Two men partially obscured by a reflection in a window are shown talking, one wearing sunglasses and face mask.
Mohammad Naweed, a journalist from western Afghanistan, hides his identity for security reasons as he gives an interview to The Associated Press in Kabul, Afghanistan, on February 3, 2021. (AP Photo/Rahmat Gul)

Digital and Physical Safety: Protecting Confidential Sources

Protecting confidential sources is a cornerstone of ethical reporting. When journalists have agreed to protect someone’s identity, they should make every effort to do so, especially in circumstances where a source could be arrested or harmed.

Maintaining confidentiality has become more challenging due to increasing levels of digital surveillance and monitoring by authorities and the public. Journalists should therefore consider the following safety advice to help protect the identity of confidential sources.

Be aware, however, that media organizations may have a policy that requires journalists to share a source’s identity with their editors. In some countries, organizations may also have the legal right to hand a journalist’s notebooks or equipment over to a court or the authorities, if they are considered to belong to the organization. Research any such rules before making any promises.

Please note that this is a general introduction written for a global audience. Seek additional advice for country-specific contexts and questions.

Contents

Planning

Preparation before engaging with confidential sources for the first time is critically important, as is ongoing cooperation, secure communication, and trust.

  • Never presume that a source is willing to be named. Always seek consent.
  • Research any legal obligations regarding working with confidential sources. This will vary by country and employer.
  • Try to find out if the source has previously spoken to other journalists, or if other organizations might be trying to contact them.
  • Is there a risk that the source is being monitored, or are they already in hiding? If authorities or hostile actors already have them on their radar, engaging with them could put you in danger.
  • Establish a method of verification such as an unusual phrase or a question to answer, and use it each time you speak to the source.  
  • Depending on the risk involved, you may need to identify a place they could temporarily relocate to for safety reasons.

Assessing the risks vs. the reward

Always consider the sensitivity of the story and the source’s information, as well as their identity.

  • Is there a significant risk to you or your source from engaging with each other? Using classified or stolen information may have serious ramifications for you as well as your news organization.
  • How useful and reliable is their information? Consider their motivation and whether they could pose a risk to you or your organization.
  • Take into account their identity, including factors such as ethnicity, gender, profile, sexuality, religion and criminal record. If their identity is compromised, might such factors be used to discredit the story, or increase the risk of them being harmed or arrested?

Digital safety best practices

There are a number of ways that data can be accessed, including but not limited to government subpoenas, physical access to devices, hacking, and spyware. Consult with a digital security expert if you have doubts about how to protect a source’s identity.

  • Follow best practice when it comes to digital safety and be familiar with the tools and services you may need to keep your source as secure as possible.
  • Do a digital risk assessment. This will help you assess and, where possible, mitigate the risk both to you and your sources. The Rory Peck Trust has a comprehensive digital risk assessment template for journalists.
  • Think about who may target you or your source and how much authority, money, and technological capacity this adversary may have. 
  • Where possible, do not use your personal or work devices to contact sensitive sources. Buy devices specifically for communicating with them, and keep your work and personal data separate. If possible, pay for such devices and SIM cards in cash and avoid linking it to something that can identify you, such as a credit card or an ID card. (This will not always be possible depending where you live and work.)
  • Turn on two-factor authentication for all accounts and use long, unique passwords and a password manager. See CPJ’s guide to protecting accounts for more information.
  • Regularly update your devices, apps, and browsers to the latest version to better protect against malware and spyware.
  • Make the source aware of digital best practices and the risks involved so that they can contact you in the most secure way possible.
  • Limit contact with the source as much as possible.

Researching your source

  • Be aware that your internet service provider (ISP) keeps a copy of your browsing history which can be subpoenaed by governments or accessed by people in the company.
  • Research ISPs in your country to see who owns them and whether the government is accessing user data through legal or other means.
  • Use a VPN to better protect your internet history from being logged by your ISP or platforms like search engines. Choose a VPN service that does not log your browsing history and does not have a track record of sharing data with governments and others. Governments may create or manage approved VPN companies or require compliant services to share user data.
  • If you are detained and your devices are searched, be aware that browser history can give away details about your online research. Delete your browser history regularly, but be aware that governments may still be able to request the relevant data from companies involved, like a VPN service or a search engine operator.
An encryption message is seen on the WhatsApp application on an iPhone in Manchester, Britain on March 27, 2017. (Reuters/Phil Noble)

Communicating with sources

  • Use a pseudonym when saving contact details instead of the source’s real name, and encourage them to do the same for you. Both of you should delete each other’s contact details from your respective devices and online accounts once contact is over.
  • Be aware that cell phone companies and internet service providers collect data on their users, including data that can be used to identify and locate you or your contacts.
  • SMS messages and landline or cell phone calls made via a telecommunications company, are not encrypted meaning governments and others can access the information.
  • Your cell phone can be used to locate both you and your source. If meeting in person, both of you should leave your phones behind. Meeting in person may be safer than communicating online. (See “Meeting sources” below.)
  • Research any online services that you use, such as messaging apps or email providers, to see whether user data has been subpoenaed by a government. Most technology companies release an annual transparency report detailing requests for user data and whether they have complied.
  • Communicate with sources using end-to-end encrypted messaging apps where possible, such as Signal, WhatsApp, or Wire. When using Signal and WhatsApp, turn on disappearing messages. These services have important differences when it comes to security – see CPJ’s guide to encrypted communications for more details.
  • If a source reaches out to you via a service that is not end-to-end encrypted, move the conversation to an encrypted service as soon as possible. Where possible, erase the original message and encourage your source to do the same. This will only delete the message from the account, a copy is likely to still exist on the server of the company.
  • If you do need to contact your source via email, set up a new email account to use only for this purpose. The account should not contain any personal data such as your real name, and should not be linked to your phone number or any online account in your name. Read more about how to set up an email account in the Rory Peck Trust’s digital security guide.

Receiving and managing documents

  • Be aware that almost anything you do on your devices is likely to leave a trace even after you have deleted it. IT experts can recover deleted content even if you have used specialized software to scrub your computer.
  • Keep sensitive documents on an air-gapped computer, one which has been modified so that it is unable to connect to the internet. This reduces the possibility that an outsider could access them.
  • For very sensitive stories, consider using Tails, a portable secure operating system for use on any computer. Seek help from a security specialist to set it up.
  • Send sensitive documents via SecureDrop using the TOR Browser if your newsroom or organization has it set up. You will need a digital security specialist to help with this.
  • Journalists without SecureDrop should ask to receive documents under 100MB via Signal or another end-to-end encrypted service. Documents over 100MB can be sent using OnionShare.
  • Be aware that metadata contained in documents, files, and messaging apps – such as the time and date a document was sent – is not always encrypted and could help someone identify your source.
  • Have a process for backing up and deleting content stored in messaging apps. Speak with your source about how they can better manage data stored in their apps and on their devices. Consult with a digital security professional on how best to manage this data.
  • Review devices regularly for documents and data that could put you or others at risk, especially if you are crossing borders or checkpoints.
  • Encrypt your devices, documents, and external drives where possible, and ensure that your encryption password is long and unique. Be aware of the laws around encryption in the countries you live, work, and travel to. You may be asked to unlock encrypted devices. Whether you do so or not is a personal choice.

Meeting sources

  • Assess the advantages and disadvantages of meeting in person vs. communicating via a secure digital platform.
  • Decide who is in charge of the meeting and responsible for changing any plans on the day.
  • Meet in a neutral location that cannot be associated with your source’s home or work address. Ensure it has multiple exit routes.
  • Monitor for any signs of surveillance during the meeting. Have a trusted contact on hand to raise the alarm if necessary.
  • Determine how you will securely transport sensitive information from the meeting back to your workplace, especially if it may help someone else identify the source.
  • Consider transportation options, noting the possibility of being monitored via CCTV:
  • If using public transport, pay in cash rather than using a bank card, which can be traced.
  • Withdraw cash at least a day in advance of the meeting to reduce the chance of any ATM footage being matched with the day of the meeting.
  • Private vehicle registration plates can be tracked by cameras. Try to park a vehicle out of sight in a secure area, and always park facing the direction of escape.
  • If you suspect you are being surveilled, turn around and call off the meeting.

Anonymizing sources

If taking photos or footage of the source, consider the following:

  • For audio, will you use a robotic voiceover or somebody else’s voice altogether?
  • Will you anonymize their face? Or will you not include their face at all?
  • How will you refer to them? Even a coded nickname may help somebody identify them.
  • Be aware that the following all offer clues as to who the source could be or where they live:
    • Distinctive body markings, such as a tattoo, mole, scar or birthmark;
    • Certain items of clothing or jewelry;
    • Identifiable features in the background, such as landmarks, buildings, or mountains;
    • Unique items in the background like a photo, trophy, furniture, a vehicle, or wallpaper.

Publishing content

  • Remove metadata from files, including photos, before sending to others. A file’s metadata can give away information about the person who created or sent it, and can include location, date, and time information, as well as the make and model of the device used.
  • Screenshots or photos of a source’s computer or phone screen may contain information that could be used to identify them, including imperfections in the screen like a broken pixel, or the color and style of a mouse icon.
  • Printed documents can contain embedded information such as the time and data the pages were printed as well as details about the printer they were printed from.
  • Content redacted or blurred out in documents can be revealed using specialized software.

Maintaining confidentiality

  • Avoid telling anybody who the source is unless absolutely necessary. The more people who know, the greater the risk.
  • Avoid writing down or printing any corroborating information. Even small details like the source’s initials or the name of a location could help identify them.
  • Monitor social media. If there is any indication the source may be uncovered, consider temporarily relocating them to a safe place based upon the risk level.