How journalists can encrypt their email
Journalists, and their sources, have a lot to lose.
Thankfully, there are a host of free, relatively easy-to-use tools at your disposal to help protect your privacy when sending and receiving emails, as well as browsing the Internet and chatting.
“Encryption technology is like putting your message in an envelope before you send it,” said Susan E. McGregor, assistant director of the Tow Center for Digital Journalism at Columbia University, in a phone interview.
One of the benefits of using “crypto,” McGregor said, is the government must notify you if pursuing your communications as a means of having them decrypted.
But because the use of these programs is not yet widespread, email encryption is a “cumbersome” process that requires multiple programs, she said.
Still, McGregor added, “there are so many people out there who really want to help journalists do this and do this right.”
One of the best resources I found is a tip sheet produced by Mike Tigas, a 2013 Knight-Mozilla OpenNews Fellow at ProPublica, who, like McGregor, presented on the subject at an Online News Association conference.
“Most journalists should at least understand that [encryption] is an option,” Tigas said by phone. “With time and effort, most people can understand it.”
The first question is an easy but important one: Which operating system are you running?
For creating encrypted emails and texts, Tigas recommends GPG4Win for PC and GPG Tools for Macs. And for sending and receiving encrypted email, he recommends email clients Thunderbird and Enigmail (as opposed to sending encrypted communications via Web browser).
PGP, which stands for Pretty Good Privacy, is a popular tool that allows users to both encrypt and decrypt emails. It’s been around for 15 years and “nobody has the impression that its been broken yet,” Tigas said.
Part of the process of using encrypted email is generating a PGP Key, or keypair.
The system can also be used to verify the sender’s identity and ensure that the received message has not been changed, according to several guides.
You will also need to pick a “passphrase,” which is really just an industry term for a long, tough-to-break password, according to a white paper written by Micah Lee for the Freedom of the Press Foundation.
Once set up, users must make their public key, well, public -- by publishing it on a website or to a “keyserver,” which Lee says “is basically an email directory that shows if there are GPG keys available for a given email address” -- before they can be contacted through the system by other crypto communicators.
Their other key, the secret key, is required for actually decrypting the message sent to you.
Many journalists -- including Glenn Greenwald, who understands the importance of crypto perhaps more than anyone else -- link to their PGP Key (or include their shorter PGP fingerprint) in their bios on Twitter, in addition to more conventional contact information like an email address or phone number. I spoke with a few of them.
Matt Sledge, a reporter for The Huffington Post, said he hasn’t used email encryption very often. “But I want potential sources to have the option,” he wrote in an email.
Prashant Rao, Baghdad bureau chief for Agence France-Presse, echoed this sentiment. “If it encourages one person to get in touch with me who wouldn't have otherwise, then it's worth it,” he wrote, adding that he will “need regular practice and integration to really be comfortable” with crypto communication technologies.
Brian Fung, a technology reporter for The Washington Post, said he is rarely contacted using his PGP key but occasionally partakes in encrypted chats. “It’s pretty easy to do, and handy to turn on and off whenever you need it,” he wrote.
McGregor says installing and familiarizing yourself with encrypted communications “is not something you can do in 20 minutes,” and should not be done while in a last-minute story crunch.
Email encryption technology should become easier to use in the future, both Tigas and McGregor say, once it becomes more mainstream and gets more designer attention and resources.
In addition to encrypting your email, many web security experts recommend using Tor to browse anonymously, encrypting your hard drive and setting up a Virtual Private Network to help protect your identity. McGregor recommends some options for doing so.
While these tools can up your privacy game, nothing is foolproof, especially when your communications are pursued by the government.
In September, ProPublica ran an in-depth story -- based on documents released by Edward Snowden -- about long-standing government efforts to systematically weaken and break encryption technologies.
But to quote a presentation given by The Wall Street Journal’s Jennifer Valentino-DeVries, “For most reporters, the big issues with surveillance are not the NSA but leak investigations, subpoenas, accidental disclosure, and [the] chilling effects on sources.”