Journalists’ computer security tools lacking in a post-Snowden world
The researchers interviewed fifteen working journalists from the U.S. and France about how they communicate with sources, what strategies they use to organize notes and protect sensitive information, and their use of existing information security tools. They found some reporters took steps to lessen certain types of security risks, but not others.
One journalist who went to great pains to protect the identity of sources by only meeting in person, for instance, used an iPad to photograph sensitive documents. Although roughly one-third of the reporters used encryption services to communicate with sources or protect their notes, a majority also used popular cloud services like Google Drive or Dropbox to store and share information.
That may be fine for the average user — or even most journalists — but anyone working with sensitive material ought to consider how much they trust that those servers will never be hacked, Roesner said.
“The flip side is that it’s not just a matter of giving journalists information about the right tools to use — it’s that the tools are often not usable,” Roesner said. “They often fail because they’re not designed for journalists.”
For instance, the team found that reporters’ number one goal — obtaining information — was often impeded by existing security tools that introduce roadblocks to communication. The communication methods that reporters used were driven by the preferences of sources, who have widely different experiences with and access to technology.
One open-source product that sought to let whistleblowers securely send documents to journalists was rarely used because it lacked the common mechanisms by which news organizations tend to authenticate a source’s identity. Encryption tools that garble the content of an email or message unless someone knows the secure key can still leave behind traces of “metadata,” which leak investigations or criminal prosecutions can use to prove a relationship between a reporter and a source existed.
One of the study’s goals was to identify opportunities for the computer security community to better serve journalists, Roesner said. That might include building security applications into a wider content management tool that accomplishes other tasks that reporters would find helpful, such as transcribing interviews and tagging or organizing notes.
“Tools fail when the technical community has built the wrong thing,” said Roesner. “We’ve been missing a deeper understanding of how journalists work and what kinds of security tools will and won’t work for them.”
UW notes that the research was partially funded by the National Science Foundation’s Division of Computer and Network Systems.
— Read more in Susan E. McGregor et al, “Investigating the Computer Security Practices and Needs of Journalists” (a paper to be presented at the 24th USENIX Security Symposium, Washington, D.C., 12-14 August 2015)
