Ensuring sensitive materials are stored safely.
As a journalist you will be recording, storing and transmitting a large amount of material. Some of this material may be sensitive.
If so, you should take measures to ensure that sensitive materials are stored safely and do not put you or your sources at risk.
Best practice: securing your materials
- Look at the content of your material and assess whether it could put you or your sources at risk.
- Assess whether the identity of the person you are in contact with could put either you or them at risk.
- Think about your storage options. You should weigh up whether it is safer to keep your materials online (in the cloud) or on hardware such as a hard drive or USB. Read our guide on Encrypted Cloud Services.
- Consider the best options for transmitting or sending material. Do not send sensitive material or material that you do not want made public via social media sites. See our guides on Encrypted Messaging Apps and Encrypted Email.
- You may wish to encrypt your material. Please read our guide to Encrypting your Devices and Encrypting Files.
- Learn about metadata and how it can put you at risk. Metadata is information about data. Examples of metadata could include the time, location, and contact details of both a sender and recipient of an online message. See our section on metadata below.
Sharing a file privately
You may need to share a sensitive file with others over the Internet, which could put you and others at risk. Below are some tips on how to share files more securely.
1. Setting up an anonymous email account:
You may want to set up an email address that is not linked to your identity. If you do this the person you are writing to should also set up an account that is not linked to their identity.
- Research your email service provider. Use an email service provider that is not located in your or your contact’s jurisdiction.
- Ensure that the email service provider’s host country has strong privacy laws and check what information the company records and keeps on your activity. This is known as metadata and can include information such as your IP address. You want the company to keep as little metadata on you as possible.
- Check that the company uses an SSL connection. This means that the communication back and forth between you and the site is encrypted. Type in the web address of the site you want to check here. The checker will report the site's SSL details. An A or B rating is what is needed.
- Use a Virtual Private Network (VPN) when connecting to your anonymous email server and only access this account on an Internet connection that cannot be linked to you, for example, outside your home and/or office. Please see our guide, You and the Internet, for information on VPNs.
- Check how much email storage the email service provides and assess if it is adequate for your needs.
- Encrypt documents and files. See our guide to Encryption.
- Never link the account to any of your other accounts or use it for any other purpose. Always delete the account when you have finished using it.
2. Using a temporary file sharing service
If you don’t want to set up an anonymous encrypted email account and you cannot meet someone in person then you might want to use a temporary file sharing service. These allow you to send a file without linking it to your identity.
Commonly used temporary file sharing services include:
Your files can store information such as your name or initials, the name of your company or organisation and/or personalised information about your computer. They can also hold details about networks or other computers from which files have been copied, the names of any file editors or contributors, plus your editing history.
Images and video contain a lot of data about the kinds of cameras used, plus the time, date, and sometimes the location, that the image or video was created. Your computer and/or phone will contain information on you that is stored in files.
Note: if working on a sensitive story, use a device that is not associated with you.
Test to see what metadata is stored in documents and photos by uploading them to Exifdata. Do not upload any sensitive materials to the site; instead use a file that does not contain important content.
You can check the metadata of photos taken with your iPhone using an app for iOS:
You can check the EXIF metadata of an image file found on the Internet via an add-on available for the Chrome and Firefox browsers:
You can also take steps to remove the metadata from materials. The following can be used to do this:
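To make the image metadata described above concrete, here is an added example. It is not one of this guide's recommended tools and not code from the guide. It walks the segments of a JPEG file, reports the ones that carry metadata (EXIF, comments, other application data) and returns a copy without them. The sample bytes and the choice of which segments to keep are assumptions made for this illustration.

```python
import struct

# APPn segments decoders rely on; every other APPn segment and COM is dropped.
KEEP_APP = {0xE0, 0xE2, 0xEE}  # APP0 JFIF, APP2 ICC profile, APP14 Adobe

def strip_jpeg_metadata(data: bytes):
    """Return (cleaned_bytes, removed); removed lists (marker, label, length)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    out, removed, pos = bytearray(data[:2]), [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: compressed pixels follow, copy the rest as-is
            return bytes(out + data[pos:]), removed
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("truncated or corrupt segment")
        segment = data[pos:pos + 2 + length]
        if marker == 0xFE or (0xE0 <= marker <= 0xEF and marker not in KEEP_APP):
            label = segment[4:].split(b"\x00", 1)[0][:16].decode("ascii", "replace")
            removed.append((hex(marker), label, length))
        else:
            out += segment
        pos += 2 + length
    raise ValueError("no image data (SOS marker) found")

def _seg(marker: int, payload: bytes) -> bytes:
    """Build one JPEG segment: FF, marker, 2-byte length, payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed JPEG skeleton (not a viewable picture) with made-up metadata.
SAMPLE = (
    b"\xff\xd8"
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(0xE1, b"Exif\x00\x00" b"CONSTRUCTED-GPS-AND-CAMERA-FIELDS")
    + _seg(0xFE, b"edited by A. Reporter")
    + _seg(0xDB, bytes(65))
    + b"\xff\xda\x00\x02\x12\x34\xff\xd9"
)

if __name__ == "__main__":
    cleaned, removed = strip_jpeg_metadata(SAMPLE)
    for marker, label, length in removed:
        print(f"removed segment {marker} ({label!r}), {length} bytes")
    print(f"{len(SAMPLE)} bytes in, {len(cleaned)} bytes out")
```

This only covers JPEG segment metadata; office documents, PDFs and video store their metadata differently and need their own tools.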
Keeping materials safe on your devices
a) Permanently Erase Files:
Material that you delete from your trash bin stays on your hard drive and can be recovered. To ensure that material is permanently deleted you will need to wipe the file. There are a number of tools that you can use to do that.
Tools for permanently erasing files:
b) Remote Wiping:
There may be times when your device is taken or lost. To protect your material and data and to minimise risk, you should remotely wipe your computer. See our guide to Computers for information on how to do this.