How to Leak to the Press

Feels a bit overkill and way too identifying - security cameras + internet records + GPS locations will all help track you down, even if they are intermittent.<p>Buy a stack of envelopes from a supermarket. Buy a stack of stamps. Buy a USB. Acquire all with cash. Transfer all files to the USB via live CD - make sure all meta-data is stripped and files are redacted to avoid fingering you. Handle the envelopes&#x2F;stamps&#x2F;USB with care - gloves + hairnets + have a shower before handling (skin cells). Print the addresses (be careful here - printers sometimes put identifying marks - get the most common inkjet that doesn&#x27;t use dots). Print a message and stick it in the envelope - e.g. &quot;USB contains leaked NSA documents on massive domestic spying. Copy files to your computer then destroy and dump USB then burn the envelope to ensure your own security.&quot; Put the stamp on. Drop the letter in the mailbox - try and get a journalist&#x27;s home address, they&#x27;ll read it.<p>Repeat for multi-journalist dump.<p>Make sure you don&#x27;t lick the stamps and drop the letters off in physically separated postboxes without security cameras.<p>You <i>do not</i> want to be in constant communication with journalists&#x2F;people whilst doing any of this, because the more you talk with them, the more you leak. You want to just strip all identifying data, dump your leak, and run. This tactic has been used for ages to transfer sensitive data, most notably by kidnappers (ransom notes), spies (easy data transfer), whistle blowers (documents) and serial killers (think Ted Kaczynski).

This advice is dangerous, because the author fails to mention other precautions the user can and should take, such as:<p>* Use a Linux live CD on the &quot;burner laptop&quot; -- don&#x27;t trust the preinstalled OS<p>* Change the MAC address of the Wifi used to connect at the internet cafe<p>* Use Tor, most easily via the Vidalia browser bundle<p>The author also does not mention that leaking documents can expose the whistleblower via watermarking and user information embedded in the file (most infamously in MS Word documents with versioning).<p>Edit: update formatting

<i>...feeding the information to the phone company which retains this information for weeks, months, even years. Just a warrant-step away.</i><p>The warrant comment suddenly sounds old-fashioned.

FTA: &quot;There’s another option I didn’t originally mention here — leaking over mail. Investigative journalist Julia Angwin of the Wall Street Journal points out that physical mail, dropped in a random post-box with a bogus return address, is perhaps the best way for anonymous one-way communication.&quot;<p>DO NOT DO THIS! Every printer leaves a microscopic fingerprint on every printout. The printouts can be traced back to your printer. If it&#x27;s an office printer, that still narrows it down considerably.<p>Even electronic documents can have watermarks, etc. For photographs, there&#x27;s the EXIF information, for instance. If you want to share a photo, pipe it through &quot;djpeg | pnmscale 0.99 | cjpeg -quality 90&quot; first. It will get rid of EXIF, and also re-compress the image, changing its signature.

What about &quot;simply&quot; using DeadDrop?<p><a href="http:&#x2F;&#x2F;deaddrop.github.io" rel="nofollow">http:&#x2F;&#x2F;deaddrop.github.io</a><p><a href="http:&#x2F;&#x2F;www.newyorker.com&#x2F;online&#x2F;blogs&#x2F;closeread&#x2F;2013&#x2F;05&#x2F;introducing-strongbox-anonymous-document-sharing-tool.html" rel="nofollow">http:&#x2F;&#x2F;www.newyorker.com&#x2F;online&#x2F;blogs&#x2F;closeread&#x2F;2013&#x2F;05&#x2F;intr...</a><p>Or Retroshare:<p><a href="http:&#x2F;&#x2F;retroshare.sourceforge.net" rel="nofollow">http:&#x2F;&#x2F;retroshare.sourceforge.net</a><p><a href="https:&#x2F;&#x2F;retroshareteam.wordpress.com&#x2F;2012&#x2F;12&#x2F;28&#x2F;cryptography-and-security-in-retroshare" rel="nofollow">https:&#x2F;&#x2F;retroshareteam.wordpress.com&#x2F;2012&#x2F;12&#x2F;28&#x2F;cryptography...</a><p><a href="https:&#x2F;&#x2F;retroshareteam.wordpress.com&#x2F;2013&#x2F;01&#x2F;06&#x2F;privacy-on-the-retroshare-network" rel="nofollow">https:&#x2F;&#x2F;retroshareteam.wordpress.com&#x2F;2013&#x2F;01&#x2F;06&#x2F;privacy-on-t...</a>

In Russia you have to provide passport in order to buy a sim card.

Question about cash: do banks keep track of the bills that are dispensed through ATMs? If so, it&#x27;s probably safer to break your bills first.<p>Also, be aware of cameras near the internet cafes or places you intend to use the burner phone.

Love the quote &quot;Even the head of the CIA can’t email his mistress without being identified by the FBI.&quot; :-)

The leaking via gmail has an issue:<p>In many cases when creating a new gmail account, you have to provide a phone number for an automatic text verification code.

Pull the sim card, and smash THAT with a hammer. Don&#x27;t just smash the whole phone - you&#x27;re unlikely to destroy the sim card, which is the most incriminating part of your phone.

Or use a website that has an Anonymous Drop Box. Wikileaks did have one, but its no longer operational. I think a few mainstream media organisations copied the idea and claimed to have anonymous drop boxes?<p>e.g New Yorker has one, called Strongbox - <a href="http:&#x2F;&#x2F;www.newyorker.com&#x2F;online&#x2F;blogs&#x2F;closeread&#x2F;2013&#x2F;05&#x2F;introducing-strongbox-anonymous-document-sharing-tool.html" rel="nofollow">http:&#x2F;&#x2F;www.newyorker.com&#x2F;online&#x2F;blogs&#x2F;closeread&#x2F;2013&#x2F;05&#x2F;intr...</a> - powered by Tor, designed by Aaron Swartz and others, and open-sourced as DeadDrop <a href="http:&#x2F;&#x2F;deaddrop.github.io&amp;#x2F" rel="nofollow">http:&#x2F;&#x2F;deaddrop.github.io&amp;#x2F</a>;

Out of curiosity, why not just send a letter in the post?<p>Pretty hard to trace an anonymous letter.<p>EDIT: Just spotted the update. Question answered.

The Boston bombing also shows that you should cloak your identity physically. Hat and sunglasses at least. The one who didn&#x27;t hide his identity is the one who was easily identified.

This discussion revolves a lot around printer watermarking documents. It seems that it mostly concern color printers. Here is an advisory by the EFF which tested quite a few of them <a href="https:&#x2F;&#x2F;www.eff.org&#x2F;pages&#x2F;list-printers-which-do-or-do-not-display-tracking-dots" rel="nofollow">https:&#x2F;&#x2F;www.eff.org&#x2F;pages&#x2F;list-printers-which-do-or-do-not-d...</a>

Honest question: what prevents someone from feeding misinformation to the press if all IDE tidying info is stripped away? If the journalist has no way to contact you, why should they trust your leak? Could the FBI or NSA send out bogus leaks and the go after journalists that publish the fake info for revealing what they believed to be confidential information?

&quot;I don&#x27;t need to be fast. I just need to be faster than you!&quot;<p>Your trail-covering only needs to be better than the investigation capability of those who are investigating your leak.

Last time I purchased a prepaid cell phone, I had to show government photo ID. The RadioShack clerk entered my license number in a database.<p>So the burner phone may not be the best route.

A test would at least increase my confidence. I guess step 1 is to find something worth reporting, and the article pretty well demonstrates how hard that is.

&quot;When you are done you must [...] turn off the Wi-Fi before turning off the computer and removing the battery. The dedicated computer should never be used on the network except when...&quot;<p>This is silly on a &quot;behind 7 proxies&quot; level. Just go the library. If you&#x27;re worried that investigators are going to swoop down CSI style to track you down because of your important secrets, maybe you should speak to a psychiatrist.