Tools and tips for protecting sources

Journalists could learn a lot about source protection from drug dealers.

“Go watch The Wire!” Oliver Day  told a session at Byte B@ck, the Society of Professional Journalists recent conference. “Figure out why the drug dealers are using burner phones [cheap cell phones that can be thrown away, protecting anonymity].  Extend that to notebooks.”

Chromebooks and other cheap notebooks aren’t at the $20 per device level of some cell phones, but MicroCenter’s latest flyer has a Windows 8 laptop for $220 and Amazon is advertising a ChromeBook for $199. If you have an important story, is $200 too much to spend to guarantee secure communications with a source whose identity needs protecting?

Of course, you want to be careful about what email you use. Fake Gmail accounts were scorned by Day and his fellow panelists, Andy Sellars of the Digital Media Law Project and Cara Rubinksy, the New England News editor for the Associated Press.

“Email is dicey,” Rubinsky said. “Fake email accounts don’t protect you.” You’re likely to use them from your main computer, which means the IP address used to create them will lead back to you (hence the burner notebooks). “If you’ve got a source you don’t want revealed, don’t email about your story and create a paper trail.”

Hence the use of ‘burner’ phones, quickly discarded. The AP recommends reporters use these phones and give them to specific sources whose jobs might be endangered for talking with the press, as well.  “If you can’t protect your sources, people are going to stop telling you things,” Rubinksy said.

I wouldn’t seem to be the type of person who needed this session. Most of my reporting now involves explanatory features. I went to this session because you never know when you might need to protect a source, and it has clearly become more difficult to do since I was a working beat reporter.

Rubinsky offered some other tips: if you’re going to call sources at work, call them all the time. Every day. Better, though, is the burner phone. “Go to Wal-Mart or 7-11. Pay with cash. Don’t give them your real name. If they ask for your name, say your name is Eric Holder. Use the phone for three months and throw it out.” She also advised against using WiFi while in coffee shops and corporations, especially if you aren’t using encryption.

Day, who runs Securing Change, a non-profit that helps non-governmental organizations create secure communications, says the landscape for hacking is radically changed from just a decade ago. “There are more hackers than there were and more commercialized hacking tools. You don’t need skills, you can just go buy the stuff.”

Governments are also more willing to hack. He related stories about the Ethiopian government spear phishing a U.S. citizen, and the NSA’s hack of Al Jazeera.

  • Day loves OTR, an encrypted instant messaging service.
  • He also suggested journalists consider using GPG (Gnu Privacy Guard),
  • the Tor Browser Bundle, which protects against monitoring.
  • Tails Amnesiac is a privacy-loving operating system journalists could think about.
  • He also cited TrueCrypt, for encryption software, though he warned that passwords “will not get you past judges or the rubber hose decryption method.”

He also warned that security and convenience do not go together. These tools are for the most part either not simple to use, or much slower than conventional, unprotected means of communicating.
Andy Sellars of the Digital Media Law Project talked about the twin challenges journalists face. One is hackers and bad actors, but a potentially more potent and insidious one comes from the powers that be. Law enforcement and intelligence agencies have the legal right to come after journalists for information. Ask yourself questions like “Who has my data? Who has access to my data? What requirements do they have to give up data if law enforcement asks? What incentive do they have to fight back if law enforcement asks for my data? ”

Using encryption and burner phones can help, he said. It reduces risks of cloud storage providers, telecom providers and ISPs giving up your sources. Above all, he said “don’t write sensitive stories on Google Docs! Google has access to them and can be subpoenaed.” He suggested SecureDrop for document submissions.
He said journalists should consult the Committee to Protect Journalists’ extensive Journalist Security Guide. He also said the Digital Media Law Project will later this year release a guide that spells out what rights journalists have. He said the law is evolving; some journalists have been able to avoid giving up their crypto keys by invoking the 5th Amendment against self-incrimination.

During Q&A, I asked about the safest way for Bob Woodward to communicate with Mark “Deep Throat” Felt if he were working on the Watergate story today. “I would still prefer a garage,” said Sellars, “still prefer going offline.”

Time for me to go watch The Wire.

Leave a Reply