File:Deep throat garage.jpg

Source Handling is the practice of protecting confidential sources while verifying their information. It's the foundation of investigative journalism.

• Protection is paramount: Never burn a source
• Verification is mandatory: Trust but verify, always
• Compartmentalization is survival: What you don't know can't be compelled
• Documentation cuts both ways: Protect your notes like your sources depend on it

Before accepting any information:

1. Who are they? Position, access, potential motivations
2. What do they want? Recognition, revenge, public interest, money
3. Can they deliver? Do they actually have access to what they claim?
4. What's the risk? To them, to you, to the story

For initial contact:

• SecureDrop (news organization hosted)
• Signal (verify safety number)
• ProtonMail to ProtonMail
• Air-gapped systems for high-risk sources

Never:

• Regular phone calls
• Unencrypted email
• Work devices
• Social media DMs

• Meet in person when possible
• Public place, not their workplace or yours
• No phones (both parties)
• Explain ground rules before any information changes hands
• Document the meeting immediately after, securely

For sensitive claims, seek independent corroboration:

1. Source provides claim
2. Second source confirms independently
3. Documentary evidence supports both

One source can be wrong. One source can lie. Three sources rarely align on a false narrative.

Physical documents:

• Examine paper, printing, formatting
• Check dates against known events
• Look for anachronisms
• Compare to verified samples

Digital documents:

• Check metadata (but know it can be manipulated)
• Verify file creation dates
• Look for signs of editing
• Cross-reference content with known facts

Everyone has reasons. Understanding them helps assess reliability:

Motivation	Reliability Concern	Mitigation
Public interest	Generally reliable	Verify independently anyway
Revenge	May exaggerate/fabricate	Extra corroboration required
Career protection	May have limited view	Seek broader perspective
Financial gain	High fabrication risk	Documentary proof essential
Ego/recognition	May embellish	Stick to provable facts

Establish clear procedures:

• Regular check-in schedule (or no schedule at all - depends on risk)
• Code words for emergency contact
• Signal/verification protocols for voice calls
• Backup communication methods

Within your organization:

• Minimize who knows source identity
• Use code names in internal communication
• Separate identity from information in your files
• Editor may need to know; others don't

Ongoing sources require ongoing evaluation:

• Has their access changed?
• Are they under investigation?
• Have their motivations shifted?
• Is the relationship becoming unsafe?

Physical notes:

• Encrypted storage
• Off-site backups
• No identifying information in plain text
• Secure destruction when no longer needed

Digital records:

• Encrypted drives (VeraCrypt, LUKS)
• Air-gapped storage for highest-risk sources
• No cloud storage for source-identifying information
• Consider disappearing messages for routine communication

• Strip metadata from shared files
• Be aware of timing patterns in communication
• Vary contact methods and schedules
• Assume your communications may be monitored

For high-risk situations:

• Vary routines when meeting sources
• Check for physical surveillance
• Use burner devices for sensitive contacts
• Know your legal situation (shield laws, etc.)

Many jurisdictions protect journalist-source privilege:

• Federal: No federal shield law (DOJ policy offers some protection)
• New York: Strong shield law, absolute privilege
• California: Constitutional protection
• Texas: Qualified privilege

Know your jurisdiction. Protection varies widely.

If subpoenaed or facing legal compulsion:

1. Consult legal counsel immediately
2. Explore all appeal options
3. Warn source if legally possible
4. Document your decision-making process
5. Be prepared to face consequences

Some journalists have gone to jail rather than reveal sources. Know your limits before you're tested.

Signs a source may be compromised or fabricating:

• Story too perfect - fits narrative exactly
• Unable to provide documentary evidence
• Pressuring for publication before verification
• Claiming exclusive access but information appears elsewhere
• Inconsistencies when asked for details
• Unwillingness to explain how they know something

• Never promise what you can't deliver
• Confidentiality agreements are binding
• "Off the record" must be agreed before information is shared
• Clarify terms: off the record, on background, deep background

Sources can use journalists:

• Leaking for political purposes
• Floating trial balloons
• Damaging competitors/enemies
• Building cover stories

Be useful for the public interest, not someone's agenda.

• Maintain professional distance
• Don't become friends (makes decisions harder)
• Don't promise outcomes
• Don't share details of other sources

• PGP - Encrypted communication
• Threat Modeling - Assessing risks
• Digital Security Incident Runbook - When things go wrong
• FOIA - Public records (the non-confidential kind)
• Journalism - Broader journalism practice

• CPJ Journalist Security Guide
• Freedom of the Press Training
• Reporters Committee for Freedom of the Press

Journalism & Investigations
Core	Journalism · Investigations · Source Handling
Methods	FOIA · Data Journalism · Dataviz · Documentation Discipline
Tools	ArchiveBox · Scrapbook-core · Personal APIs
Culture	Hacker Culture · PGP Communication Guide

Security & Opsec
Crypto	PGP · PGP Communication Guide · Key Management
Incident	Security Incident Runbook · Threat Modeling · Account Recovery
Hardware	Flipper Zero · HackRF · Yubikey
Culture	Hacker Culture · Operational Security