I’m concerned about this TrumpiLeaks page on Michael Moore’s website. I’m concerned about it because I spend a lot of time thinking about information security and helping people practice it. I’m concerned about it because we all know examples of news outlets who do actually obsess about source protection and yet still, on occasion, have gotten it wrong.
My own little side project on the topic is slow moving, mostly due to a lack of money + time. But I’d rather have it slow moving instead of thoughtless risk enabling. I don’t mind risk-takers. A number of people I work with fit that description, but they know these risks and have at least given passing thought into how to reduce them. This TrumpiLeaks pages is all egging-on and little mitigation. It’s kind of similar to the New York Times own confidential news tip page, the only major difference being is they’ve got a SecureDrop option. The options they list may be secure, depending on the person’s situation, but choosing the right end-to-end encryption tool is just the beginning. The Intercept has a page that goes into this, but most people will not be equipped with the skills or experience to make the right decisions. It’s also very likely that by coming across the information they want to share with a journalist, the source has already made a few wrong choices about the trail they may be leaving.
Michael Moore and the New York Times are missing two things on their pages:
- Practical Guidance on how not to end up like Chelsea Manning or Reality Winner. (such as ‘don’t use work computers or printers’ or ‘don’t send authentic files, send the copied or retyped content,’ and etc.)
- A clear set of expectations on what a journalist or news organisation will do once they receive the information: How will they share it? With whom? What verification methods are used and what risk could they pose? What prior notice will they give the source? What will be redacted and how? To what extent in practice and in legal challenges will the news organisation protect the sources identity?
This matters. Leaks are likely the only way authentic information about President Trump’s many crimes will get evidenced, and he’s working on stopping them. We have an incredibly dangerous situation emerging around Qatar, likely spurred on by a state actor not yet identified. In the UK, we now have a government forming with a far-right extremist party — the DUP — which hasn’t released information on how it received nearly £500,000 in donations for Brexit campaigning. If better methods aren’t put in place and maintained to enable whistle blowers, anonymous sources or deep background information, the leaks are going to dry up. Whistles won’t be blown.