Protecting sources is one of journalism's central tenets. But in a world with sweeping legal powers and global surveillance, it is also one that is only getting harder, says James Ball, the Guardian's data editor.
Ball previously worked for WikiLeaks and is currently investigating stories relating to the Guardian's scoop on the National Security Agency's secret Prism electronic surveillance programme. He is therefore accustomed to communicating and receiving information outside the convenient channels of email, mobile phone calls and text messages, arranging covert face-at-face meets, sometimes at deserted railway stations in the dead of night.
Earlier this week he gave a presentation to Hacks/Hackers London (via Skype), a meet-up group of journalists and technologists, on how to communicate securely with sources, particularly whistleblowers, sharing his experiences of when it is necessary to communicate securely, why cumbersome security procedures may lead to breaches, and why burner phones may gain the attention of those monitoring communications.
Here are seven lessons shared by Ball:
1. Making contact: The source may give away information when contacting the journalist
A source may give away details as to his or her identity as they track down and make contact with a journalist. In which case there is not much the reporter can do to protect them as security may already be compromised.
"If sources have taken material from a corporate network or from a work email account, the way they first contacted you, if they have done that from a system they don't control, be it their work computer or work mobile, you will not be able to retroactively help them. So a large part of our role is actually being very honest in what we can and can't do."
2. Keeping safe: Follow the source's lead and assume messages are being intercepted
Once contact has been made, the next step is to ensure the source remains anonymous. A journalist will often follow the source's lead, Ball said.
"If you have a source who very cleverly contacts you through an anonymised system, don't then phone up or email your editor," he said.
"Given what we know and are learning about NSA and GCHQ you essentially should be working on the assumption that anything you say via phone, email, or text is going to be intercepted."
Ball said it may well be an overly cautious approach, "but it's not a bad principle to start from".
3. Protecting your material: Identify how to communicate around documents or data
A journalist may be trying to protect leaked documents rather than an individual, perhaps to avoid injunctions, Ball explained
In this case "you have a very different set of priorities, and the way you try and communicate may be quite different."
If the aim is to protect material rather than a person, he said it is important to work out what your goal is and why you are communicating securely.
4. It is not practical to communicate securely all the time
Ball said that it is important to use sound judgement when you need to communicate securely as it is impractical to rely solely on face-to-face meets.
"It's really important – and this is something that isn't said – not to go around only communicating securely all the time," he said.The less glamourous side to these stories is that you are usually left waiting in the cold, you usually end up pissed off, and you usually wish you had an iPhoneJames Ball, the Guardian
"Not being able to pick up a phone, not being able to use email gets expensive. You have to fly around to have conversations, you have to use encrypted chats (which go down all the time), you have to do all sorts of things that are very difficult. It makes life miserable and it stops you being able to work and cooperate effectively.
"You have to know when to use security and when not to, when it's appropriate and when it isn't, when it will just make you ineffective."
To judge when to communicate securely you need to look at who you are dealing with. Ball advises taking legal advice to make sure you have handled and tracked material in an appropriate way.
"For example, a very basic thing is if you are doing something based on documents and you want to make it harder for them to be obtained, do you say you have possession of documents, if you are worried about a subpoena or similar, or do you say that you have had sight of documents?"
For obvious reasons Ball could not share a list of the security measures he takes when carrying out investigations. "I would love to list to you now everything the Guardian does or doesn't use and why, but even that in itself is useful information."
But he did give some general principles.
5. Open source is better than closed
"Open source is better than commercial," Ball said. Commercial platforms may be in a position where they have "voluntarily or been compelled to make deals to create 'back doors' and you will not be in a position to know", Ball said.
"Lots of open source security software has vulnerabilities, but it's a lot harder for these conscious back doors to exist."
Ball recommends using anonymous web browser Tor – but says its essential to learn to use it correctly. "If you are using Tor and logging in to anything with an account name, you are using it incorrectly," he said explaining how he has seen people using Tor and then logging into Gmail which compromises security.
Tor also provides an example of the problematic nature of staying secure, in that "Tor makes your internet traffic really slow", Ball added.
He explained how when he worked with WikiLeaks he was based in a manor house in Norfolk. "It was a slow internet connection to start with. And by the time we had run three security measures, it would slow to a standstill for about 20 minutes about once an hour."
6. Are your security principles workable?
It is sometimes not appropriate to carry a mobile phone as location details can be intercepted, hacked and tracked.
Ball explained that he was once stuck for two hours at midnight at a train station in Diss did not have a phone, laptop or access to emails.
"The less glamorous side to these stories is that you are usually left waiting in the cold, you usually end up pissed off, and you usually wish you had an iPhone."
He suggests making a security plan presuming the project may go on for some time.
"When you are setting down your security principles and the way you are going to approach a story, you do a lot better if you think about it first," Ball said.
"It might extend for four weeks, for six weeks, in which case people are going to be tired and the right IT person isn't always going to be around.A lot of the time the thing you do to make yourself secure is what flags you upJames Ball, the Guardian
"Are your security procedures cumbersome or are they pared down to the minimum? Is someone who is really tired at 11pm, just trying to get something done urgently, going to follow them or are the procedures so slow and so awkward that they are going to be tempted to break them? When you make the rules that's the balance you have to strike.
"Security is set up for dream people who will always follow it, and if you look at how any hacker or alleged hacker got arrested, it's usually not because they didn't have security set up, it's because they didn't use it, perhaps once for five minutes when they were tired."
Ball said there are always "lots of people happy to pontificate on security in great detail with almost no regard to how real people use computers or what they understand or what they don't".
"We need security that we can understand and use day-to-day," he said.
7. Burner phones are not necessarily as sensible as The Wire might make out
Anyone familiar with US TV series The Wire will be aware of the burner phone, a pay-as-you go mobile with no name registered to it that is used to communicate a few times and then dispose of.
Ball said you first need to think about your regular phone. "You'll have phoned your bank on it, you'll have phoned your mum, you'll have phoned friends, and it all ties up into this huge big web. Any new phone after a week or two will be part of a huge tangled connection of thousands and thousands of phones. A burner phone, on the other hand, may only ever link up to one or two other phones, it never touches the network.
"But imagine you are some hypothetical organisation that was collecting data on every single phone call. You could very easily build an algorithm that found those phones and concentrated on them.
"Let's say the phones always gave out their location, which of course they do, it would be very easy to check if there are any phones like that within a mile of where you are known to be and trace you.
"And this is kind of the issue with security. A lot of the time the thing you do to make yourself secure is what flags you up. It's a horrible moveable feast, lots of things you think you know you don't, lots of things you hope work don't. But it's all about trying to be proportionate, remembering what you are trying to do, using free open software, and urging any really super-smart hacker-types you know to build stuff that real humans can use."
Disclaimer: Sarah Marshall is one of the organisers of the Hacks/Hackers London monthly meet ups.