Nieman Foundation at Harvard
Are you willing to pay for Prepare to be asked before year’s end
ABOUT                    SUBSCRIBE
Jan. 16, 2019, 11 a.m.

Here are 12 principles journalists should follow to make sure they’re protecting their sources

“We’re being forced to act like spies, having to learn tradecraft and encryption and all the new ways to protect sources. But we are not an intelligence agency. We’re not really spies. So, there’s going to be a time when you might make a mistake or do something that might not perfectly protect a source.”

In the public imagination, reporters working with whistleblowers has traditionally meant All the President’s Men-style cloak-and-dagger stealth — meetings in shadowy underground garages, potted plants turned into signals, Hal Holbrook’s whispered exhortations to “follow the money.”

But today, journalists’ interactions with whistleblowers are more likely to come in Signal chats or secure dropboxes than D.C. garages. And that shift has changed the terms of engagement in often confusing ways.

“We’re being forced to act like spies, having to learn tradecraft and encryption and all the new ways to protect sources,” says James Risen, The Intercept’s senior national security correspondent, who has written often about secret government deeds. “But we are not an intelligence agency. We’re not really spies. So, there’s going to be a time when you might make a mistake or do something that might not perfectly protect a source. This is really hard work. It’s really dangerous for everybody.”

That quote is from a new report just released that aims to compile a set of best practices for dealing with confidential sources in an environment of digital surveillance and rampant data leakage. It’s called the “The Perugia Principles for Journalists Working with Whistleblowers in the Digital Age” and its authors are Julie Posetti, Suelette Dreyfus, and Naomi Colvin.

They’re called the Perugia Principles because they’ve been derived from discussions held there last April, along with further research and consultation since, under the banner of Blueprint for Free Speech.

“The Digital Age has also brought many opportunities for high impact investigative journalism — as evidenced by the Snowden Files and the Panama Papers,” the report states. “It is now possible for whistleblowers to move and leak masses of valuable data in the public interest on an unprecedented scale, with appropriately strong digital security methods in place…However, this is also the era in which whistleblowers are being jailed because security agencies have unprecedented powers of interception and discovery. It is not an equal struggle when your adversary is a national security agency.”

The journalistic response must be a mix of both digital and “human” practices — both the foresight to use the right tools in the right ways and the personal commitment to minimize, to the greatest extent possible, the risks faced by those leaking us important information.

There are 12 “Perugia Principles” in all — compressed from a preliminary list of 20 last year. I’ve listed them below, along with a brief excerpt from the appropriate section of the report — but there’s much more to be found in the actual document.

1. First, protect your sources. Defend anonymity when it is requested.

It is generally accepted that a journalist’s commitment to protect the anonymity of confidential sources and whistleblowers should only be breached in the most exceptional circumstances (e.g. when it is established that there is no other way to determine identity where it is critical to avert imminent loss of human life). Legal protections in many jurisdictions reflect this.

2. Provide safe ways for sources to make “first contact” with you, where possible.

Help potential whistleblowers by publicizing ways they can contact you using anonymized and encrypted channels32, and the risks associated with each.

3. Recognize the costs of whistleblowing for the whistleblower, and prompt them to think through ahead of time how to cope when the story breaks.

Treat the whistleblower or confidential source you’re working with in the manner they deserve — with dignity and respect, as a person taking a significant risk to entrust you with their secrets and their identity in an effort to reveal information in the public interest.

4. Verify material focusing on the public interest value of the information, not on your view of the attitudes or opinions of the source or whistleblower.

While judging the information supplied on merit, it remains important to assess the motivation of the confidential source or whistleblower to determine veracity — is there malicious intent? Could there be inaccuracies secreted in the dataset, for example?

5. Take responsibility for your digital defense and use encryption. Even though encryption may not completely defend your source, it offers important first-line protection.

Recognise that encryption defends press freedom through support for the privacy of confidential digital communications with sources and whistleblowers. While encryption is a minimum standard, it is not a guarantee of confidentiality. For example, digital data trails, including mobile phone geolocation information captured when meeting a source face-to-face, can lead to discovery of the source’s identity.

6. Determine the biggest threats to you and your source and what specific steps you need to take to protect both of you.

There is no one-size-fits-all security. Threat modeling is a general approach to thinking through your security needs and coming up with a plan that suits your unique circumstance.

7. Explain the risks of digital exposure to your source or whistleblower. On sensitive stories, train your whistleblowers in basic digital security.

I think we’re literally going back to that age, when the only safe thing is face-to-face contact, brown envelopes, and meetings in parks.

8. Publish original documents and datasets in their entirety where possible and safe to do so, recognizing the importance of datasets in stories.

When databases of source material are made available to researchers and the public at large, they can become part of the historical record and continue to generate insights and inform reporting for years to come. But be aware that there are digital safety risks entailed where identifying data exists within document sets — for example, microdots from a printer appear to have led to the identification of Reality Winner.

9. Securely delete data provided by sources, when asked, to protect confidential sources, consistent with ethical, legal, and employer obligations.

Be aware that documents and their metadata can be used to identify a source. Investigate ways of securely erasing, or scrubbing, metadata from documents and be cautious of who they are shared with. Encrypt data entrusted to you, on your computer’s hard drive or a portable device, in order to mitigate the risks of it falling into the wrong hands.

10. Ensure any digital drop boxes for confidential sources and whistleblowers offer a good level of security and, for higher-risk materials, anonymity.

Some digital drop boxes allow sources to send documents to journalists, and continue communicating with them, without revealing their identity. They may make use of the Tor network, or a dedicated operating system. There are a number of drop box systems available. SecureDrop, and the GlobaLeaks platform are used by a number of media and civil society organizations internationally.

11. Understand the country, regional, and international legal and regulatory frameworks for protecting confidential sources and whistleblowers.

Sources and whistleblowers enjoy the right to impart information, but their legal protection when publicly disclosing information rests especially on the public’s right to receive it.

12. Encourage news publishers to practice their responsibility to provide proper data security for journalists, sources, and stored materials, along with appropriate training and policies to guide journalists.

Ensure that your organization has an appropriately integrated strategy for defending digital security that recognizes the implications for confidential communications with sources and whistleblowers (i.e. there is a need for a holistic approach that integrates analogue safety, digital security, legal policy, and training). If you are a freelance journalist, contact your trade union or an NGO working in this space (e.g. Blueprint for Free Speech or The Signals Network) for assistance.

Illustration of whistleblower protection by Arthur Duarte used under a Creative Commons license.

Joshua Benton is the senior writer and former director of Nieman Lab. You can reach him via email ( or Twitter DM (@jbenton).
POSTED     Jan. 16, 2019, 11 a.m.
Show tags
Join the 60,000 who get the freshest future-of-journalism news in our daily email.
Are you willing to pay for Prepare to be asked before year’s end
The cable news network plans to launch a new subscription product — details TBD — by the end of 2024. Will Mark Thompson repeat his New York Times success, or is CNN too different a brand to get people spending?
Errol Morris on whether you should be afraid of generative AI in documentaries
“Our task is to get back to the real world, to the extent that it is recoverable.”
In the world’s tech capital, Gazetteer SF is staying off platforms to produce good local journalism
“Thank goodness that the mandate will never be to look what’s getting the most Twitter likes.”