Oct 17, 2014 · 2 minutes

Early today, the Guardian delivered a remarkable scoop: that anonymous app Whisper employees claim to be tracking users in ways that would make the NSA rise to its feet in applause. Even more remarkable, the claims were made directly to Guardian staffers visiting Whisper to discuss a possible partnership with the app.

The Guardian witnessed this practice on a three-day visit to the company’s Los Angeles headquarters last month, as part of a trip to explore the possibility of an expanded journalistic relationship with Whisper.
Whisper has rejected the entirety of the Guardian report, with Whisper editor in chief Neetzan Zimmerman even vowing that "The Guardian made a mistake posting that story and they will regret it." Quite how Whisper plans to exact revenge on a newspaper which routinely swats down threats from the US and British governments is unclear. What's also unclear is what precisely Whisper is denying: The company's actual user monitoring capabilities or that its staffers made exaggerated boasts to visiting Guardian dignitaries in order to seal a content partnership.

What is clear is that the Guardian's reporting highlights why journalists visiting tech companies should never, ever agree to sign non disclosure agreements.

Almost without exception, major tech companies now require visitors to sign in to their offices using digital touch screens. Also almost without exception, those screens include a "standard" visitor agreement which includes a clause preventing visitors from disclosing anything they see or hear during their visit. If you ask the companies using these screens (or their lawyers) they'll explain that the clause is simply to avoid trade secrets accidentally leaking out after a visitor spots something juicy on a whiteboard. "Nothing to worry about," they'll say. "It's just standard."

Visitor NDAs are certainly increasingly standard. But what they're definitely aren't is "nothing to worry about."

As is clear from the Guardian's reporting, the reason they were able to tell Whisper readers about an absolutely egregious breach of their privacy is because they weren't asked to agree to any kind of confidentiality clause during their visit:

At no stage during the visit were the journalists told they could not report on the information shared with them.
It's precisely for that reason that Sarah Lacy and I always refuse to sign automated NDA agreements when visiting tech companies -- even when we visit companies like Rackspace or Autodesk to record our regular podcasts. As the Guardian's reporting showed, you just never know when you're going to witness something unequivocally newsworthy.  (Other Pando staffers are encouraged to adopt the same policy, although we allow individual writers to decide for themselves the terms on which they interact with sources.)

Yes, a polite refusal frequently leads to sighing, rolling of eyes and the intervention of a PR person but not once have I ever been turned away from a meeting for refusing to sign away my obligations as a reporter.

And yet, while this should be a standard policy amongst reporters, I know it isn't. Rather, over the years I've watched countless of my (non-Pando) journalistic colleagues blithely signing on the digital line, often without realizing what they're agreeing to.

"It's just standard. Nothing to worry about."

Hopefully that'll change after today.