News organizations and journalists aren’t doing enough to secure data and communications—and it could put whistleblowers and other sources at risk.
By Dave Seglins
Forgive me for sounding a little paranoid, but I’ve had the rainbows ripped from my eyes. Last fall, I signed up to work on a CBC investigation into Canada’s electronic spying programs, relying on the CBC’s exclusive access to the Edward Snowden/NSA leaks. It has been shocking to learn the capabilities of our intelligence agencies. But it has also been a surprising crash course in new technology, privacy and vital questions facing the future of journalism. The world’s intelligence agencies are monitoring almost everything we do when we’re on our computers or when we pick up those handy GPS-tracking transmitters we carry around in our pockets—our mobile phones. Modern surveillance has profound implications for everyone, but especially for news organizations and anyone who reports sensitive stories or needs to protect sources. It’s a brave new world, and traditional media are struggling to come to grips with it.
Lessons in Encryption
Dealing with top-secret materials obtained by Snowden has meant a huge technological shift. I’d never heard of PGP encryption before last fall. I always assumed the CBC had ensured our emails were safe. Guess again. Everything sent out across the World Wide Web is fair game (or perhaps more accurately unfair game) to all manner of intelligence agencies, criminal organizations and hostile nations with the wherewithal to access it. Before I could even have an email conversation with sources about the Snowden leaks, I had to install software and learn how to use encryption. It was extremely daunting at first. No one within the CBC had a clue when it came to learning about PGP encryption, let alone integrating it into the company’s email system. The good news is that it’s not hard to learn with help from an online video Snowden crafted to help journalists. I’ve since adopted encryption for email and chat, hard drives, document sharing and sensitive cellphone conversations. This lesson in encryption has forced me to reconsider everything I assumed about my privacy and my digital footprint as a journalist, and as an average citizen.
Cellphones, email, even encryption vulnerable
In the last two years, we’ve learned the spy agencies of Canada, the U.S., the U.K., Australia and New Zealand (the "Five Eyes") have been engaged in worldwide collection of metadata and email traffic. They are monitoring social media and file-sharing sites, and vacuuming up vast volumes of traffic sent through undersea Internet cables, not to mention tracking, cracking and invading mobile devices. "Even if the content of our calls and messages is not being stored, the metadata showing who we contacted and when can be enough to identify sources," warns Ryan Gallagher of The Intercept, one of the CBC’s partners in examining the Snowden leaks. "It makes it easy for the government to track down whistleblowers and leakers who are reaching out to reporters," Gallagher says. He also worries the surveillance could discourage journalists themselves from pursuing sensitive, important stories. "The more I learned about what the government was capable of doing, the more I became alarmed," he says. "I realized I had to take serious steps to shield my communications from snooping if I wanted to protect my sources." Beyond Canada’s and our allies’ spy agencies, those of Russia, China and North Korea, as well as ISIS, criminal organizations and terror groups, are also lurking out there. The Globe and Mail national security reporter Colin Freeze, who calls his own journey toward greater online security "a work in progress," explains the risks:
"The most obvious and clear threat is the foreign journalist in a repressive country or war zone who openly amasses a log of phone and email transactions of, say, dissident sources, and who then hands over an unencrypted smartphone for inspection to the repressive state’s border crossing. Or maybe that data could be gathered automatically without a physical hand-off. It’s a real risk."
But surveillance risks go beyond reporters covering foreign conflicts, terrorism or spies, notes Christopher Parsons of the Citizen Lab at the University of Toronto’s Munk School of Global Affairs, who has helped the CBC dissect the Canadian Snowden documents. "Sports reporters might be less interesting to signals intelligence organizations but might still be very interesting to other sporting organizations, criminal betting organizations and so forth."
Newsrooms and journalism schools lag behind
Freeze has some advice for journalists thinking about upping their cyber-security game: "Educate yourself. Initiate conversations with people inside or outside your organizations who understand this stuff. Don’t wait for institutional solutions. And this is the hardest thing—carve out time to learn." Kevin Donovan, an investigative reporter and editor at the Toronto Star, is no stranger to tiptoeing through sensitive stories involving police investigations and wiretaps—be it the Rob Ford crack scandal or corruption within Ontario government agencies. "More and more, people I interview are worried that their communication with me will be intercepted, either by our government or sometimes even by businesses or their institution," says Donovan. "It makes sources more nervous about speaking out." But Donovan isn’t as worried as his sources, and he doesn’t use encryption regularly. "I focus a lot on talking to people directly," he explains. "I don’t write their names in my books, for example. I may be an idiot, but I don’t think the government is surveilling me or the people I am interviewing." A number of news organizations are protecting sources with SecureDrop, an open-source system for whistleblowers and others to deliver information anonymously. Managed by the Freedom of the Press Foundation, the system takes resources and know-how to set up but is now used by The Intercept, The Guardian, the Washington Post and The New Yorker, among others. The Globe and Mail announced in March 2015 that it has adopted the system, becoming the first newsroom in Canada to use SecureDrop. Its initiative is forcing other major news outlets (the CBC included) to sit up and take note. But it has been a long slog even for the Globe. "Security is seen as a luxury, and there aren’t a lot of luxuries in newsrooms these days," says Freeze. "The baby boomers who controlled news environments, or did until recently, learned their [operations security] from the Deep Throat era. And for most news agencies, it has been enough of an institutional challenge over the past 10 years just to keep up with how the Internet is changing advertising, marketing and how readers/viewers consume the news. Given all that, security is an afterthought."
Responsibility to sources
"Malware and spyware infect computers across Canada on a regular basis; what do you do when your work computer, holding audio or text files pursuant to a sensitive story, has been compromised?" asks Parsons. "Do you want to notify sources? Do you want to have an ‘air gapped’ computer, which is disconnected from the Internet, where you store source materials, and another computer or device for writing your stories?" These are awkward questions. No news organization wants to publicly admit its electronic communications are vulnerable. Frankly, I’ve never had a single conversation with the CBC’s IT people about whether we’ve been hacked or compromised, let alone been told what we do specifically to protect sensitive information. And it’s vital, because so much of our email and work these days lives in the cloud. In recent weeks, I’ve begun to ask questions within the CBC about what we might do to improve our cyber-security. I believe we could install better systems—and then tell the public that we have surveillance-safe ways for people to bring sensitive information to us. But the conversation has quickly stalled in the face of other priorities. My advice: don’t wait. We, as citizens and journalists, need to take steps to reinforce our own privacy—to protect our personal lives, our conversations and the sources and other people on whom we rely for reporting.
PROTECTING YOUR DATA
Learn about encrypting your data on the following websites:
- • Browse the Internet securely with TOR
- • Encrypt email with PGP or Virtru
- • Encrypt phone chats with Signal, TextSecure or RedPhone
- • Protect sources and whistleblowers with SecureDrop
- • Resources from the Freedom of the Press Foundation to protect your communications
Dave Seglins (@cbcdaveseglins) is an investigative reporter and a host with CBC News. His public PGP encryption key can be found at ow.ly/FrZeR . This piece was originally published in CJFE’s 2014-15 Review of Free Expression in Canada.