the news frontier

Teaching Cyber-Security

Confidentiality promises often require technical skill
January 24, 2012

Since 2007, Steve Doig, an investigative journalist, has been giving a talk called “Spycraft: Keeping your sources private.” He’s presented at conferences for Investigative Reporters and Editors and the National Institute for Computer Assisted Reporting, explaining a number of specific technological tips for reporters: using Tor for online anonymity, the benefits of no-contract cell phones, and how to trick keyloggers, among other tools.

“It’s basically trying to develop a paranoid mindset about your work,” says Doig. As a professor at Arizona State University’s Walter Cronkite School of Journalism and Mass Communication, Doig uses his Spycraft PowerPoint for a lecture every semester when teaching “Media Research Methods.” The lecture is often the first time students hear about such security vulnerabilities. “In most journalism courses, you talk about anonymous and confidential sources, the good and the bad of that,” he says. “The other shoe that should fall in there is the steps you need to take to do it, and that is the part that isn’t being talked about a lot.”

Computer security expert Christopher Soghoian wrote about the vulnerability of journalists’ communications in an op-ed for The New York Times this past October, “When Secrets Aren’t Safe With Journalists.” In it, he faults both journalism organizations and schools for what he sees as negligent communication standards across the industry:

Journalists aren’t completely to blame for their lack of computer security expertise — after all, journalism schools have taught them to write, not to play “Spy v. Spy.” The blame also lies with universities that don’t teach these skills, and with news organizations that invest their tight technology budgets in fancy Web sites but not security training.

And while you’d be hard-pressed to find a journalism school that doesn’t talk about the legal and ethical implications of dealing with sensitive sources, the topic is mostly discussed in the context of court proceedings, such as reporter’s privilege or shield laws. But there is much more to be considered besides what to do in the event of prosecutorial action. “It’s very rare that you see a journalist threatening to go to jail,” says Soghoian. “And that’s because an intelligence agency can figure out who the source is without forcing the journalist to testify—without the journalist even knowing.”

Lucy Dalglish, the executive director of the Reporters Committee for Freedom of the Press, which provides free legal advice and support to journalists, met last summer with an intelligence agent who confirmed this, although she agreed not to identify the representative’s name or agency. “He told me, ‘You guys are so worked up about a shield law, and guess what, we don’t need you guys anymore, we know who you’re talking to.’ And I think he’s right,” says Dalglish. Yet specific ways to counter this type of monitoring aren’t covered in most journalism programs. “I’m not aware of anyone doing substantial course work on this,” says Dalglish.

Sign up for CJR's daily email

I spoke with a number of journalism schools, to see how the growing issue of cyber-security was being handled, and found a range of approaches. I turned to my alma mater, Columbia’s Graduate School of Journalism, and spoke with Emily Bell, the director of Columbia’s Tow Center for Digital Journalism, a dual master’s program in journalism and computer science, which is in its first year. She says that issues of cyber security bother her “immensely,” but at this point, most students aren’t receiving detailed instruction about it. The only cyber-security course being taught takes place within the computer science program, which is only offered to the students enrolled in the Tow Center’s double major. Bell says discussions are underway for how to introduce this more broadly to the curriculum.

Lowell Bergman, who teaches at the Berkeley Graduate School of Journalism, says he takes care to teach his students practical advice about their communications. For the type of monitoring that wouldn’t necessarily require a courtroom, he advises students to use caution. “I tell them, ‘Don’t e-mail anything you wouldn’t want on the front page, or quoted back to you in litigation,’” amongst other warnings, like the potential of phone records to be used in identifying confidential sources. But he says he has not heard of anyone in the school going into great detail about tools or other specific work-arounds to help protect the electronic communications in the first place. Having some introduction to these issues is important, he agrees, although “it militates the actual priorities people have when they come to journalism school, like how to make a documentary, learn Flash, how to make a website, or how to do a long form article.”

Soghoian is irked by the fact that most journalism programs offer a plethora of courses in video, audio, and social media, while not training students in what he sees as a basic foundational knowledge of how to protect the information they’re gathering, “It’s not like journalists are so ignorant they cannot be taught about technology,” says Soghoian. “This is just another skill they have to be taught. [Journalism schools] are going to need to rethink their curriculum. They’re going to need to have a course that every student is required to take.”

While Charles Seife, a professor at the Arthur L. Carter Journalism Institute at New York University, agrees with Soghoian’s overall point about that “many of us are lax when it comes to securing our telecommunications against snooping,” he felt that the op-ed was “devoid of nuance” because “security always involves tradeoffs and compromises.”

“The more safeguards you put on a system, the more of a pain in the butt the system is to use – and the more likely it is that people will try to undermine those safeguards or disable them entirely,” Seife wrote in a recent e-mail. He’s used encryption in his own reporting, but wrote that he’d never done so out of necessity, and wouldn’t trust that doing so would hide his actions sufficiently anyway. He also points to the fact that encryption can be counterproductive; it shows anyone watching that somebody is trying to conceal the contents of their message.

Seife thinks it’s better to assume insecurity and “behave accordingly”; the concept of vulnerability is the real lesson. “No, we don’t teach students about how to use Tor or proxy servers or PGP,” writes Seife, which are among the recommendations Soghoian makes, along with other digital-privacy advocacy groups, like the Electronic Frontier Foundation (more on that here). He shows his students how to gather bits of electronic data from “IP addresses in emails, from hidden metadata in documents, from the source code of HTML.” By showing “how to exploit those information sources,” the students learn what they could be revealing in the course of their own electronic communications.

Jane Kirtley, the Silha Professor of Media Ethics and Law at the University of Minnesota’s School of Journalism and Mass Communication, has a similar philosophy. She tells her students to drop the expectation that their communications are secure, and then go from there, advising them to do their best to have “face to face communication. It seems ironic to go back to something so old fashioned, but it’s the only way you can insure the security of the communication.” She regrets that the journalism community has not yet become fully aware of the issue. “What I keep finding, anecdotally, is that people who are teaching the reporting courses are not fully aware of the consequences of this.”

Kirtley says the transition that many universities are making to Gmail illustrates the problem: “The fact that so many universities have converted to Gmail programs with little pushback suggests to me that people don’t really grasp the ramifications of this.” When the University of Minnesota’s College of Liberal Arts, of which the journalism school is a part, made the switch to Google, she put a disclaimer at the bottom of her e-mail as her “little way of telling Google” that her messages aren’t intended for the eyes of others. The University of Minnesota’s Law School students have been switched to Google, but so far the faculty, staff and law clinics have been able to hold out, because of the sensitivity of client/attorney communications. The University of Minnesota’s Academic Health Center have also been able to interrupt the transition, since Google has yet to sign a legal agreement to protect patient information. Seife had similar feelings about NYU’s transition to Google, writing that he trusts them “far less than NYU to keep from turning over my communications to a third party without a warrant.”

Geanne Rosenberg, a professor at CUNY’s Baruch College and Graduate School of Journalism, is part of a project with the Carnegie Corporation that’s looking into best practices for educating students and faculty about reducing legal risk, particularly since journalism schools are increasingly filling a role as news providers. She said media law experts and journalism educators met in April at the Poynter Institute, and security issues were discussed, but Rosenberg says they will revisit the topic at the task force’s second meeting this February. As far as the classes she teaches, Rosenberg lectures “in general terms about the fact that all this information could be subject to interception or subpoena risk,” but doesn’t get into the nitty gritty details about specific technological ways to protect from that, though she thinks it’s something “journalism schools should consider ramping up.” Rosenberg is planning an event for this August’s Association for Education in Journalism and Mass Communication (AEJMC) conference in Chicago, and says the topic of teaching cyber-security “is a good one to raise there for an audience of journalism educators.”

Linda Steiner, president of the AEJMC, says that while she’s not aware of any “formal evidence that this is major gap in journalism programs,” if it were to become more apparent, she would take it to the organization to suggest journalism schools start teaching this “in greater detail across the curriculum.”

Adam Penenberg, a journalism professor at NYU, wrote in an e-mailed response that he “doesn’t understand why anyone expects journalism schools to teach comsec. We also don’t teach students how to line up ‘fixers’ in a war-ravaged nation or go undercover with hidden camera. Only a fraction of students will ever need those skills.”

He goes on to write that he “doubts many students would enroll in a class on communication security. I think it is a question better put to news organizations… what is The NY Times, WSJ, Time, Bloomberg, etc. doing on this front? Because they are the ones that assume the risk.”

It’s a question I tried to answer with this piece. The Los Angeles Times declined an interview request, but did say it has “ systems in place to safeguard its journalists’ communications,” but for “obvious reasons, we are not at liberty to disclose detailed information about those protections.”

The New York Times responded similarly, saying that as “a matter of policy we do not discuss these types of security issues publicly,” but the “goal is obviously to have as secure communications as possible between our journalists and their sources and the policy of not discussing details of how we accomplish that is consistent with this goal.”

Soghoian says the piece he wrote for The New York Times was “heavily edited” and that many of his criticisms of the Times were removed. In his op-ed, he’s also critical of The Wall Street Journal’s Safehouse, a WikiLeaks style whistleblower platform set up this past May, which he said had technical flaws and a terms of service that allowed the paper to a reveal a confidential source to law enforcement or a third party. The Electronic Frontier Foundation criticized Safehouse along with Al Jazeera’s Transparency unit, also a leaking platform, for similar problems. (More on whistleblower portals here.) But in an interview, Soghoian praised The Wall Street Journal, saying its operational security is “pretty impressive at this point,” and said that Al Jazeera is “probably the best there is as an organization.” Both organizations would not comment on what types of protections they have in place.

Soghoian says WikiLeaks has been an influencing force. “Every news organization I’ve spoken with that’s dealt with WikiLeaks, as a result of working with them, has learned how to communicate securely, because WikiLeaks will only communicate over secure means,” says Soghoian. When WikiLeaks released the “Spy Files” in December, a cache of documents from the surveillance industry, Soghoian says the news organizations who were in contact with WikiLeaks in the course of reporting on the leak were forced to learn how to use encrypted text messaging because “that’s what WikiLeaks insisted on.”

Awareness is certainly spreading across the journalism community, and one start-up I spoke with is in the process of putting security measures into place before launch. James Heaney, an investigative reporter and a Pulitzer Prize finalist, is building an investigative news site for the Buffalo New York region, called the Investigative Post. After hearing Steve Doig’s Spycraft talk at an Investigative Reporters and Editors conference in June, he asked Doig for advice about what precautions he should take, and plans on having a sit down with a technology expert to figure out how to translate his advice into some concrete action, as he anticipates his reporting to “ruffle some feathers.” “As an investigative reporting site, it’s a priority to safeguard my notes and other sensitive internal documents,” says Heaney. In his days at the The Buffalo News, where he worked for twenty-five years, he had received threats over stories he did, and he’s brought that experience into the planning for this new venture: “I’ve learned to think defensively.”

Alysia Santo is a former assistant editor at CJR.