A nagging contradiction of the news industry’s long struggle with digital adaptation is that journalists cover the tech industry’s biggest moves for their audiences every day — yet their employers continually fail to grasp the implications of tech stories for their own organizations.
Apple’s ongoing fight with the FBI over privacy is a story worth considering through that frame. This case isn’t just fodder for pageviews or ratings. It highlights problems in the news industry that demand a reckoning.
Now. Before our own full-blown crisis erupts.
Unlike Apple, media companies don’t make password-protected gadgets with localized encryption. But they do have a related technical problem in that most of them haven’t done enough to encrypt the networked flow of information in and out of the newsroom. This leaves sources and users vulnerable.
(At this point, a few disclosures are in order: I co-founded and write open-source encryption software for a for-profit company, Roscoe Labs. I’m also a former reporter for The Wall Street Journal and Washington Post).
To find a good organizational encryption plan, a useful starting point is the seven-point list of recommendations from Encrypt All the Things, an initiative of the digital-rights organization Access Now. Their goal, obviously, is to encrypt as much of the Internet as possible, from personal websites to organizations the world over.
Newsrooms, of course, have particular needs that deserve separate attention. Perhaps their most industry-specific challenge is protecting whistleblowers and other vulnerable sources who need anonymity as they communicate with journalists.
This topic has recently been the focus of two studies that are each very much worth a read. One was presented at the Usenix Association’s symposium in August, authored by a team of professors from Columbia Journalism School and STEM faculty from the University of Washington. The other, released last week, is by Javier Garza Ramos of the National Endowment for Democracy’s Center for International Media Assistance.
The upshot of both pieces is that there are glaring holes in the processes journalists around the world use to protect communication with their sources. At the same time, the threats are increasing everyday from from governments, criminals and other bad actors.
Ramos surveyed 154 journalists from North America, Latin America, Europe, the Middle East, Asia and Africa. He began with a simple question: Do you regularly use digital tools for general security?
Sixty percent said no. And even among the “yes” respondents, the picture may be bleaker than it appears at first glance, once we factor in the follow-up questions Ramos asked about specific security tools and practices.
The survey also reveals that in some cases, journalists think they are using security tools that are not really secure. Asked about tools they use for safely conducting certain activities (communications, sharing documents, etc.) some respondents mentioned tools that are not designed for secure purposes or that have vulnerabilities. In other words, the tools they think that are secure, are actually not. This suggests that while there is an awareness of the need for security, there is little education about what is safe to use.
As someone who’s been both a reporter and developer, I think would be ideal to encrypt every piece of communication that comes in and out of a newsroom — every voice call, every email et cetera. Reporters should also be trained in the use of encryption technology to protect sources so they don’t inadvertently compromise someone by using the wrong tools, whether they’re personal or employer-provided.
Encrypted tiplines of the sort that developer Aaron Swartz was working on at the time of his tragic death are also a great idea. But these tiplines are not a cure-all because they ultimately rely on the user to make a technically astute decision in choosing the right way to contact the news organization.
A less technically savvy tipster — say, a local government clerk or a mid-level bank executive — might not make the right call in that regard. That person might just ring up a reporter he or she knows the old-fashioned way, or send an email to an address that’s linked on the news organization’s website, overlooking the encrypted tipline.
Better, then, to implement what engineers call redundancy. Create secure tiplines, yes, but also encrypt all the newsroom’s other communication by default, or at least as much of it as possible.
News organizations also need to focus their attention on protecting users as they consume and interact with news. Potential third-party surveillance of this activity, which offers strong signals about a reader’s identity and interests, opens up truly Orwellian possibilities that simply weren’t foreseen in the heyday of old-fashioned press runs loaded onto delivery trucks.
This is why, over the last year or so, a growing chorus of advocates has been urging news organizations to adopt the encrypted HTTPS protocol for Web publishing. Unfortunately, few have heeded the call so far, with admirable exceptions including The Washington Post and several digital-native publishers. Almost everyone else — including Poynter.org — has kept their site unencrypted for the time being.
Again, this unwisely ignores the direction where the Web is inevitably going anyway, pushed largely by players outside the media industry. The Mozilla Foundation, maker of the Firefox Web browser, announced in April 2015 it intends to phase out support of unencrypted HTTP. Even more important, Google has advocated that all sites switch to HTTPS, to the point that it’s already begun to favor HTTPS sites in search results, and it has plans to begin warning users in its Chrome browser about non-HTTPS sites at some point.
Translation: If you don’t switch to HTTPS soon, you’re setting yourself up for yet another hit to your site traffic, either because it won’t rank highly in search or because users will be scared off.
In the face of this scenario, one of the big supposed knocks on HTTPS utterly crumbles away. I refer here to the fact that HTTPS is incompatible with certain third-party ad networks that by design insert themselves between publisher and reader.
I ask, what good is preserving compatibility with such third-party software if it’s going to cost you the very eyeballs that make the ads valuable in the first place?
The better solution, I believe, is to go HTTPS and self-host ad serving and analytics. With open-source tools like the analytics platform Piwik and the new certificate authority LetsEncrypt, this isn’t as prohibitive as it once might have seemed.
Yes, a transition to self-hosting ad functionality would entail some labor and associated costs. But it would protect users better and have the added strategic benefit of giving organizations tighter control over their bread-and-butter revenue stream.
Finally, I’d like to make explicit a premise that runs through all the recommendations I’ve made above. I know people might quibble with some of the specific steps I mentioned, but I hope we can agree on this, if nothing else:
Encryption is ultimately a matter of not just the Fourth Amendment, as it’s often couched in news stories, but also the First Amendment. People cannot speak with true freedom if they don’t know who’s in the room, real or figurative. That goes for the average Joe in his day-to-day life, and it goes for the one profession specifically named in the First Amendment: the press.