How to protect off-the-record information

Mar 6, 2019 in Digital and Physical Safety
Two men talking

The concept of off-the-record material can be confusing for sources, the public and journalists alike. It represents a pitfall for dangerous misunderstandings, and often deals with sensitive information that needs to be adequately protected.

Dr. Suelette Dreyfus is a journalist and a researcher in cybersecurity and privacy at the University of Melbourne who co-authored The Perugia Principles on working with whistleblowers. She defines off-the-record as “not to be published unless consent is given by the source.”

“Then I know I have to double check it, plus it has the added benefit of forcing me to be rigorous about making sure the quotes are exactly right, and complex topics are crystal clear to me,” she says.

Philip di Salvo, a freelance journalist and lecturer at Università della Svizzera Italiana’s Institute of Media and Journalism in Switzerland who specializes in digital security and surveillance, agrees that off-the-record information is usually shared with journalists under the condition that it will not be published in any form. He urges colleagues to avoid the practice, as sources may leak information in an attempt to manipulate the news.

The most common off-the-record scenario, Dreyfus says, is journalists being contacted by an insider who will  disclose sensitive information on something the journalist has not understood, especially when it comes to broader investigations.

“That might be a giant original story, or it might be an angle or subtext on an existing story, such as an invisible hand behind an action,” she explains.

That material then poses three big reporting challenges: first, negotiating what can be used and attributed; second, how to securely store the data; and third, if the source is at risk, walking them through basic training to improve the level of cybersecurity of data and communications.

“That might take an hour or more of your time to do, and might make a source jittery. But it’s important. And today, [it’s] part of source protection,” Dreyfus says.

Source protection in the digital age is a complex issue, and Di Salvo says it also depends on the threat model of the single journalist. “[T]he security set up for someone investigating a local corruption case is very different from the one of a reporter receiving information from an intelligence whistleblower,” he explains.

In any case, it’s important to be conscious about any potential risk, and to be cautious. Here is some advice from the two experts:

Define and evaluate “off the record”

When it comes to off-the-record conversations, it’s important to have an explicit agreement in place with a source, especially if it’s a sensitive one who may be vulnerable to retaliation.

“A confidential source, with whom you have a close and long-standing relation, for instance, could differentiate between on and off the record information, depending on the case,” Di Salvo says.

The greatest challenge is to understand why you’re receiving that information and why you’re prevented from covering it. Sources could leak information for political or personal gains and it’s important to understand if it’s bona fide news, or just an attempt at getting a partisan message amplified through the news.

Keep communications encrypted

Encryption is one of the best ways to keep sensitive information safe. On phones, both Dreyfus and Di Salvo suggest using the messaging app, Signal.

“[Signal] shields communications from indiscrete eyes and makes them only available through the source and the journalist’s devices, without even granting access to the manufacturing companies,” says Di Salvo.

For online chats that also need to be anonymous, Dreyfus recommends Ricochet IM for desktop, as an option. “It uses Tor [software]. It’s not perfect anonymity, but it’s better than not using it,” she says.

Never talk to a sensitive source on social media, not even in private chats, she warns.

Whistleblowing platforms, like GlobalLeaks or SecureDrop, are also a potential solution, and almost all British and American news organizations already use them, according to Di Salvo.

“In these cases, media outlets can launch some drop boxes online where sources and whistleblowers can forward information anonymously, thanks to Tor protection,” he explains.

Handle data safely

Keep your stored data encrypted, transcribe handwritten notes for sensitive stories to text files and encrypt them, too, Dreyfus suggests. “Don’t cross international borders without a fully encrypted-with-strong-password phone, tablet and [computer],” she adds.

Also, do not forget to delete data securely, when a source asks or when you think it is wise to do so. “That isn’t just dropping a file in a desktop bin and clicking ‘empty trash.’ It takes some research to do it correctly, and it may require physically destroying a hard drive for sensitive info,” she explains.

Take responsibility, assess risks for you and your sources, and respond appropriately.

Main image CC-licensed by Unsplash via LinkedIn Sales Navigator.