Session notes from the Investigative Practice Series
Chair: Gill Phillips
Director of Editorial Legal Services, The Guardian
Journalist, academic and author of Blacklisted
Investigations Editor, Computer Weekly
Senior Research Fellow, Reuters Institute for the Study of Journalism, Oxford
The need for stronger protection for whistleblowers is regularly discussed but far less attention is given to addressing the dangers of whistleblowing before the decision to raise concerns has even been made. How can we help those who want to speak up about corruption or abuse to do it in ways that minimise these dangers before it’s too late? And ways that maximise the chances of getting a good outcome for both journalist and source?
In this session, Investigative Practice aimed to move beyond general calls for whistleblower protection after the fact to identify more effective and safer methods for divulging information in the public interest.
"We’ve seen overreach of national security and anti-terrorism law in combination with the surveillance state, bringing disruption to the practice of investigative journalism and enormous risks to journalists and their sources."
While working on the UNESCO report ‘Protecting Journalism Sources in the Digital Age’, Julie Posetti has documented an increase in the undermining of source protection legislation and structures in the UK, US, EU, Australia and elsewhere. This threatens not only the confidentiality of journalist-source relations, but also leaves journalists and sources prone to criminal sanctions and imprisonment; financial sanctions such as loss of income, employment and opportunities; and in certain situations where journalists are reporting on national security agents or conflicts, the risk of kidnap, torture or targeted murder. This obviously produces a chilling effect that deters journalists from working on sensitive stories and sources from speaking to journalists in the first place.
Though there is a level of legal protection for sources in most jurisdictions, in practical terms there will still be a lot of pain for both journalists and sources. There’s a pressing need for both to be tech savvy before the fact, which is the Catch 22 in this situation.
"Whistleblowers tend to come to reporters at the end of a long, stressful and damaging internal process."
Blowback and risk can be interpreted slightly differently, for instance the example of Phil Saviano. There’s a scene in the film Spotlight in which Saviano arrives at the Boston Globe offices with boxes of source material and is asked why he hadn’t come in before. Saviano has to explain that he had approached the newspaper previously but wasn’t believed in large part because of his vulnerability.
Are we equipped to deal with people who have been damaged by their experiences in this way as journalists? Traditionally, journalists tend to approach a source quite coldly. Are we equipped to take on a duty of care, especially with mentally vulnerable and damaged whistleblowers.
The NHS seems to be especially bad in terms of how they treat those who raise issues internally. Often the reporter is the last person a whistleblower will come to, so there’s a need for journalists to prepare for this kind of ‘pastoral care’ as well as digital security care. But there’s also a duty of care to yourself as a journalist due to the kind of stress that comes from taking on this role.
Several questions arise around morality in these relationships:
- How far does the motive and background of the source matter?
- What ethical responsibilities does the journalist have for the source?
- Where does that ethical responsibility end?
There will always come a time when a journalist will need to find the point in which to step away from this relationship and say ‘I need to write what I need to write’ whether or not that’s what the source wants to tell you.
"If you blow the whistle it’s a life-changing decision, which is why Public Concern At Work’s advice is generally ‘don’t blow the whistle’."
Whistleblowers are different from confidential sources. They are often very traumatised people and see things through a traumatised lens, even when they appear to be very together. It can often be like being a counsellor, the main need of many whistleblowers is for someone to listen to them and journalists often end up taking on this pastoral role in which there are dangers from both taking on stress and getting too close to a story. The key thing for the journalist is to get hold of the documentary evidence, but they should bear in mind that there’s almost always a difference between what the whistleblower sees through their traumatised perspective and what’s in the documents.
The surveillance of whistleblowers and journalists is also very worrying. There have been several reports proving that the security services and police are targeting both for surveillance, including the 2015 report from the Interception of Communications Commissioner which revealed that police forces have used the RIPA legislation to spy on 82 journalists and 200 sources suspected of being in contact with the media.
Some good advice was given to Bill Goodwin at the first LOGAN Symposium by the New Zealand investigative journalist Nicky Hager: “If you’re meeting a source, you don’t ring them, you don’t text them and you don’t take your phone with you, that’s pretty simple. If you contact your source by phone you’re a bloody idiot these days.”
This is not just good advice when meeting a source, but it can apply to meeting your legal editor too. In Gill Phillips’ experience, for instance, similar measures were required when she met Ewen MacAskill in Hong Kong and was briefed on the Snowden case in a concrete park without any kind of electronic devices with them. These are basic journalistic toolcraft, but the pace of recent technological change in society has produced new context which takes some adjusting to.
Most concerning from a legal point of view is that with the passing of the Investigatory Powers Act, the state no longer needs to request source material from journalists, they can go straight to a telecommunications provider and request details of communications without the journalist or newspaper ever having any knowledge of either the request or the release of information. Under the previous legislation, PACE, while not a perfect situation, journalists and publishers at least knew what was being requested and were afforded the opportunity to make a case in court for refusal.
The Signals Network is a foundation which provides resources and support for both sides of this equation, helping media to work better with whistleblowers in France, UK, US, Germany and Spain. They provide their media partners with contacts of lawyers who work pro bono to advise whistleblowers pre-publication and can pay legal fees post-publication.
This can help in situations where paying for legal advice for whistleblowers can present a conflict of interest for a media organisation or where the legal team of a publisher is not in a position to provide independent advice to the whistleblower. It’s important, for both sides, to remember that the journalist’s interests are not always the same as the whistleblower, even though sources will often look to the journalist as their protector. Journalists need to be very wary about putting themselves too much in that position.
From the perspective of a media legal team, it can be difficult to strike a balance between directing a whistleblower to a place that can provide practical independent advice, while ensuring that they’re not dissuaded from blowing the whistle entirely. There’s not many places which can provide advice that strikes that balance and The Signals Network is trying to address that shortfall.
With regards to the motives of whistleblowers, Marty Baron of The Washington Post argues that it’s the duty of the journalist to look at the public interest in the information being provided, while it’s the work of civil society and the editorial page to examine the motives.
Q What should be the priority of concern between the risks of prosecution from the state, or physical harm from organised crime?
A From Posetti's experience within the Australian context, organised crime is becoming more and more problematic. While there’s a lot of awareness about the need to mitigate the threat of digital surveillance to sources and whistleblowers when working on national security-oriented stories, this is less well recognised when investigating organised crime. The technology and techniques available for digital surveillance are becoming cheaper, more user friendly and increasingly ubiquitous. Due to this, the threat to confidentiality of communications within organised crime reporting has become just as important to be aware of and develop countermeasures to as it is on the national security beat.
It depends to some extent on the national context, the political context and the nature of the story. However, one of the points that underpinned Posetti’s work was that reporters cannot reasonably argue that they’re just a sports reporter so have no need to increase their level of digital security because if they’re reporting on international football, or the Olympics, then there are real and credible digital surveillance risks that stem from links between those industries and organised crime. The same can be said of the fashion industry; organised crime connections exist with some of the international fashion houses as well as in the clothing manufacturing industry.
This territory constantly intersects so there is a need for every journalist, no matter what beat or patch they work on, to increase their base level of information security to get as clean as it practically can be. It is possible (though not necessarily advisable) to reduce your level of digital security while working on an investigation, but it is often almost impossible to effectively increase it after your work has begun.
Border crossing is a particular risk. Mohammed Rabbani spoke at the Symposium about his involvement in a situation in which Schedule 7 anti-terror legislation was used against him to attempt to force him to provide the passwords to his devices to law enforcement. There is a provision in the Regulation of Investigatory Powers Act that makes withholding a password in such a situation a ‘strict liability offence’ meaning it is an immediate criminal offence which carries a potential prison sentence.
The other problem with source protection in the technological age is that the authorities view a computer or a phone as one item, so all information can and will be collected from them. In the pre-digital context, authorities raiding a journalist’s office could be told that certain files contain journalistic material and would therefore be required to place that into what was colloquially called a ‘blue bag’ which would then be sealed. That seal could not be broken unless there was an independent lawyer present to go through the material and assess it.
That’s no longer possible when all kinds of information is stored on a single device and a journalist can’t argue that certain elements of the stored data are journalistic and therefore should require independent assessment. The only way today’s journalists can guard against this is by taking precautions before they find themselves in a situation where they’re faced with this problem.
Remote collaboration between journalists and whistleblowers across borders is another area where these issues can cause problems. There are secure tools available but journalists should take notice of which national jurisdictions the servers for such tools are based in, and check what restrictions or obligations there are on companies in those jurisdictions to hand over or allow access to servers to government authorities and security services.
There is an encroaching sense of danger to journalists from both the state and organised crime, particularly with the murder of Daphne Caruana Galizia in Malta a year ago, of Ján Kuciak in Slovakia in February and the recent murder of Viktoria Marinova in Bulgaria.
In the UK, the state is far more likely to attempt to crush the source rather than target the journalist. There are at least some protections for reporters here, but the state cannot allow it to be seen in any sense as easy to pass information to journalists. This is complicated by both the bleedover from other areas into organised crime, but also by the change in definition of what a reporter is, especially in the current context where so many are working as freelancers or in other contexts where they won’t necessarily have the protections afforded to them by the organisation that is publishing their work. That’s why some of the organisations represented at this Symposium who are working to address that lack of protection are so important, but in this context where the source will be the target, the protection of that source is absolutely fundamental.
Relevant legal cases
Goodwin was the subject of long-standing jurisprudence around source protection in the European Court of Human Rights case, Goodwin Vs the UK.
A little over three months into Goodwin’s first job as a journalist, he was contacted by a confidential source with information about the financial difficulties at a software company called Tetra Business Systems. Upon contacting the company for comment, Goodwin received a fax outlining a superinjunction against publication of the story, but also any mention of the injunction itself. Goodwin was forced to break the law in telling the NUJ about the situation and became the subject of civil litigation, the hearings for which took place in camera , excluding both the press and public.
During the court of appeal hearing Lord Donaldson requested that Goodwin put his notebook in a sealed bag, which would be opened if the appeal was lost, thus revealing the identity of the source and there were threats to obtain a search order for Goodwin’s flat. He enlisted the help of a friend who visited the flat and took everything that could be compromising for source protection to an undisclosed location, known to no-one else, including Goodwin.
The case eventually reached the ECHR, where the company had a right to send Goodwin to jail. In the end they declined to, ostensibly as ‘a gesture of humanity’, but in reality to avoid the negative publicity that would come from the company being named.
The other relevant ECHR case involving UK media is Interbrew SA Vs. Financial Times Ltd. and Others, which highlighted the pressure that this puts on the relationship between journalist and the organisation as there was a threat that the court would impose a £5,000 rolling fine for each day that a document that had been passed to journalists was not turned over. The lesson of this is the need to separate out responsibilities; with the journalist taking responsibility for the protection of the source’s identity, so that the organisation can legitimately deny knowledge of that identity. If the editor knows, then the organisation knows and this can make the situation more difficult. Even more important is not to disclose the identity or pass source material to an organisation’s legal team, as lawyers are bound by duties to the court that do not apply to journalists.
There is also a need to be aware of the risk of making a moral judgement to release notes, documents or the identities of sources in certain cases but not others. If a journalist releases such information in a case where they feel it is morally right to do so, this can leave them in a much more difficult position in future cases where the moral judgement seems less clear cut.
There are also questions around where lines need to be drawn. Many journalists would see it as acceptable to buy a drink for a whistleblower, or buy them dinner, put them up in a hotel or even buy a burner phone, but as you go further in this escalation you start to push against the boundaries of acceptability and put yourself of legal risk in terms of incentivising a source to provide a story. Phillips was involved in a case where the journalist had bought a burner phone for a source and the state argued that constituted bribery. In the end, it was proved that the purchase happened a considerable time after the contact between them began so the charge was undermined, but the case highlights how careful journalists need to be with their relationships with sources.
Q What measures can be taken to mitigate the risk of being prosecuted for refusing to disclose a password or decrypt files?
A There are some simple measures, such as splitting a password or asking someone else to set a new password when you are at particular risk (for instance, when crossing borders) so that you know only half of or only an old password and are literally unable to decrypt files when requested to.
There are also technological measures that can be taken, for instance setting up an encrypted file with ostensibly sensitive documents within, as well as a hidden encrypted drive in which to place the documents you are really worried about others accessing. In that case, you can then comply by revealing the password of the first encrypted drive, without compromising the actual confidential information you are storing or carrying. The TAILS system has a function dedicated to this purpose.
Q What resources and support are available for freelancers on these issues?
A The Journalists in Distress Network is a group of 18 international organisations who provide journalists with resources, help and referral services on both legal and technical issues regarding source protection. The Committee to Protect Journalists lists the organisations and how they can help.
The National Union of Journalists can provide members with advice and representation on issues such as protection of sources, production order applications and seizure of materials/equipment and restricted reporting orders.
The Media Legal Defence Initiative can provide training, advice, representation and in some cases funding to help with legal costs to journalists bloggers and independent media outlets around the world. They also run Media Legal Defence Centres in several countries.
The Signals Network is a foundation which provides resources and support for both sides of this equation, helping media to work better with whistleblowers in France, UK, US, Germany and Spain.
The Centre for Investigative Journalism can provide one-to-one guidance for journalists in securing their data and communications and run a drop-in information security clinic for all delegates at their Summer Conference and the Logan Symposia. They have also published several video tutorials on using encryption and information security tools.
The CryptoParty movement is a decentralised, global initiative organising free and open events where digital privacy rights are discussed and open-source anti-surveillance tools are taught.
The Freedom of the Press Foundation offer guides and training in digital security. They also support Signal, the end-to-end encrypted private messaging app, and SecureDrop, the anonymous secure whistleblowing system.
The Electronic Frontier Foundation run the project Surveillance Self-Defense providing tips, tools and how-tos for secure communications and data.
Whistleblowers and sources: some useful references and resources
Compiled by Gill Phillips
Universal Declaration of Human Rights (UDHR) 1948
Articles 8 / 10 of the European Convention on Human Rights 1950/1953
Articles 17/19 International Covenant on Civil and Political Rights (ICCPR) 1966/1976
Committee of Ministers Recommendation No. R (2000) 7 on the right of journalists not to disclose their sources of information
CoE Parliamentary Assembly Recommendation 1950, Final version, The Protection of Journalists’ Sources, 2011
CoE Parliamentary Assembly Resolution 1729 (2010) and Recommendation 1916 (2010) “Protection of “whistle-blowers”
Committee of Ministers’ Recommendation CM/Rec (2014)7 to member States on the protection of whistleblowers adopted on 30 April 2014
Committee of Ministers’ Recommendation CM/Rec (2016)4 to member States on the protection of journalism and safety of journalists and other media actors
Declaration of the Committee of Ministers on the protection of journalism and safety of journalists and other media actors (Adopted on 30 April 2014)
CoE Parliamentary Assembly Resolution 2045 (2015) on Mass Surveillance
Feb 2017 : Dr Judith Townend and Dr Richard Danbury IALS Report : ‘Protecting Sources and Whistleblowers in the Digital Age’
Julie Posetti : UNESCO - Protecting Journalism Sources in the Digital Age
Reporter’s Committee Compendium Guide on Reporter’s Privilege in the US
Council of Europe Factsheet on Whistleblowers and their freedom to impart Information
European Court of Human Rights Factsheet on Protection of journalistic sources
Carlo, S. & Kamphuis, A. (2016) Information Security for Journalists, Version 1.3, The Centre for Investigative Journalism
Endert, J. (2017) Digital security resources, DW Akademie
OSCE Safety of Journalists Guidebook, 2nd Edition 2014
This discussion was part of the Investigative Practice series at the Logan Symposium, Oct 2018