A news outlet’s obligations to its sources

I’m concerned about this TrumpiLeaks page on Michael Moore’s website. I’m concerned about it because I spend a lot of time thinking about information security and helping people practice it. I’m concerned about it because we all know examples of news outlets who do actually obsess about source protection and yet still, on occasion, have gotten it wrong.

My own little side project on the topic is slow moving, mostly due to a lack of money + time. But I’d rather have it slow moving instead of thoughtless risk enabling. I don’t mind risk-takers. A number of people I work with fit that description, but they know these risks and have at least given passing thought into how to reduce them. This TrumpiLeaks pages is all egging-on and little mitigation. It’s kind of similar to the New York Times own confidential news tip page, the only major difference being is they’ve got a SecureDrop option. The options they list may be secure, depending on the person’s situation, but choosing the right end-to-end encryption tool is just the beginning. The Intercept has a page that goes into this, but most people will not be equipped with the skills or experience to make the right decisions. It’s also very likely that by coming across the information they want to share with a journalist, the source has already made a few wrong choices about the trail they may be leaving.

Michael Moore and the New York Times are missing two things on their pages:

  1. Practical Guidance on how not to end up like Chelsea Manning or Reality Winner. (such as ‘don’t use work computers or printers’ or ‘don’t send authentic files, send the copied or retyped content,’ and etc.)
  2. A clear set of expectations on what a journalist or news organisation will do once they receive the information: How will they share it? With whom? What verification methods are used and what risk could they pose? What prior notice will they give the source? What will be redacted and how? To what extent in practice and in legal challenges will the news organisation protect the sources identity?

This matters. Leaks are likely the only way authentic information about President Trump’s many crimes will get evidenced, and he’s working on stopping them. We have an incredibly dangerous situation emerging around Qatar, likely spurred on by a state actor not yet identified. In the UK, we now have a government forming with a far-right extremist party — the DUP — which hasn’t released information on how it received nearly £500,000 in donations for Brexit campaigning. If better methods aren’t put in place and maintained to enable whistle blowers, anonymous sources or deep background information, the leaks are going to dry up. Whistles won’t be blown.

Interesting posts on the topic

New project site up and running

The concept note site is now live at poison.kitchen.


A PGP key and a couple emails addresses
We’ve set up contact email addresses and PGP keys. More easy to use forms coming from these two ingredients soon, but in the meantime. Find both here.

779D 75C4 3CEE 7ADA 9E86  1049 0334 9543 55AA 9797

On Github
It’s just a few markdown pages for now.

Follow @drew3000 Watch Star Fork Issue Download