Online only, so far

Protecting your sources

Don't worry, this isn't going to be technical. In fact I've abandoned some of the technical advice I gave in 2001 and taken seriously my joke motto of the time: Bronze Age methods rock.

This is a discussion document. No guarantees are possible, and nothing impossible is given. Send comments to sources@londonfreelance.org

Why protect sources?

A It's worth reminding ourselves again that the ability to protect sources is essential to journalism that holds power to account. And source must be seen to be protected. As Duncan Campbell reminded the Branch in February, News International "acted as 'classic grasses' and 'poisoned the well' of confidential information."

The new law

B The new Investigatory Powers Act doesn't change anything about the ways your sources can be unmasked. It provides a legal framework for what the security services and other branches of govt are doing anyway. Previous legislation - such as the Regulation of Investigatory Powers Act 2001 - did the same.

C Just so you know: among the things the Investigatory Powers Act sets up procedures for are:

  1. Interception warrants (targeted, thematic or bulk)
  2. Equipment interference warrants (targeted, thematic or bulk) including installing a key-logger on your computer or phone.
  3. Bulk communications data acquisition warrants - in essence gathering "metadata" - see below.

D After lobbying - including stalwart work by the NUJ - there is recognition in the text of the need for journalists to protect sources.

E BUT just look at Section 264(5) of the Act:

For the purposes of this section -

(a) material is not to be regarded as created or acquired for the purposes of journalism if it is created or acquired with the intention of furthering a criminal purpose, and

(b) material which a person intends to be used to further such a purpose is not to be regarded as intended to be used for the purposes of journalism.

So, most obviously, none of the protections apply if your source is revealing something covered by the Official Secrets Acts. We await governments being creative with the definition of "criminal purpose" to remove the protections, such as they are, in other cases.

F These provisions may be unconstitutional. You may win a ruling to this effect in the European Court of Human Rights or even the Court of Justice of the European Union eventually, but by that time your source may have spent time in jail on trumped-up tax charges and is likely to have lost their job - and their pension.

So, what do we have to think about?

G It is often necessary to distinguish between information that may identify your source and that which could be used to prosecute. Recall that electronic intercept information is still not used in court in the UK.

H It is usually necessary and very practical to distinguish between content interception and collection of "metadata" - particularly information about who has communicated with whom.

Listening to content is expensive; it doesn't just mean employing a human to transcribe your chatter, but also someone - probably better-paid - to understand the significance of, er, any significant bits. (Machine transcription of speech is not reliable enough. Try training such a system to recognise a Scot if you don't believe me. What I did establish through talking to technologists was that some security services can go back through the archives identifying some instances of you uttering a particular word for which they already have records of your pronunciation.)

Setting up a computer to build a map of who communicates with whom, and timelines of propagating conversations is, however, cheap. And - if you take no precautions - it can rapidly produce identify your source or at least a list of candidates for being your source, for further investigation including possibly going back through the archive as mentioned above.

I You may be protecting a source from non-state actors too - for example if you're interviewing people who've suffered at the hands of gangmasters. In some cases the reverse of the advice given below may apply - for example it may be safer to talk on the phone, so long as your source takes care about being overheard.

For the sake of making some general points, I'll assume that it's the state that's interested in your source, and that the case really is high-value.

J There are no magic technological fixes. Indeed, using an unusual and partially-secure channel of communication may draw attention to you and to your source. (I wouldn't be surprised if someone discovered in 2067 that there'd been a single warrant in 2017 to list everyone who uses Tor or Hushmail or even PGP. Don't bother looking up what they are, because I'm not recommending them for this reason, which saves me going into the other reasons not to recommend them. which is a relief.)

KRemember, again, that usually the authorities are more concerned with who you spoke to than what you said.

So what, then, is to be done?

L In May 2016 Ross Anderson - Professor of computer security at the University of Cambridge - suggested we avoid using computers if possible. Meet in person. Take notes with a pencil. Impenetrable shorthand is a valuable extra.

The key points he made are:

  1. Privacy loves company. Meeting your contact at 3am in Trafalgar Square is not a good idea; 3pm is.
  2. Do not take your own phone with you to a face-to-face meeting. Tell your source when you first make contact not to bring theirs.
  3. Instead of arranging a time and place with your source, you could tell them you'll be in Guido's Greasy Spoon daily at 2pm...
  4. Pay attention to "shoe-leather stuff" - making sure you're not followed. Talk to old hands.

M That "shoe-leather stuff" is what spooks call "counter-surveillance". Trying to look this up leads you into a rabbit-hole of bullshitters. The stuff we actually care about, however, is little different to the old tactics journalists used to throw the opposition newspapers off the scent of a scoop.

So what might you consider to avoid being followed, for example?

  1. Simple things like doubling back... rather than going to a meeting by the shortest route. In London, you may want a mental map of the Underground and where you can cross a platform to change direction, such as Bank on the Central Line, King's Cross on the Circle... or cycle there. (Given the existence of autmatic number plate recognition, doubling back in a car is of little use.)
  2. If you're really suspicious consider a "Surveillance Detection Route" - which means recruiting a friend to follow you on a route that fits your normal routine, and, at its simplest, watch for people who show up repeatedly who have no other reason to do so.
  3. A sense of humour helps. Back in about 1961 members of the anti-nuclear-weapons direct action group the Committee of 100 met in a large open space (bad plan) and agreed to make a lot of phone calls organising a demonstration. They did not meet again, but chatted a lot on the phone. The place discussed was conveniently located opposite a café; at the time discussed some sat there drinking coffee and watching the puzzled police in an otherwise empty street.
  4. Never take your own phone with you when meeting a source.
  5. Tell your source not to bring theirs either.
  6. Get someone else to buy what is popularly called a "burner" phone - a phone not used previously, connecting through a SIM card not used previously. Ideally, both for cash.
  7. Hang on, though: if your calls were already being logged, how much of a clue would the change in your pattern of phone use offer? Perhaps you could make a habit of leaving your main phone at home at random intervals, just in case...
  8. Be thankful you can still buy a prepaid Oyster card for cash.
  9. Remember, and remind your source, that if you were being followed, you're as likely to be picked up as you leave your meeting as you are on the way there. Keep vigilant until you're back in your usual routine. In fact stay as close to it as possible at all times.
  10. Email links to this page to lots of random people at random times.
  11. Do not back up the burner phone to "the cloud" - any storage accessed over the internet. Use a thumb-drive if you need to back up. Tell your source not to do this. In fact, don't back up your main phone or your main computer to the cloud either.

N All this is mostly about pushing up the cost of tracking you. Again, digital surveillance is cheap. A 24-hour tail involves 9-20 salaried posts.

O If you have to use electronic communications, on balance use WhatsApp.

  1. It uses the SIGNAL protocol, which is solid.
  2. The "flaw" that was much publicised in January concerns what happens when you re-install the app. We assume you're installing it on a clean phone. See the footnote.
  3. Again: privacy loves company. There is a communications app called SIGNAL built on the SIGNAL protocol... but it's a minority pursuit.
  4. I don't think we can guarantee, though, that the authorities cannot get information on who called whom, even with SIGNAL.
  5. And there's that "equipment interference" stuff: keep that phone clean.

On this question, Ross Anderson comments:

There is a real debate about WhatsApp vs Signal vs Skype. Is it best to go for safety in numbers or safety from warrants? It depends on the application, of course.

I reckon that Signal is much more resistant to warrants than Facebook [owner of WhatsApp] or Microsoft [owner of Skype, which also allows you to send SIGNAL-encrypted messages]. But you can never tell really, and of course you don't know about hacks and backdoors till later.

PIf the story requires a computer - if for example there are databases or spreadsheets to process - get one for the job and run it off a TAILS DVD. There is no space here to go into detail what that means. It's what Professor Ross Anderson recommended to us.

QYou do want to back up your own main computer, phone and any other machines with important content. Again, do it to physical storage, not to "the cloud" - and keep the backups in your granny's greenhouse.

RDo not take a computer or phone with anything across it across certain borders. The Committee to Protect Journalists has issued a Safety Advisory saying, basically, don't go to the US and, if you have to go, encrypt everything on your device and ship it and the password separately. The Guardian ran similar advice from London lawyers on the morning of the meeting where I presented this:

"Given the degree of discretion given to US Border forces by relevant legislation, it appears to me quite clear that all options - choosing a burner phone, using heavy encryption with the password only being supplied after the traveller has entered the US, and changed prior to leaving and so forth - risk creating a catch-22 situation in which any attempt to mitigate the effects of the procedures are likely to be interpreted as 'probable cause' for searching," said Susan Hall, head of technology and intellectual property team partner at law firm Clarke Willmott.

The CPJ has also declared that "Surveillance forces journalists to think and act like spies".

Need to know

SThe most basic principle of security is "need to know". Only people who need to know a given piece of information should know it.

TBut at some point you're going to have to stand the story up to an editor and her lawyers. Recall what Duncan Campbell said about News International; and remember Sarah Tisdall, shopped by the Guardian in 1983 as the source of a story about the deployment of Cruise missiles in the UK and jailed for six months in 1984.

URecall Merion's suggestion to the April 2017 London Freelance meeting that you "get the source to meet the editor, without the editor knowing the name of the source..."

The care and feeding of your source

VAs Andrew Bousfield told the Branch in September 2011: if you can't deal with someone who's on an emotional roller-coaster, "don't do whistleblower stories." The person who risks losing their job - quite possibly one they love, since they're motivated to uphold standards in it - and their pension is your source.

WWe have to be honest with sources: we will do everything we can to protect them. "Yes, I will go to the European Court of Human Rights rather than give anything away about you" is true. Or it better be - if it's not, don't do the story.

XMostly, all the precautions you take are likely to be about "flying under the radar" and not giving hostages to fortune while you do so.

YIf you have an absolute need to be certain you're safe, and aren't willing to deal in merely reducing the probability of you or your source coming to harm, then no amount of precaution will make you a very good person to handle this story. If your source wants certainty, you're in trouble (and so, likely, is the story).

ZPoint Z is reserved for future use.


WhatsUpp?

Merion Jones told the April London Freelance meeting that he had been told by a senior person from Google that there is a "backdoor" in the messaging service WhatsApp. The only printed source the Freelance can find for this is a 13 January 2017 article in the Guardian. The vulnerability it describes is not a "backdoor".

That article prompted an open letter to the Guardian initiated by information and security researcher Zeynep Tufekci and now signed by more than 70 other security and press freedom researchers - calling on the Guardian to withdraw the story.

What graduate student Tobias Boelter described to the Guardian was this: if you install WhatsApp on a new phone using the same user identity, the "server" computer that handles your messages will create a new "encryption key" for it. (If "encryption key" puzzles you, think of it as a very clever password that machines use in talking to each other.) By default it will re-send messages that are queued to be sent to you, using the new key, without telling you or the sender. And, in principle, someone who seized control of the "server" computer could do more, but they'd have to force your phone offline for a few days, which you'd notice.

The solution is simple: don't do that, then.

  1. Get a phone for the job and stick to it.
  2. Consider going to the Settings menu and enabling "safety number" change notifications; but be aware that, as developers Open Whisper Systems point out, this could flag you as someone thinking especially hard about security.
  3. Your WhatsApp will now behave, as far as I can tell, exactly like the Signal app that Boelter prefers.

But in looking up the references for the above I came across a piece for Forbes by Thomas Fox-Brewster, looking into what WhatsApp has actually provided to the (US) government. He reported that his inspection of court records revealed several instances of WhatsApp being ordered to produce records of who had communicated with whom - that "metadata" that is more important to identifying sources than is the content of communications, as noted above. It must be presumed that Facebook, WhatsApp's owner, complied. It must be noted that there are procdedures for secret orders with heavy penalties om internet service providers that reveal their existence: those in the US "Patriot Act" were in essence copied from the UK Regulation of Investigatory Powers Act 2001.

It should be noted that Signal is also known to have received such orders, but responds that it retains the minimum possible information.

Before plumping for Signal, though, consider, though, the point above about safety in numbers, above. As Zeynep Tufekci says, "switching to Signal may not be advisable in some settings, because it marks you as an activist".