Tuesday, April 3, 2018

Solving the First Contact Problem


The first contact problem is the problem of making initial contact with a confidential source. Maybe you are a journalist reaching out to a potential source within a government agency, or maybe you are a whistleblower reaching out to an investigative journalist. Perhaps you work for a major corporation and want to provide information about high level criminal activity to the police or to a regulatory agency.

Any identified link between the source and a person in the investigative agency (be that a journalist at a news agency or a government investigator) puts the source at risk. If you call the New York Times and arrange to meet with a reporter, your telephone records show that initial contact. If you send an e-mail from your corporate e-mail account to a government agency asking for a meeting, your IT Department may be able to see that connection or even have a copy of the e-mail. Is your initial contact with a government agency subject to being released in a Freedom of Information Act (FOIA) request? Sure, an investigative file may be confidential, but did that initial e-mail requesting a meeting get added to the file? If you mail a letter to an organization, are you sure that it will only be opened by the addressee? Administrative offices may open some incoming mail, and how many secretaries open and even respond to mail addressed to their bosses? The US Postal Service photographs the outside of all mail. Could copies of those photographs be obtained to make a list of return addressed?

This is the first contact problem. You must ensure that establishing contact with a source does not leave clues that can later be used to identify that source. Ask yourself, what resources does the opposition have to identify your source (e.g., legal, financial)? How likely is it that anyone will make an effort to identify the source of a leak? (Very likely? Not at all?) What are the potential consequences for your sources if they are discovered?

An article, by Micah Lee, in the Intercept from 2014 discusses how Edward Snowden worked to resolve the first contact problem when contacting Laura Poitras.

Based on the capabilities of those attempting to identify your source and the likely consequences for your source if identified, consider which channels are appropriate for your communications. For example, if you are concerned about an organization with few resources to investigate, then your sources have a lot of options for communicating with you; anywhere outside of work. If the potential investigator is from a large government agency, however, chances are that agency has resources for investigating the leaked information, so your source needs to be very cautious.

A major news agency, investigative reporters, a police department, a government agency that might receive reports from outside sources, should all consider having a way for potential confidential sources to contact them securely and anonymously. The New York Times is a good example of an organization that provides a number of ways to communicate with them confidentially.  


 Ask yourself these questions:
  • How can someone outside of your organization send you an encrypted e-mail?
  • Is there a way for a potential source to speak with you on a secure telephone line?
  • Can you exchange encrypted messages with a potential source?
  • Is there a way for a potential source to provide you with a large number of documents or files securely?

There is no one perfect way to communicate with confidential sources (if there was then everyone would use it). What is important however is to have a number of secure communication channels available for potential sources to use. Remember that while a source may possess valuable information, he or she may not possess any technical skill or tradecraft allowing him or her to get that information to you securely. Keep this in mind as you develop your solution to the first contact problem.


No comments:

Post a Comment

Note: Only a member of this blog may post a comment.