Essential tech tools and tips for protecting your sources

Auther: Sam Berkhead 

In the post-Snowden era of investigative journalism, many journalists seek out encryption technologies to protect themselves and their sources from government surveillance.

The most recent data from the Pew Research Center reveals more than half — 64 percent — of investigative journalists in the U.S. believe the government has “probably” collected their phone calls, emails or online communications. Eight in ten said they believe they are more likely to have data collected because they’re journalists.

However, today’s investigative journalists are more likely to face threats in the form of subpoenas and investigations into whistleblowers, said Jennifer Valentino-DeVries, a reporter at The Wall Street Journal who works on its data investigations team. Criminal hackers have also been known to target prominent news outlets and individual journalists alike.

“Not only is that a problem for you and your private information, but you can also have your sources’ information be disclosed in that manner, even if that’s not what the hackers were originally looking for,” Valentino-DeVries said.

Another threat more likely than the NSA? Accidental disclosure of information. Journalists might not realize how much data they’re revealing through their work, allowing anyone with a basic knowledge of web scraping to easily glean sensitive data.

Take Vice’s 2012 piece on John McAfee, in which they followed the software executive’s life on the run in Latin America for several days. Vice published a blog featuring a photo with McAfee and Vice editor-in-chief Rocco Castoro taken with an iPhone 4S — a photo whose geolocation data hadn’t been wiped before publishing. Using this data, it was shockingly easy to pinpoint McAfee’s location by a swimming pool along Guatemala’s Rio Dulce.

Knowing this, how can investigative reporters maintain privacy between themselves and their sources? Valentino-DeVries covered the best tools and tips for protecting sources at last month’s Investigative Reporters and Editors (IRE) conference. Here are our top takeaways:

Threat modeling

A key first step in determining the security steps you need to take is through the practice of threat modeling, Valentino-DeVries said. Typically used in computer security circles, threat modeling can help journalists evaluate who an adversary is most likely to be, what information they might want and the consequences of a story’s sensitive information getting out. From there, you can determine your best options for security tools and techniques.

Because threat modeling isn’t static — security threats often vary from story to story — it’s important to be flexible with your security routine. This is especially true when your biggest security threat might actually be a source’s unwillingness to follow your security regimen, Valentino-DeVries explained.

“I find that sometimes sources don’t exactly want to think that they’re sources,” she said. “If you say ‘You need to encrypt this,’ it freaks them out. They don’t want to think they’re doing anything dangerous. Instead of worrying about whether the tool you’re using is 100 percent perfect against a state-level attack, it might be a better step to make sure your source is comfortable using it.”

Tech basics

“Before you worry about whether everything you have is encrypted, make sure you’re taking basic security steps,” Valentino-DeVries said. “If you don’t have the basics covered, it’s pointless to do the more complicated stuff.”

Using antivirus software, a Virtual Private Network (VPN) and the latest software version are all important basic steps that can help keep your computer secure. Be wary of using USB drives that come from unfamiliar sources. Journalists should also practice good password hygiene, creating secure, randomized passwords with a Diceware password generator, and taking advantage of two-factor authentication whenever it’s available.


Encryption, a process of encoding messages so only authorized parties can read them, can be useful when communicating private information with sources. Several encrypted messaging apps are available, and it’s possible to encrypt one’s emails using PGP or GPG keys. Off-The-Record Messaging lets you send encrypted instant messages, but shouldn’t be confused with Google’s off-the-record chat feature, which isn’t secure.

However, it’s important to remember that encryption isn’t fully impenetrable — encrypted emails still contain geolocation data and other metadata that can get you or your sources into trouble.

Other security steps

Valentino-DeVries offered up several other security tools to use during investigations. The Tor browser routs your internet browsing activity through servers around the world, preventing people from finding out what sites you visit. HTTPS Everywhere places the more secure HTTPS protocol on all websites you visit, protecting your web browsing. OnionShare allows for the secure sharing of documents and is based off the Tor browser’s software. Similarly, SecureDrop allows whistleblowers to anonymously and securely share documents with news organizations. Lastly, journalists can securely erase files from their computer using tools like CCleaner — Valentino-DeVries recommended erasing your data regularly.

Main image CC-licensed by Flickr via Perspecsys Photos.