Security Compromises in Journalism

The New York Times Newsroom (1942). Source: Marjory Collins via Wikimedia Commons

As a researcher, my sources are journalists. I talk to U.S. journalists about how digital security fits into their work and I learn from security specialists and press advocates about digital attacks against newsrooms. As part of the Knight-Mozilla OpenNews Fellowship, I work on security guides and trainings for journalists. All too often, I’ve seen how strong security practices suggested by specialists can be at odds with the reality of most reporters’ jobs. And there’s a good reason for that — security is only one of many competing interests.

A typical U.S. newsroom looks something like this: reporters are hunched over at cluttered desks, chattering on keyboards or quietly speaking on the phone. Each person is chatting in multiple windows, and tabbing in and out of Twitter. They’re desperate to push out the next article, and they’re taking messages from every channel they can, accepting tips and attachments from strangers. Most sources don’t have amazing tips, but occasionally, the hints from many people become an interesting lead. They get a lot of noise in their inboxes, and it feels frustrating to go through an elaborate process to secure a conversation when so few are fruitful. Encrypting or decrypting an email can feel like a time suck. People constantly walk away from unlocked computers to grab coffee. You get the picture.

A newsroom is a security compliance nightmare, and causes digital security trainers to scream into their pillows at night. But traditionally, that’s how the work gets done.

Journalists make themselves available to talk any time, and the nature of news itself depends on extraordinary visibility. In other words, journalists are not very secretive. Yet while many journalists assume the role of a watchdog, when they are watched, they protest.

As we now know from disclosures by ex-NSA contractor Edward Snowden, after September 11th 2001, U.S. intelligence agencies expanded their surveillance powers dramatically. The National Security Agency has authority to gather data on foreign targets, inevitably including both innocent foreigners and Americans. Separate surveillance authorities allow the government to gather information from businesses through the PRISM program, and even gather data from the physical fiber optic cables at the core of the web’s infrastructure. NSA intelligence collected “incidentally” may be used by the FBI for routine investigations of Americans, unrelated to national security. Time will tell how these authorities will be used by the coming administration under Donald Trump, who has been openly hostile to media organizations.

Snowden’s revelations have already been troubling for journalists with sensitive or confidential sources. And frankly, journalists have already been enormous targets to state actors for a while. For example, in 2014, Google researchers reported discovering state-sponsored digital attacks against 21 of 25 top news organizations through phishing emails designed to steal data.

Governments around the world purchase commercial exploitation software to target journalists and activists. Toronto-based Citizen Lab has published dozens of reports dissecting malware attacks on journalists and media activists. They are routinely targeted with malware, usually delivered through PDFs and Office documents — precisely the formats reporters need to do their work. Encrypted communications channels provide little protection to an attacker who gets remote access to the device itself.

Digital security sometimes requires assistance, and freelance journalists don’t always have this kind of institutional support. Even in large newsrooms, sometimes there are little to no staffers to help identify common digital security threats, such as phishing emails.

As researchers Susan McGregor and Elizabeth Anne Watkins describe, many journalists’ approaches to security can be characterized as security through obscurity, or “the belief one need not take particular security precautions unless one is involved in work that is sensitive enough to attract [targeted surveillance].”

There’s a common perception that targeted surveillance only involves journalists reporting on national security, intelligence, the Justice Department, terrorism, and other stereotypically sensitive areas. Investigative reporters focused on national security and foreign affairs have been more likely than others to view electronic surveillance as a serious issue in their work. However, even investigative reporters — arguably those who are key users of encryption software — use secure communications in low numbers.

It’s tempting to imagine secret conversations between reporters and sources, or in-person meetings in empty parking garages. But the fact is, most sources and stories aren’t very sensitive.

For security specialists who work with the press, the idea of “security through obscurity” is also frustrating because it can be destructive to news organizations, enabling attackers to infer the weakest links in the organization before choosing targets. Sometimes the news organization, not a journalist, is the target. In some cases, the attacker just wants access to something else, like the news org’s Twitter account.

It’s no one’s fault individually; there’s a systemic issue at work here. Many of the best ways to secure our communications are fundamentally at odds with most journalists’ normal days.

For security and technology reporters, whose sources may prefer secure channels, they often use Signal for encrypted text messages and phone calls, off-the-record messaging, or encrypted email. However, when I ask the vast majority of journalists where they talk to sources, it’s usually at their desk phones, over text messages, Google Hangouts, Facebook, or Twitter. They prefer to use the simplest and fastest communication channels. Most journalists don’t use encrypted messaging applications in their work unless they provide a clear benefit for connecting with sources.

Most sources are using proprietary software or making phone calls that leave records of who spoke to whom and when. Providers may be obliged to hand over user data or call records in case of a law enforcement request.

For example, during a 2012 leak investigation, the Justice Department subpoenaed phone companies used by the Associated Press for phone records from 20 AP journalists over the course of two months. Federal investigators gave no notice to the news organization, allowing the government to observe communications with sensitive sources.

It’s possible to distance yourself from your electronic communication records with anonymity software, and to protect the content of communications with encryption. Yet, network effects and usability issues have often created a cycle of poor adoption. To paint a clearer picture of how this works in practice, let’s pause for a moment to talk about *inhales deeply* Pretty Good Privacy email encryption, or PGP.

PGP is a protocol for encrypting messages, and it’s become a tool both security specialists and journalists both love to hate. Today, its open source implementation, GnuPG, is widely used by journalists and media activists around the world to encrypt the body of their emails. PGP isn’t easy to set up, and once it’s running, users can very easily make mistakes. For example, users can send an encrypted message using an incorrect or expired key, essentially making the message unreadable to the recipient.

Glenn Greenwald, who broke the early Snowden disclosures with the Guardian, is perhaps one of the most famously resistant PGP users. Edward Snowden provided detailed instructions on how to set up the protocol, but Greenwald held off for months. In an interview, I asked Greenwald about the challenges of using PGP. He told me, “PGP hasn’t really evolved that much since [the 1990s] in terms of being user friendly because it’s mostly been used by nerds and hackers, and people who almost like the fact that it’s so complicated.”

And he’s right. Encrypted communications software can help to open doors to compelling sources, yet no reporter wants to tell sources to use these tools. Reporters are often afraid they will spook a contact and lose out on a valuable story.

Even if a source wanted to anonymously share a tip or leak documents, when they ask the journalist for help using a personal phone or email, they’ve already created a digital trail that links them to the journalist. This “first contact problem” is why it’s important to use anonymity tools such as Tor Browser or SecureDrop to share sensitive tips with a news organization when there are serious concerns about network surveillance. There are many other ways for sources to muddy their data trails as well, such as calling with someone else’s phone instead of their own, but the problem remains. People need to know what to do in advance.

Most secure chat tools come with usability or reliability issues. Even one of the most user-friendly secure messaging apps, Signal, occasionally drops messages or calls, forcing users to fall back to regular phone calls. Journalists: don’t feel bad. When I talk to security specialists about this in my research, they often laugh knowingly before they admit to doing the same thing.

There’s certainly room for growth, and yet the security toolbox can help advance other things we care deeply about, such as making oneself available to more sources with sensitive tips. Security tools can also be productivity tools. For example, password managers can speed up work by helping to auto-fill long, unique passwords. Learn about ways that these tools and practices can advance your agenda, and integrate those practices into routine work.

It’s getting easier. Encrypted web connections are slowly becoming the new norm, and large messengers like WhatsApp are rolling out end-to-end encryption by default, quietly protecting against digital attacks and surveillance in the background. Take advantage of this momentum. Understand realistic threats and with a clear head, encourage sources to use secure communications when practical. We’re in abnormal times; normalize new habits. There are some simple steps journalists can take to better protect themselves and their sources.

Get started now — we have work to do.


This article is crossposted at mshelt.onl/stories.