Know Your Risk

From the SourceNote vault

Composite case. Documented tradecraft.

Can an encrypted messaging app give a whistleblower away?


Image: SourceNote on a Pixel phone showing the M.K. Transit session, with peer IPs, a state government network tag, and a VPN flag visible on screen.

M.K., a senior procurement analyst at her regional transit authority, had spent a year documenting bid-rigging from inside: three paving firms trading wins on a rotation, kickbacks routed through a sham consulting LLC. Internal complaints went nowhere, so she took it to an investigative reporter at the region’s largest paper. They spoke on an encrypted calling app, after hours, from her own couch, on her phone. She never touched agency equipment.

What she’d forgotten was a choice from months earlier: to get work email on her phone, she had enrolled it in the agency’s BYOD program, and enrollment installed a profile that kept the phone on the agency’s VPN. At home, her traffic still ran out through her employer’s network, and her employer’s logs.

The reporter was careful too. He used his personal cell connected to a commercial VPN, not the newsroom network. But every device signed in to his messaging account took part in the call’s setup, including the desktop app on his work laptop [1]. He never picked up on it. He didn’t have to. Just by being signed in, the laptop was one of the candidates M.K.’s phone reached for during setup, and its STUN response came back from the newsroom’s network. Her phone was on the agency’s VPN, so that response landed straight in the agency’s logs, source IP and all [2].

The series ran in the spring. Within six weeks M.K. was escorted out, walked through a “data exfiltration investigation,” and terminated for cause on a case that was circumstantial but decisive. The agency’s outbound logs, retained far longer than she’d have guessed [3], showed the paper’s network address in her call metadata on the weekday evenings before each story. The call cadence formed a tight pattern, trivially correlatable to a publication calendar [4].

No one obtained the content of a single call. They didn’t need to. M.K. settled to avoid prosecution and was barred from public-sector work in the state.

What changes if SourceNote is in the loop

On the first call, SourceNote shows the source’s side: her public IP whoises to a state government network [5], and her phone offers two private addresses — home wifi and an address on her employer’s VPN. That first call is already in the agency’s logs; that can’t be undone. But it stays one connection, not a pattern. Seeing the leak is what makes the rest possible: the calls move to a relay, so no network sees more than the calling service [6]; her phone comes off the agency’s VPN; the linked laptop gets dropped; the call times stop tracking her workday. And the same metadata cuts both ways — the connection that could burn her is also what corroborates her to the newsroom: the contact is real, the documents came from inside. Visibility is the greatest liability when only the adversary has it.
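The two mechanics above, the candidates a phone offers during setup and the difference between a host, server-reflexive and relay candidate, can be checked on the source's own side. The script below is an added example, not SourceNote's code or any messaging app's: it parses ICE candidate lines in standard SDP `a=candidate:` syntax (the format WebRTC-style call setup uses), reports which candidates expose a device interface or a public egress address, and confirms whether an offer is relay-only. The registry table standing in for a whois lookup and all candidate lines are constructed for the example; `198.51.100.0/24`, `203.0.113.0/24` and `192.0.2.0/24` are documentation ranges, not real networks.

```python
"""Inspect the ICE candidates a device offers during call setup and flag
which of them reveal a network the caller may not want the peer, or the
peer's network logs, to see.  Added example; not SourceNote's own code."""
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for a whois/registry lookup (assumption: not real ARIN data).
ORG_BY_PREFIX = {
    ipaddress.ip_network("198.51.100.0/24"): "State Government Network (constructed)",
    ipaddress.ip_network("203.0.113.0/24"): "Regional Newspaper (constructed)",
}


@dataclass
class Candidate:
    foundation: str
    component: int
    transport: str
    priority: int
    address: ipaddress._BaseAddress
    port: int
    typ: str  # host, srflx, prflx or relay


def parse_candidate(line: str) -> Candidate:
    """Parse one SDP 'a=candidate:' line (RFC 8839 field order)."""
    body = line.strip()
    if body.startswith("a="):
        body = body[2:]
    if not body.startswith("candidate:"):
        raise ValueError(f"not an ICE candidate line: {line!r}")
    fields = body[len("candidate:"):].split()
    # foundation component transport priority address port 'typ' type [raddr ... rport ...]
    if len(fields) < 8 or fields[6] != "typ":
        raise ValueError(f"malformed candidate: {line!r}")
    return Candidate(fields[0], int(fields[1]), fields[2].upper(), int(fields[3]),
                     ipaddress.ip_address(fields[4]), int(fields[5]), fields[7])


def lookup_org(addr):
    """Longest-match-free lookup in the constructed registry table."""
    for net, org in ORG_BY_PREFIX.items():
        if addr in net:
            return org
    return None


def assess(lines):
    """Return ([(address, type, finding), ...], relay_only).

    A relay candidate is the calling service's address and says nothing about
    the caller, so it is never a finding.  Host candidates expose a device
    interface (home wifi, VPN tunnel); srflx/prflx candidates expose the
    public egress address the STUN server saw, which is what a whois lookup
    attributes to an organisation."""
    findings = []
    relay_only = True
    for line in lines:
        c = parse_candidate(line)
        if c.typ == "relay":
            continue
        relay_only = False
        if c.typ == "host":
            kind = "private" if c.address.is_private else "public"
            findings.append((str(c.address), c.typ, f"{kind} interface address exposed to peer"))
        else:
            org = lookup_org(c.address)
            label = f"public egress attributed to {org}" if org else "public egress address exposed"
            findings.append((str(c.address), c.typ, label))
    return findings, relay_only


# Constructed offer for the source's phone: home wifi, employer VPN tunnel,
# and the egress address the agency VPN presents to the STUN server.
SOURCE_OFFER = [
    "a=candidate:1 1 UDP 2130706431 192.168.1.23 54321 typ host",
    "a=candidate:2 1 UDP 2130706431 10.8.0.5 54321 typ host",
    "a=candidate:3 1 UDP 1694498815 198.51.100.77 54321 typ srflx raddr 192.168.1.23 rport 54321",
]

# Constructed relay-only offer: the only address on the wire belongs to the relay.
RELAY_OFFER = [
    "a=candidate:4 1 UDP 16777215 192.0.2.10 40000 typ relay raddr 198.51.100.77 rport 54321",
]

if __name__ == "__main__":
    for name, offer in (("source phone", SOURCE_OFFER), ("relay-only", RELAY_OFFER)):
        findings, relay_only = assess(offer)
        print(f"{name}: relay_only={relay_only}")
        for addr, typ, finding in findings:
            print(f"  {addr:16} {typ:6} {finding}")
```

Run on `SOURCE_OFFER` the script reports three exposures, two interface addresses and the state-government egress, which is exactly the picture the article says SourceNote put on screen; run on `RELAY_OFFER` it reports none and confirms the offer is relay-only. Dropping a linked device, as the article describes, is a separate check on the peer's side: each signed-in device contributes its own candidates to the same offer.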

The series still runs. The referral collapses for lack of corroboration. She leaves on her own terms.

We’re looking for journalists, newsrooms, and researchers to beta test SourceNote. If you work with sensitive sources and want early access, reach out at sourcenote@dowserlabs.com.

Footnotes

  1. peter-signal, “Multi-device calls with ICE forking,” Signal Blog, 20 October 2020. https://signal.org/blog/ice-forking/

  2. Plixer, “Network Forensics and Incident Response Using NetFlow and IPFIX.” https://www.plixer.com/blog/network-forensics-and-incident-response/

  3. R. Danford, “Security Log Retention,” SANS Internet Storm Center, 22 March 2005. https://isc.sans.edu/diary/487

  4. D. Monsivais et al., “Tracking urban human activity from mobile phone calling patterns,” PLOS Computational Biology, 21 November 2017. https://journals.plos.org/ploscompbiol/article?id=10.1371%2Fjournal.pcbi.1005824

  5. American Registry for Internet Numbers, “Using Whois,” ARIN registry documentation. https://www.arin.net/resources/registry/whois/

  6. Electronic Frontier Foundation, “How to: Use Signal,” Surveillance Self-Defense. https://ssd.eff.org/module/how-to-use-signal