Back in the dark ages of January, 2012, my colleague Alysia Santo wrote a thoughtful piece about how journalism schools were—or were not—equipping their students with the tools and know-how they need to protect their digital information and communications. Many professors Santo interviewed expressed concern about cyber-security threats, and she reported that general awareness of the issue was “certainly spreading.” But at the same time, most academics she spoke to also said that there were no formal training programs in their curricula that would teach students about, say, encryption.
She wrote that piece a little under two years ago, and a lot has happened since then: Edward Snowden’s revelations about NSA surveillance; the Department of Justice’s subpoena of AP phone records; the legal battles of James Risen and James Rosen, and on and on. The technical and legal threats to journalists and their sources have been in place for a long time, but there is now such stark evidence of them that journalists can no longer claim ignorance as a reason not to take the necessary precautions with their data.
Reached again this week, educators Santo interviewed say that, despite these high-profile cases, digital security is still only starting to find a place in their journalism classes. Many of them liken it to computer-assisted reporting or data visualization—there’s a recognition that these skills are vital to the industry as a whole, but there’s disagreement about how they should be incorporated into the curriculum, given a limited amount of time, and whether or not all students should be required to study them in order to earn a degree.
Anecdotally, though, professionals and students do at least seem more aware of the risks to their digital data, and more receptive to solutions, than they may have been in the past. They might just not know where to start. Investigative journalist Steve Doig, whom Santo interviewed for her piece last year, said this week that he now has audience members lining the walls and sitting in the aisles when he gives his talk “Spycraft: Keeping your sources private.” It’s the same talk he’s been giving for years, but the demand for it has exploded.
Frank Smyth has worked with the Committee to Protect Journalists to develop a guide to help reporters evaluate and respond to all types of threats, as well as a guide specifically on digital security basics for the Medill School of Journalism at Northwestern University, both of which he has said can help fill the void until journalism schools get their act together. “Digital Safety for Journalists should be a three credit-hour elective at every school, and it should be recommended, if not mandatory for anyone focused on investigative journalism, national security or, down the road, even school board meetings,” Smyth writes in an email.
Many professors agree with Smyth, and want to see a separate, dedicated class or workshop on digital security incorporated into the curriculum. Geanne Rosenberg, a professor at Baruch College and the CUNY Graduate School of Journalism, told Santo in 2012 that she lectured her students “in general terms” about risk, without getting into technical details, but that she was very interested in seeing journalism schools increase their focus on the topic. Reached this week for a followup, Rosenberg pointed to her colleague Sandeep Junnarkar’s brand new cyber-security “module” debuting this semester. The course description says it will cover specific tools for secure communication, file storage, and general computer health (for instance, how to “permanently delete the content of your trash”).
It can also make sense to teach digital security in the context of other classes, rather than separating it out into its own category. Another CUNY journalism professor, New York Times reporter Andy Lehren, says that he mentions tools like Tor and public and private keys in his international reporting classes. Jane Kirtley, who teaches at the University of Minnesota’s School of Journalism and Mass Communication, says that she has been disappointed with her colleagues’ response to this gap in the school’s curriculum—but that at least she knows the students will hear about it from her, in the program’s required media law course. It’s not enough to teach the basic legal concepts of tort and libel, says Kirtley; she’s also got to warn her students about the threat of hackers and third-party subpoenas.
Kirtley also says that one positive outcome of the Snowden revelations of NSA surveillance has been a more widespread awareness of digital security issues in general. The NSA isn’t a threat to reporters’ everyday work, but it’s such an explosive story that it has gotten people thinking about all of the other threats out there, too. “Even the students who are the most disconnected from the news have heard about that—and it has made them think twice about the security of their communications,” she says.
The basic concepts of digital security also fit logically into classes that teach investigative reporting and computer-based research. Charles Seife, a professor of investigative journalism at the Arthur L. Carter Journalism Institute at New York University whom Santo interviewed (and who, in fact, recently came out as a former NSA employee) says now that the school’s curriculum hasn’t changed since then, nor have his views on the topic.
“I believe that by teaching students the incredible power of information—how to use even tiny information leaks to knit together a skein of knowledge about a subject—they naturally become much more aware of how valuable and fragile a resource information is…they then (often) become much more jealous of guarding their own,” Seife wrote in an email. “Infosec is, in many ways, the flip side of digital investigative reporting—any course which goes deep into the latter will typically give a lot of information about the former.”
Another important question, aside from how to teach these concepts, is who exactly needs to learn them. Should digital security training be required for all graduates? Or should it be offered as some sort of elective? Or, maybe that’s a false dichotomy; maybe there’s a better and entirely different way to think about it?
In her piece last year, Santo quoted digital security expert and ACLU technologist Christopher Soghoian—who had written an op-ed in The New York Times on the topic a few months earlier—voicing his frustration at the lack of this type of training in journalism programs:
Soghoian is irked by the fact that most journalism programs offer a plethora of courses in video, audio, and social media, while not training students in what he sees as a basic foundational knowledge of how to protect the information they’re gathering. “It’s not like journalists are so ignorant they cannot be taught about technology,” says Soghoian. “This is just another skill they have to be taught. [Journalism schools] are going to need to rethink their curriculum. They’re going to need to have a course that every student is required to take.”
At the time, some of the professors Santo interviewed pushed back on that last point, that “every student” should be “required” to take it. For instance, NYU journalism professor Adam Penenberg told Santo that the NYU program didn’t require all students to learn comsec for the same reason that they didn’t require all students to learn “how to line up ‘fixers’ in a war-ravaged nation or go undercover with a hidden camera. Only a fraction of students will ever need those skills.”
So, has that changed? Contacted again this week, Penenberg said that “in response to all the NSA hullaballoo” he has incorporated encryption into his syllabus and invited guest speakers like Witness.org’s Bryan Nunez to discuss digital security especially when reporting abroad. But, his overall opinion remains unchanged: “The truth is that very few reporters will ever need to encrypt communications and communicate with top secret sources,” Penenberg wrote in an email.
Steve Doig, who, when not delivering standing-room-only “Spycraft” lectures, teaches at Arizona State University’s Walter Cronkite School of Journalism, echoed Penenberg’s point. While some students may go on to do highly sensitive national security reporting, others may cover Hollywood or the like, Doig says—but all students should at least be aware of the issues at stake, whether or not they end up needing to act on them. An occasion where a source’s life is at stake is relatively rare, but if that occasion arises, it’s vital that everyone involved knows how to handle it.
Doig says he’s certainly no techie, but he tells his students about the basics, like buying burner phones, using cash, and doing anonymous searching, and then he recommends tools and resources where they can learn more if they need to. “Who knows what people will wind up doing?” says Doig. “But if I’ve at least implanted a tiny touch of paranoia in them, then I will have met my goal.”
That word—paranoia—points to a tricky challenge for those who train new journalists. Susan McGregor, who teaches at The Tow Center for Digital Journalism at the Graduate School of Journalism at Columbia University and who has herself written for CJR about what journalists can take away from this year’s most pressing legal and technical challenges, stresses the importance of keeping perspective. The more you become aware of the potential risks out there, “it can get in your head…it can be damaging,” McGregor says. “We have to make sure we’re handling these issues in a way that does not expose ourselves and our sources unduly, but that also does not prevent us from doing the work.”
Balance is vital. The simple, cover-your-butt steps might give students a false sense of security, while the more onerous steps may make them want to give up completely. (Searching the Web through Tor is slow, and anonymous chat and email can be far more clunky and confusing than their less-secure counterparts.) Too often, McGregor says, people who are new to this stuff will go to a training session, install a bunch of software, and then never use any of it because it all seems so complicated and slow. That’s why understanding when to employ these tools is just as important as how to use them. After all, digital security isn’t like learning any new tool: it’s not a video camera, it’s not Flash. It’s a way of thinking: about how to evaluate the risks at hand, and how to address them in the most efficient way. And for that, McGregor says, “You need to give people a conceptual model, a mental map.”
To that end, The Tow Center is holding a three-day workshop next weekend that McGregor says will discuss and explore “threat modeling” in a holistic way, in addition to merely training attendees on technical tools. The workshop also has the aim of connecting the non-technical journalism community to the non-journalistic technical community. The hope is that the people who could potentially develop tools to help journalists stay secure can start to really understand what the needs are.
As for the question, Does everyone have to learn this stuff? McGregor says, absolutely. Journalists have a collective responsibility; it’s as important as closing and locking the door behind you when you walk into your apartment building. “You may not be covering the NSA, but a colleague of yours might,” says McGregor. “Unless you’re working really on your own, you have a responsibility to protect the person who is vulnerable or may be targeted within your organization by being responsible yourself. If you are not being responsible, you are exposing the people you work with, potentially.”
Finally, here’s one last thought to help motivate students to learn about digital security, cumbersome as it can sometimes be: It’s one more skill to add to a resume. During a panel discussion on encryption basics one evening last month at Columbia, McGregor threw in this enticing aside: “I’m guessing that if you want to work for Glenn Greenwald’s new $250 million news outlet, probably knowing this stuff is going to be valuable.”