NAMAleaks

What is NAMAleaks?

Namaleaks is a project that seeks to uncover possible injustice and poor practice related to NAMA (National Asset Management Agency) and financial institutions in Ireland.

It is directed by Mick Wallace TD and the Namaleaks team includes Cormac Butler (financial consultant), Clare Daly TD, Frank McDonald (Irish Times journalist) and Julien Mercille (University College Dublin academic). It has been developed in collaboration with experts who work extensively with whistleblower Edward Snowden. They are world leaders in creating secure and anonymous systems for whistleblowers.

Please contact us if you have relevant information. Whether you are an insider with confidential information, someone who has been evicted from your house unjustly, or know something else of relevance to the project, we would like to hear from you.

Below, we outline several methods for you to get in touch with us and send us documents. However, please be aware that no system can ever fully guarantee your security (and anybody who says otherwise for any system is lying). Any method of communication always has at least a theoretical possibility of being hacked, even when conceived and used by experts like Snowden. This being said, the methods proposed below offer safe ways to communicate with us. We at Namaleaks will do everything in our power to protect your identity. Nevertheless, in some cases, the best way to protect your anonymity may be not to disclose your identity even to us.

At any point, if you are unsure about how to leak to us, contact us with questions and we will assist you in leaking safely.

How to contact us

  1. If you’d like to submit tips to us and your anonymity is not important, you can simply email info@namaleaks.com by using your regular email.

    However, if anonymity and confidentiality are important, use one of the methods below.

  2. You can send us text messages to this mobile at 0838558732 using the smartphone app Signal, available for iOS and Android and which is very easy to use. Signal works like WhatsApp but offers better security and anonymity. It makes it very difficult for people spying on you to know who you are talking to, and your texts are fully encrypted and cannot be read by anybody but you and us. Look for the lock next to the send button before you send your text to make sure it is encrypted.

    Another advantage of using Signal is that we can communicate back with you, just like we would using normal texts. You cannot attach pdf or docx documents with Signal, but you can send us photos/pictures of confidential documents.

    Also, if you want to send us confidential documents but are unclear how to do it, use Signal to ask us and we will text you back providing guidance.

    One thing to keep in mind is that when you contact us via Signal, we will know your phone number (just as if you sent us a normal text). We will not reveal your phone number to anybody, but if your anonymity is extremely important, please use the methods below to communicate with us instead of Signal.

  3. If you need maximum security and anonymity, create an anonymous email and send us encrypted emails. How do you do this? There are a number of steps, outlined in detail in the next section.

How to leak sensitive information to us if you require maximum security

General:

Don’t contact us from work. Government and company networks often log traffic. If you want to leak us documents that exist in your work, first remove them from work and submit them using a personal computer on a different network. Don’t contact us on social media, which is insecure. Don’t tell anyone that you’re a source. There’s no point informing people of what you are doing, as this would expose you to unnecessary risks.

How to leak:

  1. Go to a public WiFi network. Take your personal computer and go to a network that isn’t associated with you or your employer, such as at a coffee shop. Ideally you should go to one that you don’t already frequent. Leave your phone at home, and buy your coffee with cash. Choose a coffee shop without security cameras, or a spot within the shop where cameras aren’t recording. Be aware of your surroundings, turn your screen away from curious neighbours.
  2. Download and install the Tor browser on your laptop (go to the section “Stable Tor Browser” and select the one you need for your operating system and language). Tor Browser maximises your anonymity online because it hides which sites you are visiting (whereas browsers like Chrome, Explorer or Safari are more easily spied on). This is why Edward Snowden always uses Tor. The first time you open Tor, it may ask you if you want to “Connect” or “Configure”: click “Connect”.
  3. Create your anonymous email address and account. Use Tor browser to navigate to this site: http://sigaintevyh2rzvw.onion/ which will do just that. (You can only access this site with Tor). Click on the “Sign up” tab, then choose your new username and password, fill in the Captcha, and you will have created a new anonymous email account! Your email address will be your username followed by @sigaint.org. Now login to get to your account (the “name” to enter when logging in is simply your username).
  4. The general principle is this: you must create an anonymous email address using Tor. We used Sigaint in the example above but if you use another service it’s fine, as long as you use Tor. Don’t create an anonymous email in Gmail or Hotmail for example, as those will not be fully anonymous. And never log in to your anonymous e-mail address from your normal browser. Only use Tor.
  5. Encrypt your new anonymous email. This will ensure that your communications with us are not readable by anybody who might be spying. The way to encrypt your email and contact us varies slightly depending on your operating system so we provide instructions for each. You might want to read a short and clear explanation of PGP encryption in general.

Instructions for Mac OS X

There is a good guide, which approximates what we will do here.

We’ve made these videos to show you the steps outlined below visually

How to create an anonymous email and get keys in MacHow to create an anonymous email and get keys in Mac
How to retrieve Namaleaks' keys in MacHow to retrieve Namaleaks’ keys in Mac
How to enable your Mac for encryption How to enable your Mac for encryption
How to send an encrypted message in MacHow to send an encrypted message in Mac
How to send an encrypted file in MacHow to send an encrypted file in Mac
  1. Download and install GPGTools.
  2. When the installation is complete, open GPG Keychain (which will be in your applications folder), if it doesn’t automatically open. Click “New” at the top of the window to generate your PGP keys. A window will pop up and ask you to enter your name (give an anonymous name), email address (enter the @sigaint.org email you created) and a passphrase of your choice (different from the password you created for your Sigaint email). Use a strong passphrase, you can use this guide to help you. Make sure the “Upload public key” box is NOT checked. It’s also a good idea to click on “Advanced options” and ensure the “Length” is set at 4096. Then you can click on “generate keys”. After a few moments, your key will be generated, and you will see it appear (in bold) in the GPG Keychain window.
  3. Get Namaleaks’ encryption keys by using Tor and navigating to this key server: https://pgp.mit.edu/. It's important to go to that server using Tor, not via a regular browser like Chrome or Safari, to protect your anonymity. In the “search string” enter info@namaleaks.com and check the box“ Show PGP fingerprints for keys", then press Search. Then you will see more than one key: find the one whose“ fingerprint" is C42A 593F F20C 3118 8D62 58C2 DFD9 813B 4BAC 7823 and then click on the 4BAC7823 link for that key. A big paragraph of letters and symbols will appear, that's the key. Copy it from -----BEGIN PGP PUBLIC KEY BLOCK----- to -----END PGP PUBLIC KEY BLOCK----- inclusive. Then paste it into Notepad. Save the Notepad document on your desktop. Then go into the GPA's Key manager and click “Import", select the Notepad document you've just saved on your Desktop, and the key should be imported. It will appear listed in your Key manager.
  4. Click on the apple icon at the top-left corner of your Mac and select “System preferences” → “Keyboard” → “Shortcuts” → “Services” (in the left pane). Make sure that in the right pane, under “Files and folders”, all the OpenPGP options are ticked, and that under “Text”, all the OpenPGP options are ticked as well. Your computer is now enabled to use encryption!
  5. Let’s start with an encrypted message that you want to send us. Open TextEdit (in your applications), and write your message in it in full. Something like “Hi, I’d like to leak those documents to Namaleaks.” Then, select the whole message (i.e., highlight it), right-click on it, choose “Services” → “Encrypt selection”.

    A window will pop up entitled “Choose recipients”. Here is what you do in that window: at the top, you tick the email to which you want to send your message, namely, info@namaleaks.com. Then, at the bottom of the window, ensure that the “Your key” field shows your Sigaint email. And next to that, tick the “Sign” box. Then click “Ok”. (You may be prompted to enter your password that you created for encryption).

    Now go back to your TextEdit window, and surprise, you will see a bunch of unreadable letters and symbols: that’s your email message, encrypted, so no one can read it!

  6. Select that entire encrypted message in TextEdit (including “-----BEGIN PGP MESSAGE-----“ and “-----END PGP MESSAGE----“), copy it and paste it in Sigaint in Tor as the text of an email to send us (so go to “compose” email): this is what you will send to us. Fill the “To:” field with “info@namaleaks.com”, write the Captcha code, and press send. You’re done, we will receive your email and decrypt it to read it.
  7. Now suppose you want to leak us a file such as a pdf, excel spreadsheet, picture of a document, etc. Right-click on that file wherever it is in your computer. Then go to “Services” → “OpenPGP: Encrypt file”, and the “Choose recipients” window will open: select info@namaleaks.com as recipient at the top and make sure your email key appears in the “Your key” field at the bottom, check “Sign”, and click “Ok”. (You may be prompted to enter your password that you created for encryption here). This will encrypt the file, which will then appear next to the original unencrypted file but with a .gpg extension at the end of the file name.
  8. Using Tor, you then simply have to go to your Sigaint account to compose an email and attach the encrypted .gpg file, and send it to info@namaleaks.com!
  9. If you want to send us both an email message and attachment, do the above two steps one after the other to encrypt both your message and your file, and then send us the email.
  10. Note that there is a limit of 2MB for files to be sent as attachments through Sigaint, but if you have more or bigger files, it’s not a problem, you can zip them all together and compress them. There are also other ways of sending us heavy files: please send us an email and we will send you instructions about this if you need it.
  11. Finally, it is very important that you send us your PGP key in order for us to be able to communicate back with you securely. It’s easy. Go into GPG Keychain, select your key, then click the “Export” button, a “Save as” window will pop up, click save to your Desktop. Then simply email us that file via Sigaint (you don’t need to encrypt it).

Instructions for Windows

There are good guides here and here, which cover parts of what we will do here.

We’ve made these videos to show you the steps outlined below visually

How to create an anonymous email address in WindowsHow to create an anonymous email address in Windows
How to generate your email's keys in WindowsHow to generate your email's keys in Windows
How to retrieve Namaleaks' keys in WindowsHow to retrieve Namaleaks' keys in Windows
How to send an encrypted message in WindowsHow to send an encrypted message in Windows
How to send an encrypted file in WindowsHow to send an encrypted file in Windows
  1. Download and install GPG4Win (click on the green button, then select the full version). When it prompts you to select which components to install, select them all.
  2. When the installation is complete, open the GNU Privacy Assistant (GPA), which should be on your Desktop. Go to “Keys” and “New Key” to generate your PGP keys. Then enter an anonymous name and your @sigaint.org email you created above. Select “Do it later” when asked if you want to create a back up copy. Then enter a passphrase of your choice (not the same as the password you created for your Sigaint email). Use a strong passphrase, you can use this guide to help you.
  3. Get Namaleaks’ encryption keys by using Tor and navigating to this key server: https://pgp.mit.edu/. It’s important to go to that server using Tor, not via a regular browser like Chrome or Safari, to protect your anonymity. In the “search string” enter info@namaleaks.com and check the box “Show PGP fingerprints for keys”, then press Search. Then you will see more than one key: find the one whose “fingerprint” is C42A 593F F20C 3118 8D62 58C2 DFD9 813B 4BAC 7823 and then click on the 4BAC7823 link for that key. A big paragraph of letters and symbols will appear, that’s the key. Copy it from -----BEGIN PGP PUBLIC KEY BLOCK----- to -----END PGP PUBLIC KEY BLOCK----- inclusive. Then paste it into Notepad. Save the Notepad document on your desktop. Then go into the GPA's Key manager and click “Import”, select the Notepad document you've just saved on your Desktop, and the key should be imported. It will appear listed in your Key manager.
  4. Now let’s start with an encrypted message that you want to send us. In the GPA, click on “Clipboard” and write your message there. Then click on “Encrypt”. A window will pop up: in the top half you will see info@namaleaks.com, select it, it is the recipient of your email. Midway down in the window, check the “Sign” box. And in the bottom half make sure it is your Sigaint email that appears because you are the sender and signer. Then click “Ok” in the confirmation pop up window, and it will prompt you for your password. Once you enter it, you will see a bunch of unreadable letters and symbols: that’s your email message, encrypted, so no one can read it!
  5. Select that entire message (including “-----BEGIN PGP MESSAGE-----“ and “-----END PGP MESSAGE----“), copy it (ctrl + C), and paste it in your compose box in your Sigaint email window in Tor: this is what you will send to us. Then fill the “To:” field with “info@namaleaks.com”, write the Captcha code, and press send. You’re done, we will receive your email and decrypt it to read it.
  6. Now suppose you want to send us a leaked file such as a pdf, excel spreadsheet, picture of a document, etc. In GPA, click on “Files” and “Open” and navigate to the file you want to send us. Select it and then it will appear in the File Manager window. Then click on “Encrypt”. A window will pop up: in the top half you will see info@namaleaks.com, select it, it is the recipient of your email. Midway down the window, check the “Sign” box. And in the bottom half make sure it is your Sigaint email that appears because you are the sender and signer. Then click “Ok” in the confirmation pop up window (you may be prompted to enter your password). The encrypted file will appear near the original one with the extension .gpg.
  7. Using Tor, you then simply have to go to your Sigaint account to compose an email and attach the encrypted .gpg file, and send it to info@namaleaks.com!
  8. If you want to send us both an email message and attachment, do the above two steps one after the other to encrypt both your message and your file, and then send us the email.
  9. Note that there is a limit of 2MB for files to be sent as attachments through Sigaint, but if you have more or bigger files, it’s not a problem, you can zip them all together and compress them. There are also other ways of sending us heavy files: please send us an email and we will send you instructions about this if you need it.
  10. Finally, it is very important that you send us your PGP key in order for us to be able to communicate back with you securely. It’s easy. Go into GPA, click on the “Brief” icon, select your key, click the “Export” button, enter a name, click on “Desktop” in the left pane and save it, it will appear on your Desktop. Then simply email us that file via Sigaint (you don’t need to encrypt it).

Instructions for Linux

If you are on Linux, the steps are standard and can be found online, for example here: Linux Steps.