Why encryption is crucial for all news organizations

March 31, 2015

Most discussions of digital security begin with Edward Snowden.

In November 2014, the Reporters Committee for Freedom of the Press held a conference on news organizations and security subtitled “Solutions to Surveillance Post-Snowden.” A Pew Research Center poll released this month aims to discover “Americans’ privacy strategies post-Snowden.”

Another Pew Research Center poll co-sponsored with the Tow Center for Digital Journalism at Columbia University from February called “Investigative Journalists and Digital Security” doesn’t mention Snowden explicitly, but he obviously lurks behind questions like this one: “Thinking specifically about US government requests for data, do you think your home ISP would or would not share your data with the government as part of standard NSA data gathering?”

[Figure: Americans Have More Muted Concerns about Government Monitoring of their Own Digital Behavior]

That poll, which queried members of the nonprofit Investigative Reporters and Editors, reveals a byproduct of focusing the whole industry conversation around digital security on the former Booz Allen contractor. “Many [IRE members] assert that only journalists focusing on national issues or government investigations would be monitored,” the report finds. Indeed, national security and foreign affairs journalists were more likely than others to believe the government has collected data about their phone calls, and more likely to have taken a number of precautions to increase their digital security.

But it would be shortsighted for reporters and news organizations to continue to think of encryption and other privacy tools as essential only for those journalists hoping to hear from the next Snowden. Fortunately, it appears 2015 may be the year that message sinks in.


In early March, Gawker Media announced it was implementing SecureDrop, an anonymous communication system built by late hacktivist Aaron Swartz and now developed by the Freedom of the Press Foundation.

In his introductory post, Investigations Editor John Cook, just returned from a stint at The Intercept, explained why even a constellation of sites more focused on pop culture than national security needs to provide potential leakers with a safe, anonymous way to contact reporters: “Gawker Media runs on tips and leaks from people with information to share.”

[T]he sad fact is that when it comes to the internet, everybody is a spy: the government, the service providers watching your packets whiz by, the employer who operates the network you’re reading this post on, the lurker on the wifi at Starbucks. The ubiquity of digital communications has made it harder than ever before to engage in truly private conversations, and tools like SecureDrop are increasingly crucial to guaranteeing that people with important stories to tell can safely come forward.

Of course, all good newsrooms run on tips and leaks, which is why systems like SecureDrop are becoming a “basic cost of entry” for news organizations, argues David Walmsley, editor in chief of Canada’s Globe and Mail.

“I think probably the media industry was quite late in recognizing the capacity of those who would wish to hear and see and listen to what we do,” Walmsley said in a phone interview.

The Globe and Mail also adopted SecureDrop in early March and has a small team of reporters from across the newspaper, not just the national security team, monitoring the anonymous portal. Walmsley said the team has already seen a number of interesting leads, including one by the end of the first day of implementation, come through the system.

“It really speaks to the notion that there is an appetite for the sort of confidential vehicle that otherwise perhaps people felt they couldn’t take,” he said, adding that it is a primary responsibility of news organizations to be trustworthy repositories for all kinds of sensitive information. “You’re only as good as the oxygen of the information flow that you’re getting.”

Despite the progress at national news organizations like Forbes, The New Yorker, The Washington Post, and Wired, all of which use some form of SecureDrop, encryption and other security measures still lag at regional news outlets and among the general public (aka sources).

Among the 17 organizations using SecureDrop, only one, the San Francisco Bay Guardian, has a regional affiliation. A recent Freedom of the Press Foundation survey of which organizations use STARTTLS, a way to upgrade email servers so they can handle encrypted messaging, found “that regional, local and city newspapers tend to be less protected than large national outlets, which was expected as they operate with less resources and lower stakes.”

Local papers undoubtedly have fewer resources than their larger peers, but whether they operate for lower stakes is up for debate. As Walmsley pointed out, it can be even more vital to protect sources in a community where “everybody knows everyone.”

“The ability to speak truth to power in a smaller community can sometimes be neutered because no one wants to be seen to be speaking out of turn,” Walmsley said. “But [someone] may believe there is something that needs to be fundamentally revealed that the city council doesn’t want to have public, and the best way of doing that is through the journalists.”

That such a concerned citizen would have the technical knowledge to take advantage of a system like SecureDrop, even if it were available at the local news site, is unlikely. The Pew poll that set out to determine America’s post-Snowden privacy strategies found that 79 percent of respondents either have never considered using Tor, the anonymity software that anyone leaking through SecureDrop must use, or have never even heard of it.

Still, there’s hope that 2015 will be a breakthrough year for mainstream encryption, as Apple and Google continue to roll out devices encrypted by default, making the public more familiar with the concept, and as groups like Open Whisper Systems try to make end-to-end encryption as easy to use as standard text messaging. And even if it takes sources years to catch up with the digital security technology, news organizations need to be there ready and waiting, or risk missing the story, big or small.

Kelly J O'Brien is a freelance journalist based in Boston. Follow him on Twitter at @kelly_j_obrien.