Record and geo-locate the IP address and user-agent IF the whistleblowers explicitly reveal their identity #2225

Open
fpietrosanti opened this issue Mar 20, 2018 · 4 comments

Comments

@fpietrosanti
Contributor

Current behavior
Whistleblowing is not only a matter of anonymity, given that our society must protect whistleblowers but must also provide a degree of protection to the reported persons/organizations against false claims, like almost all whistleblowing protection laws already do.

With the existing Whistleblower Identity feature, it's possible to explicitly ask the whistleblower for his identity, and that's ideal in conditions where whistleblowing is not in a life-threatening situation and there's a good level of legal and organisational protection.

However, self-declared identities without any kind of authentication can easily lead to false claims that are explicitly directed against a specific person, not just in the fact being reported, but as a misleading reporter.

This ticket comes from an elaborate conversation with whistleblowing lawyers who, reasonably, also take into account the protection of the reported persons (like the law does), and who require some kind of clues on whether the reporter's/whistleblower's explicitly reported identity is reasonably true or not.

Expected behavior
This ticket is to provide those indirect clues to the recipient, IF and only IF the whistleblower explicitly decides to reveal his identity by explicitly clicking "yes" on the whistleblower identity question.

The clues to collect and report are:

  • Collect the IP address, if available, and show it on the receiver tip interface
  • Geo-locate the IP address, showing the geo-location provided by maxmind db, on receiver tip interface
  • Collect the user-agent, if available, and show it on the receiver tip interface
  • Do a reverse-dns-lookup of the IP and show it on the receiver tip interface
  • Provide a link to domaintools or other deeper whois platform to get in depth on the origin of the IP

While this feature may appear controversial at the first reading by an inexperienced whistleblowing advocate, it shall be taken into account that any lawyer defending whistleblowers/reporters is also defending by law the reported people against false claims, especially when those are instrumentally used against someone.

When the whistleblower decides to declare his identity in an explicit way, he is giving up any kind of anonymity protection in a consensual and clear way, so the recipient must have some additional clues that enable him to deduce/infer if there's "something that doesn't work" between the reported identity and the technical data associated with the computer used to report that identity.

Steps to reproduce the problem or feature illustration

What is the motivation or use case for changing the behavior?

GlobaLeaks version:

Browser:

Server Operating System and Version (if applicable):

Client Operating System and Version (if applicable):

@NCommander
Contributor

So a couple of questions on how to implement it and a licensing question.

Right now, is the intention to collect receiver information once when the whistleblower decides to reveal themselves, or to keep an ongoing log that shows changes to location/UA/etc. over time?

Secondly, MaxMind's GeoLite2 database requires the use of an attribution clause in both advertising and in the documentation (https://dev.maxmind.com/geoip/geoip2/geolite2/), under the CC BY-SA 4.0 license. Is that something acceptable for the GL project?

Furthermore, doing a reverse DNS lookup of the IP/domain tools/etc. may represent a side channel where a third party can deduce information about users of the platform. That may be a concern depending on the context, since a whistleblower may wish to identify themselves to the platform admins, but not have that information at least indirectly leaked to third-party sources.

@fpietrosanti
Contributor Author

@NCommander I think we can accept including GeoLite2; Tor is also doing that, it's a mention in the licensing notice.

With regard to the DNS lookup you are right, it may be worth avoiding a reverse lookup; it would be up to the receiver doing the analysis to detect some kind of possible issues.

That shall be strictly bound to the explicit intention of the whistleblower to reveal the identity, within a legally protected environment.

@NCommander
Contributor

So I started some work on this and got the whistleblower identity features working with some help.

So far, I've gotten as far as getting my head around the questionnaire/identification code, and trying to figure out how best to implement this.

I think the best way to do this is either to generate a link similar to the pre-existing activation emails, or redirect the whistleblower to access a submission without Tor so their IP information can be captured and logged. Tor Browser does pretty much everything it can to prevent leaking external IPs, so I don't think there's a viable way to do this with just JavaScript alone.

I'm not sure what the best way to do this for ideal user experience is. Feedback welcome.

As far as code went, I implemented a switch to actually enable this but it's a pretty large job once I get it all together, which I break down below.

Right now, this likely needs the following components:

  • python-geoip2 needs to be packaged for Xenial (it's in artful/bionic, but not other releases)

  • A new model which contains a snapshot of the GeoIP data at the time of submission as IP blocks can and have been reassigned to different regions of the world. This would be attached to the tip via a foreign key constraint so when the tip gets deleted, the geoip info goes with it.

  • A new job to download and check for updated GeoLite2 information. Possibly include support for the higher tier databases if an organization wants/needs them (this would depend on legal requirements of the jurisdiction on how much info they need). I haven't quite figured out the best way to grab this on the fly.

  • New REST endpoint to handle capturing the data and attaching it to the tip, especially if combined with a one-time link generation as proposed above.

  • Did some checking: CC-BY-SA 4.0 (which is GeoLite 2's license) is compatible with the GPLv3 (https://www.fsf.org/blogs/licensing/creative-commons-by-sa-4-0-declared-one-way-compatible-with-gnu-gpl-version-3), and thus can be used via the GPL->AGPL conversion clause without further modification, so we should be OK there.

No ETA on when I might have a workable branch, but maybe something by next week depending on my free time.
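
The snapshot model proposed in the comment above, as an added sketch that is not GlobaLeaks code and not part of the original thread: metadata is written only for tips where identity was explicitly provided, geolocation comes from a caller-supplied local lookup so no reverse DNS or third-party query is made, and the row is removed with its tip. Table names, column names, the `locate` callable, the one-snapshot-per-tip choice and all sample values are assumptions constructed for illustration.

```python
import sqlite3
from datetime import datetime, timezone

# Hypothetical schema (not GlobaLeaks' real models). The snapshot hangs off
# the tip with ON DELETE CASCADE so it disappears together with the tip.
SCHEMA = """
CREATE TABLE tip (id INTEGER PRIMARY KEY, identity_provided INTEGER NOT NULL);
CREATE TABLE disclosure_snapshot (
    tip_id INTEGER PRIMARY KEY REFERENCES tip(id) ON DELETE CASCADE,
    captured_at TEXT NOT NULL,
    ip TEXT, user_agent TEXT, country TEXT
);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FKs unless enabled
    db.executescript(SCHEMA)
    return db

def record_snapshot(db, tip_id, ip, user_agent, locate):
    """Write one snapshot for a tip, only if its author revealed an identity.

    `locate` must be a local lookup (for example a GeoIP file on disk), so
    the address is never sent to a resolver or an external service.
    Returns True only when a row was actually written.
    """
    row = db.execute("SELECT identity_provided FROM tip WHERE id = ?",
                     (tip_id,)).fetchone()
    if row is None or not row[0]:
        return False  # no explicit identity disclosure: store nothing
    cur = db.execute(
        "INSERT OR IGNORE INTO disclosure_snapshot VALUES (?, ?, ?, ?, ?)",
        (tip_id, datetime.now(timezone.utc).isoformat(), ip, user_agent,
         locate(ip) if ip else None))
    db.commit()
    return cur.rowcount == 1  # 0 when a snapshot already existed

def demo():
    db = open_db()
    db.execute("INSERT INTO tip VALUES (1, 1), (2, 0)")  # constructed tips
    locate = lambda ip: "IT"  # constructed stand-in for a local GeoIP lookup
    ua = "Mozilla/5.0 (constructed sample)"
    wrote = [record_snapshot(db, t, "192.0.2.10", ua, locate) for t in (1, 2)]
    stored = db.execute(
        "SELECT tip_id, country FROM disclosure_snapshot").fetchall()
    db.execute("DELETE FROM tip WHERE id = 1")  # deleting the tip cascades
    left = db.execute("SELECT COUNT(*) FROM disclosure_snapshot").fetchone()[0]
    return wrote, stored, left

if __name__ == "__main__":
    print(demo())
```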

@fpietrosanti
Contributor Author

@NCommander well, this feature is only useful for double-checking anomaly identification and is meant only for whistleblowers that explicitly declare their identity.

If the user is declaring his identity from behind Tor (a quite strange condition, but a possible edge case), it's just useful to know that he is behind Tor, not his IP address, without trying to catch that in an unusual way.

It's interesting to note that Tor, which is a dependency of GlobaLeaks, does use and bundle a geo-IP database, so we may just rely on that existing support file?

@evilaliv3 evilaliv3 changed the title Record and geo-locate the IP address and user-agent IF the Whistleblower explicitly reveal his identity Record and geo-locate the IP address and user-agent IF the whistleblowers explicitly reveal their identity Jul 19, 2018