The Ten Leak Commandments

Best practices for leaking to media.

  1. Use Signal

Signal (I’m 202-510-1268) is the most thoroughly audited encryption platform and is open-source, meaning the code is public. Many common encryption platforms have encryption added as an afterthought (e.g. WhatsApp), as opposed to having it “baked in” from the beginning of the app’s development (Signal). Should come as no surprise that it is trivial for law enforcement to extract WhatsApp messages during forensics investigation.

2. Set disappearing messages

A big advantage of the Signal app is it allows you to set disappearing messages. Do this immediately so that any correspondence will disappear after the specified timeframe. This ensures evidence of your correspondence is deleted on both ends. Don’t assume that the reporter will wipe the correspondence on their end.

3. Never use your work computer

Many employers install keylogging software. If documents you want to send are only available on your work computer, take a picture of them on your (non-work) smartphone so it doesn’t leave a trace accessible to your employer.

4. Use snail mail

(My office address is 110 Maryland Avenue NE, #308 Washington, DC 20002.) Don’t include a return address, obviously.

5. Do not Google anything related to your leak

Google searches can be subpoenaed. I get that you want to see what effect your leak had, so do this instead: go to a public WiFi (e.g. a coffee shop) connect to Tor and search for the article from there. Tor will anonymize your search.

6. Consider how many people have access to the info you leak

The more people who do, the harder it would be for leak investigators to narrow down the number of potential suspects.

7. Shut the fuck up

Do not tell anyone about your leak. Not even your significant other or best friend. Relationships are dynamic and you cannot know where you will stand years from now. Even assuming they don’t change, what makes someone a good friend does not make them disciplined at maintaining secrecy. Also, why burden them?

8. Don’t follow the reporter on social media

Although I haven’t seen this used as evidence in any indictment, if I was a leak investigator, I’d cross-check my list of suspects with the reporter’s followers.

9. Leave your phone behind

Smartphones are geysers of geospatial information, constantly sending GPS coordinates back to cell towers. If you meet with a reporter at a coffee shop and you both bring your phones, these GPS coordinates could (in theory) be correlated.

10.  Sanitize

Destroy all records once the reporter has received them — screenshots, documents, text messages, anything.



Posted in Uncategorized | 1 Comment