How to Protect Your Sources in the Age of Surveillance

One of the paramount rules of a free press is the protection of sources. Many reporters have been jailed or fined for refusing to turn over photographs, videos, or notes, or for protecting the identity of sources during government investigations. In other circumstances, such as international reporting, outing sources can put them at significant risk with their local governments.

But considering everyone who works in media is supposed to be plugged in all the time, wanting to protect a source and actually taking the right steps to protect that source aren’t the same thing. Even if we’re committed to confidentiality, widespread surveillance tools and other digital threats make it possible for information to get in the wrong hands via surreptitious means. Still, there are steps reporters can take to minimize risk.

Understand the landscape

Since you have a finite amount of time and resources for each story, the best way to be prudent and efficient is to consider what security researchers refer to as a threat model.

“If you’re trying to protect sources, you need to think a lot about who you’re trying to protect the source from,” said Michael Carbone, Manager of Tech Policy and Programs at Access, an international human rights organization that fights for open and secure communication.

For example, if you’re reporting on LGBT activism in Uganda, your goal is to protect your source from the Ugandan government, certain local residents, or perhaps even the source’s family members. In that circumstance, using Gmail for email communications is an improvement over using a local Ugandan email provider.

On the other hand, national security journalists in the U.S. may want to rely on other options. Freedom of the Press Foundation technologist Runa Sandvik balks at members of the media who use the term ‘NSA-proof,’ since there is little you can do to protect yourself from targeted attacks from the NSA or other nation-state actors. However, there are a number of clever strategies that may keep you safe from hackers and bulk government surveillance, and help both you and your source leave a smaller online footprint.

Use basic precautions

Keeping information confidential doesn’t necessarily require high-tech gadgets or any special technical skills, especially if you’re reporting locally. You do, however, need to make an effort to monitor your behavior.

Here are a few simple tips that will help you protect sources:

1. Discuss confidential information in person and leave your phone at home.

2. Call multiple sources in a company or agency to make it more difficult to determine who leaked information.

3. Double-check to make sure any identifying information about an individual has been removed from an article before it goes live.

4. Don’t discuss details you do not intend to publish, even with your editor.

5. Take hand-written notes, and when appropriate, don’t write down names.

6. Pay close attention to your privacy and location settings on your devices. In some circumstances—if you’re reporting on police brutality, for example—you may want to back up photographs to the cloud and publicize your location. In other circumstances, it’s important to stay off the grid as much as possible.

7. Be aware that using credit cards can make it easy for others to track your location.

8. Be very careful when clicking on links or opening attachments.

9. If your laptop has sensitive information on it, use a full disk encryption service such as FileVault (for Mac) or BitLocker (for Windows).

10. Update your software to make it more difficult for others to exploit vulnerabilities.

Get technical

At a recent London conference titled “Safeguarding Journalists and Their Sources,” executives from the Guardian discussed the need for reporters to understand technology better, since, according to editor-in-chief Alan Rusbridger, there are currently “insufficient safeguards to insure a free press.”

If you’re serious about keeping your sources safe, it’s worth learning how to use some of the tools designed for more secure communication, since meeting face-to-face isn’t always an option. These tools include Tor or Tails for anonymous browsing or keeping your location private, GPG or Thunderbird/Enigmail for encrypted emails, Jitsi for encrypted video chat, and TextSecure, Redphone, Signal, or Silent Circle for encrypted phone calls or texts.

As Queen’s Counsel lawyer Gavin Millar said at the Guardian event: “If we don’t protect what we’ve got then we begin the slide towards a situation where there are no sources and no public interest journalism.”