Source Protection in 2017: A Starter Guide
Like sex, there's no such thing as safe leaking. But there is safer leaking, and ways to encourage your sources to be safer.
The next few months (like the last few weeks) will see a lot of people who want to talk about their life and their work with a media audience; people who never wanted to talk before. If they come to us, and by us I mean journalists, we need to be ready and equipped to protect them, whether what they tell us becomes journalism or not. We also need time. We need to be in a position to check stories, cross check references, and talk to experts to make sure the leaks we receive are true and right and placed in the appropriate context. We get all this from protecting our sources from discovery by governments, corporations, or individuals.
First off, initial contact is the hardest step to keep secure and private. But it is doable. Journalists, you should use social media profiles, bylines, and web pages protected by https to tell potential contacts how to communicate with you safely. If someone communicates with you unsafely, have colleagues (preferably at other news orgs) in mind you can hand them off to after you get them up to speed on safe communications. Discourage the use of phones -- they are leaky with identity information. Signal and its ilk, Whatsapp, Wire, etc., are great for hiding what you say, but not always as great at hiding whom you're saying it to. These tools are great for talking to colleagues, named sources, editors, etc., and I recommend that you use them for general communications. for anonymous sources, focus on communication methods that aren't easily tracked or likely to be bound to legal identities.
Everyone hears that Tor is a good privacy tool, but it's not particularly useful for the reporter most of the time. You're usually tweeting where you are, and sometimes what you're doing, anyway. Tor is a powerful tool for your source to use, if they're not on a network where using Tor is suspicious. If your source is using Tor already, they're probably more technically sophisticated than the vast majority of sources. But you still may need to find out where and how they are contacting you quickly, and advise them how to proceed more safely. A source who has used Tor to log into their email is still logging into their own email.
Your source needs a way to talk to you and pass files to you without exposing where and who they are. SecureDrop (https://securedrop.org/) is the news org's choice of file submission platform. But it doesn't, in and of itself, solve the problem of the relationship with the journalist. For that, one or both ends of communication need to be obscured. The easiest current software for this, in my recent experiences are Cryptocat (https://crypto.cat/) and Ricochet (https://ricochet.im/). Cryptocat is better used through Tor or a VPN which isn't responsive to law enforcement if possible, but Ricochet is already entirely on Tor. Otherwise there's Jabber/XMPP with OTR. Clients include Adium, Pidgin, PSI+, but make sure you have OTR or off the record messaging enabled and don't accept unencrypted messages. (There is something called OTR in Google's chat client, it's not related, or useful.)
These tools can be hard to used compared to other tools, but they can serve a good purpose. Not ideal, but much better than ever using Skype, is meet.jit.si. For cases where you absolutely need to see the other side, Jitsi is to my knowledge your best bet. Most, but not all, of these options also allow file transfers.
If you need help with this, there's a plethora of guides you can search for on duckduckgo.com or google.com. And there's also me. You can contact me on Ricochet (ricochet.im) at ricochet:j3bwhhvevmobckih, on Cryptocat as faradayfangirl (Desktop only), or on Jabber/OTR (Pidgin on Win/Linux, Adium on Mac, Chatsecure on iOS/Android) as email@example.com. (My contact information is linked at the bottom of the page.)
If you are a source, not sure what to do and looking for advice, please also feel free to contact me any of these ways. At this time, I'm focusing on educating the media rather than my own stories. I'm not likely to work on your story myself, but I'm happy to get you ready to talk to someone else safely. The array of tools can be confusing and no one is better than another intrinsically, you have to understand your environment and situation, and make a good choice.
What's Under the Hood: Two kinds of encryption
Encryption is using math to encode messages such that only a person who has the proper decryption key can read them. There are many forms of encryption, but on the internet they fall into two basic architectures: end-to-end and server side.
End-to-end encryption means I encrypt a message on my device, and pass it encrypted over the net to you, where you decrypt it. Anyone intercepting the message can't read it without somehow stealing the key.
Server side encryption is when we have that same kind of connection with an agent that sits between us. That agent can be a company like Google, or Facebook. Incidentally, there's no technical different between server side encryption and what's called a Man in the Middle attack, or MITM. In that kind of attack, an agent sits in the middle of a communication, decrypts the incoming message, copies it, and re-encrypts it and sends it along to the intended recipient. The only different between a service and an attack is the intentions and relationship we have with the agent in the middle of the communication.
It's important to understand that relationship can change, or not be what we think it is. The line between a trusted service and a MITM attack is a fuzzy and ever-shifting one. Our communications can be sold, or subpoenaed, or even hacked by someone attacking the service we're using. Because of the dangers of that relationship, we should think carefully about what data the services we use have about us and our sources. American journalists should never put something on a server they don't control that they don't want to see in court -- a lesson hard learned by various whistleblowers, and Gawker, in the last few years. The exception to that is if what we've put on that server is encrypted and can't be decrypted by the owner of that server. Services that offer this as a feature will often refer to it as end-to-end encryption -- but some companies with media people who don't understand the issues will claim to have an end-to-end system when they don't. Check the company or product's offerings and their reputation before you use any tool to keep your sources safe, and favoring an Open Source option over the propriety equivalent (as long as it's mature and actively developed) usually won't steer you wrong.
Your source is always more important than your scoop
Very few sources are Snowden, in terms of technical sophistication, determination, or emotional fortitude. Chelsea Manning did fine on technical protection. But without any support or emotional resources from her contact, she was left tremendously vulnerable, and ultimately paid for it with years of her life. Not everyone in journalism has the resources to support such a source, but we do research, and it's not too much to ask that we put some of those research skills into finding resources for vulnerable sources. What we do adds tremendous stress to the lives of people who were already often far from the life they expected to have. I don't believe we should simply decide that's not our problem. When I was dealing with Anonymous sources regularly, I often asked them if they were supported, if there were family and friends they could reach out to, and sometimes, recommended mental health resources. At no point did I suggest any of them that they alter their activities, legal or not. That was not my business, and it was potentially illegal for me to do so in some cases. But I did see that what I was doing inevitably added stress and pain to my sources' lives, even when they wanted me to do it.
We all know it's not ok to get our sources shot or arrested haphazardly. It's just as not ok to leave them to their nervous breakdowns, lost careers, isolation, financial ruin, or even suicides. We can't always prevent this, and there will always be cases where journalism ruins lives for the larger goal of an informed public. But these aren't and shouldn't be the norm. They're where we've failed to do our proper support, or been overwhelmed by circumstances.
We have a lot of tools to protect sources. There's almost never an absolutely safe way for an insider to whistleblow, and there's almost no way to instantly trust anonymous sources, but we can do a lot. We can take time and care around the security of our conversations, the physical and emotional safety of the people who risk harm in talking to us. We can also take care to protect the public when we check and contextualize the information we get.
Rarely in the history of the Fourth Estate has working with obscured information been so important. It's new, and challenging, but with a little attention we can do it, and we must.
If you have questions or need help don't hesitate to contact me via one of the methods on my contacts page: https://gist.github.com/quinnnorton/d9285826ee8bc7415205f22fe1e22965