This story seems like a good time to re-emphasize a few things. Secure communications in 2018 are a core professional ethics obligation for journalists. Bad comsec is burning your source as surely as publishing their name would be. [Thread] nytimes.com/2018/06/07/us/…
That doesn’t just mean “Use Signal” (though that’s a good start). It means anticipating the compromise of an endpoint device, not retaining messages longer than necessary for the story, and setting your own messages to disappear in the event your source’s device is seized.
It means making encrypted messaging a default. A journo friend once proudly told me he’d started using Signal, but “only for sensitive conversations.” I had to break it to him that this wasn’t a whole lot better than plaintext for leak investigations.
If secure comms isn’t your default, and suddenly you tell a source it’s time to switch to Signal right around the time you’re reporting a story based on their sensitive information, how exactly do you think that looks to an investigator?
It also means thinking about metadata. Encrypting content isn’t enough if investigators have a clear data trail that shows you talking to one of the small number of people with access to the information you’re reporting.
Most critically, this is an ethical obligation at the INSTITUTIONAL level. It is not the source’s job to be Ed Snowden. But it’s also ridiculous to assume a bunch of 25 year old reporters can figure out secure comms on their own because they’re “tech savvy” about social media.
That’s like assuming the teenage kid next door can program in assembly language because he’s really good at Overwatch. Reporters should not be left to figure this crap out on their own, and it shouldn’t be something they start thinking about only when they get a sensitive source.
If a reporter is communicating with a source who wants to convey sensitive information, and at that point the reporter starts wondering “OK, how do we do secure comms?” congratulations, you’ve already fucked it up.
Also this! Do not assume your internal comms are sacrosanct! All your fancy cloak and dagger isn’t worth a damn if you’re blabbing to your editor in a logged Slack chat about what you’re reporting.
Not mentioning your source’s name isn’t good enough if you leave enough info for investigators to piece together a timeline in combination with other data. Did you say where you met? They can check cell logs and see that your source was there.
Good reporters need to attack their own process. You’re a dedicated investigator with subpoena power. How do you backtrack to identify your source? Think hard about this, often. Then close off those paths.
This last one is maybe the most critical thing that conscientious reporters who are trying to do secure comms don’t do enough. You need to take an attacker perspective constantly. Ask “how do I break this?” until you come up empty.
That means, incidentally, that the reporter — or, better, the person in charge of security training, which every news organization should be doing regularly — needs to know enough about the investigative process to think like the attacker & identify the common attack surfaces.
You have a SecureDrop portal to enable sources to reach out anonymously? Great. Is it on its own subdomain? Whoops, that’s going to show up in your source’s DNS log. mascherari.press/the-first-cont…
That’s the kind of design mistake you’re only going to avoid if it’s the job of someone on the team to understand all the different kinds of information available to leak investigators, and how they’ll be exploited.
You actually need specialized staff for this. Your tech savviest reporter is still a shitty information security professional.
And unless you are very, very lucky, your regular IT guy’s domain of expertise does not extend to securing reporter-source interactions against state adversaries.
