It doesn’t happen all the time, but some sources reach out to journalists at risk to their safety or livelihood. Understanding how to minimize risk begins with understanding how our information flows—who can see our communications, when, and under what circumstances? Of course, it’s not enough to guide tipsters toward meaningful protections—we also want to make sure their information is sound. This collection of resources by journalists and security specialists will help you make safer decisions about where and how to speak to sources.
To protect sources, we have to know how to protect ourselves. This article introduces some basics on assessing security threats to newsrooms. It offers specific recommendations on the basics of strong authentication practices, how to encrypt storage locally, and how to identify fake login pages and emails designed to trick you into downloading malicious software.
This brief guide, written by a security expert and journalist, walks through some foundational concepts on the technical aspects of source protection. What’s the difference between protecting the content of a message and protecting metadata (information about the message, such as the sender)? What’s happening behind the scenes when we encrypt a message on a third-party service? The guide also introduces multiple pieces of software for securing communications (e.g., SecureDrop, Ricochet, Cryptocat, Jitsi Meet) and examines their security tradeoffs.
News organizations that invite people to reach out with tips should be cautious about how they advise would-be tipsters. Before anyone reaches out, we should give them information about which channels would be best for their situation. This guide walks through the security tradeoffs of several channels, including Signal, WhatsApp, SecureDrop, encrypted email, physical mail, and others. It also examines steps news organizations should take to avoid compromising sensitive conversations.
When deciding where and how to speak to sources, it helps to understand their legal context. Based on four decades of experience representing or advising thousands of whistleblowers, the Government Accountability Project wrote an exhaustive resource on legal considerations for journalists. The report describes how to assess the legal protections afforded to whistleblowers, which can vary depending on who the whistleblower is, the nature of the information disclosed, and when. Legal protections may also vary depending on when, or if, a whistleblower experiences reprisal. It also offers some practical security considerations when working with sources on a story.
Signal is one of the most secure options available for helping to protect the content of your communications. This brief primer walks through setting up and using Signal on Android and iOS, as well as some considerations for high-risk users. Importantly, Signal retains almost no metadata, but it’s not truly designed to provide anonymity.
One of the most popular chat tools in the world, WhatsApp, offers great features for protecting the content of your communications. But it also collects a great deal of metadata about your conversations, and many of its security features are not enabled by default, making your conversations vulnerable to eavesdropping. This guide examines how to strengthen your WhatsApp security settings.
While SecureDrop is one of the most robust tools available for helping whistleblowers reach out to news organizations, reporters should know that there are a few ways sources can undermine their own anonymity when using it. This article, written by a privacy and anonymity researcher, walks through several ways that someone could identify themselves when reaching out to a news organization over SecureDrop.
Have you ever wondered how difficult it is to speak to a news organization confidentially? This article examines a few approaches for reaching out to news organizations while withholding personally identifying information from unwanted third parties. It examines the basics of risk assessment, as well as practical considerations for using several types of secure communication channels.
Martin Shelton is a user researcher working with at-risk groups and the press on digital security hygiene.