Skip to content

Encryption: Is it enough, or too much?

Post categories

  1. Newsgathering
James Risen of The New York Times; Julia Angwin of ProPublica; Dana Priest of The Washington Post, and Christopher Soghoian…

James Risen of The New York Times; Julia Angwin of ProPublica; Dana Priest of The Washington Post, and Christopher Soghoian of the ACLU’s Speech, Privacy and Technology Project discuss real-world encryption problems for journalists.

Journalists worldwide are turning to enhanced operational security to safeguard their communications from surveillance. But panelists at the “News Organizations and Digital Security” conference on Nov. 7 emphasized that encryption-based tools, while important, are of limited utility so long as they remain uncommon and difficult to use.

Participants in a panel on “Real-World Encryption Problems” argued that, while securing electronic communications through encryption is important under some circumstances, it is difficult to convince sources to do so. Dana Priest, an investigative reporter at the Washington Post, opened by saying that her sources, many of whom have worked for the government for decades, would feel “very uncomfortable” communicating with her electronically. “I’m a low tech reporter,” Priest said.

James Risen, an investigative journalist at the New York Times, agreed that trying to convince sources to use encrypted communications channels is difficult. Telling a source that he or she should use encryption because the newsgathering process can be dangerous, he said, is “not very good advertising.” Even tech reporter Julia Angwin, of ProPublica, agreed that encryption is difficult for most people to use. “Most of the people I talk to on encrypted channels are cryptographers,” she said.

One reason that sources often choose not to use encrypted communications channels, even when they are aware of the risk of communicating openly, is that encryption itself can be seen as a “red flag” by colleagues or investigators. All the panelists agreed that until encryption is widespread, using PGP or encrypted mobile apps will likely continue to draw unwanted attention to sources simply because they are taking extra precautions to secure their communications.

The conference, which was co-sponsored by the Reporters Committee for Freedom of the Press, the Freedom of the Press Foundation, and the Open Technology Institute at New America Foundation, was designed to bring journalists, technologists, and lawyers together to discuss journalists’ security in an environment of ubiquitous metadata surveillance. Surprisingly, however, panelists at the conference emphasized that in many ways, the strategies and tactics of journalism remain traditional despite new technological threats.

Priest commented that her best practices in handling sources “have probably changed little after the revelations during the last several years.” Priest, like many of the panelists, finds that the easiest way to safeguard sources is to take additional precautions in setting up face-to-face meetings. Priest noted that “instances like the Snowden documents are rare.” And Risen added, “Edward Snowden is not a model for journalism. If it is, we’re going to have a lot of lawyers — and a lot of problems.” The documents are not the only unique aspect of the Snowden revelations. “I’ve never met a source who said, ‘I want to leave the country and live in Moscow because this story is so important to me,'” Angwin said. “In fact, every single one of them wants to still go home and tuck their kids in at night.”

But document-heavy stories like the Snowden revelations, while uncommon, are important —and risky. The problem is that the mere process of setting up clandestine in-person meetings can make sources and journalists vulnerable to surveillance. Under Section 215 of the Patriot Act, the National Security Agency collects vast troves of domestic telephony metadata on U.S. citizens. This metadata includes phone numbers and duration of incoming and outgoing domestic calls, which can reveal a good deal of reporter-source communications. Some opponents of the bulk collection of telephony metadata note that location may be collected as well, although the government has denied that it collects cell site location information pursuant to Section 215. And metadata collected pursuant to Section 215 can be used in investigations of unauthorized leaks, heightening reporters’ and sources’ concerns. The process of safeguarding sources becomes more complex when it is impossible to set up a meeting by phone without the fact of the initial contact being recorded.

Christopher Soghoian, a policy analyst and technologist at the American Civil Liberties Union, noted that many sources who share these concerns come to him and other users of encryption technology precisely because they worry about “conventional” journalists’ exposure to risk. “During your careers, many of you have gotten phone calls out of the blue from interesting people,” Soghoian said to the other panelists. “In 2014, a phone call out of the blue is too dangerous.” The risky environment has resulted in a chill to sources as well as reporters, as explored in a recent report by Human Rights Watch, With Liberty to Monitor All: How Large-Scale US Surveillance is Harming Journalism, Law and American Democracy. Sources are at risk of losing their security clearances, their jobs, and their livelihoods. Against this background, Soghoian emphasized the importance of obscuring the trail of metadata that would otherwise reveal the existence of a reporter-source relationship.

Risen’s own experience aptly illustrates the pitfalls of communicating via telephone, even when the substance of the communications remains secure. In 2008, Risen was subpoenaed to identify his confidential source for a report in his 2006 book State of War: The Secret History of the CIA and the Bush Administration. The report dealt with an alleged covert operation by the CIA to provide Iran with flawed nuclear designs. Risen has been fighting the subpoena for over six years. In 2011, U.S. District Court Judge Leonie Brinkema quashed the subpoena. In that decision, Judge Brinkema noted that even if Risen did not testify, the government could and would rely on a wealth of telephone records of calls between Risen and his alleged source, former CIA agent Jeffrey Sterling. Judge Brinkema’s decision was reversed on appeal, and the Supreme Court declined to step in. Whether prosecutors still intend to subpoena Risen is unclear, but Risen has vowed not to reveal his source.

While the problem of setting up the first contact between reporter and source is difficult to solve, the panelists agreed that the solution is not to push more communications online, even with better technologies to secure those communications. Angwin noted that even if a message is encrypted, the record of the communication having taken place will likely still exist. Rather, panelists noted that classic journalistic methods remain vital to reporters, even those with access to the best and most usable technologies. Priest remembered that when she was attempting to set up secret meetings with sources, she would often make phone calls from other locations than her office, including law firms or universities that she happened to be visiting, in order to obscure her contacts. And face-to-face meetings remain the safest way to communicate with sources. “The cloak-and-dagger meeting in the garage is the ultimate goal. That’s why we got into journalism,” Angwin said.

Although many agree that the current administration is among the most hostile to the press in American history, Priest noted, “Every government tries to control information.” But the atmosphere of ubiquitous surveillance is, perhaps, unique. Speaking about Watergate, Angwin said, “The fact that that secret was kept for 30 years is unimaginable in today’s world. If a determined prosecutor wanted to know who Deep Throat was today, he would find him.” Ironically, high-tech surveillance has shown journalists that even the most carefully encrypted communications are vulnerable to interception. Panelists agreed that the safest way to meet a source is to have an offline, coded signal: to be holding a Rubik’s cube in a hotel lobby (like Snowden), or to place a flowerpot on a balcony (like Bob Woodward). Encryption helps journalists and sources maintain their relationships, but it is not a panacea; it’s just one tool in the modern journalist’s toolbox.