Tag Archives: sources

Sometimes we talk to bad people, and they have to trust us – a podcast talking point

Radiolab’s recent podcast The Buried Bodies Case is a brilliant piece of storytelling. The producers’ newsgathering; the choices of elements and how they are arranged; the tight editing and use of silence — all these make for a masterclass in longform narrative that any journalism student would benefit from exploring.

But it’s not that which prompted me to blog about it.

The content of the podcast is perhaps the best exploration of journalist-source ethics I’ve heard, without it actually being about journalists.

Spoiler alert: if you want to enjoy the podcast without knowing where it goes, then stop here, listen to it, and then come back. Continue reading

Research: regional publishers may be risking their sources and their brands

Whistle with spikes

Journalists say sources are less willing to talk because they are afraid of employers. Image by Terry Border

Local journalists don’t know how to protect their social media accounts, or the law regarding sources, and they don’t know what their employers are doing about online security.

That’s the upshot of research that I conducted with dozens of reporters around the UK – and it’s so important I’ve organised an event to tackle it.

Here are some of the key findings…

Journalists could be compromising colleagues – but they don’t think security affects them

Over the past year it’s been revealed that UK police forces have been accessing regional journalists’ communications, and at least one local authority has used its powers to spy on journalists meeting an employee: security isn’t just about GCHQ and Edward Snowden.

Social media accounts that have been hacked in the past few years include those reporting on subjects as innocuous as entertainment and the weather, while commercial organisations including Microsoft and Vodafone have hacked journalists’ communications when they wrote about them. This week a journalist was found guilty of helping hackers access a newspaper CMS, causing almost $1m in damage.

But local journalists’ and editors’ perception of the issue is that security is “another planet”, there’s no strategy for protecting branded social media accounts, and it is assumed reporters who routinely need to protect their sources are “usually pretty conversant with that kind of issue”.

Unfortunately, on the whole they are not. More than one experienced crime reporter that I spoke to operated on the basis that police requests to access their sources would come through the newspaper. “They’ve never taken action to gain that information from me,” one said.

But the key thing that I’ve discovered is that networked working practices in modern newsrooms mean that information regarding sensitive stories can still be accessed through communications with colleagues who do not consider security to affect them.

1 in 5 lack even basic password security

Despite feeling that security issues did not affect them, around half of journalists had made some changes to their behaviour online in the past year.

But a significant proportion of journalists were not even using different passwords for different accounts – one of the most basic security practices.

22% of journalists do not use different passwords for different accounts


16% of journalists did not do any of the following: use different passwords, clear their browser history, turn off cookies, turn off geolocation or use enhanced privacy settings on social media.

What are publishers doing about information security?

Despite hundreds of journalists and many editors signing Press Gazette’s Save Our Sources petition last year, there is no indication of leadership or communication from the top on the issue of source protection.

Journalists overwhelmingly said that they did not know what their organisation was doing about internet security. But perhaps more importantly, editors did not know either. “I should know the answer to that,” said one, “and it’s worrying that I don’t.”

88% of journalists do not know what their employers are doing regarding security

31% of journalists said their employer was doing enough to protect employees and sources


Strangely, even though only 4% of respondents said that their employers had taken steps in the last 12 months on the issue, almost a third of respondents made the leap of faith to say that their employers were “doing enough”.

Newsroom processes aren’t set up for modern law and technology

One thing became very clear: newsrooms and work processes are still set up for an analogue world where protecting sources is a reactive process. Discussions about sensitive sources focus on a potential legal defence if approached directly. No processes are in place to anticipate or prevent sources’ identities being accessed indirectly.

Likewise IT policies focus on protecting email – but there is little consideration to securing social media accounts.

And journalists felt unable to advise sources who were unwilling to talk because of workplace surveillance and contracts with ‘gagging’ clauses.

What I’m doing about it

I’ve organised an event to try to begin to address these issues, with people who have been directly affected, experts on law (including employment law) and people who can advise on the technical side. It’s in Salford at BBC in Media City on Friday November 6 – you can sign up here.

Protecting whistleblowers, anonymity – and Daniel Ellsberg. Day 2 of the Logan Symposium

In a guest post for the Online Journalism Blog, Natalie Leal reports on Day 2 of the Logan Symposium on secrecy, surveillance and censorship. You can find a post about Day 1 here.

The surprise of the Logan Symposium‘s second day was the appearance of Pentagon Papers whistleblower Daniel Ellsberg, who leaked those documents in 1971. “Secrets are not kept so much by technical means but by people,” he said. Continue reading

Four examples of different threat models

My post on threat models for journalists is quite lengthy, so I thought I’d put the sample threat models from that in their own, separate post. Here they are – note that these are very simple, sketchy threat models and you would want to expand on these. But hopefully they provide a starting point. I’d also recommend checking out this resource from Privacy for Journalists.

What info do you want to keep? Passwords. Why might someone want it? To spam. What can they do? Guess password, phishing. What might happen? Damage to brand, trust.

A basic threat model for anyone with access to a key social media account – or colleagues who do.

What info do you want to keep? Communication with sources. Why might someone want it? To prevent publicaiton, smear. What can they do? Guess/hack password, phishing, legal avenues. What might happen? Story killed, credibility, trust.

This is an example of a threat model for anyone who deals with protestors, complainants, or others who might be targets of others

What info do you want to keep? Identity/location of sources. Why might someone want it? To intimidate, attack, smear. What can they do? Guess/hack password, phishing, metadata, mobile trail, more. What might happen? Source attacked, imprisoned, trust.

When dealing with whistleblowers, leaks, or sources in oppressive regimes, you need to protect identity and location. Here’s a sample threat model for that.

What info? Documents. Why? To prevent publication, identify sources. What can they do? Guess, hack, phish passwords for cloud services. Legal avenues etc. What might happen? Story killed, credibility damaged, sources don't trust.

When working with documents, you may need to prevent others getting access to them. Here’s a sample threat model for that.

A lesson from Superstorm Sandy: How to find sources using social media

By Ian Silvera

In a world where an extraordinary amount of people own smartphones, it’s easier than ever to connect instantaneously with those affected by significant news events wherever you happen to be based. But what tools can help reporters find those affected?

Simple searches on Twitter or Facebook may present too many ‘junk leads’ to wade through. Tools like TweetDeck are better, but what if you were able to find social media users more quickly through geolocation? Surely that would be a much more efficient method?

There are numerous websites out there that offer this functionality.

Continue reading

Dispatches’ Watching the Detectives: why journalists should be worried about the Communications Data Bill

Consider these two unrelated events:

  1. A bill is proposed to record every contact (and possibly search) made by every UK citizen, to be available to law enforcement agencies and stored by communication service providers
  2. An inquiry into press standards and a leaked Home Office report both uncover the ease with which private investigators can access personal records through law enforcement and other agencies

I’m worried about 1. because of 2. And tonight’s Dispatches: Watching the Detectives does a particularly good job of illustrating why. It is “the ease and extent to which the unregulated private investigation industry is willing to acquire personal data for a price” – not just from the police services, but the health services, benefits system, and other bodies, including commercial ones such as communications service providers (for an illustration of the data security of private companies, witness the Information Commissioner’s Office targeting them after a series of data protection breaches).

If you’re a journalist, student journalist or blogger with any interest in protecting your sources, you should be watching the Communications Data Bill closely and understanding how it affects your job.

In the meantime, it’s also worth developing some good habits to protect your stories and your sources against unwanted snooping. More on my Delicious bookmarks under ‘security’.