Many people in government and the private sector are feeling concerned that they or their colleagues may be required to do something unethical or illegal, and speaking up can lead to negative consequences for their livelihood or freedom. Giving tips to journalists can be risky, but can also be an effective and courageous way to call attention to abuses. This guide describes basic steps for minimizing potential risk when sharing sensitive information with a news organization.
Before moving ahead, do you have a strong tip?
A good tip requires clear evidence, and should be the basis for a story that the broader public should know about.
Whether or not you have evidence, the broader public might not need to know that a neighbor refuses to pick up after her dog on the morning walk. Allegations of corruption or illegality among public officials are certainly newsworthy, but those claims will not make it into a published story without verifiable evidence.
Who are you concerned about, and what can they do?
Think about the sensitivity of the information you’re sharing, and who might be willing to investigate the source of the leak. What are the organization’s capabilities? What resources (e.g., attention, legal, financial, technical resources) can they invest in discovering the source? And how likely do you think it is that they will actually investigate?
If you share information about a large, well-resourced organization that requires discretion from employees, such as a government agency, it may have enormous legal, financial, and technical resources available for investigating a leak. If you’re sharing information about a small organization, such as a local restaurant that muzzles workers, its resources are much more constrained and it may not have the capacity or willingness to investigate. Proceed accordingly.
Proceeding with caution
First, be cautious about behaviors that could make you readily identifiable as a source.
Keep all of your tipping activities outside the view of your organization. For essentially everyone, that means no calling from work, no emailing from a work email address, and staying off work devices for any leaking activities.
Be cautious about giving tips on anything that only you could know, or materials that only you could access. Only share these kinds of materials if you think the increased risk of being caught is worthwhile, or if you feel you have a strong moral obligation to do so.
If you are the only one at your organization surfacing a specific grievance, and information about that grievance is later reported by the press, it may give your organization a strong hint about who shared the information.
Don’t tell anyone about your leaking activities, except in cases where you may want legal advice from a practicing lawyer.
Tactics for minimizing risk
Minimize the risk of a tip being tied to you, and potentially in your continued communications with reporters. There are a lot of ways to do that.
- Send your materials through physical mail. You can mail electronic documents (e.g., on an SD card) or physical documents through ordinary mail. Be warned: the U.S. postal service takes pictures of the exterior of physical mail. So don’t use a return address that is associated with you, and mail it in from a sidewalk mailbox in a location you don’t usually frequent. If you have a particular reporter you want to look into your story, copy them on the envelope.
- Call from a phone number unconnected to you. For example, go to a business you don’t usually go to, and ask to use their phone. You can also buy a cheap cell phone and prepaid phone card that cannot be traced back to you, but know this involves several careful steps: You must pay with cash, and if your organization can have access to phone location records, it’s best to only turn on the phone in locations unassociated with you. That also means not using the phone in locations separate from your permanent phone. Remove the battery when it’s not in use.
- Use Signal for private messaging. Signal is a free and open source, secure messaging app for iPhones and Android devices. Signal gives you free end-to-end encrypted messages and phone calls. Signal only retains your phone number, your signup date, and when you were last active. You can also make messages self-destruct for everyone in the conversation automatically after a set amount of time. This makes it significantly harder (but not impossible) to eavesdrop on your conversations. If you want help getting started, read this beginner-friendly guide on using Signal.
Note that Signal requires both users to share their phone numbers. When reaching out to journalists, consider registering Signal with a number that your organization is unlikely to connect to you and also understand that Signal is not designed to facilitate complete anonymity.
- Use a whistleblower submission system. Tools such as SecureDrop can provide protection by allowing you to share documents and communications through an anonymous and encrypted dropbox.
More technical, but more secure: SecureDrop
A growing number of news organizations are using SecureDrop to allow sources to reach out and share files or communications anonymously (e.g., The New York Times, The Washington Post, ProPublica, The Intercept; more here). With SecureDrop, not even the news organization knows who you are unless you choose to tell them.
You can access a news organization’s SecureDrop page through Tor Browser, which is a modified version of Firefox. Tor encrypts and tunnels your web traffic within a global network of computers before connecting you to your final destination. When you access a website through Tor (e.g., Amazon.com) you will appear to connect from a remote location – likely another country.
People on your network can’t see what you’re doing on Tor, but it’s still possible to tell that you’re using Tor. With that in mind, don’t use it at work. For greater security, consider using Tor Browser only over a wi-fi network in a location that is not tied to you (e.g., a coffee shop you don’t normally visit) and pay with cash.
As opposed to a “.com” web address, you get to SecureDrop through a unique .onion web address, which can only be accessed through Tor.
Using SecureDrop is easy
- Follow the directions to download the Tor Browser here and install it.
- Launch the Tor Browser application.
- Copy the news organization’s .onion URL on their SecureDrop instruction page (e.g., ProPublica: http://pubdrop4dw6rk3aq.onion). Paste it into the address bar in Tor Browser.
- From here, you can leave messages and files that the news organization will check from time to time.
- You will be given a random “codename.” Keep this information safe, and don’t share it with anyone. If you lose your codename, they can’t reach you any more. Use this codename to have continued conversations with the news org.
(For more technically-adept users, consider accessing SecureDrop through an operating system designed for privacy and anonymity such as Tails.)
Reporters generally take their commitment to protecting your identity very seriously, and will do everything in their power to fight potential legal requests for identifying information about you. But often, it’s even safer not to give your identity if you don’t have to. Keep in mind that journalists prefer to have proof of your claims, and information to demonstrate your identity is a part of that.
Dealing with file metadata
Sharing information may be less risky than sharing documents, because they can be embedded with information about the file, which we call metadata. For example, if you create a .docx file, it may have identifying information about you embedded in the file. Consider carefully whether you really need to share files or just the information.
To deal with hidden metadata, rather than sending the file itself, consider taking a picture of a document with a traditional camera (not a smartphone), or take a screenshot of the document. On most operating systems, screenshots come with little useful metadata. For more technical users, you can find metadata removal tools here.
Where to reach out
Here are just a few organizations that support the approaches outlined above, and how you can contact them. An enormous number of news organizations have set up tip pages where you find information about secure communication channels. Here are several news organizations with multiple secure communication avenues where you can contact them. This is becoming standard, and news organizations looking for great tips will follow suit.
Avoid tip pages that use unsecured HTTP instead of (secured) HTTPS. You might wonder, what’s the difference? With HTTP, network eavesdroppers can see which pages you’re visiting, while with HTTPS, they can’t.
- How to reach out: https://securedrop.propublica.org/ and “How to Leak to ProPublica"
- SecureDrop address: pubdrop4dw6rk3aq.onion
- Mailing address: ProPublica, 155 Avenue of the Americas, 13th floor, New York, NY 10013-1507
- Signal numbers for reporters available on “How to Leak to ProPublica”
The New York Times
- How to reach out: https://www.nytimes.com/tips
- SecureDrop address: nytimes2tsqtnxek.onion
- Mailing address: Tips, The New York Times, 620 8th Avenue, New York, NY 10018
- Signal: 1-646-951-4771
The Washington Post
- How to reach out: https://www.washingtonpost.com/anonymous-news-tips/
See also https://www.washingtonpost.com/securedrop/ and “Here’s how to leak government documents to The Post”
- SecureDrop address: vbmwh445kf3fs2v4.onion
- Mailing address: The Washington Post, 1301 K Street NW, Washington DC 20071
- How to reach out: https://contact.buzzfeed.com/
- SecureDrop address: 6cws3rcwn7aom44r.onion
- Mailing address: BuzzFeed News NY, c/o Mark Schoofs, Investigations & Projects Editor, 111 East 18th Street, BuzzFeed Newsroom, New York, NY 10003
- Signal: 1-646-379-1975
The Associated Press
- How to reach out: https://www.ap.org/tips/
- SecureDrop address: 3expgpdnrrzezf7r.onion
- Mailing address: The Associated Press, c/o Ted Bridis, investigations editor, 1100 13th Street NW, Suite 500, Washington, DC 20005
- How to reach out: https://securedrop.theguardian.com/
- SecureDrop address: 33y6fjyhs3phzfjj.onion
- Mailing address: The Guardian, 222 Broadway, 22nd – 23rd Floors, New York, NY 10038
The New Yorker
- How to reach out: http://projects.newyorker.com/strongbox/
- SecureDrop address: strngbxhwyuu37a3.onion
- Mailing address: The New Yorker, 1 World Trade Center, New York, NY 10007
- How to reach out: https://theintercept.com/leak/
- See also https://theintercept.com/2015/01/28/how-to-leak-to-the-intercept/
- SecureDrop address: y6xjgkgwj47us5ca.onion
- Mailing address: The Intercept, P.O. Box 65679, Washington, DC 20035 or The Intercept, 114 Fifth Avenue, 18th floor, New York, NY 10011
- How to reach out: https://news.vice.com/securedrop/
- SecureDrop address: cxoqh6bd23xa6yiz.onion
Sharing information with the press is not always an easy decision, but your information can help to hold powerful people and institutions accountable. Move ahead with a strong understanding of your organization’s capabilities and how to share tips safely.