The leak investigation involving a Senate staffer and a New York Times reporter raises significant issues about journalists, digital security, and the ability of journalists to protect confidential sources.

The New York Times recently revealed that the FBI had been investigating a former aide to the Senate Intelligence Committee, James Wolfe, for possibly leaking classified information to reporters. So far Wolfe has only been indicted for making false statements to investigators about his contacts with reporters.

The investigation appears to have been focused on how New York Times reporter Ali Watkins, when she worked for Buzzfeed News, learned that Russian spies had attempted to recruit a former advisor to President Trump, Carter Page.

Reading the New York Times article, three things jumped out at us.

First, according to the article, FBI agents “secretly seized years’ worth” of Watkins’ phone and email records. “Among the records seized were those associated with her university email address from her undergraduate years.” However, “Investigators did not obtain the content of the messages themselves.”

We read this to mean that the FBI obtained “metadata” such as to/from and date/time information for each call and email, probably using a subpoena or court order authorized by the Electronic Communications Privacy Act (ECPA)/Stored Communications Act (SCA).

Many digital security resources, including EFF’s own Security Self-Defense (SSD) guide, emphasize using end-to-end encryption. However, it’s important to understand that while encryption protects the contents of communications, encryption does not mask metadata. Thus, without listening to or reading the communications themselves, government agents can see who you talked to and when, and sometimes from what location.

Metadata can be extremely revealing. Just the fact that Wolfe denied talking to reporters, when the metadata showed otherwise, earned him criminal charges.

Unfortunately, completely masking communications metadata is nearly impossible. Creating a temporary email account through an anonymizing tool like Tor can make it more difficult to associate that account with a particular person. Features like Signal’s Disappearing Messages will automatically delete some metadata after a set period of time, making it harder for law enforcement to acquire it after the fact.

Second, the government obtained the contents of communications Wolfe had with reporters over encrypted messaging apps (apparently Signal and WhatsApp).

Our guess is that the FBI got a warrant for Wolfe's phone and somehow accessed the apps—perhaps his phone wasn’t locked, agents had his password, or they used a forensic tool to bypass the lock screen and any device-based encryption. It’s also possible investigators found backups stored in the cloud or on a hard drive that contained the unencrypted messages. (This issue has also come up in the Mueller investigation.)

If this is what happened, then it's important to understand that although end-to-end encryption thwarts interception of communications content, if that content is sitting unencrypted at an end point—that is, in an app or a backup—then anyone who has access to the journalist’s or suspected source’s phone or backup may be able see those messages. Therefore, deleting unencrypted messages is an added security precaution. Once again, Signal’s Disappearing Messages feature is an effective way to defend against future device searches.

Third, a non-technical question is: did the Justice Department follow its own news media regulations? These regulations have been around for four decades and were most recently revised in 2014 after the shocking revelation that President Obama’s Justice Department in 2013 seized two months’ worth of phone records for reporters and editors of the Associated Press.

Among other requirements, such as first exhausting other avenues of information, the regulations require Justice Department investigators to provide journalists with prior notice and an opportunity to negotiate before seizing their records. But this is not what happened—as the New York Times article explains, Watkins received a letter from the Justice Department only after her phone and email records had already been obtained.

It wouldn’t be surprising if it came to light that the Justice Department invoked the exception to the prior notice requirement: where “such negotiations would pose a clear and substantial threat to the integrity of the investigation, risk grave harm to national security, or present an imminent risk of death or serious bodily harm.” But these details have not been revealed.

The bottom line is that journalists shouldn’t expect to always be notified ahead of time. Accordingly, they should take as many precautions as possible—digital and otherwise—to protect their confidential sources.

In addition to EFF’s Security Self-Defense (SSD) guide, we published a digital privacy guide to crossing the U.S. border that journalists might find helpful, as journalists have been harassed at airports and border crossings. Other journalism groups have useful digital privacy and security guides, such as those from Freedom of the Press Foundation, the Committee to Protect Journalists, and Reporters Without Borders.

Finally, the seizure of Watkins’ phone and email records has once again highlighted the desperate need for a federal shield law so that the government can’t go after journalists—whether through their service providers or in court—to try to uncover their confidential sources. Vice President Mike Pence was a lead sponsor of the Free Flow of Information Act when he was in the House of Representatives.

We renew our call for Congress to pass a robust federal shield law to protect not only journalists and their confidential sources—but also the public’s right to know.