The role of journalists is to make information public. The irony is that in order to do so, they need to keep lots of things secrets.
They do that in all sorts of ways. Sometimes journalists promise anonymity in order to get officials to divulge what they’re not supposed to reveal. Sometimes they cloak the exchange of sensitive documents. Sometimes they conceal the nature of their stories so that governments can’t censor their work preemptively.
What news organizations don’t worry enough about is keeping the identity of their readers secret. In an era when electronic spycraft is rampant, people who go to a website looking for news can unwittingly endanger themselves just by clicking on a story or video. Governments that know who is accessing specific information can intrude in a variety of ways—by blocking or censoring the story or by targeting individuals who access prohibited information for harassment or even legal action.
As elemental as it is to keep Web-based communication secure, it’s been a largely overlooked subject by many news outlets. That’s beginning to change, thanks to aggressive efforts by advocacy groups to strengthen and reinfforce safety barriers around the Web.
The aptly named Let’s Encrypt the Web project, part of a long-term effort by a coalition of tech companies and internet advocacy groups (including the San Francisco-based Electronic Frontier Foundation), seeks to ensure that all Web communication is both reliable and secure. It is precisely the kind of movement that traditional journalists tend to cover rather than support, since it has an activist tinge and a wonky and technical bent.
Most stories about the effort are framed as a struggle between two competing interests—the law enforcement and intelligence agencies trying to prevent terror attacks on one side, and on the other technology companies and advocacy groups seeking to protect individual privacy. Certainly, journalists should present both sides but they should also recognize their own stake in the outcome. Encrypting the web means deploying software to make the information exchanged between websites (including basics like email) indecipherable to prying eyes.
At a Tech Summit hosted by the Committee to Protect Journalists in San Francisco last month and attended by journalists, industry leaders, and technologists, the talk was about ways in which insecure information practices that endanger individual journalists, expose newsrooms to hacking, and compromise the security of those accessing the information.
There was also talk about the software companies and other vendors working to address the problem. As one participant, Ethiopian journalist Zerihun Tesfaye, wrote on Facebook: “These digital security experts first scare you so much that you won’t be online tomorrow morning … . Then they teach you how you would be able to move safe online, and inspire you to keep writing writing writing.”
Zerihun’s fears are well founded and were brought into high relief by recent revelations about Hacking Team, an Italian company that sold spyware to repressive governments around the world, including Saudi Arabia, Sudan, Egypt, and Azerbaijan. Internal documents “liberated” by an anonymous hacker are now posted online in a searchable database hosted by WikiLeaks. Hacking Team has gained a notorious reputation long before the most recent revelations. A February 2014 report confirmed that the Ethiopian government has contracted the Hacking Team to spy on Ethiopian journalists based in the United States.
In this environment, where the tools of electronic espionage are increasingly available to most anyone, it is critically important that journalists are empowered and trained to secure their own information.
But this approach has limitations. It puts the onus on individuals, often freelancers and local journalists, who have limited resources and training opportunities. And it pits them against forces with extreme power—think the NSA or Chinese government.
What’s more helpful is when the weight of entire media organizations is thrown at the issue. When it is, the most immediate and useful step they can take is to implement HTTPS on their web servers and STARTTLS email encryption, both of which will help protect journalists by default.
Many non-news sites already deploy both. Major search engines—your bank, your health plan—all utilize HTTPS (CPJ.org went full HTTPS by default in 2015.) The “S” stands for “secure.” When the little lock appears in the left side of the browser it means that traffic to and from the website is encrypted, and not visible to intrusive governments or malicious hackers.
Using HTTPS makes it much harder for governments to track visitors, censor an individual story without taking down the whole site, or even inject code that can take over a reader’s computer. Media organizations are starting to make the move. In June, the Washington Post became the first major media outlet to encrypt most of its site. The New York Times has announced plans to do so soon. Other, newer organizations like the Marshall Project, The Intercept, and ProPublica are fully encrypted. The stumbling block until now has been concerns about the compatibility of HTTPS with web-based advertising content. Fortunately, those concerns are starting to be addressed.
For email, there is STARTTLS, an easy-to-implement protocol that encrypts all email traffic while it’s in transit. But more news organizations need to adopt it. A study by the Freedom of the Press Foundation found that half of the 65 major news organizations surveyed did not have STARTTLS turned on, or had it imperfectly configured. The lack of adoption is hard to explain, but inertia and lack of awareness about the risk probably plays a role.
The final frontier is policy. Media organizations need to fight government efforts to compromise web security through the implementation of backdoors, which would allow government agencies and law enforcement to access encrypted information. (Experts have called such backdoors technically infeasible and probably illegal.) Media organization also need to push for limits on government surveillance. Tech companies, for their part, need to make encryption easier and ensure that governments seeking to access user information are operating lawfully and in compliance with international human rights standards.
Journalists can’t do their job without some level of secrecy and without a secure web they have no such assurance. Which is why what appears as an activist effort to challenge government policy is really not. It’s a cause that allows journalists to perform their core function, and media organizations should get behind it.