In source protection, first create a threat model.
A threat model is a way of organizing "who to protect from, what to protect, and to what degree."
The risk changes depending on whether the source is an employee, public official, activist, or whistleblower. The necessary measures also change depending on whether the adversary is an individual harasser, a corporate investigation department, or a state agency.
If you choose tools without a threat model, you may protect the wrong thing.
Who to protect from
First, think about who may try to identify the source.
Different actors can see different information, use different methods, and have different investigative capabilities.
Actor
What they can do
Workplace supervisor or colleague
Use work records, departmental information, and who knew the information
Company or organization
Use access logs, material viewing history, and internal investigations
Litigation opponent
Seek disclosure of records, pressure people involved, and collect evidence
State agency
Use communication records, device seizure, and broad investigations
Online attacker
Collect posting history, social media, images, and public information
The same measure cannot defeat every actor.
Deciding realistic threats first helps avoid both excessive measures and insufficient measures.
What to protect
Next, separate the assets to protect.
Protecting only "the source's name" is not enough. The fact of contact, the fact of accessing materials, the fact of being in a specific department, the place where something was photographed, writing style, and time are also things to protect.
Asset to protect
Specific examples
Identity
Name, face, affiliation, contact information
Fact of contact
When and with whom contact happened
Origin of materials
Creator, viewers, access permissions
Behavior time
Sending time, capture time, login time
Characteristics in the article
Internal circumstances, distinctive expressions, position
Sources may be suspected even if their names do not appear.
If only a few people can see a material, the type of material itself becomes a strong clue.
Through which paths information leaks
There are multiple leak paths.
Communication, files, article content, sharing inside the newsroom, and post-publication reactions. Any of them can be used to get closer to identifying the source.
Path
Information leaked
Contact method
Email, DMs, call history, IP, time
Files
Metadata, creator, edit history, capture information
Who reacted, who stayed silent, internal organizational investigation
Think about countermeasures for each leak path.
Even if or SecureDrop is used, it does not help if the article body reveals the source.
A common misunderstanding here is thinking that protecting only the communication channel protects the source.
A safer contact method is important. However, the contact method is only one part of source protection.
For example, even if a source sends materials through an anonymous submission form, the origin can be narrowed down if creator names, department names, edit history, or recipient-specific watermarks remain inside the materials.
If the article body says "according to a person who attended this meeting," candidates may be narrowed from the participant list inside the organization.
Place you thought you protected
Remaining danger
Anonymous form
Metadata or content of the sent material can reveal the source or origin
Encrypted messaging
Device notifications, contact time, and the other party's logs remain
Pseudonymous email
Writing style, attachments, and creation environment can narrow the source or origin
Anonymous wording in article
Testimony content or position narrows candidates
In source protection, contact paths, materials, article text, and post-publication reactions need to be reviewed together.
Separate risk levels
Not every reporting project needs the same strength of measures.
Risk differs between a light local topic and organized crime, corruption, national security, or whistleblowing.
Risk
Situation
Required way of thinking
Low
Reporting based on public information
Basic checks and consent
Medium
Testimony from someone requesting anonymity
Management of contact paths, quotations, and attribute information
High
Internal materials or reports of wrongdoing
Dedicated paths, material management, and preventing article content from allowing the source to be inferred
In high-risk reporting, it is also important not to proceed on your own judgment alone.
A structure for consulting the newsroom, specialists, legal advice, and security staff becomes necessary.
What to decide before reporting
Create the threat model before reporting, not after reporting.
Once you contact someone through real-name email or a social media DM, that trace cannot be erased later. If you upload materials to an everyday cloud account, logs and sharing history remain.
What to decide before reporting
Reason
Contact method
First contact is especially likely to become a trace
How to receive materials
Manage metadata and sharing history
Storage location
Limit the access scope inside the newsroom
Handling of quotations
Prevent the witness from being inferred from the wording
Publication timing
Avoid correlation with internal organizational investigations
Before telling a source "please send it for now," decide how you will receive it.
What to consider when turning information into an article
Work to protect the source does not end when information is received.
At the writing stage, decide how much detail that points to the source should remain. Separate information readers need from information that endangers the source.
For example, an industry such as "medical institution," "local government," or "logistics company" may be needed to explain whistleblowing content. However, it is not always necessary to include a specific branch name, meeting date, job title, number of people, or internal-only name.
Information in the article
What to check
Job title or department
Whether candidates narrow to a few people
Date and time
Whether it can be compared with access logs or meeting records
Appearance of materials
Whether recipient-specific watermarks or version numbers are visible
Quotation
Whether person-specific wording remains
Publication timing
Whether it overlaps too strongly with internal investigations or events
Blurring information for source protection may reduce the article's persuasiveness in some cases. When that happens, treat what to keep and what to remove as an editorial decision.
Writing "requested anonymity" is not enough. The article needs to be shaped so readers and people involved cannot infer who the anonymous person is.
Explain precautions to the source too
Source protection is not completed by the reporter or newsroom alone.
If the source uses a dangerous contact method, reacts on social media after publication, or tells people nearby, protection becomes weaker. For that reason, in high-risk reporting, explain minimum precautions to the source as well.
What to explain
Reason
Avoid everyday devices and workplace networks
They remain in internal logs or device management
Do not send materials as-is
Metadata and watermarks remain
Do not react too much after publication
They may be suspected as someone involved
Do not talk to people nearby
Information spreads from the person consulted
Do not change the contact path
Leaving the safer path increases traces
To protect sources, you need to share what kinds of actions are dangerous for the other person.
Summary
Protecting sources requires a threat model.
Organize who to protect from, what to protect, through which paths information leaks, and how strong the risk is.
Sources may be suspected even if their names do not appear.
Candidates can narrow from contact time, material type, article details, and publication timing.
Before choosing tools, deciding the actor and information to protect is the starting point for source protection.
Related tools
Whistleblower submission
SecureDrop
An external resource related to this article. Open it only when it fits your situation and threat model.
Why it is listed: It can help with the article topic, but it is outside Anonymity Sense and should be checked before use.