A journalist friend of mine approached me with a question about whether it is smart or not to use encryption to secure email conversations with an anonymous source. In the article Story-Based Inquiry: A manual for investigative journalists by Mark Lee Hunter that he had read, the author claims that “secure email contact requires encryption, a method that stands out and can bring unwanted attention.” The author also points out that both the journalist and the source should “use mobile phones with prepaid cards”, and that the journalist should “lock up all material related to the source, ideally in a place that is not identified with yourself.”

While Mr. Hunter is right that encryption is the only way to truly secure email, his point about encrypted email standing out is only partly valid. If while looking through someones files, emails or computer in general, all an investigator can find is a single or maybe to-three encrypted emails or files among hundreds or thousands, then sure. That email or file is going to stand out like Rudolf’s big, red nose showing up at Easter. But if someone, like the journalist in this case, makes a habit of encrypting all his files and most of his email, then there will be a lot less suspicious about that one email to the anonymous source.

Another important point to remember though, is that the ‘to’ and ‘from’ addresses in emails cannot be encrypted. If they were, the email servers wouldn’t know where to send them or who the reply is going to. To cope with this, I would suggest opening anonymous accounts for both the journalist and the source so that the fact that the two people are communicating isn’t obvious. Then I would use encryption to secure the content of the emails. There are webmail services that offer both anonymity and encryption, but the encryption part can also be done offline by writing the content in a separate document/file, encrypt the file with your favorite crypto software, and just paste the ciphertext (the encrypted document/text) into the body of an email. This utilization of anonymous email accounts is equivalent to Hunter’s suggestion on using prepaid mobile phones.

There are several other issues to be aware of, though. For example, logging into a webmail service (or any mail service or other type of resource that requires authentication) can leave tracks on your computer which a skilled examiner can extract, forensically if so required. Necessary care should be taken whenever accessing an email account or any other resource that you don’t want to have associated to your name. (I’ll leave this for a later post.)

While I am on the subject, I would like to point out that if the journalist can find some way to solve the association issue, encryption can be employed to “lock up” any notes, documents, files, digital recordings or photos the journalist may receive from or create while dealing with the source. The same point about the single encrypted file standing out is valid for this material as well, but again – it’s hard to tell equals apart.

Issues like key how to exchange crypto keys/passwords and what encryption tool to choose are topics for later discussions. For now, if you have any questions or comments, feel free to post them right here at stigFromOslo.com.