It’s no accident that some of the most significant progress in newsroom information security over the past decade has been in smaller, more recently-formed digital startups.
While the journalistic community has historically demonstrated a poor understanding and appreciation of the importance of strong information security skills and techniques, smaller outlets are proving they can effectively incorporate strong infosec strategies into their highly adaptive and responsive workflows.
Part of their strength lies in understanding how to cultivate an effective security mindset for the journalists in their organization from the outset. “We throw them in the deep end; we say you’re going to use Signal, you’re going to use Thunderbird, this is how you do encrypted storage, we’re going to set up two-factor authentication (2FA) on your work email and your personal email,” said Emma Prest, chief information at the Organized Crime and Corruption Reporting Project (OCCRP).
She was among several newsroom leaders, security experts, and journalists – from Italy, Norway, the Czech Republic, UK, Botswana, the Philippines, the United States, France, India, Greece, and the Netherlands – that I interviewed about what’s working, what isn’t, and what we need to do to move the industry forward.
The need for strong information security in newsrooms is real. And it isn’t just for national security reporters anymore. Reporters who write about culture and lifestyle issues are doxxed on a daily basis. Television hosts are threatened and pursued by malicious trolls. Court reporters are hounded.
And yet, almost a decade since the revelations about global surveillance revealed by Edward Snowden, many newsrooms still haven’t figured out how to build effective strategies to combat these risks into their newsrooms. Mistakes are made. Journalists feel left in the dark, and frustrated at the lack of change.
Small teams can adapt to these threats with more agility: their experiences are useful in providing some strategies and instructive guidance to larger, older newsrooms that are still coming to grips with how to embed a strong infosec culture.
While they work in vastly different environments, some common themes and strategies emerge from them.
1. Show, Don’t Tell
The first is having strong leadership that instills infosec culture from the outset. Each of the organizations has senior editorial leaders that recognize the importance of information security risks and take steps to establish protocols to manage them in their editorial workflows.
At Serbia’s KRIK, managing editor Bojana Jovanovic said the most important part of the process is to communicate clearly with their journalists on how to mitigate risks at the very start of the story process.“We need to explain why it is sensitive, how to act, how to communicate. It’s really important to give a headstart to all journalists so they know how to process and how to work on the story.”
2. Early Action
The second is ensuring that information security risks are factored into the editorial process as the story develops. This is consistent with Columbia University researcher Susan McGregor’s view that these risks need to be front-of-mind for all journalists and editors, in much the same way as they know when a story needs to be checked by the legal team. Many of these organizations also point to the fear of reputational damage they may suffer if they don’t act appropriately from the early stages of a story. In McGregor’s words: “Every reporter, editor, and newsroom leader needs to understand the foundations of information security if they hope to avoid the industry’s cardinal sins: outing a source and becoming the story.”
3. Easy and Effortless
The third is developing workflows that are easy for journalists to manage, and avoiding unnecessarily complex tools. All advocated the use of Signal for internal communications. Each organization also offered a range of encrypted tools for first contact, including Signal, Securedrop and, in some circumstances, a Protonmail email address. The more complex the tools, the less likely journalists – as well as sources – are to use them, and the more likely risks will be taken.
For Alvin Ntibinyane, founder of the INK Centre for Investigative Journalism in Botswana, making tools and processes simple is a priority that extends to considering sources, too: “When we did one story in 2017 we had one guy trying to use Signal. He had a smartphone but struggled with it. We had to spend hours with him,” he said.
In the words of Mark Schoofs, former editor of BuzzFeed News: “Infosec is a two-way street. You and your organization can be great about it, but you’re only one half of the equation.”
4. Risk Assessment
The fourth is considering the potential interplay between information security and physical security. Harm minimization strategies – like those deployed by BuzzFeed to harden social media presences – are a valuable tool in diminishing the impact of online attacks, and decreasing the risk of a physical attack. Mapping out key and emerging risks for staff and how they could lead to physical attacks is a crucial part of any assessment of information security risks.
Investigace.cz founder Pavla Holcová said: “What I’ve learnt is that if you are dealing with sensitive information, you tend to underestimate or overestimate the risk. You need that person to talk to. You really need to take a step back and look at a sensitive project,” she said.
Daniel Howden, managing director of Lighthouse Reports in the Netherlands told me: “We calculate our risk profile or threat profile. Once it reaches the stage where you assume you could get targeted, protocols become hugely more complicated.”
5. Security Mindset
Finally, each of these organizations demonstrated a strong security mindset. Senior leaders had a clear understanding of risks, and these were communicated across the editorial workflow, and among all staff members. This mindset informed their approach to executing complex journalistic activities in a way that minimized potential harm for them and their sources.
What Tools Should Journalists be Using?
Everyone I interviewed said it was impossible to be too prescriptive in explaining exactly what tools journalists need. The risks and threats for different journalists operating in different environments will shape the responses required. As a result, discussions of information security for journalists tend towards abstractions that are of little use to practitioners.
For this reason, I will set out a brief snapshot of some common tools referenced by interview subjects that are broadly in use. Before considering their use, consult more definitive resources that are regularly updated to ensure that no vulnerabilities have emerged.
- Signal, mentioned extensively above, is by far the most ubiquitous tool referenced by interview subjects. It is regularly used as a first contact tool, and the widespread take-up of the app and ease of use has made it a strong first choice for many journalists. It is also used frequently for communication within newsrooms.
- Some participants explained that due to the rise in the use of Signal, the use of PGP email encryption as a first contact tool and for internal communication had diminished. But others also said there was a renewed use and interest in PGP due to an increase in concerns over mobile phone spyware. Others still reported that PGP was used for other purposes such as file encryption.
- Similarly, while tools like Off the Record (OTR) messaging were previously common five to 10 years ago, they appear to be in less frequent use due to the ubiquity of Signal.
- Some interviewees did use tools like Onionshare for receiving files anonymously from sources, but this use had also been diminished by the now broad take-up of Securedrop in many newsrooms or file transfers via Signal.
- The Tails operating system, which has been in use for a long time and is endorsed by many security practitioners, has gained increasing prominence and use. Some interview practitioners believed that the operating system has vastly improved in its day-to-day usefulness to a decade earlier.
- Two noteworthy new tools are worth pointing to; the first is the Qubes operating system. The technical threshold is likely to be a challenge. Few interview subjects were aware of current practitioners that were using Qubes in their daily workflow, or even for more sensitive one-off projects.
- A further tool of note is DangerZone, developed by Micah Lee. It allows users to convert potentially malicious files that may have malware into safe files. Given that many attacks on journalists are through malicious email or other types of files, this tool may prove useful for journalists seeking a quick sandbox solution that doesn’t not involve using a separate device.
Every day, all over the world, people reach out to journalists asking them for help. Some of those people are taking a chance when they do this: risking their lives, their jobs, and their security to communicate something they believe the public needs to know about.
In doing so, they put their trust in us – collectively – to do all we can to protect them. Having a strong culture of information security helps ensure their trust is not misplaced.
As the range of threats grows in intensity and endangers journalists themselves, having that strong culture will not only help sources, but journalists, too.
Paul Farrell is an investigative reporter at the Australian Broadcasting Corporation’s flagship current affairs program 7.30. He previously worked at the Guardian and BuzzFeed News, leading the Guardian’s Nauru files reporting team, which examined Australia’s offshore detention regime. He also worked on the Panama Papers and the HSBC tax files with the ICIJ.