When thinking about protecting sources, you may first imagine not naming them in the article.
But that is not enough.
Sources are inferred not only from names in the article text, but also from contact paths, interview dates and times, material content, photo backgrounds, file metadata, and reactions after publication.
Especially in small organizations, whistleblowing, local communities, politically sensitive topics, and stories related to workplaces or schools, candidates can narrow just from "who knew that information."
This article organizes which information to look at and in what order when protecting sources.
Sources Are Inferred From More Than the Article Text
The first thing to look at in source protection is not whether a name appears directly in the article text.
How many people know that information? When, where, and with whom did contact happen? Within what range were materials distributed? Who will be suspected after publication?
This perspective is necessary.
Clue
Why the source is inferred
Information content
If few people know it, candidates narrow
Reporting date and time
Compared with work schedules, entry/exit records, and movement history
Place
People involved are inferred from the meeting place or region
Distribution scope of materials
Reveals who had the materials
Tone of quotation
Way of speaking and position remain
Photos and audio
Backgrounds, voices, reflections, and metadata become clues
In anonymity, even if a name is removed, "the person who could release this information" remains.
That is why the article needs to be reread from the source's position before writing.
Choose contact paths according to source risk
In source protection, the choice of contact method matters.
If you contact a source through the workplace email they normally use, records remain with the organization. If you use a social media DM, logs remain with the platform. If you use a phone, call history and cell tower information are involved. Even if you meet in person, movement history, surveillance cameras, and payment records remain.
Contact method
Information that remains
Caution
Workplace email
Send/receive history, attachments, search logs
Records are likely to remain with the source's organization
Real-world records remain even if nothing remains online
A safe contact method changes depending on the situation.
For low-risk reporting, ordinary contact may be enough. For high-risk reporting, after consulting an editor in charge or a trusted specialist, it may be necessary to use a dedicated intake point or anonymous submission system.
SecureDrop is an open source system for media organizations and NGOs to receive anonymous submissions. It assumes access through and metadata reduction, and is used by many media organizations for source protection.
However, even when using Tor or SecureDrop, the source may still be correlated through their device, files, behavior time, or submitted content. Tools are important, but the operation around them must also be considered.
Do not hide too little or too much about where materials came from
In reporting, you need to show the reliability of materials.
However, if you reveal too specifically where materials came from, the source is put at risk.
For example, writing "a document distributed at the department meeting on the morning of June 12, 2026" increases reliability. But if that meeting had few participants, the pool of possible sources narrows.
Information disclosed
Benefit
Risk
Specific date and time
Readers can understand the facts more easily
The pool of attendees or people with access narrows
Department name
The location of the problem becomes clear
The source's affiliation is inferred
Document number
Evidentiary value increases
Can be compared against distribution records or management history
Original quotation
The meaning of the statement is conveyed accurately
Speaking style and internal terminology remain
Material image
Persuasiveness increases
Watermarks, margins, layout, and metadata remain
Source protection does not mean weakening facts. It means choosing the necessary granularity.
Separate information needed to tell readers from information that only endangers the source.
Read from a third-party perspective before publication
The person who wrote the article becomes used to the clues.
Even if you think "this much will not reveal anything," people inside the organization, people in the region, or people involved may understand it.
Before publication, ask an editor who does not know the source or a trusted third party to read the article and check the following points.
About how many people the pool of possible sources narrows to
Whether dates, places, departments, and titles in the article text are too specific
Whether the tone of quotations or internal terminology reveals a person
Whether photos, PDFs, or audio contain metadata or background information
Whether publication time or the way follow-up reporting is released makes the source look suspicious
This is not censorship.
It is a check for delivering necessary facts to readers while protecting sources.
Do not break protection through replies after publication
Source protection continues after publication.
After the article is published, if the reporter adds too much on social media, information hidden in the article text may appear. Clues about the source may also be released through replies to inquiries, added explanations, lectures, podcasts, and email handling.
Post-publication action
Risk
Talking about background on social media
The timing or place hidden in the article text appears
Answering inquiries in detail
The reporting path or material scope leaks
Adding details in follow-up reporting
Information known only to the source increases
Getting heated during rebuttals
Unnecessary specific clues become easier to release
Replacing materials
Metadata remains in the new file
Post-publication handling is also part of source protection.
Look not only at the article body, but also at surrounding statements by the same standard.
Look at real-world records too
In source protection, focusing only on online communication causes blind spots.
If you met in person, station movement, entry/exit, payments, surveillance cameras, and hotel or cafe usage history remain. If you spoke by phone, call history and carrier-side records also matter. Even if a name is completely withheld online, the source may be suspected when real-world behavior overlaps with the article publication timeline.
Real-world record
Why to check it in source protection
Entry/exit records
Shows who was in a building and when
Payment history
Becomes a clue to meeting place and time
Surveillance cameras
Contact or movement may be recorded
Transit history
Unusual movement may remain
Call history
The person contacted and the time remain
For high-risk reporting, include real-world behavior in the threat model as well as communication paths, materials, and article text.
Summary
Anonymity for protecting sources is not achieved only by withholding names.
Sources are inferred from information content, contact paths, interview dates and times, distribution scope of materials, tone of quotations, metadata in photos and files, and post-publication statements.
Choose contact methods according to the source's risk. Systems such as SecureDrop and Tor Browser can be useful in some situations, but tools alone do not complete source protection.
Before publication, check from a third-party perspective how far the pool of possible sources narrows. After publication, avoid releasing unnecessary clues through social media or inquiry handling.
Source protection is not work done at the end of an article by withholding a name.
It is an operation that continues from the beginning of reporting through after publication.
Related tools
Metadata inspection
ExifTool
An external resource related to this article. Open it only when it fits your situation and threat model.
Why it is listed: It can help with the article topic, but it is outside Anonymity Sense and should be checked before use.
Source protection goes beyond hiding names: contact paths, reporting time, material content, backgrounds, metadata, and post-publication reactions can all identify sources.