With the given security tools, journalists are ill-equipped to protect the identity of their sources, especially after Edward Snowden’s leak of classified documents to journalists across the globe about massive government surveillance programmes and threats to personal privacy, says a new study.
“Addressing many of the security issues journalists face will require new technical solutions, while many existing secure tools are incompatible with the journalistic process in one way or the other,” said lead author Susan McGregor, assistant professor at Columbia University in the US.
The researchers probed the computer security habits of 15 journalists across the US and France and found a number of security weaknesses in their technological tools.
“If you use your iPhone to translate speech to text, for example, it sends that information to Apple,” said senior author Franziska Roesner from University of Washington.
“So, if you record a sensitive conversation, you have to trust that Apple is not colluding with an adversary or that Apple’s security is good enough that your information is never going to be compromised,” said Roesner.
News organizations’ abilities to build trust with sources and gather sensitive information have been called into question by recent disclosures about surveillance: the US Department of Justice’s admission that it secretly obtained phone records from the Associated Press, Microsoft’s admission that it read a blogger’s personal Hotmail account to find a source of an internal leak, and criminal investigations that have used email traces to identify and prosecute anonymous sources, the study said.
“At the same time, there are clearly opportunities to build tools that really support journalists’ workflow and build them in a secure way,” McGregor said.
For instance, the team found that reporters’ number one goal — obtaining information — was often impeded by existing security tools that introduce roadblocks to communication.
One open-source product that sought to let whistleblowers securely send documents to journalists was rarely used because it lacked the common mechanisms by which news organisations tend to authenticate a source’s identity.
“Tools fail when the technical community has built the wrong thing,” Roesner said.
“We have been missing a deeper understanding of how journalists work and what kinds of security tools will and won’t work for them,” Roesner added.