Best practices for leaking to media.
- Use Signal
Signal (I’m 202-510-1268) is the most thoroughly audited encryption platform and is open-source, meaning the code is public. Many common encryption platforms have encryption added as an afterthought (e.g. WhatsApp), as opposed to having it “baked in” from the beginning of the app’s development (Signal). Should come as no surprise that it is trivial for law enforcement to extract WhatsApp messages during forensics investigation.
2. Set disappearing messages
A big advantage of the Signal app is it allows you to set disappearing messages. Do this immediately so that any correspondence will disappear after the specified timeframe. This ensures evidence of your correspondence is deleted on both ends. Don’t assume that the reporter will wipe the correspondence on their end.
3. Never use your work computer
Many employers install keylogging software. If documents you want to send are only available on your work computer, take a picture of them on your (non-work) smartphone so it doesn’t leave a trace accessible to your employer.
4. Use snail mail
(My office address is 110 Maryland Avenue NE, #308 Washington, DC 20002.) Don’t include a return address, obviously.
5. Do not Google anything related to your leak
Google searches can be subpoenaed. I get that you want to see what effect your leak had, so do this instead: go to a public WiFi (e.g. a coffee shop) connect to Tor and search for the article from there. Tor will anonymize your search.
6. Consider how many people have access to the info you leak
The more people who do, the harder it would be for leak investigators to narrow down the number of potential suspects.
7. Shut the fuck up
Do not tell anyone about your leak. Not even your significant other or best friend. Relationships are dynamic and you cannot know where you will stand years from now. Even assuming they don’t change, what makes someone a good friend does not make them disciplined at maintaining secrecy. Also, why burden them?
8. Don’t follow the reporter on social media
Although I haven’t seen this used as evidence in any indictment, if I was a leak investigator, I’d cross-check my list of suspects with the reporter’s followers.
9. Leave your phone behind
Smartphones are geysers of geospatial information, constantly sending GPS coordinates back to cell towers. If you meet with a reporter at a coffee shop and you both bring your phones, these GPS coordinates could (in theory) be correlated.
Destroy all records once the reporter has received them — screenshots, documents, text messages, anything.