One of the fundamental problems with digital is that there are a lot of things we can extract from the data that aren’t immediately obvious.
Always delete unwanted audio
Here is a simple example. An ambulance driver posted a video of him going to a scene, but to protect the victim’s privacy, he had lowered the audio of the video. He didn’t mute the audio, or better, deleted it. He just made it so low that you couldn’t really hear it.
Now, of course, anyone who has ever edited a podcast knows that this doesn’t do anything. If the audio is simply lowered, all you need to do is to import the file into your audio editor, and bring it back up again.
It takes two seconds to do, and suddenly there is no longer any privacy.
The same is true if you add something on top of the audio. If you are trying to hide a section of an audio track, you might add a beep on top of the file.
Normally, that masks the audio (all you can hear is the beep), but what you may not know is that a beep is usually limited to a specific frequency. So, again, all you need to do is to open your audio editor, identify where that beep is and delete just that part of it, and then level the remaining audio back up. Now, you have the audio in its original form … without any of the beeps.
Again, this is only possible because, in this case, the beep was added on top of the existing audio (and the audio was lowered to mask it). If they had instead replaced the original with the beep, none of this could be done.
So, whenever you work with audio and there is a section that you don’t want people to hear, make sure that you completely delete that part of the audio. Don’t just lower it, or mask it, or do anything else. If there are any remaining elements of the audio left, most audio editors can very quickly recreate it.
Be very careful about blacked out text
Another example is with blacked out text. This is something journalists have to work with all the time, and it’s really critical that you do it right, otherwise you can bring the original text back.
If you have some documents where you don’t want people to see, for instance, your source name, don’t just use a black marker because even if it is blacked over, you can probably just open the image in Photoshop and adjust the brightness levels and reveal it again.
It’s sometimes the same with digital apps. Some ‘marker’ apps don’t do a full black marker, they do a marker with a bit of transparency, meaning it doesn’t actually hide anything.
So you think it’s blacked out, but it isn’t.
It’s the same thing with PDF files. Many apps that allow you to do things with PDFs, like drawing a completely black box on top of an address you don’t want people to see … can often be removed simply by opening the PDF up as ‘open images’ … or worse, it can be deconstructed to extract the text only making all those black boxes you added meaningless.
Here is a simple example. This PDF has a number of black boxes added to it, but if I open it up on my editing program, I can simply select these boxes and delete them to reveal the text underneath.
In other words, when you work with blacked out boxes, you need to save the result as a new image (flattened). Don’t just export it as a PDF.
Today’s cameras are huge!
Speaking of images, one of the things I often come across is journalists taking pictures of their desks (maybe someone gave them a cake?) The problem is that today’s mobile phones have absolutely crazy big cameras, and while the picture looks tiny on Instagram, you can often just download the original resolution.
The problem of this is that, as journalists, we often have things around our desks that we don’t want people to see. But now they can just zoom in on your high-quality picture.
Here is a simple example: Here is a picture I took of my (old) home office. At first glance, you can’t see anything. The text on the screen is too tiny to make out.
But, let’s zoom in.
At first, it still looks too blurry, but the more you look at it, the more of it you can start to make out. For instance, you can read that it starts with: “The reason for this is obvious.”
Now, in this case, there is nothing secret about this. I was just writing one of my articles. But imagine if it had been Outlook that I had open on my screen. Or imagine if you had a post-it note with someone’s contact information, or anything else.
Today’s mobile cameras are so good that people can see way more than you think.
More than that, often the revealing information is sometimes things you don’t realize. Remember that there are many places on your computer that can reveal information that you might not want others to see. Like the apps started in the taskbar, the title of those apps, or if you have a browser open, the name of the tab, etc.
Here is an example from a politician from a few years back. He was complaining about something on Yahoo, and had taken a screenshot to prove his case … but look at the other browser tabs… right?
But, as journalists, we face this problem. Most journalists have tons of browser tabs open all the time, and while the contents might not be as embarrassing as this, what if instead it showed the chat session title with one of your sources?
So, do not share screenshots of your screen unless you are absolutely sure it’s safe to show. This goes for Zoom or Microsoft Teams too. If you share your screen …. oh boy… that can be bad!
And remember, sometimes you don’t know when it’s happening. Most people today, including journalists, have notifications turned on on their computers. And so if you are sharing your screen, and everything on it is absolutely safe to show, at any moment your computer can decide to show you a notification about something that you really did not want other people to see (like the name of a source, or a document that was just shared with you).
Screen sharing is a journalistic nightmare!
Hidden tracking information
Another really big danger, when it comes to protecting your sources, is that it’s really easy to embed hidden trackers into the documents that a source might share with you.
Obviously, if a source sends you a link to a website … I mean, the amount of tracking that can be done with that is immense. Most newspapers already know about this, and they would never communicate with a source via something as unsafe as Twitter DMs or similar.
But the tracking doesn’t even have to be digital.
For instance, never post screenshots of documents you have received from whistleblowers. The reason being is that it’s so incredibly easy to embed hidden tracers into some text that can be individualised like I just did here. Notice the double space?
My guess is that you didn’t, but it is trivially easy to add tiny unique variations to a document, so that you can precisely identify who leaked it afterwards. It can be a space, or anything else. Maybe a document sent to one executive is using Oxford commas in one paragraph, where the document sent to another executive isn’t.
You will never notice this when you read the text, but it instantly reveals your source. So, never, ever, share any documents that a source has provided you with.
Also, remember the metadata. Metadata is data that is embedded into a file but that you cannot normally see. This metadata can contain a lot more information than you think.
You can do image watermarks that are completely invisible to the naked eye, but can contain the precise data to reveal your sources. But most times, the meta is just plainly visible. All you have to do is to look it up.
This could be things like the “author” of a document or who last modified it (which might reveal your source to the public), the original path where the document is saved on your source’s internal company network (revealing their username), or all kinds of other information.
Also remember that many modern word processors have version control, meaning the document has all the revisions made to it stored within. This can potentially reveal so much problematic information, including early notes used when first drafting the documents, as well as comments made by different team members when discussing what to write.
None of this is visible in the final document, but with revision control, you can just go back and see it. That’s really problematic.
Finally, there are a lot of ways that people can identify where you are, which might be problematic if you are working on a story involving a source.
Let me show you something scary. Back in August, I took this picture out of my window (from my old apartment, I have since moved), and in just a minute, a person used Google Maps to precisely identify where that is.
Now, I didn’t feel particularly threatened by this (I don’t think he meant any harm), but when I shared it with some of my female acquaintances, they really didn’t like this. And as journalists, this is even more scary considering the threats we often face.
But also, notice that the image I shared contained no identifying marks. There were no signs, or anything. But, by seeing the name of the Fire Department (identifying my city), and the shape of buildings, roads, etc. … that was enough.
And keep in mind, it doesn’t even have to be a picture out of your window. Take a picture like this one. This, again, was my old home office from before I moved. It’s just my desk… right? Except, you can also see what is outside the window, and, as you can see above, this is enough to precisely identify where I lived … in just a minute of work on Google Maps.
Of course, we can use the same techniques the other way around. In fact, publishers like Bellingcat are famous for using these techniques to identify the exact location of news events.
So, it goes both ways. Every one of these examples can be used by journalists and newsrooms to reveal information that others don’t want us to see or know, but it can also be used against us.
And the mistake I see most often is when we think we have protected ourselves or our sources, but reveal it anyway because we don’t realise all the ways this can be done.
As I mentioned in the beginning, I was reminded of this because I came across a journalist who had done just this. They shared a picture that had nothing to do with anything, but it contained information in a small part of it that revealed a contact.
So, be very mindful of these things. It is easy to manage the big stuff, like only talking with sources via secure channels. It’s hard to not make all of these other mistakes because, at the time, they look completely innocent.
This article first appeared in the weekly newsletter of media analyst Thomas Baekdal. Subscribe to the Baekdal Plus newsletter or visit his website.
The post Operational security and the dangers of online sharing for journalists appeared first on WAN-IFRA.