There are now lots of journosec training materials for journalists. Less so for sources. The fact that govt folks are using Confide makes me cringe (this is why.)
Anyone know any good resources for sources?
I think the "high end," where people might be contemplating a serious leak, is reasonably well covered, e.g. SecureDrop tutorials like this. What I'm looking for is something else: "everyday" communication. I'd frame this like "How to have a private conversation with a journalist" not "how to leak" because not everyone is a leaker, and if they do become a leaker, you want them to have been using more secure methods all along.
So any good guides of this type? And what would you put in such a guide if you wrote it?
This is a very broad topic, so I will just stick to things I've learned from my own experiences, with one technical tip thrown in at the end.
1) Unless you plan to go public and be quoted by name, never provide personally identifying bona fides to a journalist. If you do, the journalist essentially owns you. While it's not exactly ethical, there is nothing preventing the journalist from subtly or overtly pressuring you to provide more information, since they have the power to expose you. The journalist is not your friend. They don't care about your job, your family, your activist cause, or your cat. They care about clicks. A relationship with a journalist can be parasitic or symbiotic, but it is always adversarial. Each of you wants different things. You want to disclose information, shape the public narrative, settle bureaucratic scores and climb the greasy pole, raise awareness about "x" cause, or whatever else it is that you want as a source. They want to advance their career as a journo. This is fine. Just don't confuse a journalist with a friend, a therapist, a lawyer, or a date (especially that last one, if you encounter a journalist who is anything less than utterly professional in this regard, then AVOID AVOID AVOID AT ALL COSTS).
Even if they aren't this bent, most journalists are unlikely to stand up to serious legal pressure. This is just a fact. It's equally true of both activists and journalists. There are exceptions, but generally speaking, it is very foolish to assume that someone is going to go to jail for you, fight expensive legal battles for you, or have their livelihood threatened or taken away from them, in order to protect you from professional, legal, or personal consequences. Journalists are just people, and as a rule, people are a pretty rotten lot.
If you do not provide personal bona fides and you choose not to leak documents, a journalist is naturally going to be skeptical that you are who you say you are, or that anything you tell them is true. This is fine. If you are an insider of some sort, you can establish your credibility over time by providing accurate information, before it becomes publicly known. It is the journalist's job to triangulate their way towards the truth. If they are a subject matter expert, then they will have other sources who can help them vet your disclosures. If the journalist isn't a subject matter expert, then why are you talking to them?
2) Get media training. This doesn't have to be formal, you can educate yourself, but you should have a passing familiarity with "off the record," "deep background," and other journo concepts. Stay concise. Don't ramble or leave yourself open to cherry picked quotations. Stay on message. Read this:
3) Research your journalist before you contact them or agree to speak with someone who contacts you. Is this person professional, knowledgeable, and reasonably trustworthy? What kind of work have they done in the past? If you are an activist, is this person likely to be sympathetic (or at least fair) to your cause?
4) If you want to have a discreet relationship with a journalist, but they don't have a SecureDrop instance, and you are not worried about truly terrifying network adversaries, then: buy an iPod Touch ($200), install Signal, and then register it to a pay phone or some random number that is not associated with you at all (ask to use the landline at a local business). Use the iPod on public WiFi networks, such as a coffee shop. Leave your phone and other devices at home, pay for your coffee with cash. Power the iPod off when not in use. This is pretty safe, for most applications. If you're concerned about being caught and searched, for whatever reason, then keep the iPod on your person as little as possible. Consider caching it someplace safe, instead of keeping it at home.
I've been thinking about this topic a lot, @jonathanstray. My work is not this sensitive at the moment, but I'm wondering if and when people I often approach for stories, such as government climate and ice scientists, are going to become anxious about speaking to reporters.
Face to face meetings are not an option when we're hundreds or thousands of miles apart, and SecureDrop isn't realistic for a solo freelancer, which is what I am at present.
I'm starting to include my Peerio, Protonmail, and Signal info with my email .sig, to give folks some options. That does mean they must already be clued in to what's unique and somewhat more secure about those options, however. Maybe an explainer web page would be helpful...
The most immediate one-to-many options would be putting that info up on Twitter and Facebook, and in .sig files. Then scientists and other potential sources who already follow a reporter, say, or are corresponding with that reporter, would have a good chance of seeing it.