Security considerations for confidential tip pages
Dr. Martin Shelton
March 5, 2024
Confidential tip pages are a great resource for journalists, making their tip channels available to would-be sources all in one place. While these tip pages can be found on the websites of many news organizations and even some individual journalists, reporters can do a great deal to gather more tips, and better protect sources.
Screenshot from The New York Times' confidential tip page.
We know most of the material that filters through newsroom tip lines are noise, and even useful tips are not necessarily sensitive. But occasionally information shared through tip lines or in conversations with journalists could put sources at risk of retaliation. However, it’s not always apparent when a source or tip is sensitive. We can minimize risk by taking a more proactive security posture by default, and ensuring sources have the information they need to make an informed decision when reaching out.
Threats to press freedom around the world are at an all-time high. Sign up to stay up to date and take action to protect journalists and whistleblowers everywhere.
Thanks for signing up for our newsletter. You are not yet subscribed! Please check your email for a message asking you to confirm your subscription.
Think about who your source is likely to upset by sharing details for a story — maybe their employer, or another group they are affiliated with. If you were to publish information that could link back to this source, ask yourself a few questions:
If a source has a tip about a small, under-resourced outfit (e.g., a local restaurant), they can reach out essentially anywhere outside of work with minimal fear of retaliation. However, if the concern is a better resourced investigator (e.g., a large, famously litigious company) they’ll need to be much more mindful about how to reach out safely.
Just like sending a postcard, the content of any message sent through the web can often be read by intermediaries. Likewise, intermediaries require certain types of information about the message, such as the name and address of the recipient, to ensure it gets to its destination. We call this metadata — information about the conversation, such as who spoke to whom, and when they spoke.
News organizations will typically accept ordinary phone calls, emails, or Twitter DMs for tips. These channels are fine for many conversations, particularly sources who offer tips that are not sensitive, and whose identities don’t need to be concealed in publication. The issue with using these platforms to gather sensitive or confidential tips is they are not end-to-end encrypted, meaning that the service provider can eavesdrop on the conversation without any issue. Some simple chat tools (e.g., Signal) offer end-to-end encryption that can be easily accessible to less technical sources.
However, even end-to-end encryption does not mean the participants in conversation are anonymous. If someone truly doesn’t want to be recognized in conversation with the newsroom — either by the newsroom itself, or intermediary service providers — they need to take extra precautions to be sure they don’t “out” themselves with a trail of metadata.
Metadata is a necessary part of how all messages are delivered on the web. But much like we don’t have to write the return address on an envelope, there are some techniques anyone can use to make metadata less useful to eavesdroppers.
In any tip page, journalists ought to list some baseline precautions. For essentially everyone, this means…
It might sound obvious, but .
Regularly placing information about tips in social media feeds and print is one way to ensure someone doesn’t have to look hard for this information. This also minimizes the risk to sources. When, without conscious effort, anyone can stumble over information about how to reach out to your organization, would-be sources have much more plausible deniability.
Think about it: If your source isn’t searching for tip pages, they can leave behind fewer digital breadcrumbs, such as browser history, connection logs stored by the Internet Service Provider, or websites visited along the way (e.g., by googling the tip page). Advertising widely has clear benefits to both the newsroom and would-be sources.
https://web.archive.org/web/20200321044010/https://twitter.com/nytimes/status/1241223028006105088
For example, the New York Times regularly tweets links to its tip page, and their Twitter profile includes a link to its tip page. Twitter may log who clicked on the link, but this approach introduces more plausible deniability.
Print media should also proactively advertise confidential tip channels. For example, The Globe and Mail advertises its SecureDrop on the front page of its print edition.
This also matters for getting unfamiliar sources to contact you from safer channels, the very first time they reach out. Why does this matter? Conversations with sources can quickly move from mundane to sensitive, and it’s generally easier for everyone to have chosen reasonably safe channels from the outset. When you don’t, it makes safe conversations with some of your most interesting sources much more complicated.
https://web.archive.org/web/20221215182842/https://twitter.com/normative/status/1005104335913734144
When it comes to your readers’ privacy, there’s a big difference between tips.nytimes.com and nytimes.com/tips. One introduces needless risk to readers, while the other is benign. What’s the big deal?
Most modern news websites now offer HTTPS (e.g., ://freedom.press), which helps secure users’ browsing traffic between their computer and the website itself. However, the fact that someone visited an HTTPS website is still visible to intermediaries, such as the Internet Service Provider (e.g., Comcast, Verizon). How’s this possible?
When you connect to a website, something called the Domain Name Service (DNS) is working in the background to ensure that the name you type in (e.g., https://freedom.press) will automatically connect to a number (e.g., 172.67.6.99) associated with the server where the website is hosted. In the course of connecting, DNS needs to see the domain name the user is trying to access. Internet Service Providers provide DNS for their customers, and can therefore see what websites users connect to.
To the Internet Service Provider, DNS requests to subdomains (e.g., tips.nytimes.com) look different than domain names (e.g., nytimes.com). That’s why there’s a big difference between tips.nytimes.com and nytimes.com/tips — while the first web address reveals this request is directed to the tip section of the media organization’s website, the second reveals that someone is requesting something on nytimes.com. The first URL signals the reader is potentially curious about sending a tip, but the second looks like a simple visit.
The short version: To better protect would-be sources, news organizations should place tip pages on their website’s subdirectory (e.g., nytimes.com/tips) rather than create a subdomain for tips.
While you don’t want to scare folks away, to ensure they’re reaching out safely it’s important to share the properties of the communication channels you support. In practice this means describing the advantages and disadvantages of each channel as concisely as possible.
At Freedom of the Press Foundation, we surveyed over 80 news organizations’ secure tip pages to learn what communications channels they support for accepting tips. Newsrooms commonly support a small handful of tools that help facilitate private conversations, and that can obscure the identity of the sender. These tools include encrypted messaging apps, Signal and WhatsApp, secure emails with PGP encryption, postal mail, as well as SecureDrop, the whistleblowing submission system. To ensure sources reach out safely, it's necessary to outline some of the benefits and tradeoffs of these channels.
Signal is a free and open source encrypted messaging app for Android and iOS. Signal supports end-to-end encryption for text messages, voice, and video calls. It also has a convenient “disappearing messages” feature that allows for messages in a conversation to self-destruct after a set amount of time, from seconds, to a full week. Signal is considered one of the most secure messaging apps in widespread use, and is designed to keep as little user data as possible.
While Signal retains nearly no metadata and provides some powerful techniques for obscuring the participants in conversation, secure tip pages should note that Signal is not designed to facilitate complete anonymity.
Signal gives users the option to enable usernames. If sources do not want to share their personal phone number with media organizations, they should enable a username before reaching out.
For media organizations that have not yet enabled a Signal username, it’s important to understand that sources can also inadvertently put your organization’s phone number in their phone’s contact list, which in some situations may place them at risk if their device is ever seized or if their contact list is uploaded to a cloud service provider like Google Drive or iCloud. This is also a good reason for newsrooms to consider using Signal usernames by default.
With over two billon users, WhatsApp is the most widely used communication app in the world to support end-to-end encryption for Android and iOS. Under the hood, it purportedly uses the same encryption protocol as Signal.
WhatsApp makes it easy to accidentally upload users’ unencrypted messages to backup services, such as iCloud or Google Drive, potentially leaking users’ conversations. Tip pages should warn users to ensure their backups are turned off within the app’s settings.
WhatsApp also retains a lot more metadata than Signal (e.g., users’ contact lists), and shares this data with its parent company, Facebook. The company may be forced to hand over this data in compliance with a law enforcement request. If sources are looking for anonymity, it is therefore important to caution sources not to use WhatsApp, and to instead reach out through SecureDrop.
Email is a lot like sending a postcard: Anyone who picks it up along the way can give the message a read. It takes some getting used to, but PGP (Pretty Good Privacy) can help address this problem.
PGP allows users to encrypt messages and files to specified recipients. While it can be used to send encrypted messages over other channels, it's most commonly used over email. Users generate a public key, a file which can be used to encrypt messages and can be shared publicly, and a private key, a file used to decrypt messages, and must be kept secret. This arrangement allows savvy users to email newsrooms securely.
While PGP can be used over other channels, news organizations accept PGP primarily over email. This means all of the usual issues with email persist: The participants in conversation are visible to the email service providers, and some intermediaries. News organizations should therefore warn users that PGP email subject lines, and the identities of the users in conversation are not end-to-end encrypted. Users should also consider using a new email that is separate from their persistent identity.
Likewise, it might be worthwhile to simply caution unfamiliar users that PGP requires some technical know-how.
Sending in physical mail can be a convenient and low-tech way to share documents, or even media with newsrooms (e.g., over a small USB device or SD card). Postal mail also has a somewhat unique advantage: It doesn’t necessarily require the sender to identify themselves.
In the United States, the main issue with postal mail is that the U.S. postal service scans each parcel’s exterior. If they are concerned about withholding their identity, secure tip pages should caution sources not to use a return address on the envelope. They can still, however, optionally keep their contact details for continued correspondence inside of the envelope.
Because the location of each parcel is so closely monitored, sources may want to use a postal drop-off point that they don’t use every day. Newsrooms should also be aware that printed workplace materials may also be risky to share in print, as many printers will stamp paper with nearly-invisible tracking dots, which can be used to identify documents and print dates. (See The Intercept’s tip page for suggested language.)
Unlike other digital tip channels, SecureDrop is designed to support source anonymity by default. By encrypting and tunneling traffic over the Tor anonymity network, newsrooms can host a secure dropbox. Any tips sent to this dropbox can only be decrypted on a special, hardened machine that is disconnected from the web. This allows sources to reach out anonymously with fairly little effort, while the newsroom isolates potentially dangerous software on their “offline” computer.
Sources should know that when using SecureDrop, the Internet Service Provider (e.g., Comcast) can’t tell what they’re doing, but they can still tell the user is using Tor. This might be a problem if you are connecting from a network where Tor traffic draw suspicion from the network administrator, or the local government. (For example, in some countries there are few users making connections over Tor, which could call unwanted attention to those users.)
To maintain real anonymity, sources should also take care to remove metadata from any documents they submit — for example, by taking a screenshot of a document and sharing the screenshot, rather than sharing the original document. Read this, or reach out to Freedom of the Press Foundation to learn more about metadata redaction techniques.
Speaking about the tradeoffs of each channel is a great way to demonstrate that the newsroom takes tips seriously, and in turn, reassures sources about their relative safety when reaching out. Likewise, we know sources will reach out over channels that are not necessarily safe or appropriate for the information that they’d like to share. Advertising your channels widely and their tradeoffs will invite more tips, help sources build confidence they are reaching out over appropriate channels, and help journalists accept more tips with relative safety.
Read more about how to minimize risk to sources reaching out through secure tip pages. You can also reach out to our Digital Security Training team to learn more about building secure tip pages, or for assistance setting up tip lines.