Security news that informs and inspires

Privacy & Security Challenges in Investigative Journalism


Last week, I attended the talk, Privacy & Security Challenges in Investigative Journalism, hosted as part of the University of Michigan speaker series, Dissonance: Conversations at the Confluence of Technology, Policy, Privacy, Security & Law.

The talk featured two guest speakers, Knight-Wallace journalists Bastian Obermayer and Laurent Richard, moderated by Gautam Hans, Clinical Fellow in the U-M School of Law.

Bastian is the deputy head of the investigative unit at Süddeutsche Zeitung in Munich - he is also the reporter initially contacted by the anonymous source of the Panama Papers. Laurent is investigative reporter and editor-in-chief at Premières Lignes Télévision in Paris. He leads investigations into dictators in the Caucasus region and Central Asia.

How do privacy and security concerns affect your current, ongoing investigations?

Now with technology, there are many more possibilities to encrypt and secure communication. But the government also has the best tools to track and surveil journalists, as well, as Laurent pointed out. He was concerned about what would happen in the U.S. in regards to privacy and safety of journalists and sources.

The main concern is known as the “first contact” problem - you may lose or risk losing your job if you send an initial email to a journalist. It’s best to know how to secure oneself from the very first point of contact to avoid exposing oneself as a source.

According to Bastian, during the Panama Papers project before publication, there was an entire team dedicated to only this project, working in a room without any Internet contact whatsoever. His boss used faxes and other low-tech ways to work and communicate with his team. They had to work an entire year in secrecy, using PGP (Pretty Good Privacy) - a protocol for encrypting email communication using public key cryptography.

There are monetary costs involved with ensuring private and secure communication for journalists and their sources - it can be expensive and difficult to design secure systems. Plus, there is the human cost that requires a lot of training and retraining. One point of weakness can jeopardize the investigation and reporting, whether from the government, private entity or competitor.

Safety means nothing if just two people don’t respect the chain of security, according to Laurent. He suggests talking about the most sensitive things in person, one on one, as well as establishing some type of code in order to privately communicate with your contacts.

Another caveat is, many companies will track sources and fire them to set strong examples and a precedent to discourage employees from talking to journalists.

Additionally, if your source has sensitive information on the server of his or her company, don’t let them send it to his private email. If you ask them to send the information to his private email, you could be named an accomplice in the crime of stealing information from a company. Make sure to ask your source how they are procuring the information and if they are doing it in a legal way.

What kind of tools do you advocate using for other journalists and sources?

According to Laurent, PGP for email communication, Signal and Wire for encrypted chat. Most big newsrooms like The New York Times or The Washington Post use SecureDrop via Tor. SecureDrop is the open-source whistleblower submission system that media organizations can use to secure accept documents from and communicate from anonymous sources, according to

Back in 2014, Duo hosted a Duo Tech Talk featuring guest speaker Runa A. Sandvik who was working at the Freedom of the Press Foundation at the time. She is now the Director of Information Security, Newsroom at The New York Times. In her talk, she described how Tor and SecureDrop work - check out Encryption Works: A Look at Tor and SecureDrop to learn more.

While using certain tools can make communications between journalists and sources safer and more difficult to surveil, no method is 100 percent safe. Again, as Bastian said, it is sometimes safer to meet in real life. It can also be wiser to stay in the dark - it can be safer to not know the name of your source, so there is no way a journalist could accidentally leak it.

According to Bastian, during an investigation abroad, their team had to buy burner phones for Russian sources to use for a limited amount of time. There is always going to be a balance between safety and productivity - trying to find that balance between security and usability is a constant issue.

There have been advances in tools and security technology that address that issue. Two-factor authentication is one good example of that. And while PGP sounded complicated in the beginning of Bastian’s career, he learned how to use it.

How do you prepare for legal, government or company pressure?

They must employ a lawyer to reply to company lawyers. And oftentimes, they have to cut many news articles due to legal issues, according to Bastian. They also must hire international lawyers to address issues abroad, which is extremely expensive. The biggest fear for a small newspaper is that legal fees would be the end of the paper - one mistake could end the history of a longstanding newspaper.

According to Laurent, one strategy used to shut journalists down is to arrest and sue them. The state of France used their best lawyers to sue him personally. The main signal the government was sending to international reporters was, don’t come to our country to write these stories; look at what happens to journalists in France.

Bastian and other reporters bought insurance to protect themselves in case they got sued, as private citizens. For other reporters, this is warning, as they can be sued individually for anything they write as journalists, and their newspaper can fire them, forcing them to show up in court and pay a lawyer on their own. Many insurance companies do not want to insure journalists in the event of libel cases.

The Panama Papers

Finally, Bastian was asked to describe the Panama Papers briefly for anyone that wasn’t aware of the incident.

He received a leak of 11.5 million financial and legal documents that belonged to a law firm in Panama revealing offshore companies that were technically legal, but used for financial crimes, such as drug cartels, tax evasion, human trafficking, the mafia, etc.

They found a lot of politicians, head of states, and political family members implicated in the papers. There were massive demonstrations, many officials had to resign or step back, new laws and policies were established, etc.

Due to the size and gravity of information, it was shared with many other news organizations worldwide that published their stories on the same day.

Future Events

The Dissonance speaker series explores topics related to technology, law, privacy and security. To stay informed of upcoming Dissonance events, you can sign up for their email list.