April 3, 2014, Berlin

Digital Protection of Sources: “I bring my own hardware into the newsroom”

Participants of the event at the Münzsalon in Berlin on 11 September discussed the significance of source protection in digital communications and the actions that journalists and newsrooms have to take to guarantee security.



The NSA affair has made it blatantly clear that journalists and media companies have to rethink their communications security concepts and develop new strategies. They – like the population at large – are affected by the widespread monitoring of digital communications and they are also responsible for ensuring that their sources are protected.

The recent revelations about secret service surveillance are paradoxical. Although they demonstrate the vast scale on which the secret services can capture and evaluate digital communications – even in communication channels that were thought to be secure – the fact that we are now aware of it means that journalists can still protect themselves. If Laura Poitras and Glenn Greenwald hadn’t used encryption and other security measures, we probably wouldn’t know anything about Edward Snowden’s documents.

Mathematics, law and politics

Jacob Appelbaum, activist and developer at Tor-Project, believes that the revelations are therefore proof that open source software and secure encryption programs can protect journalists and keep the secret services at bay. However, he isn’t expecting much help from government policy or legislation. “Ultimately, algorithms are the only things that count,” he said, referring to encryption models that can still be considered to be secure.

Do all journalists need to know the difference between Elliptic Curve Cryptography and Diffie-Hellman? Appelbaum thinks this crucial – and he has strongly criticised reports in the New York Times about NSA attacks on encryption technology, because they deliberately leave out details. This encourages scepticism, yet no mention is made of specific providers or technologies to avoid. First of all, journalists have to realise that their sources can be compromised with connection data alone. “If you can create a social graph, you can’t give any assurances about security.”

That’s why journalists, the media companies and their IT departments have to develop solutions that go beyond encryption and integrate privacy by design as standard, said Appelbaum, praising the “Zeit” newspaper for the implementation of its anonymous mailbox for whistleblowers. A daily newspaper could feature these kinds of secure contact options as a QR code in every publication, he suggested. This would make it easier for whistleblowers to overcome their initial concerns about making contact.

Newsrooms are lagging behind on security

Sebastian Mondial, data journalist at NDR, contradicted Appelbaum, suggesting that read programs for QR codes generally collect data and transfer them to the manufacturer, which means they aren’t a good idea. Mondial, who played an instrumental role in the evaluation of offshore leaks data, confirmed publishing companies’ ‘systematic failures’ in data security, so he has taken the matter into his own hands. “My security strategy is to bring my own hardware in to work,” he said.

Newsrooms have to gear their security strategies to the specific aspects of the case they are working on or the research they are performing. What’s the worst case scenario? What would happen if there were a data leak? These are questions that have to be asked in all phases of a journalist’s work – especially the phase after publication, which is often neglected. Where PGP-encrypted mails are not in widespread use or accepted, a local forum software might be a more suitable option for newsrooms.

What could a newsroom security culture be like?

One of the key issues addressed at the discussion in Berlin’s Münzsalon was what exactly a ‘newsroom security culture‘ could be like. “They need to be aware of special security requirements,“ said Mondial, referring to newsroom and publishing company decision makers. There is no one universal solution, said Appelbaum; compartmentalisation is the best IT security concept. Don’t use one single channel. Use the concept of compartmentalisation in the system design process, with one person writing the code, a second person checking it and so on.

The discussion made it evident that the situation has become even more complicated after the recent NSA scandal. “Practically anybody can be a surveillance target today, and the government isn’t responding quickly enough to this new situation,” commented Mondial. “The market itself is also being damaged,” added Appelbaum. Under laws like the FISA, service providers have only been able to make security promises that they end up breaking under pressure from organisations such as the NSA – without being able to disclose what they’ve done because that would make them liable to prosecution.

In this situation, a market for secure communication technologies cannot emerge, says Appelbaum. After all, the discussion demonstrates that journalism in surveillance societies has just started to meet the challenges it is facing now.

Author: David Pachali