At this stage it’s unproven speculation that Sean Penn’s interview had anything to do with the capture of Joaquin Guzman-Loera or “El Chapo” — it still could still be possible that it was a coincidence of timing, or a cover-story to protect another human or technical intelligence source. Also, few sensible people are going to be unhappy about the capture of a drug kingpin like “El Chapo”, with a background like this.

However, the subject does highlight the increasingly complex issue of physical and digital security for journalists (and human rights defenders) in the field. Journalists are busier than ever, have less resources and are working more as freelancers (e.g less backup/support) than in the past, and they, along with their sources, are increasingly targeted because of their sensitive work. Being a journalist increasingly requires skills previously associated with working as an intelligence handler (such as source protection — skills few are trained in at University), which, as we saw when Glen Greenwald initially refrained from contacting Edward Snowden, is often too much to ask. This frequently leaves the source themselves as the person who must be responsible for operational security.

Know thyself

Threat Modelling, compartmentalisation, and ‘need-to-know’

“First contact” is often the hardest part of any work with a journalists source in the field. Even if strong security measures are implemented at a later stage, if they are not put in place at the beginning, it can already be too late.

Penn’s description of his technical abilities — Rolling Stone Magazine

Even before he left the USA, Penn had for months been connecting physically and digitally to people possibly already under surveillance — indeed he admits to having little technological ability. Actress and friend, Kate del Castillo, was already known as having a connection to “El Chapo”, thus she was likely to have been under surveillance for considerable time. The hunt for “El Chapo” was given significant priority and included the resources of both Mexico and the US (DEA and probably including access to assets from the CIA and NSA) — this should immediately have suggested avoiding a tool like BlackBerry Messenger (BBM), as it it widely suspected that a number of states, including the US government, have the ability to intercept these communications. (Update 19:28 GMT - Now confirmed in this case. It appears the BBM communications between Kate del Castillo and “El Chapo” were intercepted for many months.)

What we saw was thus a common failure of journalists to be able to accurately access and work within their own security profile, (ie. the hazards they create to their source). More often than not journalists fit the risk assessment to fit their objectives — as opposed to vice versa.

Celebrities like Sean Penn are surrounded by dozens of people — friends, family, household staff, publicists etc, so trying to compartmentalise the number of people who know about the trip would have been difficult. Penn is a globally recognisable figure and his presence would immediately gather third party interest — from hotel/restaurant workers, aircraft staff etc. Arriving on the ground in Mexico, only a few people probably had a real “need-to-know” about the trip — Penn, Espinoza, El Alto Garcia, Andrés Granados Flores (El Chapo’s Lawyer) and Kate del Castillo.

El Chapo Wanted Poster

Our experience with working with journalists and activists all over the world has shown us that human intelligence leaks seem to be more common than digital security leaks. How tempting would it have been for someone with advanced knowledge of the trip to make a tip off to collect the $5 million reward for the capture of “El Chapo”?

What basic questions should a journalist ask before working with a source?

Everyone hates risk assessments but they have a useful role in forcing us to sit down and think about threats, ways to reduce the likelihood of something happening and also the impact if it does happen.

What is your objective, mandate, mission etc? How far are you allowed to go to write the story? What level of risk are you willing to take?

What increased risks may your profile pose to your source? What are your vulnerable points? What is your training or capability?

What are the likely risks that the source poses to you? What is their real agenda? What value do you pose to them? What profile do they have? (Verify this — don’t just accept the profile they say they have). Can you test them to see if they are reliable and telling the truth (for example, using ‘control’ questions that you know the answer to)?

What capability and discipline does the source have to conduct security measures? Are they security conscious? Do they recognise their own weaknesses? Do they really care enough about security to take it seriously? (Many don’t, and just shrug off the risk — in which case you often have to get them to focus by emphasising the dangers they may cause to others, including you). What is their technical ability? Do you need to start with simple and easy to use, but arguably less secure, tools like Cryptocat [update March 2016: Cryptocat is currently under maintenance, so not available] and move them slowly towards something more secure but more difficult to use like PGP?)

care enough about security to take it seriously? (Many don’t, and just shrug off the risk — in which case you often have to get them to focus by emphasising the dangers they may cause to others, including you). What is their technical ability? Do you need to start with simple and easy to use, but arguably less secure, tools like Cryptocat [update March 2016: Cryptocat is currently under maintenance, so not available] and move them slowly towards something more secure but more difficult to use like PGP?) What other affiliations does your source have that may increase risk? (Often we find that a person is targeted not because of an obvious primary reason like journalist but because of secondary reason, like being associated with activists)

What/who are your sources adversaries? What is their known/suspected capability? (Digital and human intelligence) What is their past method of operations? How have they reacted to journalists in the past? Is there information that can be gathered on them by studying similar industry profiles (an example would be if you’re a journalist and you know that NGO’s looking at certain issues have been attacked — you might consider that similar methods may be used by your adversary against you)

What information will your meeting with a source create and how can you prioritise it? (e.g source contact is high priority so justifies more time spent on protective measures like encryption)

Who needs to know about what you are doing? (Try to think deeply about this, some may say “only my editor”, but who has access to their information — their assistant, cleaner, IT staff, intern, partner etc.) What information do you need to share with your family? What third parties can also access this information? (In the El Chapo example: the aircraft/car rental and hotel companies, the payment processor, the airport immigration etc). Who are your trusted parties who can take control of managing a security incident happening to you? (Kidnap, arrest etc). What level of information do they need to know and how can they access it when they really need it? (No point in them having the routes, timings etc encrypted on their office computer that they can’t access it at a weekend)

When should you tell other people what you are doing? (If you have to tell people, they should only find out at the last possible moment, so that if you do have a leak, an adversary has less time to prepare)

Do you need a cover-story for what you are doing? What would it be? (It needs to be realistic, fit your pattern of life, verifiable or at least unable to be proven untrue, carried out by you, extremely well practiced/tested, coordinated with others whom it effects etc). What levels does it have? When would you deploy those levels? (Everyone will eventually talk but how much time do you need to buy yourself to protect your source and initiate a response?) What about basic but potentially risky questions from a casual third party? (Hotel staff, person in a cafe etc) What happens if you accidentally bump into someone who knows you?

UPDATE: Part 2 is now available to read here. It covers the operational lessons learnt related to travel, accommodation, counter-surveillance and arranging meetings with sources in the field.