This is the most detailed documentation I have seen on what happened with Reality Winner, the source who provided a document on Russian election hacking to The Intercept and is now in jail for it. There are multiple security failures here, but the case is complex. I think we, the journalism security community, should study it closely to try to understand if we can learn any lessons that might translate into policy.
Of particular concern to me here is the First Contact Problem: Winner’s first contact with The Intercept was not secured. Winner emailed them several months earlier to ask for a transcript of a podcast, which is part of what made her a suspect. However, there was no way for The Intercept to know that the person who later snail-mailed the document to them was someone who had already emailed. Still, there were clearly some poor practices, in particular around document metadata handling.