Working with Leaks and Whistleblowers, Part Two

May 16, 2017

WatchDog: Working with Leaks and Whistleblowers, Part Two

EDITORS NOTE: In this two-part WatchDog series, we look at the hows and whys of working with leaks and whistleblowers. Last week, we looked at why not to use anonymous sources, and finding sources, then building trust and establishing groundrules. This week, we focus on basic security measures, the importance of documents and the legal status of leaked information.

By Joseph A. Davis, WatchDog TipSheet Editor

If you do get to the point where a confidential source is giving you significant amounts of risky information, secure communications are essential to you both. The tradecraft and technology of secure communications is evolving, but some principles endure.

First, personal conversations should be private. Almost anything relegated to email can probably be read by the government. Avoid easily surveilled email. If you must use email, do not use work accounts (at either end) or normal personal accounts. Anonymous or one-use accounts are better, and encrypted accounts are also needed.

Encryption is a huge subject covered elsewhere, but PGP encryption is good, and Proton has a decent reputation.

Text-messaging is hardly safer than email. If you must text, WhatsApp and Signal are considered pretty safe. Telephones, as well, are less than ideal. But Signal helps make cell phone voice calls safer.

Image: ©
Image: ©

In the end, meeting your source face-to-face in a safe, un-surveilled location may be best. Someplace noisy, without security cameras, or sparsely populated might be good. Think in terms of an out-of-the-way park bench, a sleazy diner, a personal car or … a parking garage.

And sometimes transferring documents the old-fashioned way — on paper — is the best defense against electronic surveillance. For large volumes of documents, electronic media may be necessary. In those cases, secure channels such as SecureDrop can be good. And don’t forget about thumb drives that can be sent via U.S. mail, with a fake return address.

Today, many of the best watchdog reporters routinely include their PGP public keys (needed for encrypted communication) to their signatures and business cards. It’s a way of saying, “Leak to me, please.”

Importance of documents

Anonymous sources and whistleblowers may be the start of a good story, but they are rarely the last word. Verification of what they tell you is key for the accuracy of your story, which is important not only for your audience but for your professional reputation. Your job is to say, “How do you know that?” “Prove it” and “Show me.”

Documents are often the answer.

Documents are the kind of evidence or record that can be used in court. They do not usually depend on the credibility or identity of your source. Because something like a memo may often go to many people within an agency, it becomes possible to mask the identity of your source without reducing the credibility of the evidence.


A document that comes in

anonymously over the transom

is not enough — it must be authenticated.


Very often one document leads to another. It may refer or respond to it. Or you may get a chain of emails. Once you are in the realm of documents, you are in the realm of things that can be requested under FOIA.

But a document that comes in anonymously over the transom is not enough. Documents must be authenticated. Reasonable standards usually apply (Is it on letterhead? Is it signed? Will the signer acknowledge it?) The more anonymous the source, the more authentication is needed.

A document is not always a memo. Documents may include notes, emails, texts, calendars and phone logs, to name a few examples.

Ask your leaker to get you documents.

If documents are important to what your source is disclosing, it is important to scrub them to protect the source, while maintaining enough information to demonstrate their authenticity.

The document you receive may retain evidence of the source’s identity — for example, as an addressee, or in the undisplayed authoring information of a Word or Acrobat document. For everyone’s safety, transform such documents to a safe format before posting them on DocumentCloud for the public or your collaborators to see.

Legal status of leaked information

As great as the First Amendment is, the law actually matters in many stories based on whistleblowers, leaks or anonymous sources.

It is very much worth knowing, for example, whether your source faces any criminal or civil liability for giving you the information. If you promise to protect a source, you have an ethical obligation to know. You do not want your defense in a libel suit to depend on a source to whom you have promised anonymity.

When the information is classified as national security information, disclosure to you by the source may be illegal. Fortunately, only a small amount of information on the environment, energy and resources beats is classified.

At the U.S. Environmental Protection Agency, some information about radioactive incidents may be classified. At the Energy Department, information about nuclear weapons (which they produce) may be classified — but not information about cleanup of legacy pollution from nuclear weapons production.


In most cases, it is perfectly legal

for an agency employee to disclose information

that an agency like EPA does not want disclosed


There is other information on the environmental beat whose disclosure to you is made illegal by specific statutes. An example is some information about the vulnerability of drinking water systems to terrorism or other security risks. The Bioterrorism Act of 2002 (42 U.S. Code § 300i–2) requires drinking water utilities to prepare vulnerability assessments, but makes unauthorized disclosure a criminal offense.

Disclosing trade secrets can get a source who works for the government in trouble. Not only does the Uniform Trade Secrets Act authorize civil damages for wrongful disclosures, but individual environmental statutes like the Toxic Substances Control Act also make unauthorized disclosure by EPA officials illegal. The Privacy Act is another law that criminalizes unauthorized disclosures.

Still, in most cases, it is perfectly legal for an agency employee to disclose information that an agency like EPA does not want disclosed. Many things that may be exempt from disclosure under FOIA — such as “predecisional” memos — can be disclosed without legal penalty.

But if the leaker is revealed, that may not prevent retaliation against the employee, even when such retaliation is illegal under the Whistleblower Protection Act. The WatchDog has reported on this more fully in its Leaker's Guide.

The legal perils of disclosure, as well as the potential harm to an employee making unauthorized disclosure, may in certain cases add to the justification for anonymous sourcing.

Today, especially in Washington, D.C., leaks are abundant, but too often focused only on palace intrigue. Many top news organizations, nonetheless, welcome information from true whistleblowers who want the public to know about government actions that do not serve the public interest.

In the end, leakers and whistleblowers can be an essential ingredient in helping the public understand how its government works. But they are only the beginning of further reporting and verification.

Also see our Leaker’s Guide, Parts One and Two.

* From the weekly news magazine SEJournal Online, Vol. 2, No. 20. Content from each new issue of SEJournal Online is available to the public via the SEJournal Online main pageSubscribe to the e-newsletter here.  And see past issues of the SEJournal archived here.




SEJ Publication Types: