Since 2007, Steve Doig, an investigative journalist, has been giving a talk called “Spycraft: Keeping your sources private.” He’s presented at conferences for Investigative Reporters and Editors and the National Institute for Computer Assisted Reporting, explaining a number of specific technological tips for reporters: using Tor for online anonymity, the benefits of no-contract cell phones, and how to trick keyloggers, among other tools.
“It’s basically trying to develop a paranoid mindset about your work,” says Doig. As a professor at Arizona State University’s Walter Cronkite School of Journalism and Mass Communication, Doig uses his Spycraft PowerPoint for a lecture every semester when teaching “Media Research Methods.” The lecture is often the first time students hear about such security vulnerabilities. “In most journalism courses, you talk about anonymous and confidential sources, the good and the bad of that,” he says. “The other shoe that should fall in there is the steps you need to take to do it, and that is the part that isn’t being talked about a lot.”
Computer security expert Christopher Soghoian wrote about the vulnerability of journalists’ communications in an op-ed for The New York Times this past October, “When Secrets Aren’t Safe With Journalists.” In it, he faults both journalism organizations and schools for what he sees as negligent communication standards across the industry:
Journalists aren’t completely to blame for their lack of computer security expertise — after all, journalism schools have taught them to write, not to play “Spy v. Spy.” The blame also lies with universities that don’t teach these skills, and with news organizations that invest their tight technology budgets in fancy Web sites but not security training.
And while you’d be hard-pressed to find a journalism school that doesn’t talk about the legal and ethical implications of dealing with sensitive sources, the topic is mostly discussed in the context of court proceedings, such as reporter’s privilege or shield laws. But there is much more to be considered besides what to do in the event of prosecutorial action. “It’s very rare that you see a journalist threatening to go to jail,” says Soghoian. “And that’s because an intelligence agency can figure out who the source is without forcing the journalist to testify—without the journalist even knowing.”
Lucy Dalglish, the executive director of the Reporters Committee for Freedom of the Press, which provides free legal advice and support to journalists, met last summer with an intelligence agent who confirmed this, although she agreed not to identify the representative’s name or agency. “He told me, ‘You guys are so worked up about a shield law, and guess what, we don’t need you guys anymore, we know who you’re talking to.’ And I think he’s right,” says Dalglish. Yet specific ways to counter this type of monitoring aren’t covered in most journalism programs. “I’m not aware of anyone doing substantial course work on this,” says Dalglish.
I spoke with a number of journalism schools, to see how the growing issue of cyber-security was being handled, and found a range of approaches. I turned to my alma mater, Columbia’s Graduate School of Journalism, and spoke with Emily Bell, the director of Columbia’s Tow Center for Digital Journalism, a dual master’s program in journalism and computer science, which is in its first year. She says that issues of cyber security bother her “immensely,” but at this point, most students aren’t receiving detailed instruction about it. The only cyber-security course being taught takes place within the computer science program, which is only offered to the students enrolled in the Tow Center’s double major. Bell says discussions are underway for how to introduce this more broadly to the curriculum.