• Security

When Speaking with Reporters

  • Written By: Matt Mitchell

The motivations of your average reporter are complex.

Journalism is more a calling than a job — thankless work all for a headline and a byline.

Even a well-meaning editor or journalist can complicate your personal situation or put you at risk. We cannot expect all reporters to be experts on the latest ways whistleblowers are exposed or how to handle sensitive data. At the end of the day, a team of many people is involved in handling a modern news story. It’s impossible to expect them all to meet you and agree to your privacy terms. This is the risk taken when working with the media.

When communicating with a reporter, it’s okay to lay out the ground rules and find out how they feel about them. This might include an agreement not to list anything from a “short list” of items without written permission. There is nothing holding a reporter to anything they agree to, however, it does not hurt to take a stand and ask. This list might include personally identifiable information, parents’ names, your legal or maiden name, home address, hometown, age, childrens’ name, etc.) If you do not explicitly say it’s not okay, the assumption will be that it is okay.

End-to-end encrypted apps should be used when communicating. Metadata light apps like wire.com, threema.com, ricochetrefresh.net and wickr.com (now owned by Amazon) are good examples. Signal app is the gold standard of encryption, but deniability is difficult if communication goes sideways and must be broken (unless you are using a new account tied to a clean SIM or virtual phone number).

Understand that the best privacy and security comes when avoiding email altogether. If you do use email to communicate, consider emailing from a newly created email account. Also know that emails are more private if sent from the same platform as your recipient (e.g., Gmail/Google workspace to Gmail/Google workspace or Protonmail to Protonmail). This often allows for messages to stay within the servers of the email service you choose, and not travel on the open internet. Some services, like Protonmail and Gmail/Google Workspace, offer some form of timed or locked message after a period of time. Google has confidential mode; Protonmail has message expiration. Google holds the keys to its encrypted messages and can open them if compelled or if they choose to. Protonmail offers better protections. Tutanota.com is another private email service; new accounts can take 24 hours or more to approve and accounts are locked if not used in six months. Tutanota, like Protonmail, offers encrypted messages that cannot be opened by the email service. While email messages on these two services cannot be opened, the IP address of the phone or computer you use to access them is logged. If you must use e-mail, Protonmail is recommended. 

To protect your identity when using a privacy-preserving email service, always use a VPN (and/or Tor browser) when accessing them. When choosing a VPN it makes sense in this case to use a trusted no-login VPN like Bitmask/RiseupVPN, Psiphon, and Lantern. These services do not need your payment information or even a username and password to work. For the best protection when accessing your email include a VPN and the Tor browser, available at TorProject.org.  Protonmail offers a special “hidden service” version of their website that provides additional privacy and security for Tor browser users.

  • Ask the reporter if they have worked on stories similar to this and what the outcomes were for the sources/interview subjects.
  • Ask the reporter if they received training on how to handle sensitive data. 
  • Before speaking, have a short list of what is off limits and what information you prefer never be listed without express specific written permission. 
  • Consider using secure end-to-end encrypted messengers to communicate. Get the reporter on the app you choose.
  • When possible, use a messenger that allows you to have a username, instead of revealing your email or phone number.
  • When picking an account or username, choose something unconnected to you, like a word from a news headline.
  • Ask about a timed release of your findings/claims/grievances to disrupt the corporate damage control PR and spin consultants.
  • Consider using a new clean email address and access the account using a VPN.
  • Whether using Gmail, Protonmail or Tutanota, it makes sense to ask the reporter to get on the same email service you use.

Statement of transparency

This entire project is worthless if the tech workers who come to it cannot trust where the information is from, who is behind its creation, and who manages the site. For that reason, I have identified every organization and individual who has been instrumental in its development.

The time and resources required to put together the Handbook were funded by Omidyar Network. This is a wholly independent project owned and managed by me. No identifying data will ever be collected or shared about who accesses this site — with anyone. That said, I do NOT advise accessing this from a company device. Your employer can, and will likely, track visits to a resource like this Handbook. 

You can find a list of the data WordPress automatically collects about site visits here.

 

— Ifeoma Ozoma, Founder of Earthseed, Creator of the Tech Worker Handbook