How a New York Times journalist exposed an IP address and tipped off a major investigation

Journalists sometimes need to work under a veil of anonymity, and in the 21st century, that often means visiting websites without anyone knowing that a major investigation is underway. It's not always easy.
(Tomas Roggero / Flickr)

One newly reexamined court document shows that the subject of a New York Times investigation was tipped off because the news organization’s IP repeatedly showed up in the subject’s web server logs — a clear sign that something was up.

The revelation comes from a 2015 document in the federal corruption case against former New York state Sen. Dean Skelos as well as his son, Adam.

As news media investigated the case, a federal informant testified that the son was tipped off to a New York Times inquiry when IP addresses from the Times’ office showed up in web server logs.


“Like I’m nervous about — okay, so there’s some reporter that — from the New York Times that might be putting together a story regarding like real estate,” he said, according to the confidential informant’s testimony.

Dean Skelos, who was accused of using his power for the benefit of the Arizona environmental tech company AbTech, was told that a senior executive at the company saw “that The New York Times had been on [the Company’s] Web site like 12 times that day — or that week. He thought — and maybe because of, you know, them wanting to do a story about water purification, I just have a feeling it might be this reporter snooping around, trying to build a story.”

The issue of reporters exposing their identity has been raised for years, most notably in 2014 when the Freedom of the Press Foundation and former ACLU technologist Chris Soghoian reported that “several major US news organizations, including NBC, Reuters, The Associated Press, USA Today/Gannett and CBS Interactive all leak their identity via the IP addresses assigned to journalists’ computers.”

Despite complaints from reporters, the issue had reportedly been ignored by IT departments.


Runa Sandvik, who has been the director of information security at the Times since 2016, said the issue highlights why virtual private networks (VPNs) and tools like Tor that can obfuscate or even anonymize your identity are necessary tools for any journalist in 2017.

Rory Byrne, co-founder at the human rights organization Security First, noted similar problems in his field. In addition to sometimes revealing their IP addresses exactly the same way this Times reporter did, non-governmental organizations have been identified by custom fonts loaded into their browsers, which allow for fingerprinting and tracking.

“On a few occasions we found out that potential targets of NGOs were picking up on this,” Byrne told CyberScoop. “Which is really dangerous, as inevitably, even if the NGOs were trained to use VPNs etc., this was still a leak.”

Byrne, who could not speak on specifics, said he saw organizations fingerprinted and then targeted with malware served specifically to browsers matching that fingerprint. There are tools that can be used to fight fingerprinting. Tor Browser mitigates it and an add-on called Random Agent Spoofer is available for Chrome and Firefox.

Progress on the security front, however, has been mixed.

“For those that do recognise it’s a problem, it’s partly a discussion that has to take place with communications and marketing folks, as they see benefits to standard fonts vs security teams who are looking at it from the risk perspective,” Byrne said. “Though now that the NYT has flagged this issue publicly, it makes the issue easier to push on.”
