News Organizations Routinely Expose Journalists Through Hostnames and IP Addresses

Kevin Gallagher

Journalists doing investigations online are often unknowingly giving away their identity to the very people they’re investigating. And the issue illustrates why journalists should regularly be using the Tor Browser or a Virtual Private Network (VPN) when working on any story—whether it's about national security or not.

Every internet connection is associated with an IP address (ex. 74.125.226.1) that is broadcast to every website you visit, and in turn, the operator of any website can see every IP address that visits it. Worse, often times the actual name of your newsroom is logged in place of the string of numbers that is your newsroom’s IP address, known as a hostname. [1]

While there are practical reasons for hostnames, they are optional, and for investigative journalists at major news organizations, it can be highly problematic. Often in order to get the story they must go undercover, remain unknown, or appear to be an ordinary member of the public. But when the internet connection at your workplace is configured in a certain way, it trivially reveals who you're working for.

Get Notified. Take Action.

Think of your IP address and the name associated with it as your phone number and caller ID. You really want to keep both the IP address and hostname private, but having your name associated with your number is an obvious giveaway. You can be sure that corporations up to no good will keep an eye on who is visiting their websites and will be tipped off if a reporter is onto them.

Christopher Soghoian, the ACLU's chief technologist, who is also a member of our Technical Advisory Board, recently conducted an informal survey on Twitter, asking journalists to let him know if their own organizations broadcast the hostnames of IP addresses. According to those who contacted him, several major US news organizations, including NBC, Reuters, The Associated Press, USA Today/Gannett and CBS Interactive all leak their identity via the IP addresses assigned to journalists' computers.

According to Soghoian, "several of the reporters who responded to the survey said that they had complained about this issue to their management and their IT departments, but that their complaints had been ignored." Soghoian added, "News organizations need to step up and take digital security seriously, starting with this easy-to-address issue."

To prevent this problem, news organizations should be encouraging their journalists to use Tor, proxies or VPNs in order to mask their IP and hostname. Using the Tor Browser will bounce and encrypt your connection through multiple relays all over the globe so when it comes out the other end it will have no attachment to the point you started from. Likewise, a Virtual Private Network (VPN), often a paid service, is an effective privacy solution that “tunnels” all of your activity through a point that isn't identifiable as your home or workplace. All of these safeguards change what your IP address appears to be, and without them, your rough geographical location can be determined too.

Other trace information includes which browser you're using and its unique version number. The data shown below is an example of what you might leave behind when visiting a website and registering a hit in a server's access logs (don't worry, we're not logging this).

<!--//--><![CDATA[// ><!-- jQuery(function($) { $.getJSON('/sites/all/modules/custom/pressfreedom/includes/PrintIPHost.php', function (res) { $('.tracking').html('<strong>Your IP address<\/strong>: ' + res.ip + '<br><strong>Your hostname<\/strong>: ' + res.hostname + '<br><strong>Your user agent<\/strong>: ' + res.browser + '<br><strong>Your location<\/strong>: ' + res.location); }); }); //--><!]]>

All this is to say: be aware that you are being tracked online no matter what site you visit, and realize there are simple steps you can take to avoid it.


[1] Technically speaking, the “reverse DNS lookup” is enabled by something called a PTR or "pointer" record, which is rooted in the top-level domain of the internet, with allocation records typically held by the American Registry for Internet Numbers (ARIN). The PTR record is voluntarily entered and has limited usefulness — it's only really beneficial as an anti-spam feature if you're running a mail server, and not much else. Yet it's extraordinarily handy for tracking people and identifying their ISP, company, organization, institution, etc.

Donate to support press freedom

Your support is more important than ever.

Read more about Security

One nation under RISAA: What the US election could mean for surveillance of journalists

No matter what happens this November, spying on members of the news media may be an ongoing problem

That USB drive might not be safe. What now?

To be curious is to be human — including about what’s on that USB drive. But first, let’s think through how to access it safely.

Reporting on the 2024 elections? We're here to help

Our Digital Security team is on hand to help you and your devices stay safe in the 2024 election year