So, has that changed? Contacted again this week, Penenberg said that “in response to all the NSA hullaballoo” he has incorporated encryption into his syllabus and invited guest speakers like Witness.org’s Bryan Nunez to discuss digital security especially when reporting abroad. But, his overall opinion remains unchanged: “The truth is that very few reporters will ever need to encrypt communications and communicate with top secret sources,” Penenberg wrote in an email.
Steve Doig, who, when not delivering standing-room-only “Spycraft” lectures, teaches at Arizona State University’s Walter Cronkite School of Journalism, echoed Penenberg’s point. While some students may go on to do highly sensitive national security reporting, others may cover Hollywood or the like, Doig says—but all students should at least be aware of the issues at stake, whether or not they end up needing to act on them. An occasion where a source’s life is at stake is relatively rare, but if that occasion arises, it’s vital that everyone involved knows how to handle it.
Doig says he’s certainly no techie, but he tells his students about the basics, like buying burner phones, using cash, and doing anonymous searching, and then he recommends tools and resources where they can learn more if they need to. “Who knows what people will wind up doing?” says Doig. “But if I’ve at least implanted a tiny touch of paranoia in them, then I will have met my goal.”
That word—paranoia—points to a tricky challenge for those who train new journalists. Susan McGregor, who teaches at The Tow Center for Digital Journalism at the Graduate School of Journalism at Columbia University and who has herself written for CJR about what journalists can take away from this year’s most pressing legal and technical challenges, stresses the importance of keeping perspective. The more you become aware of the potential risks out there, “it can get in your head…it can be damaging,” McGregor says. “We have to make sure we’re handling these issues in a way that does not expose ourselves and our sources unduly, but that also does not prevent us from doing the work.”
Balance is vital. The simple, cover-your-butt steps might give students a false sense of security, while the more onerous steps may make them want to give up completely. (Searching the Web through Tor is slow, and anonymous chat and email can be far more clunky and confusing than their less-secure counterparts.) Too often, McGregor says, people who are new to this stuff will go to a training session, install a bunch of software, and then never use any of it because it all seems so complicated and slow. That’s why understanding when to employ these tools is just as important as how to use them. After all, digital security isn’t like learning any new tool: it’s not a video camera, it’s not Flash. It’s a way of thinking: about how to evaluate the risks at hand, and how to address them in the most efficient way. And for that, McGregor says, “You need to give people a conceptual model, a mental map.”
To that end, The Tow Center is holding a three-day workshop next weekend that McGregor says will discuss and explore “threat modeling” in a holistic way, in addition to merely training attendees on technical tools. The workshop also has the aim of connecting the non-technical journalism community to the non-journalistic technical community. The hope is that the people who could potentially develop tools to help journalists stay secure can start to really understand what the needs are.
As for the question, Does everyone have to learn this stuff? McGregor says, absolutely. Journalists have a collective responsibility; it’s as important as closing and locking the door behind you when you walk into your apartment building. “You may not be covering the NSA, but a colleague of yours might,” says McGregor. “Unless you’re working really on your own, you have a responsibility to protect the person who is vulnerable or may be targeted within your organization by being responsible yourself. If you are not being responsible, you are exposing the people you work with, potentially.”