Secure the News: A Dialogue on How News Organizations, Tech Companies and Technologists Can Protect the Future of Journalism

From IFF Wiki

Session Description

Building on CPJ's 2015 Tech Summit, this session will convene journalists, technologists, technology company representatives and others to discuss how news organizations can protect the free flow of news by deploying strong encryption by default, adopting security standards for staff, and better educating readers about the threat environment. Draft outcomes include:
1. Enhanced understanding of, and support for, HTTPS and STARTTLS deployment in newsrooms large and small. CPJ will be deploying a major "Secure the News" campaign to do just that in 2016. We will be reaching out to Freedom of the Press Foundation, EFF, Let's Encrypt and other organizations.
2. Dialogue around actionable minimum best practices for news *organizations* other than robust HTTPS and STARTTLS deployments.
3. Dialogue and an action plan around regularizing emergency response procedures at technology companies for situations in which a journalist/blogger is kidnapped, arrested or otherwise under duress.

Presenter/s: Geoffrey King, Tom Lowenthal, Oktavía Jónsdóttir, Kim Pham
Bio/s: King joined CPJ in 2013 to coordinate the organization's Internet and technology policy efforts. Based in San Francisco, he protects the rights of journalists through advocacy, public education, and engagement with policymakers worldwide. Prior to joining CPJ, King, an attorney by training, represented U.S.-based individuals in constitutional matters involving the freedoms of speech, press, and petition. He is also a documentary photographer whose work has focused on human rights and social movements. In addition to his work as an advocate and journalist, King teaches courses at UC Berkeley on digital privacy law and policy, as well as the intersection of media and social change. King holds a bachelor's degree in Mass Communications, Phi Beta Kappa and with Highest Distinction, from UC Berkeley. He earned his law degree from Stanford Law School. His public GPG encryption key fingerprint is 4749 357C E686 71B1 4C60 F149 9338 5A57 27FA 494C.
Language: English, possibly Spanish

Session Comments

Q1 What do you see as the overarching threats to journalists? Or journalism as a vocation?

Ambivalence and disbelief when you propose basic things. For ex, digital sec 101 to secure with two-factor auth, very freq someone in the room who literally doesn’t believe that it might help, b/c hindrance of typing something twice or introducing a new workflow. the incredulous person is like the major demo in the room, prominent person. having to assert auth as a trainer…threat model hasn’t changed.

how many use 2-factor auth? majority in the room

hard drive encryption? 7 of 400

security is not intuitive. If you're a journalist, your expertise is journalism, not security. you need help, support and instruction to be effective in sec practices. journalists in greatest risk tend to have the least amount of support; freelance journalists in war zones don’t have full institutional support that their colleagues would have had a decade ago. transition of the realm of journalism implies new challenges vis a vis security, amplified as the journalism gets less professional, more occasional on the spectrum

lack of physicality on the internet makes security much more abstract. given a car and keys and didn’t have a license and just went but didn’t have an idea of what the signs around us mean. y’all go. digital literacy is important and not intuitive.

threats to journalism: still haven’t been able to find true solidarity within ourselves as a strategy for safety, through peer groups, or with a buddy, that it is super hard to do this work and we’ll never be able to do it if we don’t do it together, once you have that, the rest will come.

biggest threat: that thing in your lap, that thing in your pocket, and not having a digital security policy. individual digital security policy: written down. water the plants, take out the trash. critically thought out policies. hold intentions that are important to you. thinking deliberately about your own digital security policy.

temporal gap: when you’re on deadline and working with sources, first contact is a mess but after that, we need to have a protocol.

when you say what your secret plans are, you may be giving access to those plans.

reluctance to publish guidelines within organizations on digital security, because of risk of them being revealed. the more prominent the org, the more adversaries. also, the idea of liability, if we write it down, then that elevates the app Signal to such status then the app itself becomes a target. “keep your secret sauce secret.” have to have open disc as a community about what works and why.

the best sec systems are those that are entirely open but you have one secret component (key). if you can invest in keeping that part secret there’s no reason why you should be silent about anything else.

if we don’t lift this rabid secrecy around digital security then we resist building the communities that we need to stay safe.

not planning is a bigger risk than the most sophisticated of our adversaries. writing it down, sharing our tools and practices has a much bigger net benefit.

system of locks (analogy) on doors. people try to get into that, and then they know that this works. if i’m using PGP then come at me.

how you use an app changes depending on what you’re doing, journalist different than becky trying to sneak out to a pool party and evade her parents.

one of the reasons sec tools work as well as they do, they help establish contact between journalists and their sources, the conundrum of the first contact. we have to make sure that people who don’t get to sit in rooms like this have access while still giving them a reasonable degree of confidentiality and anonymity.

Signal mentioned a lot. publish fingerprint. SecureDrop.

Balance of figuring out what our risk tolerance is (how far we will go before we set a boundary) vs the operational safety we want to have. complex, because always in layers, as individual, team, organization.

need to sit down once in a while and verbalize risk tolerances as teams, orgs, what we’re willing to do as a team, what we’re willing to tolerate.

note retention policies around libel lawsuits. has to be tailored to the culture of the place. threat modeling

Q2: Opportunities you see right now? Large-scale solutions, target interventions?

tools are starting to trickle into the journo ecosystem and influencing the way they talk to people. intuitively off the record if we’re speaking over Signal. tools are starting to shape the way that people are doing their jobs in a really intuitive way. default rules matter.

the most extreme security from a while ago is now available to everyone, so raise the peaks, security in a mobile device that you can get with iOS, comms security provided by HTTPS, basic tech available for the most imp and common communications, protects so many people from so many things in so many ways. breadth and ubiquity provides not just that direct benefit but also for other unanticipated threats. great to develop the next amazing thing that will become the default in a decade, also prioritize taking the techs that are ready to go and spread them everywhere.

five continents: journalists talking about the fact that they’re burnt-out. which provides an opportunity to build resilience into the culture. app to have broader access to tools that are more intuitive for humans

FBI & Apple should be normalizing these conversations and looking to intersections and intersectionality that threats to journalists may have things in common to domestic violence survivors, LGBT youth and have those conversation with each other across continents and interest group identities…

FBI talking about 4th amendment…can’t serve a valid warrant. talking about ciphers that Jefferson used, the constitution was drafted using encryption. for affairs of state, courtship, boring conversations and letters. Kama sutra has one of the first discussions of encryption, one of the 5 things that women should know.

Audience Participation

~using tools in intuitive ways, Signal and OTR? it shouldn’t be that intuitive, when agreeing to use a certain tool it should be spelled out what you’re using it for and what exactly each side expects. maybe the source actually wants what they’re passing along to be on the record.

Response: anecdotal power use journalists, lay down the law with a potential source in a way that’s specific; depending on the newsroom that you’re working with or freelance journalists, there are actually restrictions how you may or may not use technology that is encrypted by default. freelancers have it rough. freelancers, pitching assignments to several pubs at the same time.

~To what extent is digisec being integrated into journalism curricula? Response: Freedom of the Press Foundation; also Columbia’s J School. Additional thought: Huge need in the non-US universities and schools.

~How do you get journalists to care? Time, resources, too difficult. Also, in non-US environments? New journos more comfortable with tech, seasoned journalists are also comfortable with the idea of protecting their sources, because they know just how dangerous things are. Talk to the young tech guy and figure out what he needs and what he wants, talk to the older guy and see what he/she wants and try to meet in the middle.

~Threat modeling for journalists? And multiple stakeholders/Trolling and interception of communication, at any time during your production process.