Coming to terms with ‘digital footprints’

National security reporters spoke sourcing and encryption at CATO's conference on the NSA

Almost everyone at The CATO Institute’s conference—“NSA Surveillance: What We Know; What to Do About It”—on Wednesday agreed that government surveillance has an alarmingly wide scope, and that the latest revelations by Edward Snowden have had a big impact on public opinion surrounding privacy issues. Participants in a journalism panel there all said that they were pleasantly surprised by the level and quality of public discussion that their work on the Snowden documents had kicked off.

Though his leak made the stories possible, the daylong conference featured little discussion of the government’s crackdown on whistleblowing—Snowden is currently on the lam. Instead, most focus was on dissecting the actual contents of the information deluge, as participating politicos, journos, lawyers, and techies argued about what the surveillance revelations may mean for the future of the industry.

But toward the end of the press panel—after New York Times reporter Charlie Savage’s valiant effort to put the NSA scoops into manageable categories—participants were finally asked about what the NSA revelations meant for how they do their jobs cultivating sources with sensitive information. Julian Sanchez, the CATO research fellow moderating the panel, pointed out that the Obama administration has charged more people under the 1917 Espionage Act than all of the previous administrations combined, and mentioned the Department of Justice’s collection of telephone metadata from the Associated Press. So, Sanchez asked the reporters sitting around him, how has their ability to communicate with sources changed over the past few months or years?

The consensus answer: To do their job well going forward, reporters need to be educated about how to use encryption and anonymity on the internet.

“We are now seeing the overwhelming ease with which journalists can be treated as, in the NSA sense of the word, targets,” said Spencer Ackerman, the US national security editor of The Guardian. “The intelligence community seems to want to shrug and say that, if you don’t want your information to be viewable, then you wouldn’t be communicating online or over the phone, he added. “And that seems to be a rather exotic explanation of how we live in the 21st century.”

Ackerman added that what he has learned from the Snowden scoops over the past few months has made him internalize how much of a “digital footprint” journalists (and everyone, really) leave on a day-to-day basis. In general, given the extremely sensitive and delicate nature of so much investigative reporting, said Ackerman, he doesn’t believe that many journalists in the industry have “come to terms with the full implications of how much information we just leave in the ether that we just assume is protected.”

But Wall Street Journal intelligence correspondent Siobhan Gorman didn’t seem overly impressed. “I actually don’t know how much these revelations have really affected communications with sources,” she said. “I think that people who have been following this stuff on and off over time have taken precautions for a while.”

A question from the audience, from ACLU technologist (and encryption evangelist) Christopher Soghoian, extended the conversation further. “Some of you have been using encryption for years, and some of you are more recent arrivals to the crypto club, even though you’ve been covering national security for decades,” said Soghoian. He asked the panelists how their views specifically about encryption have changed in the last six months, and how they felt they and their colleagues were equipped to handle the surveillance challenges that they were likely facing.

(Later in the day, when Soghoian sat on his own panel, he also criticized news organizations—the Guardian and the Washington Post were implied—for redacting too many specific details when they published the NSA slides, details of vital importance to people in the computer security industry such as “the names of the algorithms that NSA has broken or subverted, the names of the companies that NSA has colluded with to subvert the security of their products and to sabotage their products.”)

Barton Gellman, a national security reporter at The Washington Post who has been the lead author of several Snowden-NSA articles in the past few months, answered Soghoian’s question first. Gellman said that he considered himself a member of “the tin hat club”; he has been encrypting his own notes for about a decade and has been capable for quite some time of communicating with sources through encrypted methods if necessary.

But, he added, encryption isn’t a panacea. First of all, encrypted communication, because it is still relatively rare, can actually draw attention to users and make them surveillance targets. Secondly, anonymity tools are just as important as encryption, if not more important, in order to protect the identity of sources. Still, not many people tend to take advantage of both—even though they should.

“I can count on one hand the number of people whose only electronic communications with me ever have been both anonymous and encrypted,” said Gellman. “Snowden was sort of the hundred-year storm on that: if I hadn’t known how to communicate with him in very highly secure ways, then I wouldn’t have talked to him at all; that was the only choice.”

Gellman also said that what he has learned through the Snowden leaks has made him more skeptical about his ability to remain safe from the most determined encryption-crackers. Technology helps, he conceded, but it’s not enough if someone really wants to get to you and your information.

“I’ve lost confidence,” he said, “that there is any technological set of steps I can take once I become, in particular, the targeted interest of the government.” He continued, “They don’t break down the wall of encryption; they simply go around it, and they’re very, very good at it. In fact, there is zero-percent chance that I could protect myself from surveillance if a sophisticated opponent is determined to put resources into me—and if there is a leak investigation, it won’t be the NSA, it’ll be the FBI, but using substantially the same tools.”

At the end of the hour, someone in the audience who identified herself as a Wall Street analyst asked the panelists, “How do you handle the oppression and the heavy hand of the NSA, attempting to impede or thwart you people from coming out with these stories?”

No one seemed eager to answer the question, but Gellman finally did, and he gave the panel a strong endnote. He assured the questioner that accountability reporting in the US, overall, was not under threat—and that, while Edward Snowden’s contributions have been significant, the national security press certainly managed to do plenty of good work before he showed up on the scene. Without Snowden, Gellman said, the media has successfully reported and published explosive stories in the past few years, from the scoops about the NSA’s warrantless surveillance back in 2005, to the CIA’s secret prisons and torture. In addition, there are the less explosive but equally important smaller stories that regularly expose various aspects of the national security field.

“So I wouldn’t agree that, collectively, the news media haven’t done that pretty darn well, and I can say, from my own experience, that the suspicion that some people have that the government somehow intimidates us into not doing stories, that just isn’t the case,” said Gellman. “It just doesn’t happen.”

Has America ever needed a media watchdog more than now? Help us by joining CJR today.

Lauren Kirchner is a freelance writer covering digital security for CJR. Find her on Twitter at @lkirchner Tags: , ,