Having good note taking hygiene


As a follow-up to Solving the First Contact Problem, I wonder what feedback folks have for note taking.

Say you have a good sender-receiver unlinkabile situation and are setting up future meetings in face-to-face interaction, how are you collecting and storing information for your research and story?

  • Note pad at the meetups?
  • Air gapped computer?
  • What else?


Edit: So, after reading through this thread, I've changed my mind. The advantage of paper notes being transparently secure to the source seems really valuable. Maybe the best approach is to take notes on paper and then write them up on a locked-down laptop as soon as possible?

Original post:

Personally, I would prefer a dedicated "air gapped" laptop, since one can easily encrypt the hard drive, whereas with hand written notes you either have to risk getting stopped with them or you can try to make up awkward codes for yourself, which will probably prove unworkable and not very secure.

A used Thinkpad laptop would be ideal for this application - something small like an x60, x200, or x220, which can be had for ~$80, ~$200, and ~$300, respectively on Ebay or a used computer store. They have good battery life (you can purchase Chinese knockoff 6 cell batteries for them that last for 10+ hours). They're easy to disassemble with a jewel screw driver set, which makes it fairly easy to remove the microphone, the Bluetooth antenna, and the WiFi antenna. Newer netbooks that cost as much or more tend to be glued together, so you're more likely tor ruin a good laptop with those.

As for the operating system, any Linux distro with full disk encryption enabled should be fine (use diceware to make a passphrase). You've eliminated most of your potential threats by keeping it off of the internet. However, you still need to be careful about inserting USBs into the machine (they must be clean - only insert newly purchased USBs to extract your notes). If you don't know which Linux distro to choose, just use Tails.

If you want to be more confident in your note taking laptop's security, especially when leaving it somewhere other than on your person, or if you don't like keeping track of whether your USBs are clean, you could install Qubes OS on the machine. However, since Qubes OS is a resource intensive operating system, only the x220 can support it, and you will still need to modify it by replacing the stock RAM (2.7GB) with twin 8GB chips (for a total of 16GB - as much RAM as a brand new fully kitted out MacBook Pro). The good news is that the new RAM will only set you back $32.

If you want a fun project and you like learning about hardware, you could also increase your note taking laptop's security by replacing the BIOS with Libreboot (an open source bios alternative). However, this is probably overkill, since the machine is off the net. If you really like learning new things, try this, otherwise, you're fine. Libreboot only works on the x60 and the x200. If you want Libreboot, but you don't want the hassle, you can buy machines with it pre-installed from "The Ministry of Freedom," which is an outfit that re-furbishes old Thinkpads with Libreboot. Overall, Libreboot is not necessary for this application. The other stuff above may be a good idea.


Your note pad is not encrypted, unless you have a doctor's handwriting :slight_smile:

Use Tails with persistence

(the above, plus)
Airgap the machine by ripping out networking cards (wifi, bluetooth), removing the hard drive, and plugging up the ethernet port.

(the above, plus)
Use Tails on DVD, keep only your persistent partition on a USB stick. (This insures that your Tails OS is non-writable)


Agreed. The cheapest, easiest (but somewhat less secure) go-to solution is just to boot Tails with persistence on your normal laptop.


I'm going to differ slightly.

I think it's probably best to use a cheap notepad (e.g. the 3-for-99-cents type) at the meeting itself, with no electronics present. Then, transcribe the notes to your persistent storage of choice at a later time, and pulp or burn the notebooks in question.

This means both you and your source can be assured of no on-person electronic surveillance during your meeting; notebooks aren't terribly conspicuous, and are cheap to acquire and dispose of; and are also very easy to carry inconspicuously. Plus, having a couple blank notepads on your person all the time is easy and not suspicious - you have the opportunity for meetings that are not previously scheduled.


I was waiting for this.

Reporters know that tech of any kind can spook sources, even for completely innocuous interviews. I feel like the intermittent notepad solves any potential question your source may have, 'Hrm, wonder if they properly gapped this machine??' It also gives them a chance to say, 'Hey what are you going to do with those notes when we're done here.'


The most important thing is to leave one's phone at home. The security trade off or preference of a paper notepad versus a dedicated-note-taking-laptop pales in comparison to the importance of not taking your phone to the meeting, or anything else with a SIM.


Certainly - and I'd note that "no electronics" is a lot more confidence-inducing than "oh, but this laptop is safe" :wink:


Paper can be a great solution. It has the remarkable property that everyone understands exactly how it works and what its vulnerabilities are. You can't say that for any other tech.

But if I were to go with electronics honestly I wouldn't bother with Tails, ripping out the wifi etc. I'd get an iPad and use a note taking app that does not have any sort of network sync capability. And turn off iCloud and fingerprint unlock, and make sure you have a nice long passcode. And set it to airplane mode before heading to the meeting.

I'd rather trust Apple's security engineers than almost anyone else -- especially under-funded open source developers and journalists playing spies. And I feel there's pretty good evidence now that a nation-state adversary will have trouble getting into one of these.


I'm going to agree with @jonathanstray here...

Also, spies use paper. #justsaying


Sure, sure. Paper is a thing! be sure to use the hotel suite tea kettle to pulp your notes properly...


...and beware of the "palimpsest effect" :ghost:


not an iOS person (no shade towards apple; I'm not in the habit of trusting mobile devices of any kind, ironic i know.) What are good apps that don't sync and don't attempt to call back to home base? This would be a good list to have!


Good question @harlo. I wonder how Apple's new "secure notes" feature fares here. http://www.cnet.com/how-to/how-to-secure-the-notes-app-on-ios-9-3/


Good point there. Cheap is the most important bit....we get journalists all the time who have bought an expensive Moleskin and are those very reluctant to rip out pages!


Going to +1 @jonathanstray and @grugq on this one. iOS device without cloud sync, iCloud off, in airplane mode if you're going to go tech.

@grugq I've read a lot of your writing/guides, have you ever done one explicitly on paper? I'd be interested in reading a post on proper opsec management of paper notes/documentation for an operation.


I haven't done anything specifically on paper. It is not something I know too much about, and what I do know is limited to impractical things.

For example, write on a single sheet of paper at a time on a glass surface. This will prevent a copy of your writing getting impressed on anything.

Various issues about how to limit the amount of information on a paper (using coded shorthand and such).

I am not familiar enough with the techniques, or with the workflow of practising journalists, to make recommendations.


I have read (but now can't find the source) about a reporter who simply never wrote a real name down. They replaced names with random letters (e.g. "C said that...") and simply memorized who was who.

This won't stop a real adversary who already knows who you might be talking to and can make guesses based on context, nor will it stand a chance of holding up in court. But it will prevent accidental discovery in the event you lose your notes.

The other piece of advice I've heard is simply, don't write down incriminating information. Remember it. Perhaps write it up later when you get to your secure storage.



I saw these slides and thought about this thread.




On a somewhat related note, how often do you recommend scrubbing old emails, notes and correspondence? I'm not necessarily talking top-secret stuff here, but rather routine correspondence with colleagues, etc. I find it's hard to tell what may be "sensitive" communication in the future, and have heard from a legal standpoint that it helps to have an established pattern of behavior that you follow as a rule, i.e. "sorry not sorry, your honor -- every two months I delete everything as a matter of course."