{"id":53286,"date":"2015-02-02T12:00:23","date_gmt":"2015-02-02T12:00:23","guid":{"rendered":"https:\/\/www.transcend.org\/tms\/?p=53286"},"modified":"2015-05-05T21:26:09","modified_gmt":"2015-05-05T20:26:09","slug":"how-to-leak-to-the-intercept","status":"publish","type":"post","link":"https:\/\/www.transcend.org\/tms\/2015\/02\/how-to-leak-to-the-intercept\/","title":{"rendered":"How to Leak to The Intercept"},"content":{"rendered":"<p><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/how-to-leak-intercept.jpg\" ><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-53287\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/how-to-leak-intercept.jpg\" alt=\"how-to-leak-intercept\" width=\"540\" height=\"272\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/how-to-leak-intercept.jpg 540w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/how-to-leak-intercept-300x151.jpg 300w\" sizes=\"auto, (max-width: 540px) 100vw, 540px\" \/><\/a><\/p>\n<p>People often tell reporters things their employers, or their government, want to keep suppressed. But leaking can serve the public interest, fueling revelatory and important journalism.<\/p>\n<p>This publication was created in part as a platform for journalism arising from unauthorized disclosures by NSA contractor Edward Snowden. Our founders and editors are strongly committed to publishing stories based on leaked material when that material is newsworthy and serves the public interest. So ever since <em>The Intercept<\/em>\u00a0launched, our staff has\u00a0tried to put the\u00a0best technology in place to protect our sources. Our website has\u00a0been protected with HTTPS encryption from the beginning. All of our journalists publish their PGP keys on their <a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/staff\/\" >staff profiles<\/a> so that readers can send them encrypted email. 
And we\u2019ve been running a <a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/securedrop\" >SecureDrop<\/a> server, an open source whistleblower submission system, to make it simpler and more secure for anonymous sources to get in touch with us.<\/p>\n<p>But caution is still advised to those who want to communicate with\u00a0us without exposing their real-world identities.<\/p>\n<p><strong>What Not to Do<\/strong><\/p>\n<p>If you are a whistleblower trying to figure out the best way to contact us, here are some things you should not do:<\/p>\n<p><strong>Don\u2019t contact us from work.<\/strong> Most corporate and government networks log traffic. Even if you\u2019re using Tor, being the only Tor user at work could make you stand out. If you want to leak us documents that exist in your work environment, first remove them from work and submit them using a personal computer on a different network instead.<\/p>\n<p><strong>Don\u2019t email us, call us, or contact us on social media.<\/strong> Most of the ways that people communicate over the Internet or phone networks are incredibly insecure. Even if you take the time to learn how to encrypt your communications with us, your metadata will remain in the clear. From the standpoint of someone investigating a leak, who you communicate with and when is all it takes to make you a prime suspect, even if the investigators don\u2019t know what you said.<\/p>\n<p><strong>Don\u2019t tell anyone that you\u2019re a source.<\/strong> Don\u2019t <a target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/Chelsea_Manning#Manning_and_Adrian_Lamo\" >risk your freedom<\/a> by talking to anyone about leaking documents. 
Even if you plan on coming out as the leaker at some point in the future, you have a much better chance of controlling the narrative about you if you are deliberate.<\/p>\n<p>As journalists we will grant anonymity to sources if the circumstances warrant it \u2014 for example, when a source risks recrimination by disclosing something newsworthy. If we make such an agreement with you, we will do everything in our power to prevent ourselves from being compelled to hand over your identity.<\/p>\n<p>That said, in extreme cases, the best way to protect your anonymity may be not to disclose your identity even to us.<\/p>\n<p><strong>What to Worry About<\/strong><\/p>\n<p>And here are some things you should be aware of:<\/p>\n<p><strong>Be aware of your habits.<\/strong> If you have access to secret information that has been leaked, your activities on the internet are likely to come under scrutiny, including what sites (such as <em>The Intercept<\/em>) you have visited or shared to social media. Make sure you\u2019re aware of this before leaking to us, and adjust your habits well before you decide to become our source if you need to.\u00a0Tools like Tor (see below) can help protect the anonymity of your surfing.<\/p>\n<p><strong>Compartmentalize and sanitize.<\/strong> Keep your leaking activity separate from the rest of what you do as much as possible. If you need to use email, social media, or any other online accounts, don\u2019t use your normal accounts that are connected to you. Instead, make new accounts for this purpose, and don\u2019t log in to them from networks you normally connect to. Make sure you don\u2019t leave traces related to leaking lying around your personal or work computer (in your Documents folder, in your web browser history, etc.).<\/p>\n<p>If possible, use a completely separate operating system (such as Tails, discussed below) for all of your leaking activity so that a forensic search of your normal operating system won\u2019t reveal anything. 
If you can\u2019t keep things completely separate, then make sure to clean up after yourself as best as you can. For example, if you realized you did a Google search related to leaking while logged into your Google account, <a target=\"_blank\" href=\"https:\/\/support.google.com\/websearch\/answer\/465?hl=en\" >delete your search history<\/a>. Consider keeping all files related to leaking on an encrypted USB stick rather than on your computer, and only plug it in when you need to work with them.<\/p>\n<p><strong>Strip metadata from documents.<\/strong> Many documents, including PDFs, images, and office documents, include metadata that could be used to deanonymize you. Our policy is to remove metadata ourselves before publishing anything, but you might want to remove it yourself. Tails (discussed below) includes a program called <a target=\"_blank\" href=\"https:\/\/mat.boum.org\/\" >Metadata Anonymization Toolkit<\/a> that can strip metadata from a variety of types of documents. If you\u2019re somewhat techie you can convert your documents to PDFs and then use <a target=\"_blank\" href=\"https:\/\/github.com\/micahflee\/pdf-redact-tools\" >pdf-redact-tools<\/a> to completely remove any information hiding in them. You could also choose to go analog: print out a copy of the documents and then re-scan them before submitting them to us (but be careful to securely shred your printout and not leave traces in your printer\u2019s\/scanner\u2019s memory).<\/p>\n<p><strong>How to Actually Leak<\/strong><\/p>\n<p>Now that we have that straight, here\u2019s how to go about contacting us securely:<\/p>\n<p><strong>Go to a public WiFi network.<\/strong> Before following any further directions, grab your personal computer and go to a network that isn\u2019t associated with you or your employer, such as at a coffee shop. Ideally you should go to one that you don\u2019t already frequent. 
Leave your phone at home, and buy your coffee with cash.<\/p>\n<p><strong>Get the Tor Browser.<\/strong> You can <a target=\"_blank\" href=\"https:\/\/www.torproject.org\/download\/download-easy.html.en\" >download the Tor Browser here<\/a>. When you browse the web using the Tor Browser, all of your web traffic gets bounced around the world, hiding your real IP address from websites that you visit. If your network is being monitored, the eavesdroppers will only know that you\u2019re using Tor but not what you\u2019re doing. Websites that you visit will only know that you\u2019re using Tor, but not who you are (unless you tell them). It sounds complicated, but it\u2019s actually quite easy to use. In order to start a conversation with us using our SecureDrop server, you must use Tor.<\/p>\n<p><strong>Consider using Tails instead.<\/strong> If you are worried about your safety because of the information you\u2019re considering leaking, it might be prudent to take higher security precautions than just using Tor Browser. If someone has hacked into your computer, for example, they\u2019ll be able to spy on everything you do even if you\u2019re using Tor. <a target=\"_blank\" href=\"https:\/\/tails.boum.org\/\" >Tails<\/a> is a separate operating system that you can install on a USB stick and boot your computer to. 
Tails is engineered to make it hard for you to mess up:<\/p>\n<ul>\n<li>Tails leaves no traces that it was ever run on your computer<\/li>\n<li>It\u2019s non-persistent, which means that if you got hacked last time you were using Tails, the malware should be gone the next time you boot up<\/li>\n<li>All Internet traffic automatically goes through Tor, so it\u2019s much harder to accidentally de-anonymize yourself<\/li>\n<li>It has everything that you need to contact us through SecureDrop built-in, as well as other popular encryption tools<\/li>\n<li>It\u2019s the operating system that <a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/2014\/10\/28\/smuggling-snowden-secrets\/\" >Edward Snowden, Glenn Greenwald, Laura Poitras, and I used<\/a> to keep the NSA\u00a0journalism safe from spies<\/li>\n<\/ul>\n<p>It sounds complicated, and it is. But if you\u2019re risking a lot, it\u2019s probably worth the effort. You can find <a target=\"_blank\" href=\"https:\/\/tails.boum.org\/download\/index.en.html\" >instructions for downloading and installing Tails here<\/a>.<\/p>\n<p><strong>Use SecureDrop to communicate with us.<\/strong> You can use our SecureDrop server to securely and anonymously send us messages, read replies, and upload documents. If you have access to information that you\u2019re considering leaking, you can use SecureDrop to just start a conversation with us until you\u2019re comfortable sending in any documents. Or you could choose to dump a set of documents and never check back again.<\/p>\n<p>You can access our SecureDrop server by going to <strong>http:\/\/y6xjgkgwj47us5ca.onion\/<\/strong> in Tor Browser. This is a special kind of URL that only works in Tor (even though the URL starts with \u201chttp:\/\/\u201d and not \u201chttps:\/\/\u201d, the connection between Tor Browser and our SecureDrop server is encrypted). 
This is what you\u2019ll see:<\/p>\n<p><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/intercept_securedrop-1024x562.png\" ><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-53288\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/intercept_securedrop-1024x562-1024x562.png\" alt=\"intercept_securedrop-1024x562\" width=\"700\" height=\"384\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/intercept_securedrop-1024x562.png 1024w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/intercept_securedrop-1024x562-300x165.png 300w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/a><\/p>\n<p>To learn more about safely using SecureDrop as a source, check the official <a target=\"_blank\" href=\"https:\/\/github.com\/freedomofpress\/securedrop\/blob\/develop\/docs\/source_user_manual.md\" >guide for sources<\/a> document.<\/p>\n<p>If you\u2019d like to submit tips to us and your anonymity isn\u2019t important, you can email tips@theintercept.com. If you\u2019d like to use PGP encryption, you can find every journalist\u2019s PGP public key on their <a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/staff\/\" >staff profile<\/a>.<\/p>\n<p>Questions? Have further advice for would-be leakers? Post them in the comments below.<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/2015\/01\/28\/how-to-leak-to-the-intercept\/\" >Go to Original \u2013 firstlook.org<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>People often tell reporters things their employers, or their government, want to keep suppressed. But leaking can serve the public interest, fueling revelatory and important journalism. 
This publication was created in part as a platform for journalism arising from unauthorized disclosures by NSA contractor Edward Snowden.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60],"tags":[],"class_list":["post-53286","post","type-post","status-publish","format-standard","hentry","category-whistleblowing-surveillance"],"_links":{"self":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/53286","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/comments?post=53286"}],"version-history":[{"count":0,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/53286\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/media?parent=53286"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/categories?post=53286"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/tags?post=53286"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}