Protecting whistleblowers

Careful steps must be taken to protect the identities of whistleblowers whose information could lead to serious consequences. Chicago journalist Brandon Smith led a workshop addressing how journalists can provide security for their sources sponsored by Working Journalists.

“They (whistleblowers) are relying on you the journalist to keep them safe,” Smith said.

He cited the McAfee incident as a cautionary tale. Software developer John McAfee had shared his location with one reporter so the reporter could interview him while he was in hiding on the condition the reporter would keep McAfee’s location a secret. However, the reporter inadvertently led officials to McAfee’s door because the proper precautions to remove metadata from the photo accompanying the story were not taken.

Assess what information a whistleblower has given away when he/she has contacted you the journalist, Smith said. That includes what is said but also the method of communication, which in certain cases can tip off an employer to the fact that one of his or her employees is talking to you.

Security measures vary depending on how the journalist is getting information from a whistleblower. If it’s via e-mail, Smith recommended the informant use an e-mail account not connected to any personal information for the whistleblower. If it’s via the phone, a burner phone paid for in cash. If it’s in person, neither source nor reporter should bring a cell phone to hide the location.

None of this actually ensures security. Security is all about knowing who you’re up against. And because nearly any kind of detection is theoretically possible, defense is all about making it prohibitively expensive for your adversary to figure out what’s going on, Smith said.

About 85 percent of large media outlets have been hacked so the hacker can identify the journalists’ sources, according to two security researchers who worked for Google. Disk encryption defends against your research or contacts being read in the event your *powered off* device is stolen or confiscated. If it’s asleep or screen-locked, no dice. And if your data is backed up to the cloud, you have to worry about the security of the cloud protocol.

-Sunlight Foundation () and Muck Rock ()for FOIA tutorials
-Tor, anonymous Web browser to hide the location of the user
-Tails, an operating system that masks browser traffic, stored on a USB drive
-encryption apps: TextSecure to protect text messages for Androids
RedPhone to protect voice
Signal for iPhones (includes RedPhone)

This entry was posted in Working Journalists. Bookmark the permalink.

Comments are closed.