In the year since Edward Snowden’s leaks revealed the extent of the National Security Agency’s snooping, American journalists have shored up our defenses. I see more reporters with their public PGP keys—the first step to sending encrypted messages using the Pretty Good Privacy program—published on their Twitter feeds and websites. News organizations have picked up tools like SecureDrop, which facilitates document leaks from sources who want to stay anonymous. Working journalists and journalism students are more often being taught to use tools like the email-encrypting LEAP, browsing-anonymizer Tor, and the messaging service Jabber.
Whenever you help get a journalist on jabber w/OTR an internet kitten is born.— Gabriella Coleman (@BiellaColeman) April 23, 2014
And these tools are only improving. Just last week, another tool, Signal, was released: The free app promises end-to-end encryption, which keeps intermediaries like ISPs from eavesdropping. It’s available for the iPhone and soon will be compatible with a parallel Android app and with Web browsers, according to its maker, Open Whisper Systems.
But just as one source never has the whole story, one security measure never can guarantee safety. In July, the Tor Project found that someone—it’s not clear who, although it may have been a group of security researchers—had been working, with some success, to identify Tor users and to locate the hidden services that they use.
The sort of information the attackers were looking for could have revealed the location of a SecureDrop user dropping off documents, as Freedom of the Press Foundation, which runs SecureDrop, explained.
“It is for this very specific reason that we recommend sources use the Tails operating system,”—an operating system that can be run from a thumb drive and leaves no trace of activity on a computer—“restrict their usage to SecureDrop related functions as long as Tails is running, and never visit SecureDrop sites while at home or at work,” FPF explains. As useful as these tools are, none are strong enough on their own to keep information or sources from powerful government agencies or private companies that are determined to find them. They’re like seatbelts—they can limit your risk, but not necessarily protect you from the worst.
If security software isn’t foolproof, though, neither are journalists, and we may still be one of the weaker points in this system. We are learning: Danny O’Brien, the international director at the Electronic Frontier Foundation (who worked previously with the Committee to Protect Journalists), says that he receives more encrypted email than ever from reporters. But most of us are B+ students, at best:
Not gonna lie. When a journalist tells me I can "securely" communicate with them through Wickr, I wince.— Christopher Soghoian (@csoghoian) July 28, 2014
Wickr is a messaging app, not unlike Snapchat, that lets users send “self-destructing messages.” It calls itself a “Top Secret Messenger,” like a brightly colored spy toy in the kids’ section of Target. Communications security experts, like Soghoian, object to it because its code is closed source, and no one except the private company that owns it can check for back doors that would expose the encrypted communications to attacks or to government surveillance. That’s essentially what happened to Skype, which many journalists once considered secure.
The problem with tools that aren’t cheerily packaged as James Bond playthings is that they can be difficult enough to use that they interfere with the ease of communication journalists have come to depend on. Most reporters don’t do anything to protect themselves, their reporting, or their sources; the ones that do invest time and effort in privacy measures sometimes go overboard. “You have privacy nihilism and then doing so much that you can’t always do your job,” says EFF’s O’Brien.
As security experts learn more about threats to privacy and about what journalists need, some have offered less technologically complicated solutions than installing a suite of software for anonymous chatting, browsing, and emailing. The best security, in some situations, might be keeping information off electronic devices altogether and in a simple reporter’s notebook.
“We always think about the threat model when we’re giving advice,” says O’Brien. “It has to be about the situation you’re in. So much about being skilled at journalism is knowing the right questions to ask, and that’s the case in protecting yourself as a journalist, too.”