The primary objective of this paper has been to provide an overview of the legal and technical infrastructure that shapes the practical requirements for source protection in the age of digital communications. In the preceding section, I presented some tools and approaches for protecting source communications in the context of the two primary use cases for journalists: linkable and unlinkable sources. While the above discussion is not exhaustive, evaluating source communications within a framework of linkability does offer a valuable mechanism for designing digital communication solutions for journalists.
Integrating the strategies discussed above into the current workflow of journalism is no small task, and the suggestion to do so is not made lightly. I do believe, however, that this integration is both necessary and feasible, and will outline some possible approaches to it below. Before elaborating on these further, however, it is worthwhile to consider some of the additional advantages that these source-protection methods offer to journalists and their organizations.
Verification–the process of confirming one’s ownership of a particular digital identity–is an essential aspect of encrypted digital communications. But verification has an additional value for journalists–the ability to protect their reputations in the case that one or more of their digital identities (e.g., email, Twitter, or Facebook accounts) are compromised. Digital signatures, for example, can be attached to emails whether they are encrypted or not, and, for all practical purposes, these signatures cannot be forged. If an account is hacked remotely, the attacker will not be able to replicate the digital signature, immediately tipping off any recipients that the communication is not genuine. Likewise, one can message essential contacts from a new account and they will be able to confirm it is really “you” by checking the signature.
Conversely, verification also supports the possibility of working with truly anonymous sources. Over time, the handles and email accounts used by such a source may change, but as long as the digital signature remains consistent, one can be confident that the person (or, in some cases, organization) on the other end of the exchange is the same.
On an organizational level, this can be achieved by implementing a tool like SecureDrop
Moreover, a source wishing to make secure contact can do so by encrypting a message with the journalist’s public key. This message could be an email or even a file that the journalist is directed to by another means. Whether sent from a throwaway email address or posted anonymously, that information will only be accessible to the journalist for whom it was intended.
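The verification argument above (a signature that stays consistent while handles and accounts change, and that an attacker holding only the account cannot reproduce) can be made concrete. The following is an added example, not part of the original paper: it assumes Ed25519 as a stand-in for whatever signature scheme is actually in use, and the function names, key labels and message text are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Fingerprint is the hex SHA-256 of a public key, recorded at first verified contact.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// SameSource accepts a message only if pub matches the pinned fingerprint and
// verifies sig. The sender's handle or address is deliberately not an input.
func SameSource(pinned string, pub ed25519.PublicKey, body, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || Fingerprint(pub) != pinned {
		return false // unknown or substituted key
	}
	return ed25519.Verify(pub, body, sig)
}

// keyFrom derives a deterministic demo key (constructed); real keys come from
// ed25519.GenerateKey with crypto/rand.
func keyFrom(label string) ed25519.PrivateKey {
	seed := sha256.Sum256([]byte(label))
	return ed25519.NewKeyFromSeed(seed[:])
}

// Demo reports acceptance for: new account, hijacked account, altered text.
func Demo() (newHandle, hijacked, tampered bool) {
	src, atk := keyFrom("constructed source key"), keyFrom("constructed attacker key")
	srcPub := src.Public().(ed25519.PublicKey)
	atkPub := atk.Public().(ed25519.PublicKey)
	pinned := Fingerprint(srcPub)
	body := []byte("same source, writing from a new account")
	sig := ed25519.Sign(src, body)
	forged := ed25519.Sign(atk, body) // attacker holds the old account, not the source's key
	return SameSource(pinned, srcPub, body, sig),
		SameSource(pinned, srcPub, body, forged) || SameSource(pinned, atkPub, body, forged),
		SameSource(pinned, srcPub, append(body, " (edited)"...), sig)
}

func main() {
	fmt.Println(Demo()) // true false false
}
```

The check is only as strong as the first contact: the fingerprint has to be recorded through a channel the recipient already trusts.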