Digital and Physical Safety: Protecting Confidential Sources




Protecting confidential sources is a cornerstone of ethical reporting. When journalists have agreed to protect someone’s identity, they should make every effort to do so, especially in circumstances where a source could be arrested or harmed.

Maintaining confidentiality has become more challenging due to increasing levels of digital surveillance and monitoring by authorities and the public. Journalists should therefore consider the following safety advice to help protect the identity of confidential sources.

Be aware, however, that media organizations may have a policy that requires journalists to share a source’s identity with their editors.

In some countries, organizations may also have the legal right to hand a journalist’s notebooks or equipment over to a court or the authorities, if they are considered to belong to the organization.

Research any such rules before making any promises.

Please note that this is a general introduction written for a global audience. Seek additional advice for country-specific contexts and questions.

Contents

Planning
Assessing the risk vs. the reward
Digital safety best practices
Researching your source
Communicating with sources
Receiving and managing documents
Meeting sources
Anonymizing sources
Publishing content
Maintaining confidentiality

Planning

Preparation before engaging with confidential sources for the first time is critically important, as is ongoing cooperation, secure communication, and trust.

Never presume that a source is willing to be named. Always seek consent.

Research any legal obligations regarding working with confidential sources. This will vary by country and employer.

Try to find out if the source has previously spoken to other journalists, or if other organizations might be trying to contact them.

Is there a risk that the source is being monitored, or are they already in hiding? If authorities or hostile actors already have them on their radar, engaging with them could put you in danger.

Establish a method of verification such as an unusual phrase or a question to answer, and use it each time you speak to the source.

Depending on the risk involved, you may need to identify a place they could temporarily relocate to for safety reasons.

Assessing the risks vs. the reward

Always consider the sensitivity of the story and the source’s information, as well as their identity.

Is there a significant risk to you or your source from engaging with each other? Using classified or stolen information may have serious ramifications for you as well as your news organization.

How useful and reliable is their information? Consider their motivation and whether they could pose a risk to you or your organization.

Take into account their identity, including factors such as ethnicity, gender, profile, sexuality, religion and criminal record.

If their identity is compromised, might such factors be used to discredit the story, or increase the risk of them being harmed or arrested?

Digital safety best practices

There are a number of ways that data can be accessed, including but not limited to government subpoenas, physical access to devices, hacking, and spyware.

Consult with a digital security expert if you have doubts about how to protect a source’s identity.

Follow best practice when it comes to digital safety and be familiar with the tools and services you may need to keep your source as secure as possible.

Do a digital risk assessment. This will help you assess and, where possible, mitigate the risk both to you and your sources. The Rory Peck Trust has a comprehensive digital risk assessment template for journalists.

Think about who may target you or your source and how much authority, money, and technological capacity this adversary may have.

Where possible, do not use your personal or work devices to contact sensitive sources. Buy devices specifically for communicating with them, and keep your work and personal data separate. If possible, pay for such devices and SIM cards in cash and avoid linking them to anything that can identify you, such as a credit card or an ID card. (This will not always be possible, depending on where you live and work.)

Turn on two-factor authentication for all accounts and use long, unique passwords and a password manager. See CPJ’s guide to protecting accounts for more information.

Regularly update your devices, apps, and browsers to the latest version to better protect against malware and spyware.

Make the source aware of digital best practices and the risks involved so that they can contact you in the most secure way possible.

Limit contact with the source as much as possible.

Researching your source

Be aware that your internet service provider (ISP) keeps a copy of your browsing history, which can be subpoenaed by governments or accessed by people in the company.

Research ISPs in your country to see who owns them and whether the government is accessing user data through legal or other means.

Use a VPN to better protect your internet history from being logged by your ISP or platforms like search engines.

Choose a VPN service that does not log your browsing history and does not have a track record of sharing data with governments and others. Governments may create or manage approved VPN companies or require compliant services to share user data.

If you are detained and your devices are searched, be aware that browser history can give away details about your online research.

Delete your browser history regularly, but be aware that governments may still be able to request the relevant data from companies involved, like a VPN service or a search engine operator.


PM:01:48:30/11/2021