How to Leak to a Journalist – Source: www.schneier.com

Clive Robinson • April 9, 2025 10:38 AM

@ ALL

No method currently available to ordinary individuals is secure not even close.

This is due to the simple fact that what is available technology wise is “consumer/commercial” and none of it has been designed to be even remotely secure.

Secondly because all the technology is like a “fish trap” designed to funnel every electronic communication into a single net.

There are two solutions to this,

1, Don’t put your toe in the water.
2, Ensure the stream you swim in is not the one that ends in the net.

As those who want to communicate with journalists are putting their toe in the water then that leaves only the second option to them.

There are two types of communication “half duplex” and “full duplex” the first is unidirectional and more secure than the bidirectional second.

Journalist almost always betray their sources because they want to ask questions first of which is almost always “verify who you are”…

This means that journalists will almost always want “full duplex” bidirectional communications and will do just about everything they can to force a source into it and in effect betraying themselves.

I’m not saying “don’t communicate with journalists” I’m saying that the process is always risky and relinquishing control of it is very very unlikely to reduce your risk, in fact the very opposite.

So if you are going to maintain control you have to be responsible for not just yourself, but all others directly or indirectly involved, including the journalist and all at their organisation, and those you work(ed) with and your friends and family.

It’s safe to assume that all communications you do not 100% control will get you caught. So all modern consumer or commercial electronic communications are unwise to use, unless you really understand the technology to the lowest levels.

Likewise all commercial post and package services will be risky to use because everything gets tracked these days one way or another. Primarily for “accounting and auditing” reasons which means they are “third party business records” that have no legal protection from inquisitive authorities.

Thus unless you are a technologist of wide scope you are better considering “Old School Field Craft”. But due to modern technology like wireless CCTV units that can fit in a cube the size of a games dice your golden rule has to be “never the same place or way twice.”

Unless of course you know how to lay a false scent that leads the blood hounds away. However that usually means giving them a sacrificial goat or more to rip the belly out of…

You might think that you can “start safe” unfortunately you can not and this is often the most dangerous step. History shows that during the cold war anyone working in a diplomatic mission was watched around the clock 24×365. But also anyone who approached or entered a diplomatic building or even NGO with foreign funding was photographed and where possible identified and checked.

It’s safe to assume with the paranoia about journalists that some are clearly displaying, and the unlimited resources they effectively command, that journalists today have the same level of surveillance or worse on them that cold war diplomats had.

Why worse?..

Well because technology is at least 20 generations advanced on the cold war thus the human resources needed are almost vanishing in comparison. Also they give a “time machine effect”. Think about CCTV tapes from cameras in a shopping center car park or cafe etc etc. As long as the exist, an investigator can “flip back in time” through the glass eye of the camera recording. They don’t need a human every place they only need one to go through the hundreds or thousands of tapes “facial identification software” pulls up as “possibles”.

None of this is SciFi it’s all very mundane today.

Oh and don’t forget all those “lets make history” devices you have on you like your Smart Devices such as fitness and medical devices, mobile phones, and just about anything with electronics in it these days even toys those in your family have even your pacemaker or other implanted medical electronics.

Bluetooth Low Energy is ubiquitous in “System On a Chip”(SoC) microcontrollers these days. Such microcontrollers are in so many products that avoiding them is at best difficult, at worst impossible. Those “air tags and tiles” luggage tags that people got briefly paranoid about are many times bigger than they need to be for just the electronics because batteries have a lousy power density. If you can find an alternative power source then think a fat grain of rice…

It’s what RFIDs became before we forgot about them. We know some RFIDs can be scanned from outside a shipping container they are in, or from the “bumper badge” to toll gate gantry 20ft up as you drive under it.

Making Smart-RFIDs to work with BLE Beaconing is a trivial manufacturing job these days (though expensive per unit below the 100,000 unit volume).

Old school field craft will if both parties have good OpSec enable you to have diminished risk. But history shows all to often journalists don’t do good OpSec. In part this is because the editors under guidance from the legal people want “full verification” at all costs otherwise they wont touch a story.