How to safely send sensitive files to CBC News
From encrypting emails to protecting yourself
Over the past year, CBC News has worked carefully and diligently on top secret government documents leaked by U.S. whistleblower Edward Snowden.
Protecting sources and documents has always been a vital part of what we do, but the extreme care demanded by the Snowden stories boosted CBC's know how and tools for handling ultra-sensitive information.
As a result, the public broadcaster is better equipped to keep sources and files as safe and secure as possible. In a digital world, this task can be increasingly difficult.
So, we wanted to outline the ways you can send sensitive information to CBC News — and also give you some tips on protecting yourself.
As you read, keep in mind the nature of the documents or information you have. Not all security and privacy measures may be necessary.
How to send sensitive files
CBC is equipped to handle and store even the most sensitive files. A number of our reporters know how to encrypt their emails. We have an air-gapped laptop — isolated from the network — that allows us to give maximum protection to documents. A safety vault can safeguard USB flash drives and other memory devices containing sensitive files.
But first, we have to get the files. Here's a few ways to safely send them to us.
Snail mail and paper files
Sometimes the old-fashioned approach can be the best.
For decades, journalists have been receiving manila packages stuffed with paper documents sent from anonymous sources. If you go this route, you might want to use a different post office than your usual one and write a false return address (if you need to remain anonymous to the journalist).
But be careful to triple check the sending address since it can't be returned. And beware that choosing to keep your identity secret even from the journalist might create difficulties verifying the document and telling the story.
Snail mail and electronic files
You can also mail an envelope with the documents in electronic format, either on a USB flash drive, CD or DVD. This is ideal when dealing with large volumes of information.
If you are concerned about privacy, you may want to purchase the flash drive, CD or DVD with cash. If you are also worried about the package being opened in transit, you can save your files in a Tails operating system and then later contact the journalist with the password they need to open the files.
Electronic transfer
There are ways to securely transfer files using email, but they require several layers of protection. If there's a low-level of risk involved, it may suffice to set up a separate email account using a false name. For extra security, do so while using either public Wi-Fi or a browser like Tor that hides the identity of its users.
To add a layer of security, get a PGP key so you can send encrypted emails. Once you have that, you can send files via encrypted email.
One possible tool you can use is Onionshare. The free software, which was recently developed by a staff technologist at the U.S. news site The Intercept, allows you to anonymously email documents to a reporter. Only the sender needs to download the software, but both users must use the anonymous Tor browser.
The sender uploads the file onto a temporary protected site, then sends the URL and password for that site to the recipient, ideally in an encrypted email or instant message. The recipient simply visits the URL and downloads the file. Then the sender can just shut down the server. One disadvantage is that both the recipient and sender need to be online at the same time.
Contacting reporters
The most common ways to get a hold of reporters are by phone and email. But to protect your anonymity and ensure there's no record of extremely sensitive information, arrange a face-to-face meeting, with mobile phones or recording devices left at home.
A number of CBC News reporters use email encryption so the content of the message can't be revealed without knowing their personal key.
Using email encryption allows you to communicate securely with CBC journalists. But keep in mind that your email address and subject line are still visible to those viewing metadata or via access-to-information requests.
Alternately, you can set up a separate email account to communicate with the reporter. Just make sure not to log into the new account while logged into your regular email account. And whatever you do, don't contact the reporter from your work computer. For maximum security, visit a Wi-Fi hotspot such as a café.
Here's a list of CBC reporters who use PGP email encryption (listed in alphabetical order, by last name):
Tips for protecting yourself
Strip hidden data from documents
If you are sending an electronic file, it's important to know that there's a wealth of invisible data linked to the document. For example, a Microsoft Word document might have metadata that includes mundane details such as file size and date of the document's creation, but also more revealing information such as the author, the person who most recently modified the file and any tracked changes to the material.
The simplest way to strip such data is to print the document, scan it and then send the scanned version. Various programs — such as Microsoft Word — have menu options that enable you to remove personal information.
There are also tools that remove metadata in batches of documents. Converting a Word document to a PDF can also help. But be careful: these tools may not remove all the metadata.
How to hide your documents
Once you have the documents in hand, you want to be able to protect yourself and keep the files safe. There are ways to hide the files both on your own computer and on a USB key, DVD or other memory device if you want to transport them to someone. Tails is an operating system that can hide itself on your computer without a trace and keeps your files encrypted. You need to install Tails on a memory device, such as a USB key. That key can then be used on any computer. It leaves no trace of the operating system or any changes made to files contained within it.
These sites also have handy tips on how to protect yourself and send sensitive files to journalists:
- Electronic Frontier Foundation: Surveillance self-defence: Want a security starter pack?
- U.S. National Security Agency's guide to redacting with confidence
- How to leak to The Intercept