Lessons for journos in the NSA revelations

In the second such revelation in less than a month, on Wednesday the Guardian‘s Glenn Greenwald released a copy of a court order that confirmed the US government has been using parts of the Patriot Act to require Verizon to turn over information about the communications of US citizens. Just one day later, another set of documents published almost simultaneously by the Guardian and The Washington Post revealed the existence of PRISM, a data-collection program that allegedly allows the NSA to collect the comprehensive digital communications from the servers of partner companies. Many of the companies listed as partners–including Google, Facebook, and Apple–denied knowledge of the program and/or direct NSA access to their servers, saying that they instead complied with individual requests for information.

Lawmakers and government figures have been quick to defend the legality of both measures. In response to Wednesday’s publication of the Verizon court order, Senators Dianne Feinstein (D-CA) and Saxby Chambliss (R-GA) stressed that the document was a typical renewal. The order directs Verizon to turn over the “telephony metadata” of all US and US-to-international calls to the NSA for the three month period from April 25 to July 19, 2013.

“As far as I know, this is the exact three-month renewal of what has been the case for the past seven years,” said Feinstein.

“This is nothing particularly new,” Chambliss concurred. “This has been going on for seven years under the auspices of the FISA authority and every member of the United States Senate has been advised of this.”

The order was issued by the Foreign Intelligence Surveillance Court under 50 US Code 1861, which can require the production of “any tangible things” pursuant to “an investigation to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities.”

What is new in Wednesday’s release is the public confirmation that the US government has been using this “business records” section of the Patriot Act (now 50 US Code 1861) to collect information about the activities of US citizens. Prior attempts to gain insight into the government’s interpretation of the law, such as a 2011 FOIA request and subsequent lawsuit by the ACLU, were unsuccessful. In a letter to Attorney General Eric Holder dated March 15, 2012, Senators Mark Udall (D-CO)  and Ron Wyden (D-OR) suggested that “most Americans would be stunned” to learn how the law was being applied.

“As we see it,” the co-signed letter states, “there is now a significant gap between what most Americans think the law allows and what the government secretly claims the law allows.” The letter also notes that while the government’s official interpretation of the law had been communicated to Congress, it remained so highly classified that, in practical terms, many lawmakers were likely unaware of it. 

Taken together, the implications of these programs is clear: anyone wishing to keep private whom they are communicating with, and when–especially if the other party is international–will need to take additional steps to protect their communications. This is especially the case for journalists who need to protect their sources, given the enthusiasm the current administration has shown for prosecuting whistleblowers.

“Journalists in this country have enjoyed the benefits of press freedom, but now the combination of aggressive investigations and unprecedented reliance on technology mean journalists need to get up to speed on digital security, and so do their sources,” says Frank Smyth, senior advisor for journalists security at Committee to Protect Journalists. “Journalists have to start thinking about operational security in terms of reporting.” This means understanding the risks posed by different means of communication, as well as developing flexible strategies for minimizing those risks.

“Mobile phones are inherently insecure, by the way the network is designed” says Katrin Verclas, innovation officer at the National Democratic Institute. “Nevermind the content of the message. The SIM number, the GPS location, the call duration, who you call–it’s all routinely reported.”

As an alternative, Verclas says, journalists should learn to use digital communication tools securely. “Certainly online communications can be made more secure and anonymous. This is stuff you can learn, and you don’t leave those kinds of metadata traces.”

For example, Smyth says, “You could bring your laptop to a university or a library and then you have an ISP [Internet service provider] that’s not traceable to you.” Verclas suggests encrypted communications service Silent Circle.

“Think of ways to ping sources that would be untraceable,” says Smyth. “Use a secure chat program to send a message to a source. If you need to tell your editor who your source is, walk across the room, don’t send an email.”

Yet while there are strategies that individual journalists can use to help protect their communications, many experts believe that there is an essential role for institutions to play as well.

“There needs to be a push in the newsroom to do really good trainings, so it’s not just self help,” says Verclas. “Newsrooms have a moral and ethical obligation to invest in this kind of stuff in a very professional, high quality way.”

Focusing only on security isn’t sufficient, says Rebecca MacKinnon, cofounder of Global Voices and author of Consent of the Networked.

“The Patriot Act needs to be reformed, FISA needs to be reformed, ECPA (the Electronic Communications Privacy Act) needs to be reformed,” MacKinnon says. “We need a legal system that actually holds the government accountable.”

In the meantime, she says, “You can start acting like you’re a journalist in China.”

Looking for training and resources to improve your own digital security? Global Journalist Security is offering two special classes on Digital Safety for National Security Reporters in July 2013 in Washington, DC.