Security considerations for confidential tip pages

Martin Shelton

Principal Researcher

Header image showing pattern of mail envelope icons

Confidential tip pages are a great resource for journalists, making their tip channels available to would-be sources all in one place. While these tip pages can be found on the websites of many news organizations and even some individual journalists, reporters can do a great deal to gather more tips, and better protect sources.

Screenshot from The New York Times' confidential tip page.

Screenshot from The New York Times' confidential tip page.

When is a secure tip line needed?

We know most of the material that filters through newsroom tip lines are noise, and even useful tips are not necessarily sensitive. But occasionally information shared through tip lines or in conversations with journalists could put sources at risk of retaliation. However, it’s not always apparent when a source or tip is sensitive. We can minimize risk by taking a more proactive security posture by default, and ensuring sources have the information they need to make an informed decision when reaching out.

Think about who your source is likely to upset by sharing details for a story — maybe their employer, or another group they are affiliated with. If you were to publish information that could link back to this source, ask yourself a few questions:

  • What kind of resources might an investigator have to look into the source? (E.g., time on their hands, and technical, financial, or legal resources)
  • How likely is it that a would-be investigator actually investigates?
  • What are the likely consequences for the source? (E.g., a slap on the wrist, excommunication, loss of livelihood)

If a source has a tip about a small, under-resourced outfit (e.g., a local restaurant), they can reach out essentially anywhere outside of work with minimal fear of retaliation. However, if the concern is a better resourced investigator (e.g., a large, famously litigious company) they’ll need to be much more mindful about how to reach out safely.

Just like sending a postcard, the content of any message sent through the web can often be read by intermediaries. Likewise, intermediaries require certain types of information about the message, such as the name and address of the recipient, to ensure it gets to its destination. We call this inevitable metadata — information about the conversation, such as who spoke to whom, and when they spoke.

News organizations will typically accept ordinary phone calls, emails, or Twitter DMs for tips. These channels are fine for many conversations, particularly sources who offer tips that are not sensitive, and whose identities don’t need to be concealed in publication. The issue with using these platforms to gather sensitive or confidential tips is they are not end-to-end encrypted, meaning that the service provider can eavesdrop on the conversation without any issue. Some simple chat tools (e.g., Signal) offer end-to-end encryption that can be easily accessible to less technical sources.

However, even end-to-end encryption does not mean the participants in conversation are anonymous. If someone truly doesn’t want to be recognized in conversation with the newsroom — either by the newsroom itself, or intermediary service providers — they need to take extra precautions to be sure they don’t “out” themselves with a trail of metadata.

Metadata is a necessary part of how all messages are delivered on the web. But much like we don’t have to write the return address on an envelope, there are some techniques anyone can use to make metadata less useful to eavesdroppers.

Journalists can help sources avoid stepping on a rake by listing some precautions. For essentially everyone, this means…

  1. Don’t reach out from work. Avoid workplace devices, online accounts, or networks.
  2. Don’t reach out over any channel your employer can likely see (e.g., Facebook groups, Twitter).
  3. Keep your circle small. The fewer people who know about your tipping activities, the better.

Marketing successfully

While you don’t want to scare folks away, to ensure they’re reaching out safely it’s important to share the properties of the communication channels you support. In practice this means describing the advantages and disadvantages of each channel as concisely as possible.

It might sound obvious, but the secure tip page needs to be widely marketed.

Regularly placing information about tips in social media feeds and print is one way to ensure someone doesn’t have to look hard for this information. This also minimizes the risk to sources. When, without conscious effort, anyone can stumble over information about how to reach out to your organization, would-be sources have much more plausible deniability.

Think about it: If your source isn’t searching for tip pages, they can leave behind fewer digital breadcrumbs, such as browser history, connection logs stored by the Internet Service Provider, or websites visited along the way (e.g., by googling the tip page). Advertising widely has clear benefits to both the newsroom and would-be sources.

For example, the New York Times regularly tweets links to its tip page, and their Twitter profile includes a link to its tip page. Twitter may log who clicked on the link, but this approach introduces more plausible deniability.

Likewise, The Markup invites readers to reach out, prominently in-line on their front page.

Screenshot of an in-line graphic reading, "Have a Tip?" from the front page of The Markup

Print editions should do the same. For example, The Globe and Mail advertises its SecureDrop on the front page of its print edition.

SecureDrop advertisement on the front page of The Globe and Mail.

This also matters for getting unfamiliar sources to use from the right channel, the very first time they reach out. Why? Conversations with sources can quickly move from mundane to sensitive, and it’s generally easier for everyone to have chosen reasonably safe channels from the outset. When you don’t, it makes safe conversations with some of your most interesting sources much more complicated.

The web address format matters

When it comes to your readers’ privacy, there’s a big difference between tips.nytimes.com and nytimes.com/tips. One introduces needless risk to readers, while the other is benign. What’s the big deal?

Most modern news websites now offer HTTPS (e.g., https://freedom.press), which helps secure users’ browsing traffic between their computer and the website itself. However, the fact that someone visited an HTTPS website is still visible to intermediaries, such as the Internet Service Provider (e.g., Comcast, Verizon). How’s this possible?

When you connect to a website, something called the Domain Name Service (DNS) is working in the background to ensure that the name you type in (e.g., https://freedom.press) will automatically connect to a number (e.g., 172.67.6.99) associated with the server where the website is hosted. In the course of connecting, DNS needs to see the domain name the user is trying to access. Internet Service Providers provide DNS for their customers, and can therefore see what websites users connect to.

To the Internet Service Provider, DNS requests to subdomains (e.g., tips.nytimes.com) look different than domain names (e.g., nytimes.com). That’s why there’s a big difference between tips.nytimes.com and nytimes.com/tips — while the first web address reveals this request is directed to the tip section of the media organization’s website, the second reveals that someone is requesting something on nytimes.com. The first URL signals the reader is potentially curious about sending a tip, but the second looks like a simple visit.

The short version: To better protect would-be sources, news organizations should place tip pages on their website’s subdirectory (e.g., nytimes.com/tips) rather than create a subdomain for tips.

Speaking to the tradeoffs

At Freedom of the Press Foundation, we surveyed over 80 news organizations’ secure tip pages to learn what communications channels they support for accepting tips. Newsrooms commonly support a small handful of tools that help facilitate private conversations, and that can obscure the identity of the sender. These tools include encrypted messaging apps, Signal and WhatsApp, secure emails with PGP encryption, postal mail, as well as SecureDrop, the whistleblowing submission system. To ensure sources reach out safely, it's necessary to outline some of the benefits and tradeoffs of these channels.


Signal

Signal logo

Why Signal?

Signal is a free and open source encrypted messaging app for Android and iOS. Signal supports end-to-end encryption for text messages, voice, and video calls. It also has a convenient “disappearing messages” feature that allows for messages in a conversation to self-destruct after a set amount of time, from seconds, to a full week. Signal is considered one of the most secure messaging apps in widespread use, and is designed to keep as little user data as possible.

What should they know about the tradeoffs?

While Signal retains nearly no metadata and provides some powerful techniques for obscuring the participants in conversation, secure tip pages should note that Signal is not designed to facilitate complete anonymity.

Signal is also working to make it easier for users to withhold their phone number from conversational partners, but Signal currently uses your phone number as the “username.” This could be a problem if a source or journalists’ device is seized in an investigation, or if their contact list is automatically backed up to a cloud service, such as Google Drive. It may therefore benefit sources to tell them to only put the newsroom tip number into the Signal app. (See ProPublica’s tip page for suggested language.)


WhatsApp

WhatsApp logo

Why WhatsApp?

With over 2 billon users, WhatsApp is the most widely used communication app in the world to support end-to-end encryption for Android and iOS. Under the hood, it purportedly uses the same encryption protocol as Signal.

What should they know about the tradeoffs?

WhatsApp makes it easy to accidentally upload users’ unencrypted messages to backup services, such as iCloud or Google Drive, potentially leaking users’ conversations. Tip pages should warn users to ensure their backups are turned off within the app’s settings.

WhatsApp also retains a lot more metadata than Signal (e.g., users’ contact lists), and shares this data with its parent company, Facebook. The company may be forced to hand over this data in compliance with a law enforcement request. If sources are looking for anonymity, it is therefore important to caution sources not to use WhatsApp, and to instead reach out through SecureDrop.


Encrypted email, with PGP

PGP email icon

Why PGP?

Email is a lot like sending a postcard: Anyone who picks it up along the way can give the message a read. It takes some getting used to, but PGP (Pretty Good Privacy) can help address this problem.

PGP allows users to encrypt messages and files to specified recipients, and is typically associated with email. Users generate a public key, a file which can be used to encrypt messages and can be shared publicly, and a private key, a file used to decrypt messages, and must be kept secret. This arrangement allows savvy users to email newsrooms securely.

Speaking to the tradeoffs

While PGP can be used over other channels, news organizations accept PGP primarily over email. This means all of the usual issues with email persist: The participants in conversation are visible to the email service providers, and some intermediaries. News organizations should therefore warn users that PGP email subject lines, and the identities of the users in conversation are not end-to-end encrypted. Users should also consider using a new email that is separate from their persistent identity. (See ProPublica’s tip page for suggested language.)

Likewise, it might be worthwhile to simply caution unfamiliar users that PGP requires some technical know-how.


Postal mail

Mail icon

Why postal mail?

Sending in physical mail can be a convenient and low-tech way to share documents, or even media with newsrooms (e.g., over a small USB device or SD card). Postal mail also has a somewhat unique advantage: It doesn’t necessarily require the sender to identify themselves.

Speaking to the tradeoffs

In the United States, the main issue with postal mail is that the U.S. postal service scans each parcel’s exterior. If they are concerned about withholding their identity, secure tip pages should caution sources not to use a return address on the envelope. They can still, however, optionally keep their contact details for continued correspondence inside of the envelope.

Because the location of each parcel is so closely monitored, sources may want to use a postal drop-off point that they don’t use every day. Newsrooms should also be aware that printed workplace materials may also be risky to share in print, as some printers will stamp paper with nearly-invisible tracking dots, which can be used to identify documents and print dates. (See The Intercept’s tip page for suggested language.)


SecureDrop

SecureDrop logo

Why SecureDrop?

Unlike other digital tip channels, SecureDrop is designed to support source anonymity by default. By encrypting and tunneling traffic over the Tor anonymity network, newsrooms can host a secure dropbox. Any tips sent to this dropbox can only be decrypted on a special, hardened machine that is disconnected from the web. This allows sources to reach out anonymously with fairly little effort, while the newsroom isolates potentially dangerous software on their “offline” computer.

Speaking to the tradeoffs

Sources should know that when using SecureDrop, the Internet Service Provider (e.g., Comcast) can’t tell what they’re doing, but they can still tell the user is using Tor. This might be a problem if you are connecting from a network where Tor traffic may make the network administrator, or the local government, suspicious. (For example, in some countries there are few users making connections over Tor, which could call unwanted attention to those users.)

To maintain real anonymity, sources should also take care to remove metadata from any documents they submit — for example, by taking a screenshot of a document and sharing the screenshot, rather than sharing the original document. Read this, or reach out to Freedom of the Press Foundation to learn more about metadata redaction techniques.

Safeguard sources while getting stories

Speaking about the tradeoffs of each channel is a great way to demonstrate that the newsroom takes tips seriously, and in turn, reassures sources about their relative safety when reaching out. Likewise, we know sources will reach out over channels that are not necessarily safe or appropriate for the information that they’d like to share. Advertising your channels widely and their tradeoffs will invite more tips, help sources build confidence they are reaching out over appropriate channels, and help journalists accept more tips with relative safety.

Read more about how to minimize risk to sources reaching out through secure tip pages. You can also reach out to our Digital Security Training team to learn more about building secure tip pages, or for assistance setting up tip lines.

Donate to protect press freedom.

Your support is more important than ever.