Security for journalists: How to keep your sources and your information safe

When you write to your colleagues, text your friends or speak to your sources, it may seem like the only people with access to the conversation are you and the other person. For most people, that couldn’t be further from the truth.

Independent journalist Quinn Norton, Andy Boyle of NBC News and Jeff Larson of ProPublica came together at the CAR Conference to discuss the biggest security problems facing journalists today, and how they can protect themselves, their organizations and their sources from antagonistic outside forces.

Norton and Larson began by explaining how basic cell phone and online technologies automatically gather data about us and our communication practices.

“Many of the technologies we have in some ways paint portraits of us,” Norton said. “And that’s a neutral process — that’s how radiofrequency physics works.”

Under the Foreign Intelligence Surveillance Act, the federal government is allowed to gather individual billing records and call logs from telecommunication companies. Norton said that technology corporations also have a large amount of information on their users, and it can be more dangerous than government surveillance because it “runs a lot deeper, it looks into who we are.”

These large private data collections are often vulnerable, too. Larson noted that one of the largest data breaches in history happened to the NSA. Information stored in workplace chat software like Slack, Campfire and Google Hangouts can be subpoenaed (and become public record) through libel cases and other legal entanglements.

So, what can journalists do to protect their sources and themselves from unwanted surveillance or exposure? The panelists suggested:

• Educate your sources about security risks. Most sources don’t know how leaking information can impact their lives. Protect them by securing that information.
• Beware email attachments and USB drives; malware is easily transferred through these channels. Norton suggested keeping an air-gapped computer in the newsroom to test suspicious links and drives for malware.
• Don’t use Slack for information you want to keep secret. It’s far too easy to access.
• Use end-to-end encryption. Signal is a good option for communicating with sources that aren’t very tech savvy. For Android users, SMSSecure is another good option.
• Make sure your website uses an HTTPS connection.
• Try a submission system like SecureDrop, which allows media organizations to securely accept and verify documents from anonymous sources.

While security risks are a real challenge for journalists, Norton, Boyle and Larson said that journalists can temper their fears by paying attention to tools they can use to protect themselves. They also said not to be too paranoid, and not to take things personally: Bulk data collection creates its own problems for the organizations gathering it.

“Having all of the information is in many ways identical to having none of the information,” Norton said. “They can’t always turn it into actionable knowledge.”

Riley Beggin is a journalism graduate student at the University of Missouri and a volunteer at IRE. You can find her on Twitter @rbeggin or email her at rileybeggin@gmail.com.