Time for journalists to encrypt everything
President Donald Trump has publicly called for a Justice Department investigation into leaks to the media, warning, “We’re gonna find the leakers. They are going to pay a big price.” There are ominous signs that the President is following up on his threat, including Sean Spicer’s surprise search of White House staffers’ devices, looking for apps that people could use to secretly reach reporters or social media. Naturally, news of the search was immediately leaked to reporters.
Leaks to the media have already forced the resignation of national security advisor Michael Flynn and led to a flood of articles about the Trump administration’s dealings with the Russian government. Information from unnamed sources at the Justice Department (okay, more leaks) also led attorney general Jeff Sessions to remove himself from federal investigations into those dealings.
Yet most journalists still don’t encrypt their email or phone calls. It’s true that the tools can be hard to use, but even tech-phobic reporters have a responsibility to protect their sources.
This week’s publication of the Vault 7 files from WikiLeakswhich reminded everyone that if the CIA owns your whole device, it can even read your Signal textswill likely cause privacy advocates to recalibrate what reporters (and everyone else) can consider safe enough to use. Is it the Torbased operating system Tails? A retooled iPhone? Advocates, including Edward Snowden, are still sorting out the meaning of the files released this week. Notably, Snowden tweeted in response to the news: “It may not feel like it, but computer security is getting better.” Notably, end-to-end encryption appears to remain intact.
In the meantime, the need for better security doesn’t just apply to investigative journalists. Think about it: In recent weeks, we’ve seen front-page controversies about national parks, FISA warrants, education, healthcare, oil pipelines, fashion, hotels, and movie stars. Teen Vogue is covering wiretapping; Vanity Fair is reporting on the travel ban. Editorial boards, such as the one at The Philadelphia Inquirer that recently compared Donald Trump to a dictator, should probably also batten down the hatches.
Journalists who do use encrypted privacy tools often face an uphill battle from editors and publishers who need convincing that online security is essential. Some seem to view electronic surveillance as a nerdy distraction. Yet the surveillance of journalists has profound implications for democratic institutions, including freedom of the press. An independent press corps cannot stay independent for long if reporters can’t investigate, communicate with sources, and write without worrying that someone is looking over their shoulder. Even the fear of surveillance triggers self censorship and influences writers’ thinking, research, and writing, according to a 2013 PEN study.
Google recently warned individual reporters at CNN, The New York Times, and The Atlantic, including some who cover the President, that a state actor is attempting to hack their email.
That’s scary: Hacked email can uncover private information about a person’s employer, their girlfriend, their finances, or their drinking problem. (It even revealed John Podesta’s favorite risotto recipe.) The information gleaned in hacked email could be used by an intelligence agency to quietly convince a reporter to change a story. It could be used to coerce a politician into changing their vote, or not to run for office at all.
Whistleblower Jeffrey Sterling, a source for New York Times reporter James Risen, is currently serving a three-year jail sentence for espionage. Emails and phone records between the two were used to build the case against Sterling. Those records might not have even existed if Risen had had access to a modern privacy tool like Signal (the software was developed years after the main events in the case.)
This is where managing editors, publishers, and CEOs must step in. They have an obligation to learn about online privacy and to mandate responsible security practices from the newsroom to the boardroom. While it may be tempting to delegate this problem to the IT department or leave individual reporters to fend for themselves, it’s the responsibility of company leaders, namely, the CEO, to make sure that the company is protecting reporters and their sources with the information and training they need and deserve. Newsroom security is not a project that can be accomplished piecemeal, and it takes more than a handful of tech-savvy reporters to change the practices of a whole company.
CEOs should appoint a newsroom privacy expert to keep abreast of the quickly changing landscape for online privacylike this week’s revelations from WikiLeaks. News companies should support efforts to stay ahead of the spies: At the Freedom of the Press Foundation, Edward Snowden and others are developing new privacy software and even a modified iPhone for journalists.
Privacy training should be required for new employees, with frequent updates for everyone. News outlets should also publish clear, easy-to-find information to help their sources share information safely. First contacts can be the most dangerous: People may reach out to journalists via unencrypted email or phone calls that are easily traced.
Some outlets already take security very seriously. The Intercept maintains rigorous standards for online privacy and has famously protected sources like Snowden. It often publishes rigorously researched, wellwritten articles on online safety for journalists.
The New York Times set an important precedent last year by hiring a director of information security for its newsroom. The Times recently reported it received useful information within 24 hours of publicizing safer ways to share news tips, and it now receives 50 to 100 of them a day.
The safest online privacy tools for phone calls, texts, and email must become newsroom standards. Without them, news reporting risks hurting the journalist, the source, and the news company.
This includes the company’s CEO. Executives won’t enjoy reading a 7 am text message over their morning orange juice that Russian hackers have their texts and their email-along with the email of the lawyer who is texting them. But that day will come if news leaders don’t protect themselves.
People are taking enormous risks right now to speak to reporters so that crucial information can reach the public. Media companies must match this commitment by doing everything they can to keep these sources, and their own journalists, safe.