Before we get onto Truecrypt, Tor and Tails, let's look at the legal context for using those things. Many thanks to Steven Price and John Edwards for their help and advice on this section.
The main protection for journalists comes from s68 of the Evidence Act, which says that journalists and their employers cannot be compelled to give evidence, answer questions or produce documents which would reveal the identity of confidential sources, unless:
A judge decides that the public interest in naming the source outweighs the potential harm to the source and the public interest in keeping sources confidential
Note that s68 of the Evidence Act is quite limited:
- It does not cover third-parties (such as cellphone or email providers), only journalists and their employers
- It does not cover cases which doesn't involve confidential sources (though s69 provides more general protection for confidential information)
When journalistic privilege might apply, Police have to give the media outlet a reasonable opportunity to claim privilege. It is therefore much easier for investigators to target known service providers (i.e. Phone numbers and emails associated with the journalist) rather than try to seize information directly from a journalist.
Surveillance vs Search
Data in transit (e.g. Phone calls, internet traffic) can only be legally captured with a surveillance warrant, which can only be obtained for offences which are punishable by sentences of 7 years or more, or for offences related to restricted weapons.
Data at rest (e.g. Text messages, logs of phone calls, anything on your computer) can be obtained with a search warrant or production order, which can be obtained for any imprisonable offence.
By definition, it is only possible to retrospectively obtain data at rest. This means if an investigation is only likely to occur after a story becomes public, only data at rest will be available.
As an example, in the Bradley Ambrose (“Tea Pot Tapes”) case, even if the Police were interested in ongoing communications, the offence he was being investigated for did not qualify for a surveillance warrant; even if they could get a surveillance warrant, it would've been impossible for them to retroactively capture the period they were interested in. They were, however, able to obtain his texts and call records directly from his phone provider.
Norwich Pharmacal Orders
While private individuals can't get warrants, they can apply for a Norwich Pharmacal Order. These are pre-trial or interim orders against a third party, which can be used to reveal the identity of a person to allow legal action to proceed.
For example, a plaintiff might file papers against an unknown person in court, then apply for an NPO against a third party (e.g. An ISP or telco) for information that would reveal that person's identity. That third party would have a legal obligation to provide that information (or be in contempt of court), and they would not be able to claim privilege, since they would not necessarily know there was a journalist-source relationship there.
Harddisk encyption such as the operating system's default encryption would protect you against hackers and thieves, but it may not help you against law enforcement.
Under s178 of the Search & Survelliance Act, anyone who:
Fails without reasonable excuse to assist a person exercising a search power under section 130(1) when requested to do so (relates to searches of computer systems or data storage devices - a person may be required to assist with access to data).
..will be committing an offence, and can face up to 3 months of imprisonment.
Nor would the right against self-incrimination help you or your source. Self-incrimination doesn't protect against search and seizure, and the Police Search Manual specifically states:
A specified person may not be required to give any information tending to incriminate themselves. However, this does not prevent you from requiring them to provide information or assistance that is reasonable and necessary to allow you to access data held in, or accessible from, a computer system or other data storage device that contains or may contain information tending to incriminate the person.
This means that if they are able to seize your computers, they'll also be able to force you to give up the password, on threat of 3 months imprisonment. Unless, somehow... more on this next time.
- Journalists and their employers are protected by the Evidence Act.
- The minute data goes to a third-party (such as your ISP or telco) it's not protected.
- Sources aren't protected.
- Search warrants are easier to obtain than surveillance warrants.
- Private individuals (including companies) can use Norwich Pharmacal Orders to root out sources.
- Normal encryption doesn't help, as you can be legally compelled to give up the password.