Digital Security For Journalists

Challenges and Opportunities in Digital Security Technologies

“‘Encryption works,’ said Snowden. The problem, in real life, is nothing that *runs* encryption works.”
–Quinn Norton

The acknowledged usability of much digital-security software at the moment could probably be best summarized as “abysmal.”[52] While less generally true of mobile-based offerings–such as SilentCircle, Wickr, TextSecure, etc.–the difficulty of creating keys with GPG or installing Tails on a USB drive is still prohibitive to most users. Setting up each of these requires several steps and, often, some amount of risk to the user’s computer if something goes wrong.

There are several reasons for this overall lack of usability. First and foremost, many secure-communications projects lack the steady revenue stream and well-defined user base that are prerequisites for effective usability testing and development. Many of the tools recommended here are dependent on periodic government grants that do not prioritize usability, and as the recent “Heartbleed” bug illustrated, the level of donations to even widely used security libraries is often abysmally low.[53] The result is that many of these tools are materially unusable, unstable, or unreliable, and they are liable to disappear entirely if their funding is not renewed.

Yet it is these very challenges that also offer an opportunity for news organizations to diversify their revenue streams. By partnering with existing projects or building their own, large news companies can invest in the development of secure digital tools specifically designed to meet the needs of journalists and then sell or license those solutions to other organizations.

To be clear, my suggestion is not that journalistic organizations begin developing the kind of “black box” software produced by some commercial security vendors; transparency is as essential to software development as it is to journalism.[54] As in journalism, transparency in digital-security software is both an ethical and a practical concern: either you must be able to see the code, trust the community to validate the code, or trust the person who wrote it. If you don’t know the code, you don’t know what it does.

Being able to “see the code,” however, does not require that the code also be free. Though many of the security projects listed above are both free and open source, alternative economic models are possible. “Source available” software,[55] for example, makes the code available for review and even reuse in other open-source projects, but commercial use or distribution requires a license fee; the widely used MySQL employs this type of dual licensing. Alternatively, a service-and-support model, similar to that offered by Red Hat, is another possibility for generating revenue.