Leaking on the clock: What your sources need to know

David Huerta 2019

Digital Security Trainer

Art lab punch clock

Photo by Bernard Polet.

Last week, Eric Trump tweeted a screenshot of an email that circulated through the Trump Organization by Washington Post reporter David Fahrenthold. Although the tweet sensationalized Fahrenthold’s emails, it should fall short of qualifying for reality TV levels of drama, since reporters do this sort of thing all the time.

Want someone to give you the scoop on a company you're investigating? Start by letting the people who work there know you're ready to take that scoop. However, these emails can lead to a tragic ending, if a trail of data between a reporter and their source leaves evidence that could get them fired.

Let's take a look at what can go wrong, and how to land on a happier ending instead.

Scenario 1: They hit the reply button

“The 'e' in 'email' stands for 'evidence'" - Cybersecurity proverb

When people receive a curious email, it’s not unusual to reply with a follow-up. The source could reply to ask how to use the "encrypted apps" Fahrenthold mentions or, not yet knowing why encrypted apps should be preferred, could start spilling the tea right in the email thread.

You, concerned journalist, reply and let them know that they should contact you over a more secure channel, such as Signal or SecureDrop, and maybe they do.

But fast forward to the end of the season: They're fired. What happened?

Of course email is accessible on the computer you view it from, but it’s also accessible to computers that belong to the email provider—in other words, the email server.

When a potential source emails you from their work address, they’re probably emailing you and their employer, whether they intended to or not.

Although there's some variation between the technology protocols being used behind the scenes to store and transfer email between servers, we should assume that any message a would-be source receives, sends, deletes or drafts can be viewed by their employer. In fact, services like Google Vault, a feature available to companies using Google's G Suite, even lets employers to see every revision made to a message saved in their drafts.

Scenario 2: They use an encrypted messenger app like Signal... on their employer's Wi-Fi network

When we connect to workplace Wi-Fi, we’re typically giving the network administrator tremendous power to monitor our online activity. In fact, encrypted messaging apps are still noticeable to network administrators, even if they can’t read the messages being sent.

Circling back to encrypted messaging apps, Signal is a fantastic resource for truly confidential conversations between journalists and their sources. Unlike email, Signal messages are "end-to-end encrypted," meaning no one beyond the sender and recipient can read the messages—not even the owners of Signal.

Although messages and other metadata are protected from eavesdropping by Signal itself, its usage may be detectable by the operator of the network you're connected to.

On a smartphone, this network can be the cell phone network or the Wi-Fi network. If a source is using a Wi-Fi network operated by their employer, their boss won't be able to see what they're saying on Signal, but may be able to see that they're using it and, in the case of work-provisioned smartphones, possibly more. Although Signal is popular among security enthusiasts and many journalists, it's far less popular than other messenger apps and may stick out to a network administrator in a sea of otherwise normal-looking online activity.

Using a network that your employer controls means the network administrator can see some degree of your online activity. And even encrypted activity may be telling about what you could be up to.

In 2013, an anonymous bomb hoax by a Harvard student was thwarted by the FBI, not because they could see the threat came from him, but because he was the only person using the Tor anonymity network over Harvard's Wi-Fi network when the threat was made. Tor is encrypted, giving the user a secure connection to the web. But even if a network administrator can’t tell what a Tor user is doing with it, the usage of Tor itself is detectible. The student’s connection to the Tor network was suspicious enough to narrow down the list of potential suspects to one person on the Harvard network.

This, however, becomes less of a problem the more people use Tor, since the more common an online activity is, the less suspicious it is. Same thing goes for Signal. Ubiquitous use of tools like Tor and Signal can give potential whistleblowers a kind of herd immunity from being singled out for using them, and we can all help them out by normalizing their use. So, even if we're only using them for particularly bland chats and searches: Use Signal, use Tor.

Speaking of Tor...

Scenario 3: They use SecureDrop, but from their work computer.

Much to the delight of many of my colleagues, Fahrenthold suggests using SecureDrop, a whistleblowing platform actively developed right here at Freedom of the Press Foundation. SecureDrop is designed to go beyond confidentiality and provides a way to communicate with sources whose anonymity is enforced by its design, rather than by a mere promise. SecureDrop sites (such as the one the Washington Post operates) rely on the Tor network for anonymity, the recommended way to use it is through the Tor Browser, a web browser similar to Firefox, but designed to only operate within the Tor network.

Aside from the aforementioned detectability of anonymous Tor usage on an employer's network, the Tor Browser itself may look suspicious if found on a work computer. Many employers have a means of monitoring and operating their computers using remote PC access software, and see everything a source can see on their work computer's screen. Including their conversations with you or a visit to a tips page.

Consider asking your sources not to reach out to you from work

Ultimately, the panopticon of the modern workspace and work-provisioned computers and smartphones leave little room for whistleblowing on the clock, which is why SecureDrop landing pages generally include a recommendation to use it from a place with public internet, rather than a work or home computer that can potentially be traced back to you. When soliciting potential sources, this is an important recommendation to include.

Cold-emailing potential sources at a company you're investigating is a time-honored tradition, but a tradition that should be updated to take the dangers of modern workplace surveillance into consideration and let sources know how to reach out without getting fired.

If your news organization doesn’t have a SecureDrop instance, check out our online documentation on how to get started, or reach out to us to learn about more options for secure tip lines and source protection.

Photo by Bernard Polet. CC BY-NC-ND 2.0