Solving the First Contact Problem


#1

The First Contact Problem occurs when a journalist first reaches out to a source. Some aspects of this problem, at least as I understand it:

  • Most likely, that source has little experience with secure communication and there is probably not a secure way to reach them electronically.
  • No matter what happens after, the insecure first contact leaves a trail of metadata and content that can later become a problem.
  • Very commonly, relationships with sources start out innocuous and only later (sometimes years later!) transition to a conversation about sensitive topics.
  • It can be quite difficult to get sources to use secure comms tools in a secure way. And that's what I think when I'm feeling optimistic.
  • Quite often, just discussing security can spook the source, and potentially lose the story.

Here was my best advice on this topic as of a few weeks ago (from these slides). I considered it basically an unsolvable problem, because getting someone to install an obscure app before you could even talk to them... uggh.

Then suddenly, WhatsApp had strong encryption.

Now you still have to meet the source in person first. And WhatsApp may require some care to use securely. But your source probably has it installed, and anyway their friends almost certainly use it so it's not so weird to ask them to install it.

Given the available options, my instinct is now to recommend WhatsApp as the go-to platform for journalist-source comms. It's as good a solution to the First Contact Problem as I've ever seen -- assuming Facebook is not your adversary or likely to cooperate with your adversary.

Thoughts?


#2

I have a few thoughts on this. Perhaps some of them will be useful.

First off, journalists have obviously become more aware of the dangers of the first contact problem since 2001 or so, after which leak prosecutions became more aggressive at the same time that more of our everyday communications moved out of informal channels ("nice to meet you, what are you doing next Friday, want to get a drink?") and onto the cellular infrastructure and the internet. However, this isn't actually a new problem. Intelligence officers who specialize in HUMINT (CIA case officers and their counterparts overseas) have had to deal with this same basic problem set for years.

Journalists might not like to think of themselves as spooks, but what they are doing is essentially the same. Natsec journos trawl the D.C. social circuit, they spot, assess, and recruit sources, they fact check the information they receive, and they write up their findings - hopefully without getting their source arrested.

If you're an intelligence officer chatting someone up at a diplomatic party, you don't want to give that person a phone number that's associated with the US embassy. Ideally, you wouldn't want to give them a phone number at all; you would just set up another time and place to meet, on some social pretext. Does your developmental like rock climbing? You should arrange a time to meet at the local climbing wall. If you must give them a way to contact you, then that identifier and device should not be associated with you. You can even arrange to run into them socially, "by accident" at places you know they are likely to frequent.

The single most important criterion for communicating electronically with sources is sender-receiver unlink-ability. Confidentiality is secondary. You can be using Signal from day one, but that's likely not going to survive a retrospective FBI investigation if they are able to access NSA traffic logs that reveal the fact that you, a national security journalist, were in contact with the suspect, your source. Not good.

Then there's logs. Do you want your conversations with your source lying around on their personal phone, Signal or no? Do they have FDE (full disk encryption) enabled on their phone? Are you willing to bet 30 years of their life that no one will, at some point in the future, perhaps after your source is arrested, develop a tool to circumvent the FDE on their personal device? Do they have automatic updates turned on? These are all questions that you don't want to ask, because there are too many things to go wrong.

As a journalist, you should be proactively protecting your developmentals before they become sources. Handing people twenty different secure ways to contact you is only any good if your source is technically competent enough to defend against the two things most likely to sink them: traffic analysis and local logs. In order to use any secure comms tool safely, they have to either use Tor or communicate from places that are not associated with them or their personal devices. They have to use a separate compartmented device (which shouldn't be stored at their home), and they had better have FDE so that the FBI can't just read logs or retrieve them forensically. That's kind of a high bar. Unless your source is Edward Snowden, they are probably going to mess that up. In my opinion, offering people a cornucopia of secure comms tools, each with different security properties, is sort of like laying out twenty different firearms, some of them complicated antiques with hair triggers, in front of a caffeinated toddler. Please, no.

I would boil all of this down into a few rules:

-Outside of friends, family, and fellow journalists, don't give out means of contacting you that are associated with you (besides SecureDrop), whether those means are end-to-end encrypted or not. You never know which acquaintance may become a source, so protect your sources by treating everyone as though they may become one.

-Get in the habit of making all social plans verbally and in advance with an agreed upon meeting time and place. If you must give someone a means of contacting you, make sure that the identifier and device are not associated with you.

-If you work for a large publication with a budget that can afford it: go out and buy a stack of iPod Touches ($200 each) and install Signal on each one. Register each device with a different pay phone number. Treat these numbers and their corresponding devices like business cards: one per source. You keep the "burner" device, and they can contact you with their everyday device. This keeps things normal and social without linking the communication to you in an obvious way or burdening them with tradecraft and tools. Is that expensive? Sure it is. You're asking people to risk decades in federal prison in order to advance your career, and hopefully the public good in the bargain. If your publication can't spend $200 to protect someone's life, you really should find another profession. If you don't have the money, then arrange all social meetings verbally, beforehand (or, again, use SecureDrop).

-Don't discuss illegal activity (leaking) via electronic means unless you are talking with someone via SecureDrop, or unless they are very competent and are taking responsibility for their own security. If you are talking with a developmental or a source via a burner iPod (remember, they're still using their normal device, even though you're both using Signal), then only discuss meeting times and other pleasantries. Save the illegal discussions for your in-person meetings or else discuss that via SecureDrop. Logs are deadly. They sank Chelsea Manning (used OTR), they exposed Aaron Swartz to greater risks (Quinn Norton kept logs of their OTR chats, which could have been subpoenaed if his case had gone to trial). Do not rely on end-to-end encryption alone.

-Only use your normal identifiers (your phone number, your PGP key, your jabber address, your whatever) to communicate with friends, family, and colleagues. Never anyone else; they might become a source. Operational security, like STD prophylaxis, only works proactively.

-Since SecureDrop enforces Tor use, you can safely encourage people to get in touch with you that way, and your source won't even have to identify themselves to you there.

That about sums it up. Sorry that this ended up being pretty verbose.


#3

Here's a condensed version of the above, since that one was sort of rambling:

1.) Do not distribute any means of contacting you which can be associated with you, except for SecureDrop, to any person besides friends, family, and colleagues. Anyone who is not a friend, family, or a co-worker is a potential source.

2.) All communication with persons who are not friends, family, or co-workers should have the property of sender-receiver unlink-ability. You may achieve this property by planning social meetings in person, in advance (by specifying the time and place of the next meeting), or you may achieve the same effect through SecureDrop. If you must communicate with a potential source electronically, but prefer a more casual means of secure communication that will not scare the source off, you may do the following: obtain an iPod touch, install Signal, register both applications with a number that is not associated with you (such as a payphone), provide the source with the contact number, and instruct them to contact you via Signal. Do not use a single number or iPod to communicate with multiple sources. If you do so, the compromise of one source may compromise them all, through retrospective metadata analysis. One iPod per source. If you use PGP as a journalist, publish a key that does not have an email address associated with it. A source may wish to encrypt documents for your eyes only, and then submit them via SecureDrop (or they may wish to guard against the possibility that the SecureDrop server is compromised, since SecureDrop is not end-to-end secure by default), but they should not be provided with a means of emailing you. Unless they take precautions themselves, email does not provide the property of sender-receiver unlink-ability, even if it is PGP encrypted. Since it is cumbersome to use a PGP key without an email address (mail clients will not recognize it), you may wish to generate a separate key for emailing with other journalists. However, make sure not to publish it to the key servers, where a source may discover it and accidentally shoot themselves in the foot by emailing you without using Tor and creating an "operational" throwaway email address. You don't want to wake up and find this sitting in your inbox:

From: firstname.lastname@cia.gov
Subject: I Feel That It Is My Patriotic Duty To Insure That This Information Reaches The Public.
-----BEGIN PGP MESSAGE-----

3.) Never discuss illegal activity (leaking) outside of in person meetings or SecureDrop. If communicating via SecureDrop, it is preferable that the source never reveal their identity. If they are willing to provide documents, it is not necessary to verify the source's bona fides; an independent verification of the documents they provide is sufficient. End-to-end encryption will not protect your source from a retrospective investigation. Signal should be used for planning meetings, not discussing illegal activity. No logs, no crime. Discussions in person are forward secure. Discussions via SecureDrop cannot be (easily) linked to your source (provided that neither of you use their name in your SecureDrop conversations).

4.) There are many secure communications tools available besides those described above. There is nothing wrong with many of them, except that they require some expertise on the source's part to insure that their communication is not linked to you, the journalist. As a journalist, you should provide only the failsafe means of communication that have the property of sender-receiver unlink-ability by default as described above (imho). An advanced source may contact you and wish to use Pond running in a Whonix TemplateVM on Qubes, or some other setup. Any such advanced source will be able to contact you via SecureDrop, after which you can both agree on the details of your communication from there on out. However, do not provide other means of contacting you to the public, besides those discussed above, since potential sources may not be capable of understanding the operational security implications of their tooling choices. Stick to pre-planned in-person meetings, SecureDrop, and, if you must, the iPod touch & Signal approach described above.

A note on style: The requirement that you plan all social meetings (outside of your inner circle of friends, family, and co-workers) in person, in advance, may seem onerous. However, this is how everyone planned their social lives only a few decades ago. It's not impossible, it just takes effort. If it helps you excuse your behavior to your peers, you might cultivate a luddite philosophy or espouse some sort of hipster preference for the old ways. In any case, it's a small price to pay to proactively protect the lives of those who will come to entrust you with secrets. A mistake on your part could cost them decades in prison or deprive their children of a parent. If you are a national security journalist in the United States, and you think that the above is paranoid or extreme, then please find another profession. Your adversary is the combined expertise of the entire U.S. intelligence community. Mistakes cost lives.


#4

Small note: WhatsApp does not install on an iPod Touch.


#5

I suspect this will continue to be a problem for some time - not because we don't have the right tools, but because people don't always know the right channels to use in advance. There's a technology challenge here, but also an educational challenge.


#6

Thanks @ethannorth, that's a lot to consider. I think there's a lot of good stuff here if you are a national security reporter or otherwise up against an adversary who has access to communications metadata. Giving out ordinary phone numbers to unlinked phones is a clever tactic.

I will say it's also very unlikely to be followed by a working journalist. Leaving aside the expense of having one phone per source, this is really problematic:

1.) Do not distribute any means of contacting you which can be associated with you, except for SecureDrop, to any person besides friends, family, and colleagues.

This is going to be tremendously difficult. It basically makes it impossible for anyone to contact you or even verify that you are who you say you are when you contact them. And can you even have a social media account? While some of your sources are going to be very sensitive, the vast majority will not and this effectively cuts them off. Journalists are, and need to be, fundamentally public people. We are not spies. Our names go on the bylines, and it's not just for ego.

One of the things that would advance the field here is a more careful enumeration of the common threat contexts that journalists face. There is no one-size fits all security. So here's a very rough list of threats that journalists I have spoken to face:

  • various actors in various conflict zones
  • narco-cartels
  • other organized crime
  • authoritarian governments
  • non-authoritarian governments
  • individual politicians or political organizations
  • large companies or industrial groups
  • competitors
  • local law enforcement
  • hackers unaffiliated with the above (in it for the lulz or $)

I would imagine the appropriate strategy varies for each of these contexts, and that there are many further variations based on what part of the world you're working in, and what story you're reporting.

Can anyone think of a better way to classify threats? If we could find a good way to group similar situations together it would go a long way toward developing good operational advice.


#7

I realize that this approach is extreme. It may only be appropriate for national security journalists who are in the business of regularly talking to people with security clearances and encouraging them to disclose classified information. If this describes you, I still stand by what I wrote.

Plans may not survive first contact with reality, but I think it's important that if the rules are bent, that the source and the journalist should both understand that they are making an expedient exception that may come back and bite the source later. Informed consent is important.

I think that social media accounts are completely fine (and indispensable to journalists for many reasons). Most people understand that leaking classified documents via Facebook, Instagram, or Twitter is not a good idea. I'm more concerned about providing the public with "secure" means of contact, other than SecureDrop (such as a PGP key with an email address), when each of those "secure" tools has different security properties and many must be used in concert with other tools (like Tor) in order for a source to contact you without potentially exposing themselves down the line. Placing the burden of understanding those technical distinctions onto a potential source is too much to ask, I think.

For all of the cases where one is not a national security journalist who is regularly meeting people with security clearances and encouraging them to disclose, other approaches may be valid, but there are still many ways that things can go wrong with "secure" tools, even when your adversary may not appear very powerful.

For example: let's say that your source is a police officer. You asked them to install Signal on their phone, and you've been communicating that way. Seems pretty safe. Your adversary isn't some super-secret spy agency. However, your source, the police officer, didn't think to disclose to you that their everyday phone is actually a department-issued work phone. You didn't think to ask, and now you're both sunk: the police department IT team has remote access to everyone's department-issued phones as a matter of standard procedure. They may not be actively trawling through everyone's communications, but if they realize that they have a leak, that could change overnight.

This is just one example. I strongly believe that SecureDrop is the best electronic means of having secure conversations with sources. It's very easy to use. The only barrier to entry is installing Tor Browser. If you're a freelancer, you may want to consider holding a crowdfunding campaign to get your own SecureDrop setup. The Freedom of the Press Foundation has helped journalists raise funds for the necessary hardware in the past, and they also provide technical assistance to help you get SecureDrop up and running.

Obviously, it's easy for me to expound on the most water-tight possible way of operating, but at the same time, I want to stress that the failure modes are numerous and not always obvious. SecureDrop was designed for journalists. If you can, it's really best to use it as much as possible, unless you are planning and conducting meetings in person.


#8

Thanks for catching that. I've never tried installing WhatsApp on an iPod Touch; I just assumed that it would work, just as Signal does. I edited the post to remove references to WhatsApp.


#9

If a source contacts you through an insecure channel - for example by calling from his or her office in a public building or company - the damage is already done.
A metadata trail will betray the source at a later stage, if there is an internal investigation. The thing to do is to quickly start obfuscating this first contact, by creating a larger data trail - through contacting several/many others in the same company or department, asking them to call back. They will either call you back or not - and most probably deny talking to a reporter or giving out information on the particular subject, which might or might not have to be related to the original "tip".
When there is an internal investigation at a later stage, the other employees will confirm that they were called by a reporter and maybe also that they called him/her back if they did - and declined to comment.
What this does is give the source the opportunity of admitting that the actual call with the reporter took place - which is undeniable because of the metadata trail - but still not admitting that he or she was the one who gave the reporter the actual information.


#10

This sounds really plausible, but basically it would lose the reporter a day of their life whenever someone new contacts them. Can any of the journalists here estimate how often they get a new cold contact from a source?


#11

Ordinary telephone billing records generally show who initiated the call. They would show one call initiated from your source's office, to you, and then a bunch of calls from you, to other people in the same building.
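
The two metadata points raised in this thread (the "one iPod per source" rule in point 2 of post #3, and the observation above that billing records show who initiated a call) can be made concrete with a small graph walk over call records. The example below is added here and is not code from any poster; the phone numbers and dates are constructed, and the two-hop pivot is a simplified model of what a retrospective records analysis could link.

```python
"""Constructed call-record example (added; not from the thread).

Models the risk that a journalist's contact number, once learned from one
source's records, links every other source who used the same number, and
shows that billing-style records reveal which party placed the first call.
All numbers and dates below are invented for illustration.
"""
from collections import defaultdict

# Constructed records in billing-record shape: (initiator, receiver, date).
# Case 1: one burner number (555-0900) shared by three sources.
SHARED_DEVICE_RECORDS = [
    ("555-0101", "555-0900", "2016-03-01"),  # source A calls the burner
    ("555-0102", "555-0900", "2016-03-04"),  # source B calls the same burner
    ("555-0103", "555-0900", "2016-03-09"),  # source C calls the same burner
    ("555-0900", "555-0101", "2016-03-10"),  # burner calls source A back
]

# Case 2: one burner number per source, as post #3 recommends.
PER_SOURCE_DEVICE_RECORDS = [
    ("555-0101", "555-0901", "2016-03-01"),  # source A calls burner 1
    ("555-0102", "555-0902", "2016-03-04"),  # source B calls burner 2
    ("555-0103", "555-0903", "2016-03-09"),  # source C calls burner 3
    ("555-0901", "555-0101", "2016-03-10"),  # burner 1 calls source A back
]


def build_contact_graph(records):
    """Undirected contact graph: a record exposes both endpoints regardless
    of who dialled, so each call is added in both directions."""
    graph = defaultdict(set)
    for initiator, receiver, _date in records:
        graph[initiator].add(receiver)
        graph[receiver].add(initiator)
    return graph


def second_hop_contacts(records, known_number):
    """Numbers an investigator can reach from one known source number by
    pivoting through every counterparty of that number (two hops).

    With a shared burner, the burner is the pivot and every other source
    that called it is returned. With per-source burners the pivot only
    leads back to the known source, so nothing new is exposed.
    """
    graph = build_contact_graph(records)
    pivots = graph[known_number]
    exposed = set()
    for pivot in pivots:
        exposed |= graph[pivot]
    exposed -= pivots            # the journalist-side numbers themselves
    exposed.discard(known_number)
    return exposed


def first_contact_initiator(records, number_a, number_b):
    """Which of the two numbers placed the earliest call between them,
    or None if they never spoke. Mirrors the point that billing records
    show who initiated a call, so a source's first call stands out."""
    pair = {number_a, number_b}
    calls = sorted(
        (date, initiator) for initiator, receiver, date in records
        if {initiator, receiver} == pair
    )
    return calls[0][1] if calls else None


if __name__ == "__main__":
    print("shared burner, source A known  ->", sorted(second_hop_contacts(SHARED_DEVICE_RECORDS, "555-0101")))
    print("per-source burner, A known     ->", sorted(second_hop_contacts(PER_SOURCE_DEVICE_RECORDS, "555-0101")))
    print("who called first (A, burner)   ->", first_contact_initiator(SHARED_DEVICE_RECORDS, "555-0101", "555-0900"))
```

Run stand-alone, the shared-burner case exposes sources B and C from A's records alone, while the per-source case exposes nobody; the last line shows the source as the initiator of first contact, which is the trail post #12's mitigation is trying to bury in noise.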


#12

This is of course not something you do every time someone calls you, but only in very, very rare situations where you get a very credible, important and good piece of information and you immediately understand that the source has compromised himself/herself because of the call. It works. Sure, they might be able to see who called first - but there are various ways of mitigating this, if it is important enough - by using more channels - calling mobiles, private numbers, leaving notes etc - better than doing nothing at all and making the source stand out after a damaging first contact if it is important and the goal is to protect the source as much as possible. The frequency of cold contacts depends on the story, really. No clear pattern. Nowadays people are much more conscious about digital trails. They know that it's a bad idea to use company infrastructure.


#13

It seems the problem remains unsolvable in the general case, especially if you're up against the state. But can we put any restrictions on this problem? What about various instances of the various adversaries on my list? What if your adversary can't compel Google to give them data, for example?


#14

I think there are probably too many variables at play in each of the example situations in your list to make any hard and fast (or even general) technical rules of thumb. The decisions would have to come down to the journalist's judgement.

I also don't think that this is a problem that can be solved with tool-centric thinking.

Let's say that your source is a fighter in the Colombian FARC, for example. If the FARC finds out that you have a reporting relationship with your source, then bad things will happen to them. You choose Gmail to communicate with your source because the FARC obviously can't legally compel Google to do anything. Unfortunately, your source (like most users) has their browser remember their Gmail password, so they remain logged in all of the time. One day, one of your source's fellow fighters asks to borrow their laptop to surf the web...

Ultimately, I don't think that this is a technology problem. It's an OPSEC problem.

These tips probably apply everywhere:

1.) Don't leave your source with written records of incriminating conversations with you, whether those conversations are end-to-end encrypted Signal chats, emails, your (known) phone number or email address in their address book, or hand written notes. Voice conversations are preferable to written messages (so use Signal calls rather than Signal text messages, for example).
2.) Keep your communications off of the infrastructure controlled by your adversary. That "infrastructure" might be a local market where local police or informants are likely to spot you meeting your source, or it might be the cellular infrastructure. If your adversary controls all of the telecommunications infrastructure, then insure that all of your communications with your source have the property of sender-receiver unlink-ability, whether your conversations are electronic (use Tor - SecureDrop is ideal because it forces the source to protect themselves by using Tor) or in-person meetings where you plan the time and place of the next meeting face to face.

After El Chapo was arrested, it was easy to make fun of Sean Penn for his silly and obviously ineffective security measures (he was "mirroring through the black phones"), but ultimately Sean Penn's problem wasn't that he was using the wrong tools, or using them in the wrong way. He didn't need technology to make good security decisions, and if he had made good tech choices, those choices would have flowed from an understanding of universal OPSEC principles.

The Grugq's work is really on point here. Most of these problems aren't new. There are references to "safe houses" in the Old Testament of the Bible. SecureDrop is just an internet equivalent of a cold war style dead drop. Technology is just a different terrain where different actors grapple with timeless trade offs.

If you want to keep your sources safe, then read about the history of espionage, read about how criminals are caught, don't ever use a tool that you don't understand, at least at a conceptual level... and read everything the Grugq writes.


#15

Yes, I think everyone here agrees that "tools" won't solve the problem. But telling a journalist "use best judgment" won't work either. They don't have the necessary knowledge and experience.

I've told a lot of people that they should use threat modeling to plan security. The response is invariably "...okay. So what's an appropriate threat model for my situation?"

Which is why I think it might be productive to research how people handle specific kinds of threats to see if we can come up with useful patterns to pass to others.

"Keep your communications off of the infrastructure controlled by your adversary." Okay, so if I'm in Colombia covering FARC, what infrastructure is that, and am I going to be able to do my job if I avoid it? Let's talk about this in terms of specifics, not general principles. General principles are not very helpful to reporters, in my experience.

I say "research" because experience is a much more reliable guide than theory -- just like you can only guess at usability, ultimately you have to do user testing.

Can anyone here share their operational experience? What was the story, what was the threat and how did you mitigate it?


#16

Here is my "operational experience," from the perspective of an activist working with journalists:

The location is an EarthFirst! training camp. The objective is to train a mixed group of locals and out-of-town activists in various blockading techniques (aerial blockades, sleeping dragons, etc) and, at the end of the week, non-violently blockade access to a particular industrial site as a part of a larger, regional campaign against the company that owned and operated the site.

There were two independent journalists present. One was a documentary filmmaker and the other was a still photographer. Both were sympathetic to the goals of the activists and had some experience working closely with activist groups.

The action failed because the journalists did not follow the security rules that everyone was supposed to abide by.

Security was managed as follows:

-Everyone used pseudonyms, or "forest names," which are one-time-use names, to be used only at that training camp and during the action. Outside of the people you arrived with, you didn't know anyone's real name. This is useful in case anyone is arrested and chooses to cooperate with police; it limits the damage by restricting the amount of information that people know about each other. Pseudonyms are also useful because they limit what undercover officers or informants can learn.

-Only a small core of experienced activists (five to eight people), who had longstanding histories working together, knew what the target was. This same small core planned the logistics for the training camp. Everyone knew the name of the company we were protesting (naturally), but our training camp was located within a three hour driving distance of dozens of targets owned by the company.

-Attendees were sorted by their comfort level with risking arrest. People self-sorted by "red" (you will be arrested in this role - these were the people who were to lock down in a sleeping dragon or sit in an aerial blockade), "yellow" (you may face arrest - a direct support role), and "green" (low risk of arrest - you will be located at a site next to the action, on public property, holding protest signs).

-Once we were all sorted by self-selecting risk level, the "red" and "yellow" groups were subdivided into two compartmentalized training groups (so there were both "red" and "yellow" people in each of these two training groups), and the "green" group formed a third training group. We were told not to tell other activists outside of our training groups what we were doing inside of those groups. Each group was led by one to two activists from the small experienced core. Only this small core of experienced activists had the whole picture; they were the single point of failure between the compartmented groups and only they knew the target location and the time of the action.

-As I later found out, during the action, one training group was learning aerial blockading, and the other was learning how to form sleeping dragons. The third group was learning how to support the first two with media, logistics, and jail support. I was in one of the two blockading groups.

-To thwart the possibility of audio surveillance via cellphones, everyone would put their phone in a plastic bucket at the beginning of a training session or discussion. This bucket would then be placed well out of earshot, but where everyone could see it. Since we didn't know each others' real identities, there was no trusted person who could hold all of the phones. Keeping the bucket in plain sight solved this.

-The aerial blockading equipment to be used on the day of the action was kept off site. Only activists from the trusted core knew about this offsite location. We practiced with identical equipment at the training site. This was done to thwart any attempts to steal, destroy, or otherwise sabotage the equipment. The operational equipment was brought on site on the morning of the action, as we prepared to depart.

-On the morning of the action, everyone woke up at 2am, grabbed their gear and staged with their training team. Each team piled into several cars with a designated driver and navigator. Everyone was instructed to turn off their cell phones. The trainer activists from the trusted core handed a sealed envelope to every driver. We were to drive in convoy up the highway, behind a lead vehicle, until we passed a particular exit number. Then we could open our envelopes. They contained the address of the target, a hand drawn map of the area (to include some terrain features), and a separate street map with our route to the target. Every vehicle had a different route to the target, in order to throw off any vehicle surveillance. The idea was to arrive just up the road from the target at about the same time, and then drive in and "hit it" by rapidly setting up our two blockades.

-What's known in activist communities as "security culture" was followed. People didn't discuss their private lives, past actions, or illegal activity. No one used substances at the site, illegal or otherwise (break one law at a time, don't impair your judgement).

These security measures may seem elaborate, but keep in mind that this event was open to the public and advertised in advance, as a part of a very public campaign against a fossil fuel company that involved legal protest, legal advocacy through the courts, organizing popular support through NGOs, as well as non-violent direct action. While the planned action would be illegal (trespassing), this was not an invite-only event for a small clique of activists. It was a large gathering of unconnected environmental activists with various risk tolerances, ages, and political views. Everyone was aware that an undercover officer or informant could easily be present, and we all conducted ourselves as though anyone not previously known to us could be an informant. There wasn't paranoia or an accusatory atmosphere, we just kept our mouths shut about personally identifying information and the details of what we were learning in our training group. As it turned out, there were in fact two undercover police officers present at the training camp.

Security failed for two reasons:

First:

One of the "core" experienced activists told the still-photog journalist the exact target location, the day before the action. The activist trusted the journalist and must have figured that it was fine. As it turns out, the journalist was trustworthy, insofar as they weren't an informant, but their opsec judgement was poor. One of the two undercover officers elicited the target's location from the journalist by offering to help them buy extra camera memory cards on the day of the action (typically, on the day of the action, one person is employed as a runner to get the memory cards from the photog journalist at the action, to a safe legal space like a nearby church, where those photos can be uploaded to the internet, since the photographer is at risk of arrest and may have their equipment confiscated at any moment after the cops arrive on site). The journalist told the undercover police officer the name of the nearest town where they could buy camera memory cards on the day of the action. This was enough information for the officer to learn the location of the action, in advance.

Now, most of the activists at this training camp suspected that the two undercover cops were, in fact, cops. They acted like cops. One of them wore Gates boots and Oakleys. It was not a big mystery. However, no one expelled them or publicly accused them, because left-wing activists have learned the hard way that runaway snitch witch hunts can do far more damage to movements than actual informants. Fear is deadly, so there is a cultural norm against accusation, unless there is proof. Otherwise, people share their suspicions in private, with trusted friends, and then they ice the suspected cop out of sensitive conversations. Since the two journalists were out of the loop, they didn't learn that these two guys were probably cops. Since they didn't have experience as activists themselves, they didn't know to be suspicious of these two undercovers (the proof came later when their identities as police officers were revealed in legal discovery, during the trial of another activist who was arrested at a different action in the course of the same campaign).

Second:

The second journalist, the documentary filmmaker, drove his own car to the action site on the morning of the action. He asked one of the "core" trainer activists where to go on the morning of the action (so, two in the morning), and he was told the location. However, he was also told to follow any of the other activists' cars to the target location, and to turn off his phone. He ignored that advice.

Instead, he punched the target location into his iPhone and drove directly to the target site. Since everyone else was driving along their unique, circuitous routes as specified in their envelopes, in the hopes of confusing following vehicles and converging at the same time, the journalist got to the target site before anyone else. He got there forty minutes early.

When we all arrived at our convergence position and drove in convoy the remaining mile to the target, we found that the cops were already at the target site. Within minutes, they had ample reinforcements and going through with the action proved impossible. Since we didn't have a chance to deploy, we weren't arrested, but the action failed.

In addition, the journalists were explicitly asked to get consent before filming anyone at the camp, but they chafed at this and had to be asked not to film on several occasions.

That's my experience.

Edit: I realize that this post may come off as a little hard on journalists. I'll just add that documentary filmmakers have made some incredible short films about this kind of activist work, like this one:

It's just important to remember, as a journalist, that the people around you may have good reasons for being cautious.


#17

Isn't it possible for authorities to track cellphones even when they are turned off? And does taking out batteries stop tracking? Or is leaving phones behind or getting a burner phone safest?

Meantime, as per your concluding comment, journalists are hard on everyone else, so we should be fine with criticism. The fact that we're often not, I guess just proves we're human like anyone else (positive-spin-alert).


#18

Isn't it possible for authorities to track cellphones even when they are turned off?

Yes, but I believe this would only be true if the phone had been compromised with malware, and was thus "playing dead" while actually remaining on. So, yes certainly possible, but not default behavior.

And does taking out batteries stop tracking?

Yes, this solves the "playing dead" problem, except that many newer phones don't have removable batteries, which leads one to Faraday bags (which can still leak enough RF to track you, sometimes, even if you can't succeed in making a call to a handset in the bag - consequently Faraday bags are sort of a WTF opsec tool. Maybe it's working, maybe not? They're not a bad idea, it's just difficult to verify that they are working as intended when they really matter, and when they don't you probably don't need it anyway).

Or is leaving phones behind or getting a burner phone safest?

Yes, this is safer, especially leaving it behind. This was actually a usability compromise on our part. It would have been safest for everyone to leave their phones behind, but this would have vastly complicated jail support and caused other hassles. Ditching the phones entirely would have been safest.


#19

If you're gonna do this it's really worth sweeping for magnetic vehicle trackers. Only takes a few minutes for the most common ones.

The phone doesn't have to have malware already in it. AFAIK even dumb phones can be turned on remotely as long as the battery is still in. Mark Bowden talked about that in "Killing Pablo" for example. Also, phone companies can analyse patterns of phones being turned off - in certain locations, at certain times, when near other phones etc.

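The last point in #19 (a carrier noticing several phones near the same cell going quiet at the same time) is easy to underestimate, so here is an added example of what that analysis looks like. This is editor-added code, not from any poster in this thread and not a carrier's real tooling. The log format, the cell and subscriber IDs, and the timestamps are all constructed; the only assumption it relies on is that the network records some "detach" style event when a handset is powered down. It goes slightly beyond the post by also flagging whether the cluster fell in quiet hours, which is what makes a 2am convoy stand out.

```python
"""
Co-located "go dark" detection over a constructed carrier event log.

Added example, not part of the original thread. The log format below is
invented; real carrier records look different. The technique is the one
the post describes: group handsets that detached from the same cell within
a short window of each other, and treat a large group as a signal.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, subscriber id, cell id, event.
# Five phones at cell-A go dark within ~5 minutes around 2am; the rest are noise.
SAMPLE_LOG = """\
2016-07-09T01:55:02 sub-1041 cell-A detach
2016-07-09T01:57:41 sub-2208 cell-A detach
2016-07-09T01:58:10 sub-3316 cell-A detach
2016-07-09T01:59:33 sub-4450 cell-A detach
2016-07-09T02:00:05 sub-5123 cell-A detach
2016-07-09T02:00:52 sub-6789 cell-B detach
2016-07-09T02:15:00 sub-9001 cell-A attach
2016-07-09T03:10:12 sub-7777 cell-C detach
2016-07-09T23:30:00 sub-8888 cell-A detach
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, subscriber, cell, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sub, cell, ev = line.split()
        events.append((datetime.fromisoformat(ts), sub, cell, ev))
    return events


def is_quiet_hours(ts, start_hour=0, end_hour=6):
    """True if the timestamp falls in the overnight window where few phones normally power down."""
    return start_hour <= ts.hour < end_hour


def find_go_dark_clusters(events, window=timedelta(minutes=10), min_phones=3):
    """Return clusters of at least `min_phones` distinct subscribers that detached
    from the same cell within `window` of the cluster's first detach.

    Detaches are grouped greedily per cell: a group is opened at its first
    detach and closed when the next detach is more than `window` later.
    """
    by_cell = defaultdict(list)
    for ts, sub, cell, ev in events:
        if ev == "detach":
            by_cell[cell].append((ts, sub))

    clusters = []
    for cell, detaches in by_cell.items():
        detaches.sort()
        group = []
        # Sentinel (None, None) forces the final group to be flushed.
        for ts, sub in detaches + [(None, None)]:
            if group and (ts is None or ts - group[0][0] > window):
                subs = sorted({s for _, s in group})
                if len(subs) >= min_phones:
                    clusters.append({
                        "cell": cell,
                        "first": group[0][0],
                        "last": group[-1][0],
                        "subscribers": subs,
                        "quiet_hours": is_quiet_hours(group[0][0]),
                    })
                group = []
            if ts is not None:
                group.append((ts, sub))
    return clusters


def report(clusters):
    """Human-readable summary lines, one per cluster."""
    lines = []
    for c in clusters:
        flag = " (quiet hours)" if c["quiet_hours"] else ""
        lines.append(
            f"{c['cell']}: {len(c['subscribers'])} phones went dark between "
            f"{c['first'].time()} and {c['last'].time()}{flag}: {', '.join(c['subscribers'])}"
        )
    return lines


if __name__ == "__main__":
    for line in report(find_go_dark_clusters(parse_log(SAMPLE_LOG))):
        print(line)
```

The point for the thread: turning phones off at a shared staging point produces exactly the pattern this finds, which is why "leave the phone at home" is the robust answer rather than "switch it off at the site".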

#20

If you're gonna do this it's really worth sweeping for magnetic vehicle trackers. Only takes a few minutes for the most common ones.

This turns into a rabbit hole pretty fast, unfortunately; there are a lot of places to hide something like that on a car.

The one thing we had going for us (initially) was that the opposition didn't know our target, and we were in a target rich environment. By splitting up and driving in different directions, we were trying to prevent law enforcement from setting up in force on the site before/as we got there. We just needed to buy ourselves 10-15 minutes to set up on the target; after that the blockades are up and the site is shut down for the day while the fire department figures out how to clear the aerial/oil drum blockades without killing anyone accidentally.

So, the real killer wasn't that the journo left his phone on (which was still bad), but that he drove there early. This, combined with the photog's slip-up, totally sank us.

Remember, these types of actions are supposed to work even when undercover police are among the protestors. These things are open to the public (and held regularly in the Pacific Northwest, where clear cut logging is a real problem), so anyone could be carrying a tracking device or just have their cell phone set up to share GPS location with law enforcement.

Bug/tracker sweeps are a problem because you never know if they succeeded or if you missed something. They tend to induce paranoia more than anything, in my experience.

Better to use robust techniques if that's a concern (switch vehicles, leave phones behind, etc). This leads to less feeling-like-a-crazy-person, too, which is always a plus.