If you have information for a possible story, ONLY reach out via the app Signal. (Signal works like any other text-based messenger.) That’s because, even if you reach out with Signal later, if you’ve used something else first, the trace of that “something else” remains. Signal doesn’t leave anything behind to be found.
Send possible story information from a personal device that doesn’t have any software from your employer on it. Brandon’s number is 740-505-0038. If your information is a matter of national security, skip down to the special starred section. If it’s not “NatSec” but you still want to try to remain anonymous, read the three pointers herein:
1. Again, don’t reach out over any channel other than Signal.
2. Think about who has access to what you need to share. If only, say, three people have access, you face much greater odds of being discovered than if 40 people can access the material. In the former case it might be easier to pass along a description of what I (Brandon) should ask for in a Freedom of Information request. Unless you think it’s so egregious that the material is at risk of being destroyed or hidden if I asked for it or eventually sued for it.
3. If you’re preparing sensitive documents to send, every move on a computer or smartphone—printing, emailing, copying to a flash drive—leaves a digital trace that can be found later with enough expertise. So, try to only make these moves from devices or accounts that would make the moves in the course of normal work. Then we’ll discuss how long is feasible to wait to publish, so as to lose the signal your adversaries want amid the noise of business.
*****If your information is a matter of national security*****
…You’ll attract the attention of investigators that are far less bound by public law and far more well-equipped with forensic and surveillance tools. Thus you’ll have to take additional precaution. Don’t send information or documents immediately. It’s more secure to arrange an in-person meeting with security safeguards built into the meeting itself. Using Signal on a personal device should be an adequate way to set up that meeting. (Just so long as the device isn’t likely to have been compromised with targeted surveillance prior to this exchange. In that case, maybe use a non-NatSec friend’s device for the contact.) Please remember that if you haven’t downloaded Signal some time ago, the time stamp of downloading it just prior to our contact could be used to identify you. Again, the phone of a distant friend could come in handy. Prior to meeting, Brandon will ask:
1. Whether you have document evidence
2. What you think the document(s) show(s)
3. Whether you obtained them via work, or otherwise how you obtained them
If you have had PGP/GPG set up for some time and you’re fully certain that no machine on which your private key has been stored has been the recipient of malware… I suppose you can send me an encrypted email. Just be aware that it’s difficult to ensure the absence of malware at any point your private key has been on a machine.
For truly secure transmissions, I have another key whose public portion has not been on public servers and can find a way to relay that to you. But here is the fingerprint of the public key I make available for reasonably secure messages:
828F D717 DDD3 7D96 577A 3ACD 3F8E C591 9DB6 D943
My address again is hey -at- brandonsmith -dot- com.
Look forward to hearing from you.