Sources should not contact advocacy groups using work-related email accounts, computers, or telephones. Whistleblowers who are current employees should use non-work computers scanned for monitoring software or malware that could be used to record their activities. They should also consider using both a secure operating system that they control and an anonymous web browser (such as Tor).
Be careful about how you ask for documents. It’s always better to phrase a request as “How could I obtain documents to back up what you’re saying?” rather than directly ask a source to provide actual documents. For classified documents, note that it might be illegal to instruct or directly aid a source in sharing classified information with someone who does not have the proper clearances or “need to know.”
Handle electronic documents with care. Be careful about transmitting documents electronically, especially if they are going through a third party. Anything sent via email (e.g., Gmail), stored on Google Drive, or added to an internal calendar could be subject to a subpoena issued to the third-party service, which may not be as committed to protecting the identities of its users.
Use Signal or encrypted email for communication and document exchange. Encrypting emails makes it so the content is only readable by you and the recipient. If encrypted properly and without compromise (i.e., free from malware that allows spying on your or the whistleblower’s computer activities), the government will only be able to see the metadata of the email (e.g., the header information containing details about the email recipient and sender, the date and the subject line), but the content of the message will remain encrypted and unreadable.
Use SecureDrop for the most sensitive communications and documents. Journalists who actively communicate with whistleblower sources should consider using SecureDrop, a secure platform developed primarily to protect source communications with journalists, to receive documents. The information remains encrypted until it is transferred to an air-gapped computer that never connects to the Internet.
Store sensitive documents securely. Ideally, sensitive paper documents should be stored in a secured office, safe or locked file cabinet. Electronic documents can be encrypted and stored on a flash drive that can then also be stored in the secured physical location after deleting unencrypted copies stored elsewhere.
Be cautious about original documents. Do not post the originals online, where identifying features could be discovered. Printers leave nearly invisible identifying markings that can be used to track down the source of the disclosure. If you insist on posting sensitive documents, consider re-creating or re-typing your own version for use or disclosure.
Remove metadata from documents or photos posted online. Make sure to remove metadata such as the location where a photo was taken, a watermark, or tracked changes. You can use tools like Document Inspector (which can remove metadata from Microsoft Office files) to remove much of this information. If you are redacting names or other information from a PDF by covering it with black bars, make sure you’ve actually permanently hidden the information: export your file as a JPEG, then make it a PDF again. Otherwise, someone will be able to delete the redactions you made and see the information hidden under them. When hiding an image, covering it with a full black block will always be safer than blurring it.
Do not give original documents, or anything else, to another source while verifying your source’s allegations. You may trust your other contact, but you should not take the risk. Many agencies and businesses have implemented “insider threat” programs to deter and detect perceived threats to information security. These programs encourage employees to report suspicious activity. Be careful even describing the information and how you obtained it to avoid putting your verifying source in a position of choosing between loyalty to you and loyalty to their employer.
Protect your communication with your coworkers about your source. At times, the government and corporate sectors have spied on advocacy organizations to monitor their work and to find their information sources. Locking sensitive files in a dedicated room, locking computers, and using encrypted tools to discuss sensitive issues or the source are all important best practices to implement in the workplace.
Install an app to remotely wipe your phone if it is lost or stolen: activate Android Device Manager on Android devices, and Find My iPhone on iCloud.com for iOS devices.
Be careful about crossing international borders, particularly U.S. borders, with sensitive information on your phone and computer, including names and contacts.