Why journalists and whistleblowers need to understand infosecurity

An online training initiative promises to make information security accessible and understandable to journalists, confidential sources and whistleblowers.

Snowden’s revelations of the extent of UK and US state surveillance were a wake-up call to journalists, sources and whistleblowers to take information security more seriously.

Across the world, governments are taking an increasingly hostile approach to journalists and the brave individuals who feed them information to expose wrong doing, hypocrisy and unethical behaviour by those in power.

In the UK, since the passing of the Investigatory Powers Bill last year, a wide range of government bodies beyond the police and the security services have been given legal powers to access journalists’ phone, email and internet browsing records.

They include the NHS, the Department of Work and Pensions, and the Food Standards Agency, among many others.

As a result, journalists, whisteblowers and sources need to become more sophisticated in the way they use electronic devices to communicate if they are to guarantee confidentiality to their informants.

Dangers of phoning or emailing sources

Protecting the identities of individuals who are brave enough pass on information in the public interest has always been a fundamental principle of journalism.

Nicky Hager, an investigative journalist in New Zealand, who faced jail after exposing corruption in New Zealand’s National Party government, following a clearly politically motivated police raid, summed it up beautifully in an interview last year.

“If you’re meeting a source, you don’t ring them, you don’t email them and you don’t take your phone. That is pretty simple,” he said. “If you contact the source by phone you are a bloody idiot these days.”

Journalists need infosec training

Information security should feature in every journalism training course. The problem is, the technology can be difficult to use and understand, both for journalists and especially for their contacts.

Organisations like the human rights group Liberty, and the Centre for Investigative Journalism (CIJ) have been offering great classroom courses in information security, which explain how to minimise the risks of exposing confidential sources and journalistic material to prying authorities.

Infosec Bytes

But an initiative launched today, Infosec Bytes, promises to make this training more widely accessible to journalists and would-be sources.

It features a series of highly accessible, jargon-free training videos, funded by the Logan Foundation, and created by security specialists at the Centre for Investigative Journalism.

They explain, in non-technical language how to use security tools to protect journalistic work, and offer a screen-by-screen guide on how to install and use security software.

The first in the series explain how to use and install Tor browser  – to carry out research on the internet anonymously – in a way that is highly accessible to anyone, whether or not they have a technical background.

Others are on their way that will explain end-to-end encryption, the use of secure operating systems, and how to encrypt computer files.

The videos, which will also be useful for lawyers, campaigners and whistleblowers are a great starting point for understanding and using information security.

Journalists dealing with the secret state, or stories that may have life and death consequences, as the CIJ acknowledges, will probably need to seek additional advice from information security professionals.

Abuse of powers

There are safeguards in the Investigatory Powers Bill that require state agencies to seek a warrant from a judicial commissioner before using surveillance powers to identify journalistic sources.

But history shows that it is tempting for the state to use surveillance under the radar to identify and deter government employees who have the temerity to leak embarrassing material to journalists.

In the UK, Cleveland Police was criticised for using the Regulation of Investigatory Powers Act (RIPA) to unlawfully monitor journalists suspected of receiving embarrassing information about the force from police insiders.

And in Canada, an enquiry is underway into why Quebec’s largest police department accessed journalists phone records in an attempt to identify those responsible for leaking confidential information.

Meanwhile, the US has virtually declared war on leakers. President Obama used the 1917 Espionage Act, introduced to prosecute spies during the First World War, to prosecute more leakers and whistleblowers than all previous administrations combined.

There is no indication that the Trump presidency shows any more sympathy with those who pass on information to journalists.

Risk assessment

But it’s easy to get carried away. As Investigative journalist Duncan Campbell has pointed out, most day-to-day stories will be of no interest to the electronic intelligence gathering agency GCHQ or its US counterpart, the NSA.

“There are a huge number of stories, from tracing contamination in food to medical scams to corruption in business, where there’s not the remotest possibility that the extensive capability of NSA and GCHQ, and those they share with, is not going to be allowed anywhere near those who might seek to interdict the source of this journalism,” he said, quoted in the study “No More Sources ?” by Paul Lashmar.

That is why one of the videos promised by the Info Sec Bytes project will be particularly important – how to model threats and conduct risk assessments –  so that journalists and take precautions that are proportionate to the risks.

Infosec Bytes is an important contribution which will hopefully lead to more journalists understanding and using information security technology appropriately to protect their confidential sources.

Check out the videos here