Interviewing the most wanted man in the hemisphere is not something any sane person undertakes lightly. Aside from weighing the risk to one’s personal safety, a journalist must also protect his or her source by taking careful precautions — some reporters have gone so far as to risk or actually receive jail time rather than break the confidence of their sources. As the Snowden revelations have brought ubiquitous mass surveillance into sharp relief, these considerations have become far more complex, and personal fortitude isn’t always enough.
On Saturday, Rolling Stone published a major scoop: Actor Sean Penn traveled to northwestern Mexico to speak with Joaquín Archivaldo Guzmán Loera — “El Chapo” — the notorious leader of the Sinaloa drug cartel. It was El Chapo’s first (and perhaps last) press interview as a free man. At the time of the visit, El Chapo was a fugitive in hiding, but the day before the article went live, Mexican marines, with support from the U.S. Drug Enforcement Administration and U.S. Marshals, captured him after “a fierce gun battle.”
Mexico’s Attorney General Arely Gomez has said that Penn’s face-to-face meeting with Guzmán “was an essential element” in the operation that led to the fugitive drug lord’s apprehension. Mexico City’s El Universal published a photo gallery of what appears to be a series of surveillance images of Penn and actress Kate del Castillo’s arrival in Mexico to meet with Guzmán.
The photos notwithstanding, there are still plenty of reasons to maintain a healthy skepticism of the official line that Penn inadvertently helped Mexico and the U.S. catch El Chapo, and there is no public suggestion that his digital security practices led to the raid.
Penn clearly made an earnest effort to cover his digital tracks, and it’s easy for even the most skilled operators to make costly errors, but the self-described “single most technologically illiterate man left standing” details a litany of seeming operational security mistakes in his communications. Most of these descriptions are vague and could be misinterpreted, and, of course, he could also be omitting other, more effective security measures he employed. Thus, this article is intended as a case study in source protection based on the limited information available. The Intercept reached out to Rolling Stone for this article but they did not respond.
In the age of mass surveillance, technological ignorance is no longer an option, but even best practices are far from foolproof. If you’d rather skip the don’ts and jump right to the do’s, technologist Micah Lee, my colleague at The Intercept, has written some of the handiest explainers out there on how to implement operational security best practices.