Digital Security For Journalists

Digital Security for Journalists:A 21st Century Imperative

In the spring of 2013, Guardian reporter Glenn Greenwald received a set of classified documents from a former NSA employee who would later be revealed as Edward Snowden. Among the leaked documents eventually published by both the Guardian and the Washington Post were some revealing that the United States’ National Security Agency had for some time been performing bulk collection of digital communications metadata records, allegedly from corporations ranging from U.S. telecom companies to digital service providers like Google and Yahoo. 7 Though met with public outrage, the response of U.S. lawmakers to these revelations was decidedly measured: Not only was the program in question legal, but these collection practices had been taking place for some time.

“As far as I know, this is the exact three-month renewal of what has been the case for the past seven years,” said Feinstein.

Nevertheless, continued reporting by the Guardian and the Washington Post–for which they would both eventually win a Pulitzer Prize–indicated a heretofore unconfirmed fact: that the digital communications systems that many Americans believed to be importantly private were, in fact, anything but.

The shocking nature of the Snowden revelations catapulted Greenwald to the center of the ongoing debate about the future of journalism. In October of 2013, Bill Keller, former managing editor of the New York Times, invited Greenwald to debate their views on the essential principles of journalism in the 21st century in his Times newspaper column.8 Yet while Keller and Greenwald’s exchange in that column did highlight their philosophical differences, it glossed some of the practical ones that were arguably no less significant to the story: Snowden took his documents to Laura Poitras and Glenn Greenwald in part because they could meet his communication-security requirements.

In the past 15 years, digital publishing and communications have changed the landscape–and even the nature–of journalism in innumerable ways. Old business models have collapsed, and are yet to be reasonably replaced. Private individuals and citizen journalists have access to the same platforms for publication and can cultivate the same profile as reporters at major news organizations. The power of the crowd can be used both to document and condemn. 9 And yet every corner of our industry–from fashion to finance, the national desk to national security–is still driven by a single, essential imperative: Get the story.

There are no stories without sources. Unless researchers, executives, parents, politicians, religious figures, heads of state, whistleblowers, and widowers–unless people–are willing to share information with journalists, our profession cannot function. Whether what they share with us is a trove of secret documents, the location of a meeting, or the story of a loved one lost, without them journalism as we know it ceases to exist. And yet the missing acknowledgment in Keller and Greenwald’s debate was exactly this: that a perhaps fundamental difference in their journalism was a question of neither form nor philosophy, but of capacity. Greenwald and his colleagues were able to offer Snowden the digital protections he demanded. How many of today’s practicing journalists, independent or institutional, can effectively do the same?

That certain professional practices are essential not just to the integrity but the viability of the journalistic enterprise is already codified into our professional practice. Libel training and editorial review help protect journalists and their institutions from debilitating lawsuits. Reputable news organizations have articulated codes of conduct designed to sharply limit the personal benefit reporters may derive from their professional activities; many also have explicit conflict of interest surveys that reporters must file on a regular basis.10 And yet in many newsrooms, the consideration given to the systematic protection of our most valuable assets–our sources–is uneven at best.

There can be little dispute at this point that journalism, even within the United States, is under legal and technical attack.11 The year 2013 saw virtually unprecedented criminal charges leveled against both journalists and their sources. In some cases, members of the press have been forced to risk jail time to defend their sources; in others, they never had the chance.12 And major news organizations

e.g. The New York Times, Washington Post, Bloomberg, Wall Street Journal

have acknowledged repeated hacking attempts on their systems, at least some of which are known to be direct efforts to uncover sources. Major communications companies have also acknowledged that a significant proportion of digital hacking targets are journalists.

Whatever the dollar cost of a lawsuit or a system recovery, the detriment that these events pose to our industry is incalculable. At the same time that Snowden’s conscious choice to share his information with recognized journalists may inspire confidence in the continued importance of professional journalism, the difficulties he experienced in doing so securely13 point to a significant deficiency in our existing practices. Moreover, his very revelations only confirm how thin is the veil that protects our digital communications from the eyes of others, whether they be governments’, lawyers’, service providers’, or hackers’. As this understanding rightly permeates the public consciousness, the chilling effects will be immeasurable.

In order to maintain the confidence of–and therefore the access to–our sources, it is imperative that the journalistic profession as a whole develops a coherent set of professional practices around their protection. While judicial decisions and statutes in 49 states and the District of Columbia provide some form of reportorial “privilege,”14 the legal and technical realities of digital communications systems today are such that many journalists will never have the opportunity to invoke it.

For robust journalistic security practices to be effective, they must both offer the real protections that sources deserve and be reasonable enough to integrate into the process of newsgathering and publication. To achieve these ends, any approach must be grounded in a fundamental understanding of the technical and legal frameworks in which our digital communications exist, and how their sometimes strange intersections influence the way that journalists must operate. The goal of this paper is to provide a coherent and salient introduction to these frameworks, as a foundation for developing supportable security practices for the journalism industry.

The genesis of this research stems directly from recent events: the Associated Press phone records scandal and the Snowden revelations that took place in the spring of 2013. Though I came to this topic well-versed in the basics of digital communication technologies, my collaborative development of a mobile application for secure, anonymous, authenticated communication had made me acutely aware that creating better tools for secure digital communications was only a part of the problem, and I was happy to leave the job of offering practical digital security advice to those with more experience than I. Yet as I reviewed existing guides and recommendations, I found that few of these resources were comprehensive in their discussions of the “when” and “why” of digital security. This is with good reason. There is no such thing as generic “security”, and even when contextualized, its practices must effectively navigate any number of legal and technical pitfalls.

As I began this work, I spoke anecdotally with journalism colleagues who employed secure digital communication technologies in their work. In the process, the first outlines of a pattern began to emerge. Those who understood and applied digital security practices to their reporting, even occasionally, were either themselves covering sensitive topic areas like the NSA–and therefore came to these understandings of professional necessity–or, like me, they had a sufficiently technical background to parse these topics for themselves. This paper strives to provide an accessible level of technical and legal understanding for the broader journalism community, so that as an industry we can begin to have an informed conversation about how the realities of today’s digital communications systems should be appropriately addressed within our work.

The remainder of this paper is organized into four sections. First and second, I present overviews of the current state of law and technology as they exist in and shape the realities of digital communications, privacy, and security with a focus on the needs of source protection for journalists. Third, I present some models for conceptualizing and implementing digital communications practices for journalists and newsrooms, in the context of current tools and communities. Finally, I offer recommendations for both industry development and academic research in the areas of digital privacy and security.

Interlude: Addressing Complexity

The difficulty of creating simple models to describe digital security risks and solutions stems from the fact that they must operate at the place where two major social systems–whose properties are almost perfectly juxtaposed–intersect. First, there is the law, which is intentionally slow, exhaustive, cautious, and reactive. Then, there is technology, which is inherently fast, emergent, experimental, and constructive. And while our lives are shaped by both of them on a daily basis, their inner workings remain almost entirely invisible to all but the most highly initiated.

The crafting of laws and rendering of legal decisions often hinge on the byzantine interleaving of statutes, case law, and judicial inference that is argued in courts and described in documents away from the public view, and ultimately codified as binary decisions on the particulars of a given case. Technologies, meanwhile, exemplify the unpredictably complex expression of equally binary decision trees as they interact with the human world, yet their public form is often intentionally not readable by humans. The result is that nearly all of the workings of both systems are inaccessible to the public, expressed as they are in coded language and housed on largely proprietary systems.

In a healthy democratic society, the collective effect of citizens’ individual actions in the political, economic, and social spheres constitute cultural “forces of nature.” In this ecosystem, individual technologies are like cultivars–while their general features are known, their ultimate forms and behaviors are inextricably tied to their interaction with the broader environment. Law, meanwhile, is the “gardener” of that environment, and its role is necessarily reactionary and unequivocal. Prune here, thin there, tie back some stems and add support to others. Law does not determine what technologies come into being, and only once a “species” is known can law attempt to proactively influence its characteristics. As law and technology react and respond to one another, they create an ecosystem whose state is both dynamic and unpredictable. In order to be successful, digital security practices must be adaptive enough to acclimate to the changing circumstances of this emergent system.

Fortunately, our worlds are comprised almost entirely of similarly emergent systems–from the flow of traffic to the workings of party politics–and all of us capably navigate untold numbers of them in the course of our daily lives. The main difference between these and our digital communications systems is that most of these others operate largely in the visible and/or physical world, and follow rules that are accessible to us. The key, therefore, to creating a set of principles that supports journalistic values within digital communications systems is to make these systems at least conceptually “visible,” and to translate the rules by which they operate into language that is broadly accessible to our community.

Digital Security is Not Sui Generis

In the physical world, we accept that privacy and security are context dependent. We appreciate that jaywalking is generally less safe than crossing at a stoplight, that postcards and loud public telephone conversations are less private than sealed letters and whispered exchanges. If we latch our yard gate, we do so knowing it will probably not stop a determined criminal, but may deter an opportunistic one. We know our front door deadbolt will not stop a SWAT team, but may delay an intruder long enough for our loved ones to escape to safety. An alarm system cannot extinguish a fire, but it may alert professionals to an emergency.

We are able to make informed judgments about our physical privacy and security because the rules and assumptions of the systems they involve are generally apparent and understandable to us. We also appreciate that these judgments–and the choices we make on their basis–are inherently probabilistic and imperfect. Crossing the street involves making numerous estimates about the speed of traffic, one’s own crossing pace, and even the conditions of the road. An incorrect estimate may put you or those around you at substantial risk. Simiarly, a “shoulder surfer” may read our email at a cafe; a fellow passenger on a train may read documents we are holding. At all points we appreciate that neither our security nor our privacy is absolute.

This is exactly the same appreciation we must develop in our interactions with digital communications systems. As the forthcoming sections illustrate, the digital world is subject to all of the same complexities and probabilities as the physical one. And just as we have all learned the skills necessary to cross the street safely despite ever-changing road conditions, so too we can all learn to navigate the digital world in a way that keeps our sources–and ourselves–safe. We just need to learn how to look both ways.