Most sources are not exposed by a broken encryption algorithm. They are exposed by metadata (who contacted whom, when, and from where), by a device that was already compromised, or by a careless habit on either end. Strong tools matter, but they only help if the whole chain holds.
First contact
- Offer a channel that hides metadata, not just content. A newsroom SecureDrop instance (or Signal with disappearing messages) protects far more than email or a phone call, which leave a clear record of who talked to whom.
- Publish how to reach you securely — and let the source make the first move from a device and network you do not control, so the initiation is on their terms.
During the relationship
- Minimize what you collect. The safest record is the one that was never made. Avoid logging the source’s identity where you do not have to; prefer disappearing messages for routine coordination.
- Strip metadata before you handle documents. Photos and office files can carry GPS coordinates, device IDs, and author names. Remove them before sharing internally.
- Assume either device could be watched. If a source may be on a monitored phone, plan around it — and never have them remove suspected spyware in a panic, which can tip off a watcher and destroy evidence.
Storing and preserving what you receive
Encrypt material at rest, limit who can open it, and keep an honest record of how it was handled. If a document may later need to stand up — in a legal challenge, or against a claim that it was altered — preserve the original untouched and work from copies. Done right, that record is court-ready; a court, not the journalist, decides admissibility.
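The two handling steps above, stripping metadata before sharing and preserving the original while working from copies, can be combined for a photo. The following is an added example, not part of the original checklist: it covers JPEG files only (office files need a different tool), and the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import struct

# Segments that commonly carry identifying metadata:
# APP1 (EXIF/GPS, XMP), APP13 (IPTC/Photoshop), COM (free-text comments).
DROP_MARKERS = {0xE1, 0xED, 0xFE}
SOS = 0xDA  # start of scan: compressed image data follows, copied verbatim

def strip_jpeg_metadata(data: bytes) -> bytes:
    """Return a copy of a JPEG with the metadata segments above removed."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    out = bytearray(data[:2])
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"malformed segment at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:
            out += data[pos:]  # scan data through the end of the file
            return bytes(out)
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(data):
            raise ValueError(f"truncated segment at offset {pos}")
        if marker not in DROP_MARKERS:
            out += data[pos:end]
        pos = end
    raise ValueError("no image data found (missing SOS marker)")

def working_copy(original: bytes) -> dict:
    """Hash the untouched original, then derive a stripped copy from it."""
    stripped = strip_jpeg_metadata(original)
    return {"original_sha256": hashlib.sha256(original).hexdigest(),
            "working_sha256": hashlib.sha256(stripped).hexdigest(),
            "working_bytes": stripped}

def build_segment(marker: int, payload: bytes) -> bytes:
    """Build one JPEG segment: 0xFF, marker, big-endian length, payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: structurally valid segments, not a viewable photo.
SAMPLE = (b"\xff\xd8"
          + build_segment(0xE0, b"JFIF\x00" + bytes(9))
          + build_segment(0xE1, b"Exif\x00\x00constructed-gps-and-device-id")
          + build_segment(0xFE, b"constructed author comment")
          + build_segment(0xDB, bytes(65))
          + b"\xff\xda\x00\x02\x12\x34\xff\xd9")
```

Recording both digests in the handling log ties each working copy to the preserved original, whose bytes are never modified.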
The legal reality
Technical care is not a legal shield. There is no federal reporter’s shield law in the United States, and protections vary by state. Tools reduce the metadata that can be subpoenaed; they do not eliminate legal exposure. When the stakes are high, pair this checklist with a media lawyer.
When you need forensic help
To verify whether a source channel or device was actually compromised — or to preserve a leaked document defensibly — a credentialed examiner can help without exposing the source. See source protection & digital forensics for how that works, and free expert help for no-cost first options.
















