Feature
EU files: How to get them, how to leak them, and what's the point?
My first juicy leak came in 2013 when an EU source gave me an inch-thick dossier of files documenting EU Commission cock-ups on diplomatic security in Afghanistan.
They brought it to my home in Brussels and told me they felt morally compelled because lives were being put at risk and taxpayers' money was being wasted.
Join EUobserver today
Become an expert on Europe
Get instant access to all articles — and 20 years of archives. 14-day free trial.
Choose your plan
... or subscribe as a group
Already a member?
It was a jumble of email correspondence, minutes of internal meetings, and procurement contracts.
One gem was a "restricted" report in which an EU ambassador bitched about his security guards also in Gaza. Another, marked "confidential", said the EU wrote off €1m overpaid to a security firm.
My source first reached out to me by phone after I'd written a series of articles about EU private-security companies.
They'd printed the files to avoid leaving a digital trace for internal investigators to follow.
What is a leak?
The Afghanistan story did what a leak is meant to — it brought greater democratic scrutiny, for instance, by the EU Parliament's budgetary-control committee.
Leaks are needed to hold the EU to account on matters of public interest because documents constitute evidence of allegations.
You can't deny you let a Russian diamond firm off the hook if it was on a draft EU blacklist one day, then vanished from the final sanctions.
And you can't say your human-rights dialogue with Russia is saving souls when your own internal report admits in black-and-white that it isn't.
My Afghanistan leak was exceptional, but less sensitive stuff gets out in Brussels every day.
Routine leaks are draft summit declarations and sanctions proposals, draft EU laws, and internal reports on EU projects.
They are almost all labelled "LIMITE" — the lowest level in the EU's Francophone classification system.
The higher levels are RESTREINT, CONFIDENTIEL, SECRET, and TRES SECRET — you can lose your job or face criminal charges if you leak them.
I've seen very few RESTREINT or CONFIDENTIEL files in my 20 years covering foreign policy and zero of the top ones.
The EU ambassador's report on Gaza was RESTREINT. A leaked CONFIDENTIEL paper was an assessment by IntCen, the EU foreign service's joint intelligence branch, of the reasons behind the failed coup in Turkey in 2016.
According to EU contacts, SECRET and TRES SECRET files might contain information such as advance warning of an overseas coup d'état or cryptographic keys to EU communications networks.
You'd have to ask yourself if you'd want to publish anything like that.

Who leaks and why?
The main sources of mundane leaks are the 27 EU countries' embassies in Brussels.
Diplomats and some EU Commission and EU Council officials divulge draft proposals to media in the hope that a political or public outcry on some issue will help them get what they want in final talks.
But whichever country is holding the EU presidency at a given time tends not to leak, in Brussels etiquette.
You might think the ideal leaker is one acting on their conscience, but even saintly whistleblowers tend to be tactical, revealing information which substantiates their side of the story.
An even better source is one who leaks files in bulk for the sake of transparency, leaving the press free to find their own angle — and sources like these exist in Brussels.
Some people also become sources by mistake: A draft EU law might be a big deal in the agricultural sector for instance, but a friendly EU official dealing with the digital market might have access to it and think it's OK to give it out to press.
In any case, for me, the substance of the information is more important than the leaker's motives.
When someone brought hidden evidence of deaths linked to Russia's Sputnik V coronavirus vaccine to EUobserver in 2021, a Russian MP later called us an agent of rival US pharmaceutical firm Pfizer.
Our source wasn't Pfizer, but does it really matter if it was a whistleblower, a rival, or a fool given the gravity of the issue at stake?
For all that, it still leaves a bad taste in your mouth if you ever learn your source's motives were less then pure.
And the Afghanistan private-security story I was at first so proud of taught me a lesson in due-diligence on background checks.
My whistleblower subsequently turned out to be a shadow partner in a firm trying to screw a rival for an EU contract in Kabul.
And it has left me wondering how I should have written the story if I'd known everything from the start.

Which EU files are interesting?
The vast majority of LIMITE documents circulated in the EU capital are banal kitchen-sink items, such as meeting agendas.
But even these can be useful for journalists' work, for instance by disclosing names and emails of all the EU officials involved on a project.
The most commercially valuable documents come out of EU Commission departments on agriculture, competition, consumer affairs, energy, environment, fiscal affairs, health, the single market, and trade.
Draft EU legislative proposals, which can run into hundreds of pages, need a specialised lawyer to make head or tail of.
But these exist at law firms, NGOs, and think-tanks in Brussels and they can sometimes help reporters to find a market-moving story in a tiny amendment in an EU regulation.
More obviously catchy LIMITE files are those which summarise EU countries' remarks in talks on sensitive political issues, such as asylum seekers or the rule-of-law dispute with Hungary.
Documents dealing with refugees, EU joint policy agency Europol, counter-terrorism, and data-privacy can yield important stories for human-rights activists.
Internal EU foreign-service reports also give unvarnished insight into conflict zones in Africa and the Middle East in potentially serious revelations.
One LIMITE file seen by EUobserver said EU-trained soldiers in the Central African Republic (CAR) were being used by Russian mercenary group Wagner, prompting a chain of further coverage in French media, and ending in an EU decision to wind down its CAR training mission.

How to get your leak
There are few shortcuts to cultivating sources.
In my experience, the best way is to write a series of stories on a niche subject using open-source information and, eventually, sources start reaching out to you by themselves.
One's talent and charisma aside, it helps to work for an important media, so the leaker gets credibility and maximum impact for their efforts.
It helps to make the most of tribal connections. EU states' diplomats in Brussels favour journalists of their own nationality because there's a tacit assumption they share patriotic interests and values, but the same is true of blue-and-gold flag EU officials, who all come from somewhere.
It also helps to know how the EU-sausage machine works.
EU Commission drafts of new laws are first circulated to relevant departments via "inter-service consultations" weeks before they're adopted by the full college of 27 commissioners.
They're then pre-agreed by the 27 directors general and the 27 chefs-de-cabinet in two final steps a few days prior to adoption.
The process creates several opportunities for scoop-chasers to try to gain access.
On one hand, sources feel safer if they're part of a larger circle of people with access to a file, as in the inter-service stage. But on the other hand, the smaller and more senior the circle, the hotter the version of the document you get.
EU countries' diplomats also feel comfortable leaking because once an EU Commission proposal has been circulated to 27 embassies hundreds of people have access.
Meanwhile, one leak can lead to another, in the way EU documents are traded between the journalists, politicians, lobbyists, and gossips who seek them in the EU capital.
Your competition will publish first if it gets a scoop, but if they owe you a favour, their correspondent might send you the leaked file and let you publish second, citing material "seen by EUobserver" as if you'd unearthed it yourself.

How to leak safely
LIMITE files are normally sent to journalists via fairly secure email servers such as Proton or apps such as Signal (on a disappearing-message setting).
EU-leak investigators can't hack or subpoena phones and laptops the way some national authorities might.
The worst the EU Commission ever did to me was go on my unsecured Facebook page in 2010 to see who my EU-official "friends" were (I stopped using Facebook years ago).
But sending encrypted files still poses a risk because digital documents contain metadata.
If online media upload the whole file or it gets back to leak investigators in some other way, they can use it to help trace the source.
This is why some sources create their own JPGs or PDFs of the files to first scrub them clean.
There are more creative, if time-consuming, methods. An official in the EU Council used to invite journalists to his office, conspicuously place a file on his desk, then pop out for 15 minutes on a spurious errand, leaving you to read and take notes at high speed as if you were a spy.
If the leak is sensitive enough to merit the effort you can print the documents and hand them over personally in an out-of-the-way cafe, where you are unlikely to bump into colleagues.
If you don't want to leave trace you printed a file, open it on your computer screen, photograph the screen with a phone, print those photos somewhere, and meet EUobserver at the cafe.
The way to leave the least digital trail means trusting the journalist to meet them face-to-face.
And if some fear being followed by security services, in reality Belgium's intelligence agencies have had better things to do than snooping on hacks long before the Russia war broke out.