behind the news

Encryption, security basics for journalists

Courtesy of Monday's Hacks/Hackers meetup in Manhattan
September 17, 2013

“Should you worry about the NSA? Eh, maybe,” was the title of the night’s first slide, when the Hacks/Hackers New York group led a session on encryption and security on Monday. The event was meant to get journalists familiar and comfortable with several of the free, basic tools that can help them protect their own work-in-progress and their communications with sensitive sources.

There’s been a flood of NSA-related info from the Snowden leaks over the past few months about how the US government spies digitally on its own citizens. Sometimes it’s hard to keep things in perspective, to know how secure we need to be with our information and communication as we live our lives and do our jobs. For reporters protecting the identity and information of a source, the stakes are already high. But how should typical journalists think about data security when they’re going about their daily work?

Jennifer Valentino-DeVries, who reports on privacy issues for The Wall Street Journal, and who has worked on special projects like the digital privacy series “What They Know,” led the first part of the night, explaining the stakes of data security to an audience of about 70. First, she elaborated on the “Eh, maybe.” If you’re a journalist on a typical beat, then no, the NSA is probably not hacking into your email on a regular basis, she said. But there are aspects of your job that could make you more susceptible to having your communications monitored in some way, or its metadata collected for later analysis. For instance, if you are a journalist who frequently works overseas, or who specifically reports on national security issues–these factors could raise your profile.

That said, Valentino-DeVries went on, there’s a real benefit to all journalists learning the basics of encryption and operating security.

“For most folks, your concerns are going to be with investigations that don’t involve the NSA: like subpoenas, civil cases, accidental disclosure,” she said. “And one thing that isn’t a security concern as much, but I have found in my reporting that surveillance in general has a chilling effect–it makes sources more scared to talk to you.” The more comfortable journalists become with secure communication, the safer that all sources will feel when contacting and trusting members of the media.

You may not be currently reporting on sensitive topics involving government leaks. But what if a source contacts you with the promise of a big story and insists on encrypted communication? It happened to Glenn Greenwald, Laura Poitras, and Barton Gellman, the team approached by Edward Snowden. If you don’t have any experience with encryption or security, it might be difficult to jump in when the stakes are so high.

Sign up for CJR's daily email

So, in the second half of the evening, Mike Tigas of ProPublica’s news applications desk guided everyone in downloading and installing a bunch of simple, free tools. Attendees were already sitting grouped according to operating system to facilitate a smoother “Install-fest”: There were a handful of Windows users up in the front, a half-dozen dudes running Linux in the back, and about 50 Mac users bunched on one side.

With Tigas’ help, everyone downloaded Tor for anonymous browsing, Adium (for Macs) and Pidgin (for PCs) for secure IM conversations, and then a combination of Thunderbird, Enigmail, and PGP/GPG keys for a good, basic start on sending and receiving encrypted email.

There are countless tools available online; they’re easy to find, easy to learn about with a little reading, and often free. Besides the ones above, Valentino-DeVries also explained the pros and cons of Cryptocat, for encrypted group chats, TrueCrypt, which encodes and password-protects files on your computer, and CCleaner, which cleans up your computer by deleting temporary files and overwriting deleted files to make them harder to recover. All are free. In general, the presenters said, it’s a good idea to use tools that are open-source, and that have been around and in use for the longest.

A man from the Windows contingent raised his hand and asked about some of these programs’ potential weak points. Valentino-DeVries emphasized that no system is completely secure. Every piece of software has its flaws. And common mistakes like using weak, crackable passwords or connecting to insecure online networks can make whatever software you’re using moot in any case.

If a person (or company, or agency) really, really wants to hack your computer, they probably will be able to do so, Valentino-DeVries said: Don’t rely on encryption to safeguard a source’s life. There are far more extreme measures to be taken in that case, as this blog post that Hacks/Hackers sent out before the Meetup describes.

The main takeaway of the event was that, regardless of the type of journalism you do, it’s in your best interest to at least experiment with encryption and security before you actually “need” them. Just because any given security system isn’t perfect, that doesn’t mean it’s not worth using any security system at all. Yes, it may seem complicated at times, but it can be easy to get the hang of, and it’s good practice–especially if you could imagine doing more sensitive work in the future.

“Even if the men in suits aren’t after you, there are benefits to everyday crypto,” read another slide in the presentation. Valentino-DeVries said that, in addition to making you a better prepared, more knowledgeable, and versatile journalist, learning these basic skills can incrementally benefit all of your colleagues, as well. Some government officials have actually stated in previous legal cases that a person’s using cryptography at all was a “red flag” that that person could be doing something illegal, and was therefore a worthy subject of investigation, said Valentino-DeVries.

“Normalizing the use of these tools legally makes it more apparent that we all have an interest in our own privacy, and an expectation of privacy in our communication,” she said, “even if we’re using the Internet and third parties and doing our communicating online.”

Lauren Kirchner is a freelance writer covering digital security for CJR. Find her on Twitter at @lkirchner