Protecting Sources, Stories, and Yourself By Liz Howard, The Multiverse School
You are NOT "most people." When security experts say "this is probably fine for most people," they're talking about average users, not journalists. You face state-sponsored actors, corporate espionage, and targeted harassment. Your threat model is in the top tier.
Your sources' lives may depend on your security practices.
State-Level Adversaries: - NSA/Five Eyes surveillance - Foreign intelligence services - Law enforcement investigations - Court-ordered disclosure - Border searches - FISA warrants
Corporate Threats: - Private investigators - Corporate security teams - SLAPP suits with discovery - Hacked law firms - Competitive intelligence
Individual Threats: - Doxxing campaigns - Harassment networks - Source compromise - Metadata exposure - Physical surveillance
Security fatigue is real. You can't maintain perfect security 24/7, so:
You WILL be doxxed. Plan for it now:
[ ] Use verbal passwords with agencies
Financial Fortress:
[ ] Consider credit union over big banks
Document Security:
Confuse the bots and trolls:
[ ] Keep them semi-active
Poison the Well:
1. Daily Driver (Your regular phone/laptop): - Assume compromised - Never for sensitive sources - Public-facing work only - Full encryption enabled
2. Source Device (Dedicated secure device): - Never connects to personal accounts - Tails OS or GrapheneOS - Tor/VPN always - Different location use only
3. Burner Device (Disposable): - For high-risk temporary needs - Cash purchase, no activation - Destroy after use - Never bring home
Your Phone is a Hot Mic:
Daily Phone Security: - [ ] Keyboard apps spy - don't type keywords - [ ] Assume all apps can access all data - [ ] Lockdown mode when possible - [ ] Biometrics = legally compellable - [ ] Cover cameras when not using
Signal Configuration: - [ ] Disappearing messages ALWAYS for sources - [ ] Registration lock enabled - [ ] PIN reminder frequency to never - [ ] Screen security enabled - [ ] Relay calls through Signal servers
Location Discipline: - [ ] WiFi/Bluetooth OFF except at home - [ ] Yes, Bluetooth headphones identify you - [ ] Location services fully disabled - [ ] Airplane mode isn't enough
The Basics: - [ ] NOTHING plugs into journalism computer - [ ] Camera covered with tape - [ ] Microphone physically disconnected if possible - [ ] Full disk encryption mandatory - [ ] Separate user accounts for different work
Backup Strategy: - [ ] Daily to offline drive - [ ] Weekly to large memory card - [ ] Monthly mail backup to trusted friend - [ ] Multi-cloud with different emails - [ ] Test restore process quarterly
Never Compromise at First Touch: - SecureDrop for anonymous tips - Signal with disappearing messages - Separate device for source comms - Meet in person when possible - Assume all digital = recorded
Compartmentalization is Key: - One source = one device ideally - Never mix source pools - Different passwords per source - Separate encrypted volumes - Regular security reviews with sources
The Printer Problem: - [ ] Printers add tracking dots - [ ] Reality Winner was caught this way - [ ] Use DEDA to add noise - [ ] Better: Don't print sensitive docs - [ ] Best: Old printers from flea markets
The Golden Rules: 1. Separate device (never your main) 2. Different location (never home/office) 3. Different network (never your WiFi) 4. Different habits (posting times, style) 5. Never cross the streams
Device Selection: - [ ] Secondhand older phone - [ ] Factory reset twice - [ ] No SIM activation - [ ] WiFi only (public/borrowed) - [ ] Wear mask if using FaceID device
Location Discipline: - [ ] Pick dedicated "posting location" - [ ] Never bring device home - [ ] Store in separate location - [ ] Different transport route - [ ] Cash for everything
Digital Hygiene: - [ ] No weather apps (location) - [ ] No personal accounts ever - [ ] Different email per identity - [ ] VPN + Tor for all access - [ ] Regular device rotation
48 Hours Before: - [ ] Scout location without devices - [ ] Memorize routes (no Google Maps) - [ ] Identify safe houses/exits - [ ] Coordinate with legal support - [ ] Prep all equipment
Device Decisions: - [ ] Leave primary phone at HOME (not car) - [ ] Bring only burner if needed - [ ] Hidden cameras > obvious ones - [ ] Memory cards, not WiFi/Bluetooth - [ ] Faraday bag for transport
The Stingray Problem: - Assume IMSI catchers present - All phones in area surveilled - Airplane mode insufficient - Better to have no phone - If livestreaming, accept compromise
Alternative Comms: - [ ] Mesh networking (Meshtastic) - [ ] Pre-arranged signals - [ ] Dead drops for footage - [ ] Courier handoffs - [ ] Time-delayed publishing
Immediate Actions: 1. Don't go straight home 2. Check for physical surveillance 3. Transfer footage to secure device 4. Wipe/destroy burner devices 5. Debrief with team securely
When You Need Different Voice: - Speech Conversion Tools - Coqui TTS for generation - Amphion Toolkit for processing - Real-time vs. post-processing - Test with voice printing tools
What VPNs Actually Do: - Hide IP from websites (not governments) - Prevent ISP data collection/sales - Change apparent location - That's it.
What VPNs Don't Do: - Make you anonymous - Protect from state surveillance - Hide traffic patterns - Prevent browser fingerprinting
Best Practice: - Mullvad VPN (accepts cash) - VPN + Tor, not VPN alone - Different VPN per identity - Assume VPN provider compromised
Avoid: - Zoom → Use Jitsi - Gmail → Use ProtonMail - Dropbox → Use Tresorit - WhatsApp → Use Signal
More alternatives: prism-break.org
Never: - Use your Amazon account - Use credit cards - Buy from big box stores - Create patterns
Always: - Pay cash at sketchy electronics stores - Buy at flea markets/yard sales - Use different locations - Vary purchase times - Consider proxy buyers
The Truth: - True burner phones barely exist - All phones have unique identifiers - Activation = identification - "Burner phone dealers" often compromised - Better: Rotating old devices
What Kills Sources: - Call records (who, when, duration) - Location data (where you met) - Message timestamps (patterns) - File metadata (creation, edits) - Network connections (IP addresses)
Every File, Every Time: - [ ] Photos: Remove EXIF data - [ ] Documents: Clear properties - [ ] PDFs: Sanitize with tools - [ ] Audio: Strip recorder info - [ ] Video: Remove all metadata
Tools: - ExifTool for images - MAT2 for multiple formats - PDF Redactor for documents - Metadata Cleaner for bulk
Daily (5 minutes): - Check device for new apps - Review recent logins - Clear browser data - Check for updates
Weekly (30 minutes): - Full device backup - Security news review - Source OPSEC check - Tool updates
Monthly (2 hours): - Threat model review - Complete security audit - Rotate passwords - Test disaster recovery
Warning Signs of Security Fatigue: - Skipping steps because "tired" - Paranoia affecting relationships - Not leaving house - Checking locks repeatedly - Isolating from colleagues
Recovery Practices: - Regular offline time - Security buddy system - Professional support - Boundaries with work - Exercise and nature
``` Before: □ Leave all devices behind □ Counter-surveillance route □ Cash for everything □ Meeting location secured □ Legal contact ready
During: □ No phones present □ White noise/music □ Visual surveillance check □ Note-taking discipline □ Establish future comms
After: □ Different route home □ Transcribe notes immediately □ Secure all materials □ Schedule followup □ Update threat assessment ```
``` Morning: □ Check overnight alerts □ Review day's risks □ Select appropriate devices □ Verify backups current
Workday: □ Source comms on secure device only □ Metadata stripped from all files □ Disappearing messages enabled □ Location services managed
Evening: □ Devices backed up □ Accounts reviewed □ Tomorrow's security planned □ All devices charging securely ```
Your security protects:
- Your sources' lives
- Your stories' integrity
- Democracy itself
- Future journalists
- The truth
You're not paranoid if they're really watching you.
Stay sharp. Stay safe. Keep reporting.
Secure support: liz@themultiverse.school
Private consultation: https://jitsi.themultiverse.school
The best security is the security you'll actually use.
Clear your browser history. Protect your sources. 📰
For Journalists Needing Untraceable Devices
Best for: Old laptops, printers, basic phones - Pay cash only - Different markets each time - Wear hat/sunglasses - No small talk about use - Test before leaving
Best for: USB drives, cables, accessories - The dustier, the better - Independent shops only - Cash transactions - Buy common items too - Never fill out warranty cards
Best for: Older smartphones, tablets - Meet in public places - Bring exact cash - Use different email each time - Factory reset immediately - Never meet near home
Best for: Diverse device selection - Negotiate prices down - Check multiple locations - Avoid shops with cameras - Don't provide ID - Pay cash only
Before Shopping: - [ ] Cash prepared (mixed bills) - [ ] Transportation planned - [ ] Cover story ready - [ ] Hat/sunglasses packed - [ ] Shopping list memorized
During Shopping:
- [ ] Stay in character
- [ ] No personal conversations
- [ ] Check for cameras
- [ ] Count change carefully
- [ ] Get generic receipt only
After Shopping: - [ ] Indirect route away - [ ] Check for surveillance - [ ] Remove batteries - [ ] Secure devices properly - [ ] Document nothing
Remember: The goal isn't perfection, it's breaking patterns and avoiding easy tracking. Every layer of anonymity costs your adversaries more resources.
"The best technology is technology they don't know you have."