Store sensitive materials safely.
As a journalist you will be recording, storing and transmitting a large amount of material – some of which may be sensitive.
If so, take measures to ensure that this material is stored safely so you do not put yourself or your sources at risk.
Best practice: securing your materials
- Look at the content of your material and assess whether it could put you or your sources at risk.
- Assess whether the identity of the person you are in contact with could put either you or them at risk.
- Think about your storage options. You should weigh up whether it is safer to keep your materials online (in the cloud) or on hardware such as a hard drive or USB. Read our guide on Encrypted Cloud Services.
- Consider the best options for transmitting or sending material. Do not send sensitive material via social media sites. See our guides on Encrypted Messaging Apps and Encrypted Email.
- You may wish to encrypt your material. Please read our guide to Encrypting your Devices and Encrypting Files.
- Learn about metadata and how it can put you at risk. Metadata is information about data, and examples could include the time, location and contact details of both sender and recipient of an online message. See our section on metadata below.
Sharing a file privately
You may need to share a sensitive file with others over the internet, which could put you and others at risk. Below are some tips on how to share files more securely.
1. Setting up an anonymous email account
You may want to set up an email address that is not linked to your identity. If you do this, the person you are writing to should also set up an account that is not linked to their identity.
- Research your email service provider. Use one that is not located in your or your contact’s jurisdiction.
- Ensure that the email service provider’s host country has strong privacy laws and check what information the company records and keeps on your activity. Metadata can include information such as your IP address – you want the company to keep as little on you as possible.
- Check that the company uses an SSL connection. This means that the communication back and forth is secure. Type in the web address of the site you want to check here to check the SSL details of the site. An A or B rating is what is needed.
- Use a Virtual Private Network (VPN) when connecting to your anonymous email server and only access this account on an internet connection that cannot be linked to you; for example, outside your home and/or office. Please see our guide, Navigating the Internet, for information on VPNs.
- Check how much storage the email service provides and assess if it is adequate for your needs.
- Encrypt documents and files. See our guide to Encryption.
- Never link the account to any of your other accounts or use it for any other purpose. Always delete the account when finished using it.
2. Using a temporary file sharing service
If you don’t want to set up an anonymous encrypted email account and you cannot meet someone in person, then you might want to use a temporary file sharing service, which can’t be linked to your identity.
Commonly used temporary file sharing services include:
Your files can store information such as your name or initials, the name of your company or organisation and/or personalised information about your computer. They can also hold details about networks or other computers from which files have been copied, the names of any file editors or contributors, as well as your editing history.
Images and video contain a lot of data about the kinds of cameras used, plus the time, date, and sometimes the location, that the image or video was created. Your computer and/or phone will also contain information on you that is stored in files.
Note: if working on a sensitive story, use a device that is not associated with you.
Test to see what metadata is stored in documents and photos by uploading them to Exifdata. Do not upload any sensitive materials to the site; instead, use a file that does not contain important content.
You can check the metadata of photos taken with your iPhone using an app for iOS:
You can check the exif metadata of an image file found on the internet via an add-on in Chrome and Firefox:
You can also take steps to remove metadata from materials. The following can be used to do this:
- For Microsoft Office, use Document Inspector.
- For Android photos and video use ObscuraCam.
Keeping materials safe on your devices
a) Permanently erase files
Material that you delete from your trash stays on your hard drive and can be recovered. To ensure permanent deletion, you must wipe the file.
Tools for permanently erasing files:
b) Remote wiping
If your device is taken or lost, you should remote wipe your computer. See our guide to Computers for how to do this.