This module begins with a short discussion of information hidden in files and the potential risks tied to file metadata. A short exercise follows in which students find the file metadata embedded in a photo, and the module closes with a discussion of risk minimization.
Prerequisites
Threat modeling
(Good to know) Malware
Estimated time
30-35 minutes
Objectives
- Upon successful completion of this module, students will be able to find file metadata, as well as printer micro-dots and physical markers hidden in the content of a document.
- Students will be able to identify techniques for removing file metadata.
- Students will be able to analyze the risks associated with publishing sensitive original documents.
Why this matters
Getting work done without compromising the newsroom, or information shared by higher-risk sources, means looking closely at what is in a file, and thinking through how to minimize risk before sharing documents beyond the newsroom, if at all.
Homework
(Before class)
- Read this piece from Ted Han and Quinn Norton on minimizing metadata hidden within your documents (e.g., invisible printer dots): "Protecting Your Sources When Releasing Sensitive Documents"
- Read this piece from David Huerta, on risks when leaking from the workplace: "Leaking on the clock: What your sources need to know"
- (Optional) Read this, on dangerous files and mitigations against embedded malware: "Get Your Malware Shots"
Sample slides
Activities
- Have students find John McAfee's secret location, using only this photo: http://fpf.training/mcafee-metadata
Note: You may need to send the link around via a trusted channel. Because link shorteners are sometimes abused to deliver malicious links, we do not encourage using a link shortener unless you can also qualify this issue for your students.
Questions for discussion
- How might the Vice News example we saw have been avoided?
- Suppose you want to report a story that includes original documents a source shared. They've been verified, and you and your editor feel confident in them. How might you report on those documents to minimize risk to your source?