Late last year, journalists working on a story about communications censorship were interacting with a potential source, and the central problem they faced was establishing whether that source was genuine; if they were where they claimed to be, and using the purported technical stack to reach the outside. In today’s world of AI and deep fakes, vetting that kind of claim proved to be a genuinely difficult task.
Having used manual packet analysis of encrypted messaging app metadata for source validation in the past, I suggested it as a solution and was surprised to learn there were no commercially available products that let non-technical users work with their own messaging app metadata. This presented a double-sided problem: on one hand, many journalists, sensitive sources, and others who depend on privacy to stay safe are unaware of the extent of their data exposure when they use encrypted messaging apps; on the other hand, despite being mined by service providers and nefarious actors, this data isn’t readily available to the actual owners of it, the end users themselves.
In the end, the source was who they claimed to be, but that was confirmed in the worst possible way. Separately from the newsroom’s verification efforts, the source’s own work to get the truth out had drawn the attention of hostile actors, and they were identified and arrested. The newsroom’s process never put the source at risk but it also never got the chance to resolve. The proof the journalists had been looking for arrived as tragedy.
That outcome stayed with me.
After months of building and refining, I’m announcing the launch of SourceNote, a metadata intelligence tool for journalists, newsrooms, and others in the business of truth.
SourceNote inspects the data being exposed during calls on Signal, WhatsApp, and other popular messaging apps, and presents that data back to the user, giving them the same view that any telecom, internet provider, or hostile actor monitoring either end of the call already has. That information can then be used to improve editorial assessments of source veracity, to conduct threat assessments for users on both ends of a call, and to inform risk mitigation.
To be clear about what SourceNote does not do: no message or call content is ever captured, decrypted, or stored. It reads only the network-layer signals that are already visible to everyone else on the wire.
The first delivery of SourceNote runs on Android, and a cross-platform network utility edition is in the works. We’re looking for journalists, newsrooms, and researchers to beta test SourceNote. If you work with sensitive sources and want early access, reach out at sourcenote@dowserlabs.com.