When a “backdoor” is not a backdoor: Science and tech reporting in a tl;dr world
The Guardian’s decision to report on the messaging app WhatsApp’s perceived security flaws in an article published on January 13th has been soundly criticized in the information technology community as wildly overstating security risks and causing unnecessary alarm. Most critically, some have pointed out serious real-world risks to activist users, who may migrate to less secure platforms because of misplaced concerns about the vulnerability of WhatsApp.
A key criticism was that the initial article referred to a “backdoor” to WhatsApp encryption. That is plainly not true — there’s no backdoor. Techopedia defines a backdoor as “a system security mechanism is bypassed undetectably to access a computer or its data.” WhatsApp uses a public key encryption system that does have some potential vulnerabilities but is clearly no backdoor, as it does not “bypass” security systems (feature…not bug) and is detectable to users. The developer Moxie Marlinspike explains it in more detail here.
What concerns me as a scholar of technology and society is the criticism of The Guardian piece in terms of reporting norms from voices outside of journalism. For example, PhD scholar Peter Monnerjahn was quite pointed in using terms like “pseudo-journalism” and scare quotes around every use of the word journalist in his response. And again, the details of some of this criticism are fair; for example, using the term “backdoor” was plainly wrong. These errors, say critics, demonstrate a failure on the part of The Guardian and the article’s author(s) to understand cyber security in either its technical or social aspects.
However, many of these critics are similarly failing to understand the practice of 21st-century journalism in either its technical or social aspects. For my dissertation I spent two years researching the practices of science and technology journalist freelancers. I believe it is impossible to sensibly critique what went on with the WhatsApp story in The Guardian without an understanding of the practices and processes of modern journalism.
The Guardian story relies primarily on the research of a doctoral student at UC Berkeley, Peter Boelter. Peter Monnerjahn blasts The Guardian for “tak[ing] Boelter’s claims at face value.”
But journalism has always relied on “authorized knowers” in finding sources for reporting. From Mark Fishman’s 1980 foundational ethnographic study Manufacturing the News:
“If somebody else draws the inferences — and usually this someone else is an official empowered to do so — then the journalist can treat these inferences as hard facts.
“…we need to examine the journalist’s general criterion of facticity. This fundamental principle of news fact can be stated like this: something is so because somebody says it. Newsworkers take their facts from other people’s accounts. … reporters rarely sift through physical evidence or run tests on it.” (p. 88)
And it wasn’t just Boelter. In the initial WhatsApp article, the author provided sourcing from five authorized knowers:
- Tobias Boelter — a computer scientist and doctoral student at UC Berkeley (the initial source of the security claims about WhatsApp).
- Steffen Tor Jensen — head of information security and digital counter-surveillance at the European-Bahraini Organisation for Human Rights
- Kirstie Ball — co-director and founder of the Centre for Research into Information, Surveillance and Privacy
- Jim Killock — executive director of Open Rights Group
- An unnamed WhatsApp spokesperson
These sources were placed in context by links to regulatory and financial news related to WhatsApp’s owner — the social network Facebook. (I would say this is not an inconsequential association given ongoing events in the U.S. and around the world regarding misleading news and the role of social networks in propagating certain political perspectives.)
It is fair to be critical of the choice of sources and how their words were framed within the article, but this work exists fairly within journalistic norms. We (academics, activists, and other journalists) are similarly absolutely working within our norms in criticizing this article and clarifying the details of encryption in response writing online. I know I’ve learned more about encryption standards since this piece of “pseudo-journalism” — I suspect I’m not the only one.
I agree with critics that there was misleading and incorrect information in the article, and yes, the article and its writers and editors should be held accountable. And particularly at this point in history, our goal should be to protect the most vulnerable users of any technology — these may be activists working under authoritarian regimes with unknown levels of surveillance and facing grave risks.
But by attacking individual reporters and specific articles for not adhering to some Platonic ideal of “journalism” which never really existed, we are missing the forest for the trees.
Journalism — and science and technology coverage in particular — functions the way it does in 2017 because of the economic, political, and social pressures that surround it. Rather than labeling inaccurate reporting as “bad journalism” we need to understand the systemic forces constraining the work of news writers. Hold journalists accountable, but to assume individual malfeasance is to miss the bigger picture.
In 1989, there were 95 weekly science sections in newspapers in the United States. In 2012 there were 19.
In my own research I have interviewed dozens of freelance science and technology writers who were distressed by the limited resources and tight deadlines under which they were trying to communicate complex technical information to everyday readers. Editorial and fact-checking staffs are minimal to non-existent for many online publications, and many seasoned science writers I interviewed were leaving the field since they simply could not make a living in a largely freelance environment. I do not know the specifics of the environment at The Guardian, obviously, and they seem better-resourced than many outlets. Yet these pressures are clearly affecting journalism as a whole.
Reporters are working for and alongside of us — and, like it or not, we are all complicit in a system that prevents them from doing good reporting. When is the last time you paid money out of your pocket to read a piece of science reporting online? If we want accountability from our governing bodies in this alarming new era, we need to work from a place of collaboration with journalists and understand our shared goals.