Much, much longer online version

Point Z added 20 March 2018

Protecting your sources

Don't worry, this isn't going to be technical. In fact I've abandoned some of the technical advice I gave in 2001 and taken seriously my joke motto of the time: Bronze Age methods rock.

This is a discussion document. No guarantees are possible, and nothing impossible is given. Send comments to

Why protect sources?

AIt's worth reminding ourselves again that the ability to protect sources is essential to journalism that holds power to account. And source must be seen to be protected. As Duncan Campbell reminded the Branch in February 2017, News International "acted as 'classic grasses' and 'poisoned the well' of confidential information."

The new law

BThe new Investigatory Powers Act doesn't change anything about the ways your sources can be unmasked. It provides a legal framework for what the security services and other branches of government are doing anyway. Previous legislation - such as the Regulation of Investigatory Powers Act 2001 - did the same.

CJust so you know: among the things the Investigatory Powers Act sets up procedures for are:

  1. Interception warrants (targeted, thematic or bulk);
  2. Equipment interference warrants (targeted, thematic or bulk) including installing a key-logger on your computer or phone (which essentially records and reports everything you do); and
  3. Bulk communications data acquisition warrants - in essence gathering "metadata" - see below.

DAfter lobbying - including stalwart work by the NUJ - there is recognition in the text of the need for journalists to protect sources.

EBUT just look at Section 264(5) of the Act:

For the purposes of this section -

(a) material is not to be regarded as created or acquired for the purposes of journalism if it is created or acquired with the intention of furthering a criminal purpose, and

(b) material which a person intends to be used to further such a purpose is not to be regarded as intended to be used for the purposes of journalism.

So, most obviously, none of the protections apply if your source is revealing something covered by the Official Secrets Acts. We await governments being creative with the definition of "criminal purpose" to remove the protections, such as they are, in other cases.

FThese provisions may be unconstitutional. You may win a ruling to this effect in the European Court of Human Rights or even the Court of Justice of the European Union eventually, but by that time your source may have spent time in jail on trumped-up tax charges and is likely to have lost their job - and their pension.

So, what do we have to think about?

GIt is often necessary to distinguish between information that may identify your source and that which could be used to prosecute. Recall that electronic intercept information is still not used in court in the UK.

HIt is usually necessary and very practical to distinguish between content interception and collection of "metadata" - particularly information about who has communicated with whom.

Listening to content is expensive; it doesn't just mean employing a human to transcribe your chatter, but also someone - probably better-paid - to understand the significance of, er, any significant bits. (Machine transcription of speech is not reliable enough. Try training such a system to recognise a Scot if you don't believe me. What I did establish through talking to technologists was that some security services can go back through the archives identifying some instances of you uttering a particular word for which they already have records of your pronunciation.)

Setting up a computer to build a map of who communicates with whom, and timelines of propagating conversations is, however, cheap. And - if you take no precautions - it can rapidly produce information that identifies your source or at least a list of candidates for being your source, for further investigation including possibly going back through the archive as mentioned above.

IYou may be protecting a source from non-state actors too - for example if you're interviewing people who've suffered at the hands of gangmasters. In some cases the reverse of the advice given below may apply - for example it may be safer to talk on the phone, so long as your source takes care about being overheard.

For the sake of making some general points, I'll assume that it's the state that's interested in your source, and that the case really is high-value.

JThere are no magic technological fixes. Indeed, using an unusual and partially-secure channel of communication may draw attention to you and to your source. (I wouldn't be surprised if someone discovered in 2067 that there'd been a single warrant in 2017 to list everyone who uses Tor or Hushmail or even PGP. Don't bother looking up what they are, because I'm not recommending them for this reason, which saves me going into the other reasons not to recommend them, which is a relief.)

KRemember, again, that usually the authorities are more concerned with who you spoke to than what you said.

So what, then, is to be done?

LIn May 2016 Ross Anderson - Professor of computer security at the University of Cambridge - suggested we avoid using computers if possible. Meet in person. Take notes with a pencil. Impenetrable shorthand is a valuable extra.

The key points he made are:

  1. Privacy loves company. Meeting your contact at 3am in Trafalgar Square is not a good idea; 3pm is.
  2. Do not take your own phone with you to a face-to-face meeting. Tell your source when you first make contact not to bring theirs.
  3. Instead of arranging a time and place with your source, you could tell them you'll be in Guido's Greasy Spoon daily at 2pm...
  4. Pay attention to "shoe-leather stuff" - making sure you're not followed. Talk to old hands.

MThat "shoe-leather stuff" is what spooks call "counter-surveillance". Trying to look this up leads you into a rabbit-hole of bullshitters. The stuff we actually care about, however, is little different to the old tactics journalists used to throw the opposition newspapers off the scent of a scoop.

So what might you consider to avoid being followed, for example?

  1. Simple things like doubling back... rather than going to a meeting by the shortest route. In London, you may want a mental map of the Underground and where you can cross a platform to change direction, such as Bank on the Central Line, King's Cross on the Circle... or cycle there. (Given the existence of autmatic number plate recognition, doubling back in a car is of little use.)
  2. If you're really suspicious consider a "Surveillance Detection Route" - which means recruiting a friend to follow you on a route that fits your normal routine, and, at its simplest, watch for people who show up repeatedly who have no other reason to do so.
  3. A sense of humour helps. Back in about 1961 members of the anti-nuclear-weapons direct action group the Committee of 100 met in a large open space (bad plan) and agreed to make a lot of phone calls organising a demonstration. They did not meet again, but chatted a lot on the phone. The place discussed was conveniently located opposite a café; at the time discussed some sat there drinking coffee and watching the puzzled police in an otherwise empty street.
  4. Never take your own phone with you when meeting a source. (Why? For a dramatic example, see the relevations concerning Pegasus spyware.)
  5. Tell your source not to bring theirs either.
  6. Get someone else to buy what is popularly called a "burner" phone - a phone not used previously, connecting through a SIM card not used previously. Ideally, both for cash.
  7. Hang on, though: if your calls were already being logged, how much of a clue would the change in your pattern of phone use offer? Perhaps you could make a habit of leaving your main phone at home at random intervals, just in case...
  8. Be thankful you can still buy a prepaid Oyster card for cash.
  9. Remember, and remind your source, that if you were being followed, you're as likely to be picked up as you leave your meeting as you are on the way there. Keep vigilant until you're back in your usual routine. In fact stay as close to it as possible at all times.
  10. Email links to this page to lots of random people at random times.
  11. Do not back up the burner phone to "the cloud" - any storage accessed over the internet. Use a thumb-drive if you need to back up. Tell your source not to do this. In fact, don't back up your main phone or your main computer to the cloud either.

NAll this is mostly about pushing up the cost of tracking you. Again, digital surveillance is cheap. A 24-hour tail involves 9-20 salaried posts.

OIf you have to use electronic communications, on balance use WhatsApp.

  1. It uses the SIGNAL protocol, which is solid.
  2. The "flaw" that was much publicised in January concerns what happens when you re-install the app. We assume you're installing it on a clean phone. See the footnote.
  3. Again: privacy loves company. There is a communications app called SIGNAL built on the SIGNAL protocol... but it's a minority pursuit.
  4. I don't think we can guarantee, though, that the authorities cannot get information on who called whom, even with SIGNAL.
  5. And there's that "equipment interference" stuff: keep that phone clean.

On this question, Ross Anderson comments:

There is a real debate about WhatsApp vs Signal vs Skype. Is it best to go for safety in numbers or safety from warrants? It depends on the application, of course.

I reckon that Signal is much more resistant to warrants than Facebook [owner of WhatsApp] or Microsoft [owner of Skype, which also allows you to send SIGNAL-encrypted messages]. But you can never tell really, and of course you don't know about hacks and backdoors till later.

PIf the story requires a computer - if for example there are databases or spreadsheets to process - get one for the job and run it off a TAILS DVD. There is no space here to go into detail what that means. It's what Professor Ross Anderson recommended to us.

QYou do want to back up your own main computer, phone and any other machines with important content. Again, do it to physical storage, not to "the cloud" - and keep the backups in your granny's greenhouse.

RDo not take a computer or phone with anything across it across certain borders. The Committee to Protect Journalists has issued a Safety Advisory saying, basically, don't go to the US and, if you have to go, encrypt everything on your device and ship it and the password separately. The Guardian ran similar advice from London lawyers on the morning of the meeting where I presented this:

"Given the degree of discretion given to US Border forces by relevant legislation, it appears to me quite clear that all options - choosing a burner phone, using heavy encryption with the password only being supplied after the traveller has entered the US, and changed prior to leaving and so forth - risk creating a catch-22 situation in which any attempt to mitigate the effects of the procedures are likely to be interpreted as 'probable cause' for searching," said Susan Hall, head of technology and intellectual property team partner at law firm Clarke Willmott.

The CPJ has also declared that "Surveillance forces journalists to think and act like spies".

Need to know

SThe most basic principle of security is "need to know". Only people who need to know a given piece of information should know it.

TBut at some point you're going to have to stand the story up to an editor and her lawyers. Recall what Duncan Campbell said about News International; and remember Sarah Tisdall, shopped by the Guardian in 1983 as the source of a story about the deployment of Cruise missiles in the UK and jailed for six months in 1984.

URecall Merion's suggestion to the April 2017 London Freelance meeting that you "get the source to meet the editor, without the editor knowing the name of the source..."

The care and feeding of your source

VAs Andrew Bousfield told the Branch in September 2011: if you can't deal with someone who's on an emotional roller-coaster, "don't do whistleblower stories." The person who risks losing their job - quite possibly one they love, since they're motivated to uphold standards in it - and their pension: that person is your source.

WWe have to be honest with sources: we will do everything we can to protect them. "Yes, I will go to the European Court of Human Rights rather than give anything away about you" is true. Or it better be - if it's not, don't do the story.

XMostly, all the precautions you take are likely to be about "flying under the radar" and not giving hostages to fortune while you do so.

YIf you have an absolute need to be certain you're safe, and aren't willing to deal in merely reducing the probability of you or your source coming to harm, then no amount of precaution will make you a very good person to handle this story. If your source wants certainty, you're in trouble (and so, likely, is the story).

Data protection issues

ZOne way in which those you are investigating may try to uncover sources is through "subject access requests" under data protection legislation. These have been part of UK law for decades, but may be more likely following the publicity around the EU's General Data Protection Regulation (GDPR) coming into force in May 2018.

In brief: if you are investigating a story that is truly in the public interest, then you can reply to such requests to say that you have considered them individually and do not need to tell them anything, under the exemption for journalism. So you may feel that they constitute little more than bureaucratic harassment, or an attempt to snare the under-informed. See this briefing document, which is being updated as the law changes in stages during 2018.


Merion Jones told the April 2017 London Freelance meeting that he had been told by a senior person from Google that there is a "backdoor" in the messaging service WhatsApp. The only printed source the Freelance can find for this is a 13 January 2017 article in the Guardian. The vulnerability it describes is not a "backdoor".

That article prompted an open letter to the Guardian initiated by information and security researcher Zeynep Tufekci and now signed by more than 70 other security and press freedom researchers - calling on the Guardian to withdraw the story.

What graduate student Tobias Boelter described to the Guardian was this: if you install WhatsApp on a new phone using the same user identity, the "server" computer that handles your messages will create a new "encryption key" for it. (If "encryption key" puzzles you, think of it as a very clever password that machines use in talking to each other.) By default it will re-send messages that are queued to be sent to you, using the new key, without telling you or the sender. And, in principle, someone who seized control of the "server" computer could do more, but they'd have to force your phone offline for a few days, which you'd notice.

The solution is simple: don't do that, then.

  1. Get a phone for the job and stick to it.
  2. Consider going to the Settings menu and enabling "safety number" change notifications; but be aware that, as developers Open Whisper Systems point out, this could flag you as someone thinking especially hard about security.
  3. Your WhatsApp will now behave, as far as I can tell, exactly like the Signal app that Boelter prefers.

But in looking up the references for the above I came across a piece for Forbes by Thomas Fox-Brewster, looking into what WhatsApp has actually provided to the (US) government. He reported that his inspection of court records revealed several instances of WhatsApp being ordered to produce records of who had communicated with whom - that "metadata" that is more important to identifying sources than is the content of communications, as noted above. It must be presumed that Facebook, WhatsApp's owner, complied. It must be noted that there are procdedures for secret orders with heavy penalties on internet service providers that reveal their existence: those in the US "Patriot Act" were in essence copied from the UK Regulation of Investigatory Powers Act 2001.

It should be noted that Signal is also known to have received such orders, but responds that it retains the minimum possible information.

Before plumping for Signal, though, consider, though, the point above about safety in numbers, above. As Zeynep Tufekci says, "switching to Signal may not be advisable in some settings, because it marks you as an activist".