A news outlet’s obligations to its sources

I’m concerned about this TrumpiLeaks page on Michael Moore’s website. I’m concerned about it because I spend a lot of time thinking about information security and helping people practice it. I’m concerned about it because we all know examples of news outlets who do actually obsess about source protection and yet still, on occasion, have gotten it wrong.

My own little side project on the topic is slow moving, mostly due to a lack of money + time. But I’d rather have it slow moving instead of thoughtless risk enabling. I don’t mind risk-takers. A number of people I work with fit that description, but they know these risks and have at least given passing thought to how to reduce them. This TrumpiLeaks page is all egging-on and little mitigation. It’s kind of similar to the New York Times’ own confidential news tip page, the only major difference being that they’ve got a SecureDrop option. The options they list may be secure, depending on the person’s situation, but choosing the right end-to-end encryption tool is just the beginning. The Intercept has a page that goes into this, but most people will not be equipped with the skills or experience to make the right decisions. It’s also very likely that by coming across the information they want to share with a journalist, the source has already made a few wrong choices about the trail they may be leaving.

Michael Moore and the New York Times are missing two things on their pages:

  1. Practical guidance on how not to end up like Chelsea Manning or Reality Winner (such as ‘don’t use work computers or printers’ or ‘don’t send authentic files, send the copied or retyped content,’ etc.).
  2. A clear set of expectations on what a journalist or news organisation will do once they receive the information: How will they share it? With whom? What verification methods are used and what risk could they pose? What prior notice will they give the source? What will be redacted and how? To what extent, in practice and in legal challenges, will the news organisation protect the source’s identity?

This matters. Leaks are likely the only way authentic information about President Trump’s many crimes will get evidenced, and he’s working on stopping them. We have an incredibly dangerous situation emerging around Qatar, likely spurred on by a state actor not yet identified. In the UK, we now have a government forming with a far-right extremist party — the DUP — which hasn’t released information on how it received nearly £500,000 in donations for Brexit campaigning. If better methods aren’t put in place and maintained to enable whistle blowers, anonymous sources or deep background information, the leaks are going to dry up. Whistles won’t be blown.

Interesting posts on the topic

New project site up and running

The concept note site is now live at poison.kitchen.


A PGP key and a couple of email addresses
We’ve set up contact email addresses and PGP keys. Easier-to-use forms built from these two ingredients are coming soon, but in the meantime, find both here.

779D 75C4 3CEE 7ADA 9E86  1049 0334 9543 55AA 9797

On GitHub
It’s just a few markdown pages for now.


Cooking up a Poison.Kitchen

Long ago, in the early ’00s, I made a website. It was called poisonkitchen.com, and I’ll get into why it was called that a few lines later. It was one of the first websites I ever created, while still working in newspapers as a reporter and editor. The purpose of this thing was to create a space for fellow print reporters to dish information about work and life at their news organisations, in an age when newspapers were declining in revenue and quality long before the internet was perceived as a serious threat.

I never kept a local copy of it, because that seemed kind of pointless. Here’s a Time Machine capture of it in its earlier days as a static HTML site. Later on, I remade the site, adding a blog made with pMachine (the Internet Archive doesn’t display that unique code too well) and some PHP forum script. The forum was the main point; it was picking up where a previous site, called News Mait, had left off when it closed. The site had its regulars, but over time, as many single-purpose niche sites run by one person in their spare time go, its useful lifespan was limited. Other sites better at handling the topic of toxic newsroom working environments moved in. I let the site go. Closed it, and transferred the domain to someone who said he was going to “do something” with it. He never did.

testycopyeditors.org was just one site that did a similar thing, but more entertainingly.

The domain is still owned, but pointing to nothing. It’s booked and locked for some reason, but hasn’t actually ever been used in more than 12 years(!). I’m not entirely sure what the owner is hoping to achieve, though a movie option could be one possibility. Anyway, that’s not a huge deal or the point of this post. I digress… often. Recent events reminded me about the domain name, though. I was in Berlin the other week and the news was all about U.S. President Trump’s latest attacks against the press. An independent press is under attack by the executive branch of the U.S. government. More so than in any other time in recent history.

So, what’s with the slightly creepy sounding domain, then? My choice of the domain all those years ago was based on the pejorative with which Hitler had dubbed the Münchener Post (Munich Post), an adversarial newspaper that critiqued each of Adolf’s speeches and investigated his every political move up until and including the day before the SS were sent to close the paper and arrest its staff. The editor’s last instruction to his staff upon publishing the final edition, allegedly, had simply been, “run.”

The Nazi regime had dubbed the Munich Post ‘fake news’, and tried various means to block the paper’s journalists from covering politics. Ultimately, once power had been concentrated, it was banned, published anyway, and arrest warrants were issued against many members of the staff.

This may not sound like an entirely uplifting story arc, but I found the narrative inspiring. I had come by this piece of great journalistic history while reading a chapter about it in Explaining Hitler by Ron Rosenbaum, long before I’d thought of starting a website called ‘Poison Kitchen.’ But once I read it, I decided it would make a great sounding website of some sort.

The point of naming the site poisonkitchen.com was that people went into journalism for aspirational reasons that seldom ended up matching the reality. Newspapers didn’t push hard enough in the lead up to the election in 2000, and this was what had led (at that time) to President George Bush winning a demonstrably flawed vote. He didn’t have much use for an investigative press, either.

The situation today seems to once more tick all the right boxes, only more so: We now have a deranged, conspiracy-obsessed, authoritarian president in the U.S. who targets segments of the population with hateful rhetoric, attacks the press, tries to enact draconian laws against immigrants, employs vast propaganda to pursue his goals, and doesn’t seem to like an independent judiciary, either. He also took office with a minority vote and seems to not like being reminded of that. He may have tiny hands, an orange complexion and cartoony hair, but to be honest, these aspects are the least of our worries.

A forum isn’t going to cut it. But I spent last week getting some interesting notions at the Internet Freedom Festival on what just might. The media landscape has changed, the web has changed, and I’m in a different place, too. As a technologist who now works with journalists on issues of secure hosting, web applications and digital safety, I think I have a use for a Poison Kitchen domain again. I can’t have that .com, but that’s okay, because domains have changed, too. So, there’s poison.kitchen.

Don’t rush over there now, there’s not much to see. Here in my mini-launch manifesto, I’m just going to lay out some concepts that the domain’s eventually arriving website will be exploring.


There are two parts to this. The first deals with the safety and confidence of the potential whistle blower, or anonymous source of the information. The second has to do with how well that information is used in coverage.

  1. Not everyone wants to be famous/notorious. Not everyone who would share newsworthy but highly sensitive information wants to be an Edward Snowden and allow this one act to be what defines them. Chelsea Manning didn’t want to. From Jeremy Hammond to Mordechai Vanunu, we’ve seen examples through history where people paid a high price to make the world more aware. Mathematically speaking, if those people exist, then there are likely many others who have access to information they would release to a journalist, but would rather not give up their family, friends, income and entire way of life in the process. That should be possible.
  2. Sensitive information in talented hands has more impact. Snowden’s NSA files leak was more useful because it went through talented investigative journalists first. The Panama Papers leaks became more impactful because of how the story was handled by ICIJ. How much better and more accurate would the coverage of the CIA ‘hacking tools’ leak be, had it been released first to knowledgeable technology journalists? Helping sources self-select the right journalistic contacts should be possible.


These are some ideas based around the two items mentioned above.

  1. Build source confidence in methods and tools and the journalists they reach out to.
    Encryption tools and technology overall have taken a bashing over the last few years. It’s time to bash back. Yes, there are suitable and safe ways to transmit a piece of information with reasonable expectation of both privacy and anonymity. No, it’s not single-app, one-click, or “It Just Works”™ easy. Outside of that, a source needs reasonable confidence that the journalist will treat what they share carefully, which many journalists may want to do, but may not know what it involves.
  2. Combine all the known resources, guides, templates and risk assessment tools to enable sources to contact specific journalists of their choice more securely.
    As the story that’s now in both myth and legend goes: Edward Snowden needed to work at it for more than a year to get Glenn Greenwald to spend an hour setting up encryption keys for an email address. There are now guides, tools and how-to things all over the web on setting this up, but it’s really just one way of reaching out to a journalist, or being a journalist who wants to hear from a source, and it may not be your way, or the correct way for your situation. This is aimed at sources to be able to confidently reach journalists and transmit information.
  3. Implement secure contact pathways of communication for independent/freelance journalists and their sources.
    The New York Times, Guardian and other large news organisations have the facility to manage highly secure systems in house, such as SecureDrop. Investigative, freelance or independent journalists may not have these resources, but they do often have specific areas of deep knowledge, and can sometimes be better placed to receive confidential information on a topic that is their primary focus. Over the longer haul, the site’s goal would be to take advantage of existing secure contact methods to create a gateway between sources desiring higher levels of off-record care and attention, and qualified journalists of their choice who agree to an ethical framework for dealing with confidential source material.


So there’s the concept note. Interested parties are welcome to drop a line. Watch this space.

There’s a GitHub repo to track.