Sign up for the daily CJR newsletter.
On Christmas Eve, the Washington Post published a story by Hannah Natanson, a reporter who works as part of a team covering the ways Donald Trump is upending the federal workforce. “I am The Post’s ‘federal government whisperer.’ It’s been brutal,” the headline went. She described having been an education reporter who wandered over to Reddit, where she put out a call for “anyone willing to chat.” She provided her contact information on Signal, an encrypted app that Post reporters are encouraged to use. “The next day, I woke at sunrise to dozens of messages—the ruling pattern of my mornings ever since,” she wrote. Before long, “I would gain a new beat, a new editor and 1,169 contacts on Signal, all current or former federal employees who decided to trust me with their stories.” On Wednesday morning, the FBI searched her home and seized her phone, a Garmin watch, and two laptops—one of them issued by the Post.
Other journalists have been tracked, subpoenaed, or compelled to turn materials over to the government; rare is a newsroom raid, and Natanson’s experience is virtually without comparison. Even so, Runa Sandvik—whose life’s work is protecting journalists’ digital security, and who I got to know a few years ago in the course of profiling her for CJR—said that “the risk has been there for a long time.” Sandvik, the former head of information security for the New York Times, now runs a consulting firm, Granitt, advising reporters, lawyers, and political activists on how to keep their data safe. Though she shares guidance on best practices, when we first met, I asked her how someone could take steps to be fully secure, and she replied: you wouldn’t be online at all; you would have to live in the forest. “It is normal,” she told me when we just now spoke again, “for law enforcement to grab as much as they can and then later on figure out which one they can search, what they can look at, which ones are actually relevant to the investigation.” That the FBI could, with no prior warning and in the absence of an indictment, arrive at a journalist’s home with a warrant to seize the contents of her digital life reveals a vulnerability for every journalist facing the caprices of the Trump administration.
There are several ways to read what happened to Natanson. The first is what the FBI is claiming: that it had a warrant to investigate Aurelio Perez-Lugones, a government contractor and Navy veteran from Maryland with a top security clearance who was believed to be in correspondence with Natanson. (Per Politico, an affidavit for the search has been sealed.) A few days ago, according to the Baltimore Sun, federal authorities charged Perez-Lugones with illegally retaining classified documents; during a raid of his home, the FBI said in an affidavit, agents found classified intelligence reports in his basement and in his lunchbox. Natanson, in that telling, was collateral damage. “We are told Hannah, and The Post, are not a target,” Matt Murray, the executive editor of the Post, wrote to staff. “Nonetheless, this extraordinary, aggressive action is deeply concerning and raises profound questions and concerns around the constitutional protections for our work.” (Speaking to reporters on Wednesday, Trump alluded to a “very bad leaker” who was in jail for sharing documents related to Venezuela—the subject of Natanson’s most recent reporting.)
Over the course of the day, the Post updated its article about the FBI and Natanson to add: “The Post also received a subpoena Wednesday morning seeking information related to the same government contractor, according to a person familiar with the law enforcement action.” And yet, as Sandvik said, “it would not surprise me if the subpoena to the Post relates to the work laptop that was seized”—as well as information about an “internal tip-sharing Slack channel” that Natanson mentioned in her article from December. A second way to read this case, Sandvik suggested, is as a “fishing expedition masked as an investigation into a specific contractor.”
Kash Patel, the director of the FBI, posted a statement on X: “This morning the @FBI and partners executed a search warrant of an individual at the Washington Post who was found to allegedly be obtaining and reporting classified, sensitive military information from a government contractor.” Pamela Bondi, the attorney general, also tweeted a statement, saying the warrant was executed “at the request of the Department of War, the Department of Justice and FBI,” concerning “a Washington Post journalist who was obtaining and reporting classified and illegally leaked information from a Pentagon contractor.” (A Pentagon spokesperson referred CJR to the FBI. The White House referred back to Bondi’s tweet.) As Sandvik put it, “The fact that they have now seized the equipment that she used to communicate with, like, twelve hundred different sources, I think, is disturbing.”
The full extent of what the FBI will be able to gather from Natanson’s devices will rest on her, and the Post’s, digital security hygiene. “It really depends on, were the devices up to date?” Sandvik told me. “What type of authentication was used? Was encryption enabled on the drive? Was lockdown mode enabled on the phone? Were disappearing messages used on Signal?” If Natanson uses Macs, for instance, even if they are fully encrypted, “that encryption only kicks in when the device is fully powered off,” she said. “When you power the device on and you log in that first time, that is when you unlock or decrypt the drive.” The same would apply to a phone. “So if she knew this and she saw the FBI outside her door,” Sandvik noted, “the smartest thing to do would have been to go and power off all her devices.”
In that scenario, the FBI would not be able to get in and review her files. The government’s only recourse would be to sue Apple, which is precisely what it did in the wake of the 2015 San Bernardino shooting, though the effort was unsuccessful; the government then hired an Australian contractor to break into the suspects’ phones. “It would then require a lot of time and effort and money from the authorities,” Sandvik said. The worst-case scenario, she told me, would be if Natanson had not made use of disappearing messages and the devices were not encrypted: “They’d be able to see all the sources.”
Whatever the case, the situation highlights serious risks inherent to online communication between journalist and source. In her December article, Natanson, deluged in tips, described consulting with Post lawyers to develop the best approach to security: requesting that sources send her a picture of their government ID, never writing down names, using a private browser—and, notably, using an encrypted drive, which was not mentioned in the coverage of Wednesday’s FBI raid. And yet “there was no one consulted on a digital security or technology perspective,” Sandvik said. “I think that there’s certainly an opportunity here to come up with additional measures, like using a VPN like Mullvad, or using Tor for browsing.”
Over the course of the day, Post staffers, reeling from the news, wondered whether they had received enough guidance from the organization’s managers on how to handle digital security. “The Washington Post has a long history of zealous support for robust press freedoms,” Murray told employees. “The entire institution stands by those freedoms and our work. We have been in close touch with Hannah, with authorities and with legal counsel and will keep you updated as we learn more. In the meantime, the best thing all of us can do is to continue to vigorously exercise those freedoms as we do every day.” (The Post did not respond to questions from CJR.)
“The government has said that Natanson is not under investigation, nor should she be for simply reporting information provided to her by sources,” Seth Stern, the chief of advocacy at the Freedom of the Press Foundation (and a CJR contributor), said in a statement. “Even the Trump DOJ’s guidelines on searching reporters’ source materials (which were weakened from prior guidelines based on the administration’s proven lies about ‘fake news’) make clear that it’s a last resort for rare emergencies only. The administration may now be in possession of volumes of journalist communications having nothing to do with any pending investigation and, if investigators are able to access them, we have zero faith that they will respect journalist-source confidentiality.” Xochitl Hinojosa, a former head of public affairs for the Justice Department, noted that—despite the comments of public officials—Natanson obtaining material does not constitute a crime. “The Department in modern history has never charged a journalist for unlawfully publishing or receiving classified information,” she said, “and it’s scary to think that this might change.”
At the Post, Sandvik hopes the day’s events “prompted a conversation internally about, how do we handle this in the safest way possible? Is it a legal liability that she’s receiving all of this information on a personal device? Should we rethink how we’re receiving and how we’re storing and disseminating and working with all of this information? What is the safest way to do it, legally, from a physical security point of view, from a digital security point of view, and also emotionally?” More broadly, she said, “what I really, really hope that other newsrooms and journalists take away from this is to really look at their own practices internally and figure out, ‘Okay, well, what can we now learn from what happened in this case? What are we doing or not doing that could either put us in the same spot or prevent some of the things that have happened or may have happened or now could happen?’”
Has America ever needed a media defender more than now? Help us by joining CJR today.
