeutsche Zeitung, Germany's biggest broadsheet. He was the reporter who received the Panama Papers documents from an anonymous source, later known as John Doe. Together with his colleague Frederik Obermaier and the International Consortium of Investigative Journalists (ICIJ) he broke the story of the biggest leak in journalism.

ran-levi-headshot
About the Host

Ran Levi

Born in Israel in 1975, Malicious Life Podcast host Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.

In 2007, created the popular Israeli podcast Making History. He is author of three books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

About The Malicious Life Podcast

Malicious Life by Cybereason exposes the human and financial powers operating under the surface that make cybercrime what it is today. Malicious Life explores the people and the stories behind the cybersecurity industry and its evolution. Host Ran Levi interviews hackers and industry experts, discussing the hacking culture of the 1970s and 80s, the subsequent rise of viruses in the 1990s and today’s advanced cyber threats.

Malicious Life theme music: ‘Circuits’ by TKMusic, licensed under Creative Commons License. Malicious Life podcast is sponsored and produced by Cybereason. Subscribe and listen on your favorite platform:

All Posts by Malicious Life Podcast

Malicious Life Podcast: Protecting The "Panama Papers" Whistleblower Transcript:

Daphne Caruana Galizia was one of those journalists they make Hollywood movies about. In her small home country of Malta, she wasn’t just the most popular journalist, she was more popular than the journalism industry. Her blog, “Running Commentary,” was more widely-read than all Maltese newspapers combined.

But what made her Hollywood material wasn’t that she was popular. It’s that she was the type of investigator to make enemies, and continue doing so even when her life was on the line. Death threats, for Daphne, were a daily phenomenon. In three decades, she was the victim of arson not once, but a few times. And being Daphne’s dog was almost a death sentence in itself. One dog of hers had been poisoned, and another shot. One day in 1996, she awoke to her dog laid out on her front porch, its throat slit.

In 2016, Daphne got her hands on one of the biggest scoops of her professional career. It implicated some of Malta’s highest government officials in criminal activity. It was going to be messy. But after decades of burned houses and murdered pets, she wasn’t exactly going to hold back this time.

She broke the story. Over the following year, more stories and leaked documents made it onto her blog. The most important political figures in the country were now in hot water, including the Prime Minister, his Chief of Staff, and another high-ranking Minister.

On October 3rd, Daphne was driving not far from her home when a bomb exploded in her car. She was killed in an instant. Her son identified the remains, a full 80 meters from the site of the explosion. “I looked down and there were my mother’s body parts all around me,” he wrote.

INITIAL CONTACT
Hi, I’m Ran Levi, welcome to Malicious Life, in collaboration with Cybereason.

In previous episodes of this podcast, we’ve told stories of people like Edward Snowden. Julian Assange. Chelsea Manning. These were individuals who, when faced with dark realities about the powerful and corrupt, willingly put their lives on the line to spread the truth. The sheer balls necessary to do that is, frankly, baffling to me. To drop any sense of a normal life, attempt such a dangerous leak, and keep your composure long enough to pull it off…who would put themselves through something like that?

Daphne Galizia is one journalist who did it. But she wasn’t alone. She was just one part of a much larger corruption story, involving other journalists around the world who also, in doing what they were doing, were putting their lives in direct danger. At the heart of it all was a man who happens to be the guest on this episode of our show.

“[Bastian] My name is Bastian Obermayer from Munich. I’m leading the investigation department at Süddeutsche Zeitung which is the biggest daily paper in Germany.”

One evening, in the winter of 2015, Bastian Obermayer was at home with his family. He was okay, but everybody else in the house was sick–his parents, his wife, his kids. Maybe it was an omen.
He received a ping on his phone.

Hello, this is John Doe. Interested in data?
Who are you?
I’m no one. Just a concerned citizen.

“[Bastian] Someone, who called himself John Doe and asked me if I was interested in data. And I said, yes as I find data as always a good thing because it’s kind of neutral in the beginning and you can see what you want to do with it later.”

The nature of this “data” was not yet clear. In fact, it hardly seemed all that important.

“[Bastian] In the beginning, I didn’t know what to think of it. We get many texts, we get many emails, we get many letters actually, written letters still from people who tell us that you know they have the biggest story on earth. And usually, most of it is BS. So, but still you know it’s my job to read it and to think about it.”

There is just a mind-boggling amount of criminal activity going on here.
How much data are we talking about?
More than anything you have ever seen.

“[Nate] did you get a sense of this person? I imagine it’s not like being – you can’t really get to know them like a Tinder date but what they were like, you know what they were after?

[Bastian] The person was very much to the point and that’s always a good sign.”

I want you to report the material and to make these crimes public.
Why are you taking the risk?
I can’t explain my rationale without making my identity clear.

“[Bastian] And I could really only – in the beginning that this person really had an interest that was not so much his personal interest but more like a mission. And usually, as a reporter, you get a lot of context from people, a lot of letters from people who have a very special interest. They want you to do this or that story or that story with a certain spin or whatever. And that guy, he just wanted me to look into it and he seemed to be really generally interested in a journalist looking at that company and the documents that he had obtained.”

LEAKING BEGINS

After some time, the two built a rapport. The source demonstrated they were serious, and Bastian demonstrated he would take them seriously.

There are a couple conditions. My life is in danger. We will only ever chat over encrypted files. No meeting, ever.

“[Bastian] I don’t know exactly why he trusted me. [. . .] I really tried to be careful. I really tried to help the person to set up a secure line to make sure that he doesn’t have to reveal his identity when handing over the first set of documents. And yeah, maybe that’s helpful.”

The two open up a private, encrypted channel through which documents could be transferred. For security reasons, he could not disclose to us by what means they did so. But we can speculate.

Ordinary news tips typically go straight through a paper’s phone line or general email. More serious tips might be communicated via WhatsApp, which encrypts all its messages. When Edward Snowden first contacted Glen Greenwald, he used PGP-encrypted email, and other leakers have done the same. But PGP can be difficult to set up for people with less technical background than Ed Snowden, and WhatsApp has been exploited in some high-profile cases–for example, that weird time when the Saudi Crown Prince Salman hacked Jeff Bezos. An easy-to-use alternative to WhatsApp these days is Signal–another end-to-end encrypted messaging app. Signal is also free, and open source, but was only released, in its current form, after the events of our story here.

Bastian’s leaker might have been best-off using either SecureDrop, or GlobaLeaks. These two services, free and supported by freedom of speech-focused nonprofits, use the Tor network, typically with Tails – a security focused Linux distribution – in order to protect the IP, location and identity of the leakers who use it. SecureDrop, in particular, requires that journalists go through a labyrinthine process, requiring multiple USBs and computer systems, in order to secure the data uploaded by an anonymous source.

“[Nate] So when this data comes to you, is it dumped all at once or overtime, how do you handle that?

[Bastian] So we received it in batches.”

There were too many documents to send all at once. So the leaker sent a small batch of them. A taste of what was to come. Bastian brought in his colleague, Frederick Obermaier (no relation) to help make sense of what he saw.

“[Nate] could you give our listeners a sense for what it’s like to be in that position during that point in your life when you get that first message or the moment when the weight of the story really sinks in?

[Bastian] Well, you know it didn’t feel like you know this is the beginning of something big. It was more like there might be a story somewhere, let’s see. But when we found the best friend of Vladimir Putin in that and the sitting Prime Minister of Iceland and the data grew and grew in our hands and so then we realized, OK, this is something big.”

Bastian hadn’t had a clue what he’d gotten himself into. But boy was it becoming clear now.

The documents came from a law firm which specialized in helping the rich evade taxes by funneling their huge amounts of money through artificial “shell” companies. Among those named in the documents were billionaire tycoons–CEOs of companies like Adidas, Barclays and Citigroup–famous celebrities from Shakira to Jackie Chan to Lionel Messi, and current and former heads of state from Italy, Australia, Ukraine, Iceland, Iraq, Argentina, and more.

So you know that wasn’t funny anymore. And at the same time, we realized there was no way back.

DANGER TO BASTIAN
As the documents rolled in, two things became clear. Number one: the leaker had good reason to stay anonymous. Number two: simply by viewing these documents, Bastian and Frederick were also now in danger.

“[Nate] But before all of the craziness, you still were in those early stages and some danger. Maybe it’s normal to you as an investigative reporter but when you really take the story…

[Bastian] No, it weren’t the story. No, no.

[Nate] Yeah. OK. No, say… go ahead.

[Bastian] No, no. So when we realized which kind of people we were starting to mess with, you know we thought a lot about safety and security. [. . .] also about our families and about ourselves and you don’t want to mess with Vladimir Putin. I mean he’s a guy who’d probably gave orders to have people killed in the last years and we found money that had belonged to mafia clans.

We found money in offshore companies affiliated to drug cartels and to all kinds of dictators. We found companies that were owned by the cousin of Bashar al-Asaad from Syria and you know he probably used those companies to buy fuel for his planes to bomb his own people.”

If the wrong people caught word of the impending leak, the consequences to those involved could not be overstated. We established, in the beginning of this episode, what happens to people who have such sensitive information to share. So it was imperative that Bastian keep all of his data under tight wraps using encrypted communications channels, and protected offline databases.

SCALE OF THE DATA
But ordinary security procedures weren’t enough, since this wasn’t an ordinary data dump.

“[Nate] could you give me a sense for the scale of this data just how much we’re talking about?

[Bastian] So in the end, we had more than 11.5 million documents and I think it was 2.7 terabytes or something which is – it doesn’t sound like a lot now and should have sounded like a lot back then. Back then…

[Nate]: It sounds like a lot.

[Bastian] Yeah. Well, when we started this, the biggest data leak that any journalist had worked with at being the offshore leaks with 260 gigabytes. And when we reached that level after a couple of weeks, I got really excited because you know, we know – we knew we were sitting on the biggest leak any journalist ever had gotten their hands on.”

Not only was this the biggest leak in the history of journalism–it was ten times larger than the previous record.

“[Bastian] I realized that I had to stop what I did in the beginning. I had to – I didn’t ask for more because at some point, I had to assume that this person still had access to the data and I didn’t want to make him go steal from me, you know.”

The sheer amount of data the leaker had access to made even the simple task of receiving and storing new batches of documents a problem. Bastian and Frederick brought in more of their colleagues, but they weren’t exactly IT experts.

“[Bastian] it kept growing and growing and growing which was also a huge disaster for us at Süddeutsche Zeitung because we already had to buy a new computer for the data when we had only like 100 gigabytes and then we had to buy another one for 500 gigabytes.

And when we broke the one terabyte, sign when we broke through this wall of one terabyte, we had to buy a new computer for like €17,000 which is a huge amount of money for us and – but we needed to have more capacity. And so it was really the technical side was never under control while we work on that.”

Keeping a tight hold of so much data required newer, better machines than they had at the Süddeutsche Zeitung offices, and more technical wherewithal than this small group of reporters was used to.

ICIJ
However, the biggest security threat posed by all this data had nothing to do with equipment, but, rather, access.

“[Bastian] In the very first days we thought that’s a big story and it’s a big international story and we are too small in Germany, we don’t have that experience, we have to have partners. And as we had worked with the ICIJ before, that was kind of a natural decision for us.”

“ICIJ” stands for the International Consortium of Investigative Journalists. It’s an organization which brings together reporters from over 100 different organizations in 80 countries around the world. Süddeutsche Zeitung sought their partnership, because 11.5 million documents was far more than Bastian and his team could handle on their own. But with added help came added risk.

“[Nate] So I’m trying to put myself in your position for a moment and I’m asking, in those early stages, is it safer to be the only one who has this information or to spread it around to as many of your colleagues as possible? Because on one hand, the more people who have this dangerous information, the less of a target there is specifically on you. But also, there’s a risk that one of your colleagues is talking on the phone and somebody overhears them or they tell their wife when they’re at home.

[Bastian] Yeah, yeah. [. . .] We were fine in the beginning with having partners that we already knew and already had worked with from the Guardian and Switzerland and from France. You know those were like our friends, we trusted them and we had worked with them on the Luxembourg Leaks, on the Swiss Leaks, you know. And we realized that every new partner, every new person, we didn’t know was a huge near-risk for the investigation for our source, and for ourselves. But at the same time, it made completely sense to add partners in Iceland, for example, where we had found the Prime Minister because we couldn’t do the story without a partner in Iceland.

And so this was what we thought about for every country and we had good arguments for every country that we later added. The downside that it got riskier and riskier because we now had like literally hundreds of people in the team that we didn’t know. And you know only a handful of them worked alone, most of them, they brought in more colleagues. I’m sure a lot of them told their partners, their wives, their husbands and so it was completely impossible for us to oversee how many people knew about our story.”

All of a sudden, Bastian had very little control over where the documents were, and who was seeing them. In just a few months, hundreds of people joined in the project.

“[Bastian] there was no way to shield our paper from the danger and we only could rely and count on the team spirit that you know everyone sticks to the rules. The most important rule was shut up while we could and we were just hoping we make this work.”

PROTECTING THE SOURCE
There was one security benefit to bringing in more journalists. At the very beginning, when Bastian and then Frederick were the only two people who knew of the leaks, they had huge targets on their backs. I mean, really, how hard would it have been for Putin to “neutralize” one or two reporters? He’s done it before. But now that hundreds of reporters all had access to the data, Bastian was probably safer for it.

But the same couldn’t be said of his source. If some powerful person included in the leaks were to find out the leaker’s identity…who knows?

“[Bastian] What we tried to do is, of course, we shielded as much as we could about our source. So we only gave away very basic information about how we had obtained it and all that stuff.”

Once all 11.5 million documents had been transferred, Bastian did one last thing to ensure the anonymity of his source.

“[Bastian] I just wasn’t sure that there was no trace of my source on that and I didn’t want to endanger our source.”

Whatever data that connected back to the source couldn’t just be deleted. For safety’s sake, it had to be really, really deleted. That meant doing more than just, you know, dragging files into the Recycle bin icon on the laptop screen and clicking “empty bin.” Because, as some of you out there may know, “deleting” files on your computer doesn’t always mean what we think it does.

Let’s say, hypothetically, that I had a night out on the town last weekend, and now there are some embarrassing photos that I needed to get rid of. Of course, this is just a made-up scenario…

[Nate] Oh man, Ran, what a night! I didn’t know it was physically possible to stick a microphone so far up your own-…

If!!…I select these photos on my smartphone, or laptop, and put them into my garbage folder, not much changes. They’re still on the computer, just found in a different directory. If I then empty that garbage folder, it would seem as if the photos are gone for good.

But actually, on the kinds of hard drives you’re used to, it’s likely that nothing has been literally removed from the device. Rather, it’s the pointer to the data that’s been forgotten. So your device no longer has the means to locate the data, yet the data remains in storage until it’s overwritten by some other data in the future.

Since Bastian didn’t know for sure that the data on his devices couldn’t, theoretically, be used to trace back to his source, he had to take extreme measures. He could have wiped the devices, refilled them with a bunch of random, new data and recycled the process a few times over. That, probably, would’ve been enough.

But, actually, there was an even simpler, more effective solution. One of the oldest tricks in the cybersecurity playbook.

“[Bastian] So after we had thoroughly erased everything and you know I just – we stood next to our tech guy and I asked her, “Are we really sure there’s not a trace on that and no one can do anything with all that stuff now with my phone and my laptop?” and she was like, “Yeah, I’m pretty sure.” But you know there’s no 100% and we don’t know what kind of technology might exist in two years and five years.

And so we thought, OK, what can we do to be 100% sure? And that’s when we brought in the hammer and start smashing the stuff. And so we just felt better. We also felt silly. Yes, I know but it felt better and yeah, that’s why we did it.”

CONCERNS
[Nate] Did it ever feel to you like failure was possible in the story?

[Bastian] Yes, of course. I mean we were completely overwhelmed with you know the technical part with all the data. And we also felt that he had added too many partners. We really… so we realized at a certain point that we couldn’t stop it anymore and that didn’t really feel good. We realized there’s no emergency button because so many people knew about this and we didn’t even know all the names of them. [. . .]

And also, the legal risks that we had no clue about how big they could become. [. . .] you don’t get sued in New York or in London for your stories because you were writing about some Germans in Germany and you’re writing in German. And now, we had an English homepage for Süddeutsche Zeitung and we wrote about the Russian oligarchs and that had billions you know. [. . .] You know if an oligarch wants just to use let’s say only 50 million to sue us in five different countries that maybe would have been the end of Süddeutsche Zeitung if we had made a mistake you know because then maybe some court would have ordered us to pay you know for the damage that we did and then it would be our fault that our paper would have died after 70 years. [. . .]

Also I mean if we would have lost our source if we would have made a mistake and our source, the name would have been public and you know the guy would have been arrested or whatever, maybe even killed and then… I mean you can stop being a journalist. [. . .] You know it’s a leak, what can go wrong with a leak? A lot. A lot. A lot can go wrong.”

CULMINATION
A lot could’ve gone wrong. Yet, incredibly, in spite of everything, most of what could’ve gone wrong did not. Dramatic music Beginning on April 3rd, 2016, Süddeutsche Zeitung and newspapers worldwide began publishing leaks from the law firm that helped the world’s richest people avoid taxes. They called them the “Panama Papers.”

Almost immediately, the Mossack Fonseca law firm was raided and dismantled. Protests erupted in Brazil, where members of seven different political parties were named in the documents. With the U.K.’s Brexit vote just two months away, several European Union officials were tied to the documents, as well as U.K. Prime Minister David Cameron and donors and members of his Conservative party.

In Iceland, protests in the capital Reykjavik forced the country’s Prime Minister, Sigmundur Gunnlaugsson, to resign. The Prime Minister of Pakistan was later removed from office and sentenced to ten years in prison. His daughter was sentenced to seven. Meanwhile, in Russia, Vladimir Putin denied any involvement with Mossack Fonseca. His spokesperson called the Panama Papers a CIA hoax.

After seven Communist Party officials were outed, the Chinese government began a strict crackdown on all news and information related to the leaks. Maybe start fading out the music around here As a result, few Chinese people today know the Panama Papers even exist. In dozens of other countries, though, lawsuits and investigations have been launched, leading to political reforms, litigation, and over a billion dollars recovered in back taxes.

Overall, the leaks were a success. But there was one blemish to the story. As journalists from countries around the world were reporting on the crimes relevant to their respective countries, so was the case in Malta. Daphne Galizia, never one to shy away from a fight, was the go-to source for Maltese citizens when it became clear that multiple government officials–including the Prime Minister’s wife, Chief of Staff, and another high-ranking Minister–were implicated by the Panama Papers. Daphne posted Panama Papers revelations to her blog regularly, for months after the initial news.

The last blog she ever wrote concerned a court hearing for the Prime Minister’s Chief of Staff. Her final words read, quote: “there are crooks everywhere you look now. The situation is desperate.”

CONCLUSION
“[Bastian] when we did the Panama Papers, we didn’t have an intent, honestly. We wanted to show what we’ve got but it’s not my intent to change the system and I never thought we could stop inequality and I never thought for a second that we could stop wealthy people evading taxes because you know that’s what many people do. [. . .] what we have achieved is you know we’re very practical that the role of offshore has gotten way more complicated for the people who use it and there are more rules in the post Panama Papers world than had been before. [. . .]

you know in former days, when you had – let’s say you had a million black money, a million euro, a million US dollars and you approached the Swiss Bank. Let’s say Deutsche Bank Switzerland and you told them that you have got this million here and you don’t want to pay taxes and you know you just want to hide it somewhere, they probably would have gotten you a Panamanian company with a bank account in Switzerland, on Luxembourg and that was it. No taxes anymore on that money.

Now, if you go to Deutsche Bank Switzerland with 1 million euro and you say you’re allergic to taxes, they just will look you in the eyes stone cold and tell you that’s your problem, mister.”

Following the Panama Papers, an unidentified source contacted Bastian and Frederick with what would become the “Bahamas Leaks.” The documents tied offshore companies and trusts to the Vice President of Angola, the former Prime Minister of Qatar, and former Commissioner of the EU. Later that same year, the duo revealed the so-called “Paradise Papers.” Of the names included: Juan Manuel Santos, the President of Colombia, U.S. Secretary of Commerce Wilbur Ross, Prince Charles and Queen Elizabeth.

These days, aside from leaking major financial crimes, Bastian lives with his wife and kids outside of Munich, and still reports every day to Süddeutsche Zeitung.

And somewhere else in the world–we don’t know where–is the person who called themselves “John Doe.” To this day, even Bastian does not know the identity of that individual who sent him the Panama Papers. For everybody’s sake, it’s probably better that way.

“[Bastian] I think like 10 years ago, when somebody would have told me, “You know you’ll do a huge story, a worldwide story about tax avoidance,” I would have laughed. I mean who cares about tax avoidance?”