Journalists and source protection: More than just a secure contact platform

Last week, the Blueprint Whistleblowing Prizes were held at Frontline Club here in London and honoured a doctor who outed Australia’s brutal treatment and criminal neglect of refugees in its offshore immigration detention facility in Nauru. I’d have liked to have made it, had the ticket, but life comes at you pretty fast sometimes, so had to skip the night out. But more than wanting to promote that, what’s worth highlighting is Bluprint’s guidance on how journalists should operate to safeguard a whistleblowing source’s identity.

The Perugia Principles for Journalists Working with Whistleblowers in the Digital Age was drafted in consultation with at roundtable event of 20 journalists at a Blueprint hosted event in (you guessed it) Perugia, Italy. It’s a solid, top-line document of 12 principles for protecting confidential sources, that we’ll get into in just a bit, and it tackles an issue that was behind my initial brain dump on source protection a couple of years back and the frequently neglected poison.kitchen website (More on what caused that is here and here). Getting source protection wrong is both common and dangerous to all involved. Getting it right, is a complicated, moving target. But it’s wildly needed.

Wikileaks broke ground in journalism at its outset by establishing a new model in which source documents played the key role. However, subsequent events showed that there are other important aspects to both journalism and source protection and whistle blowing outside of being able to make a website that dumps docs.

My goal in supporting true source protection would be to combine ethical principles, technical tools and training together to support independent journalists learning how to use an over-arching framework and having access to the tools and resources to do it.

My focus is on small groups of freelance journalists or independent journalists focusing more deeply on narrow topics, here, as opposed to larger news outlets. The latter more or less has this covered or at least has the resources to cover it. However, often it could be better for a source — or a story — to bypass contacting a publication that may or may not act as a gatekeeper, and reach out to a specific independent journalist directly who will still have the professionalism, but also have the deeper knowledge on the topic, issue, region, etc., and the ability to shop the story to the best publication.

The holistic approach of source protection for a journalistic project.

The Perugia Principles (PDF link) are a good set of guidance meeting the ethical requirements in the source protection venn. The document gets into some of the technical details on how to implement some of its principles. I tend to gravitate toward the weeds and tall grass of working out how to live up to the letter and spirit of lofty aspirations as it pertains to deploying hardened online platforms, working out the niggly settings, user roles and access levels on services, finding and training people on the right tool sets and mapping all the areas where the work meets technology and the various things that can/will go wrong.

As a technologist, I enjoy tools and platforms. There are an emerging number of of them for obtaining insider-access information from anonymous sources. Here are some:

  • News organisations with the resources to manage it can run a SecureDrop platform, which offers a high degree of protection for information in transit and in storage, and even includes a workflow for sources covertly and anonymously maintain contact with the news outlet.
  • GlobaLeaks is another open source platform that offers strong anonymity through the submission process and a back-end communication system with some deniability for the source. Some organisations have been able to set up GlobaLeaks instances with either support from Free Press Unlimited’s PubLeaks initiative or more recently, the Digital Whistleblowing Fund (for which I’m on the selection committee).
  • For those operating on not quite advanced nation state level threat models, an initiative to quickly set up an anonymous document receiving using NextCloud exists, called Enough.
  • The Intercept’s security engineer and software developer Micah Lee also also developed and maintains OnionShare, which is a brilliant app that allows a user to instantly and anonymously share a document using Tor, and then wipe all traces of having done so, and features a “receive mode” for journalists to likewise quickly share a hidden Tor-only link with a source to submit information and then shut it off as soon as it’s received.
  • Journalists are turning to work-specific numbers to use Signal and WhatsApp, or using protonmail, which can all be good, but essentially put more demands on the source to understand their own anonymity issues.

So, loads of emerging secure ways to get the dirt. However, there’s the process of analysing, verifying and ultimately publishing it that also requires source protection methods at each stage. Platforms are great. More of them are available, and some are getting easier to set up and use. Awesome. They don’t solve the problem. In fact, they reduce the friction of more potential problems arriving. Before inviting trouble, more journalists need to understand how to deal with it.

The Perugia guidance quotes James Risen, national security journalist at The Intercept, pointing out “We’re being forced to act like spies, having to learn trade craft and encryption and all the new ways to protect sources. But we are not an intelligence agency. We’re not really spies. So, there’s going to be a time when you might make a mistake or do something that might not perfectly protect a source. This is really hard work. It’s really dangerous for everybody.”

The same document cites one famous incident of things going wrong through a scoop by The Intercept which landed NSA whistle blower Reality Winner in prison. More than not being spies, journalists are journalists. And as such, a huge pillar of the trade is around information verification, often by contacting the subject of the investigative journalism.

Getting a proper news exclusive is hard, because it’s not actually a scoop until its verified as being true.
A hastily and obviously not comprehensive sampling of threats to source identity at different stages of the investigative reporting process.

Instead of behaving like spies, training journalists in source protection would be better served by borrowing from the reverse engineering analogy. Spies produce reports for inward audiences. Journalists publish outwardly. At each stage in the news gathering and publishing process, the audience of the story grows, increasing the likelihood of source exposure. The longer the story is published over time, source identification continues to grow incrementally.

The issue, beyond tools and platforms, is buy-in to transparent ethical policies that build source confidence and add actual protection throughout the investigative process and lifespan of the published material, as well as giving sources a fair understanding of potential risks and requirements. The other part is training journalists in not just understanding the needs of various aspects of source protection, but how to carry it out and deal with things going wrong.

Note: Usually, I try to have more jokes on blog posts, but this one kind of fell flat. I’ll attempt to be better in the future.

Featured image: Secret whistles.