Assume You're Being Watched: A Journalist's Guide to Source Security
Years ago, I was working as a newspaper reporter in West Virginia when the Pittsburgh Post-Gazette broke a major story about WVU. Former Governor and Senator Joe Manchin's daughter, Heather Bresch, had risen through the ranks at Mylan Pharmaceuticals to CEO, but when the reporters checked her published bio, they found a problem. Bresch had claimed a degree from WVU that didn't seem to exist. The reporters checked with the school, but instead of confirming the truth, they schemed to retroactively protect Bresch by claiming the degree was valid. Several university officials resigned in the wake of the Post-Gazette's stories.What stands out to me most of all, though, is a side story in the entire saga. At one point, the reporters met with confidential sources in a busy McDonald's in Morgantown. They were overheard talking, and the sources were identified and exposed. For all the Post-Gazette's stellar work, this particular episode was a spectacular failure of source security.
Journalists have an ethical obligation to protect their sources and to minimize harm. This isn’t controversial, but too few really understand what that takes, particularly in the modern era. Your sources’ identities can be exposed through a single careless tap, a convenient default setting, or an adversary’s ability to reconstruct who you’ve been talking to through a variety of data points. Even if you don't choose to talk to them in a McDonald's. If you work with sensitive sources, and you probably do, assume you are being watched. Start building habits now that hold up under pressure, not just in ideal conditions.
When talking about security, we start with threat modeling — what we’re trying to protect, who might target it, how they could do it, and how likely and costly those outcomes are. Start by asking yourself who might want your sources' identities, what powers they have, and what your security weaknesses are. For many reporters, the biggest risks are metadata and physical compromise. Metadata is the “who/when/where/how” around your communications. These could be actual call logs, message headers, location history, Wi-Fi associations, contact graphs, and device identifiers. Even if your message content is encrypted, metadata can still sketch the contours of source relationships with enough detail to reconstruct the source's identity. Physical compromise — such as a seizure, search, or compelled unlocking — makes the process even simpler.
Reduce what your devices retain. Turn off cloud backups for sensitive apps, disable message previews on lock screens, and limit notification content (see this story about Signal notifications on Apple devices). Audit app permissions. Microphone, camera, location, Bluetooth, and contact access should be granted only when needed and revoked when not. Keep your operating system updated. Most real-world compromises exploit known vulnerabilities, not zero-day exploits or state-level hacking. However, LLM-based and other artificial intelligence solutions are rapidly changing the landscape, so assume your devices are never secure at baseline.
Use strong authentication, but avoid biometric locks for high-risk work. Biometrics are convenient, yet in many jurisdictions, you can be compelled to unlock with a fingerprint or face, and your biometric markers can be used while you’re unconscious or restrained. Prefer a long passcode (more than four digits), ideally alphanumeric (not just numbers), and set the device to lock immediately when closed. Enable full-disk encryption (modern iOS and Android do this by default, but only if a passcode is set) and make sure the device requires the passcode after reboot. If your phone is taken, the difference between “locked” and “locked with a strong passcode” is often the difference between inconvenience and catastrophe. Apple devices have stolen device protection. Turn it on. You can also set a delay before security settings can be changed.
For communications, use end-to-end encrypted messaging. Signal is a common choice for sensitive conversations because it’s designed to minimize what it can learn about you and supports features like disappearing messages. Still, disappearing messages are not magic. Screenshots, secondary devices (such as having Signal on your phone and computer), and backups can still preserve content. Treat encryption as one layer in a broader plan. When exchanging documents, encrypt files before sending. Use tools that support modern encryption and strong passwords (or even better, passphrases), and share the password out of band. For email, encrypted services like Proton can help, but remember, email is fundamentally metadata-rich and often long-lived. Proton also offers encrypted document storage and encrypted video calls.
A VPN can be useful, but keep expectations realistic. A VPN hides the destination of your traffic from the local network (hotel Wi-Fi, cafés, possibly the ISP) and shifts trust to the VPN provider. It does not make you anonymous, and it won’t protect you if your device is compromised or if you log into identifiable accounts while using the VPN. Use a reputable paid service with a track record of independent audits (Proton and Mulvad are two currently recommended by most security experts), and treat it as security hygiene, not invisibility.
The safest communication channel is sometimes no channel. High-risk sourcing often benefits from meeting in person, without bringing a primary smartphone. Phones broadcast identifiers and can be tracked through cellular networks, Wi-Fi probing, Bluetooth beacons, and location services. If you must meet, choose a location that reduces surveillance opportunities, vary routines, and avoid discussing sensitive details while transiting or if other people are around. Consider using a dedicated “clean” device for certain work, kept separate from personal accounts, contacts, and habitual locations. But again, be careful where you meet.
Assume surveillance is both digital and physical. Practice basic surveillance detection: notice repeated vehicles, unfamiliar people mirroring your route, or patterns around your home and workplace. Digitally, watch for sudden battery drain, unexpected heat coming from your devices, new device admin apps, configuration profiles you didn’t install, or logins from unfamiliar locations. These signals are imperfect, but they are prompts to slow down, change plans, and consult a security professional if needed. If physical surveillance is a real possibility in your threat model, take some time to learn how to execute a surveillance detection route.Finally, operational security is a team sport. Agree with editors on what you will record and what you won’t. Document secure workflows and digital security policies, train for them, and rehearse worst-case scenarios: device seizure, account takeover, and legal demands. Tools do matter, but habits protect sources.
If you want a deeper dive, here are a few good resources.
WIRED Staff
