CybersecurityJournalists’ computer security tools lacking in a post-Snowden world

Published 24 July 2015

Edward Snowden’s leak of classified documents to journalists around the world about massive government surveillance programs and threats to personal privacy ultimately resulted in a Pulitzer Prize for public service. Though Snowden had no intention of hiding his identity, the disclosures also raised new questions about how effectively news organizations can protect anonymous sources and sensitive information in an era of constant data collection and tracking. Researchers found a number of security weaknesses in journalists’ and news organizations’ technological tools and ad-hoc workarounds.

Edward Snowden’s leak of classified documents to journalists around the world about massive government surveillance programs and threats to personal privacy ultimately resulted in a Pulitzer Prize for public service.

Though Snowden had no intention of hiding his identity, the disclosures also raised new questions about how effectively news organizations can protect anonymous sources and sensitive information in an era of constant data collection and tracking.

UW reports that a new study by University of Washington and Columbia University researchers, which will be presented next month at the 24th USENIX Security Symposium, probed the computer security habits of fifteen journalists across two continents and found a number of security weaknesses in their technological tools and ad-hoc workarounds.

Those included computer security tools that go unused because they introduce roadblocks to information gathering, inadequate solutions for basic tasks like transcribing interviews and failing to consider potential risks from cloud computing and other common practices.

“The way people try to bridge gaps can introduce security issues,” said UW senior author Franziska Roesner, an assistant professor of computer science and engineering who focuses on computer security and privacy.

“If you use your iPhone to translate speech to text, for example, it sends that information to Apple. So if you record a sensitive conversation, you have to trust that Apple isn’t colluding with an adversary or that Apple’s security is good enough that your information is never going to be compromised.”

News organizations’ abilities to build trust with sources and gather sensitive information have been called into question by recent disclosures about surveillance: the U.S. Department of Justice’s admission that it secretly obtained phone records from the Associated Press, Microsoft’s admission that it read a blogger’s personal Hotmail account to find a source of an internal leak and criminal investigations that have used email traces to identify and prosecute anonymous sources.

“Addressing many of the security issues journalists face will require new technical solutions, while many existing secure tools are incompatible with the journalistic process in one way or another,” said lead author Susan McGregor, assistant professor at Columbia Journalism School and assistant director of the Tow Center for Digital Journalism.

“At the same time, there are clearly opportunities to build tools that really support journalists’ workflow and build them in a secure way.”