In the wake of the Arab Spring, the UK riots, and Occupy Wall Street, when the same digital tools that were enabling journalists to share information and organize in unprecedented ways–through Twitter, Facebook, mobile phones–had also enabled the authorities to surveil and target their efforts, journalist Susan McGregor understood that metadata was the biggest security risk to her colleagues and their sources. With a grant from the Brown Institute, she started building a mobile app called Dispatch that allowed for secure, authenticated, and anonymous communication and publishing.
But it wasn’t until McGregor attended the Privacy Enhancing Technology Symposium (PETS)* in 2014 that she recognized a major underlying threat–one that potentially stood in the way of solving the problem of secure communications for journalists and their sources. It wasn’t just that many of her colleagues weren’t versed in the technical issues around privacy, but also that the people building security tools didn’t know enough about how journalists worked, or what they valued, to design what they needed.
To bridge this gap for tech people, McGregor teamed up with Franziska Roesner, a professor of computer security at the University of Washington who has a special interest in building security tools, and who was also at the conference. Together they interviewed 15 journalists from the US and France about their workflow and computer security habits. They presented the results on Thursday at the USENIX security conference in Washington DC, to a good deal of excitement. Despite the small sample size, and the fact that the findings won’t surprise many journalists, the effort is seen as a step towards bridging two communities that haven’t historically overlapped. And by laying out some of the basic habits and priorities of journalism, it offers a roadmap to building better, more intuitive security tools for journalists.
“I was surprised by how little I know about what journalists did,” Roesner says. “For instance–and in retrospect this seems obvious, especially to journalists–I didn’t realize how seriously journalists take their duty to protect their sources. Often the reason the tools we build don’t get used by as many people as we’d like is that we didn’t build them with a deep understanding of the journalistic process.”
SecureDrop, an open source whistleblower system that enables news organizations to accept secure documents from anonymous sources, was one example. Both McGregor and Roesner think it’s one of the better tools out there. But because SecureDrop assumes journalists get stories by way of anonymous sources who drop off sensitive documents, it doesn’t account for a fundamental tenet of the journalistic process–namely, the reporter-source relationship, which is cultivated over time, and often over the phone. And while there are ways to encrypt a cell phone conversation, McGregor and Roesner found that journalists won’t use them if they interfere with a source. “What happens when a journalist is in the middle of a conversation and all of a sudden your source starts feeling more comfortable and decides to share an anecdote?” McGregor asks. “You can’t put them on hold and say, Wait a minute while I encrypt this conversation. Even if you don’t freak them out, the flow of the moment is lost.”
One goal, then, is to design a tool that’s nimble enough to protect the ebb and flow of an evolving reporter-source relationship. But the ultimate goal, McGregor says, is to have secure communication channels and practices be the default in journalism, regardless of whether a reporter is involved in a major investigation or tracking down everyday press quotes.
Language was another gap that emerged.
“When journalists talk about an anonymous source, they’re talking about someone whose identity they know, but whose name they don’t publish,” McGregor says. “Whereas when tech people talk about an anonymous source, they’re talking about someone whose physical identity is unknown. So in the technical sense of the word, almost no journalism actually comes from anonymous sources.”
Roesner was especially inspired when she learned the lengths to which some journalists go to confirm the identity of a source–for example, sending a source a sentence over an encrypted channel and asking them to then post that sentence to Twitter to verify that the source holds both accounts. She hopes that knowing about such ad-hoc approaches may lead to new innovations in security.
On Twitter, computer security specialists were hopeful, too:
Tech people who want to build security tools to protect journalists need to read this first. https://t.co/X2shHOocMI
– matt blaze (@mattblaze) August 13, 2015
A week after new documents released by Edward Snowden show how AT&T helped the US spy on the internet, the study, and the issues it raises around better security practices and governance, have implications well beyond the press. “Journalists have no special protections or exemptions, so in that sense, we have a mandate as a profession to deal with this stuff, but this is everybody. We’re all on our email and phones.”
*Correction: This article originally stated that McGregor attended the Journalism After Snowden conference in 2014; it was actually the Privacy Enhancing Technology Symposium.