You probably know you should turn on two-factor authentication and use a password manager. But do you? Does everyone in your newsroom?
Journalists often have to be visible online for their jobs. This visibility comes with personal and institutional risks, though, from hacking to harassment. A Tow Center report released today found many news organizations are not providing the training, resources, or encouragement to protect journalists, sources, internal information, and the organization’s reputation.
The report, by Annenberg School Ph.D. candidate Jennifer R. Henrichsen, found plenty of financial, cultural, and professional reasons for the sorry state of security cultures in newsrooms:
Information security cultures in many newsrooms are nascent for reasons including ongoing financial crises and labor precarity in journalism, both of which can limit the allocation of resources for information security. Moreover, journalists dislike taking security steps that might slow down their reporting in jobs that are already precarious, and awareness of the myriad security risks to journalists and news organizations is limited…Newsrooms are organizations which, depending on size, financial state, ethos, and management structure, may suffer from both bureaucratic inertia and traditional power structures that limit change. But smaller organizations with less bureaucracy tend to have fewer resources to implement security related practices and policies.
News organizations like Wired, BuzzFeed, The New York Times, and The Intercept — which an interviewee described as “basically born of paranoia and of thinking about mass surveillance” — have made steps toward creating a culture of security. (Back in 2017, BuzzFeed’s Open Lab, in collaboration with OpenNews, created The Field Guide to Security Training in the Newsroom.)
In many other newsrooms, though, what Henrichsen dubs “security champions” are the only voices speaking up.
Journalists, curious by nature, may be willing to test tools without encouragement. (Our own Laura Hazard Owen played around with SecureDrop to find out how easy it is to leak to ProPublica.) The report indicated some subsets of journalists — investigative reporters or someone working the cybersecurity beat, for example — seem more likely to adopt security measures.
Journalists also bring information security knowledge into the newsroom out of curiosity, and the belief that information security practices are important for them to get stories and do their jobs. These security champions — who become trainers by accident — work to support colleagues and convince them of the need to adopt more secure practices, through informal conversations, brown-bag lunches, and training sessions at the individual, desk, and newsroom level.
But the report also found some journalists suffer from a “security by obscurity” mindset that reflects their belief that “since they are not working on anything ‘sensitive,’ they have little to no risk of digital attacks.”
There’s a geographic element too. The report found more awareness of security practices in areas where news organizations are highly concentrated, including “the Acela corridor,” than in other parts of the country.
Some newsrooms task their IT offices with basic security training — do those “terrible two-hour ‘How to Use Outlook’ training sessions” sound familiar? — but there’s not always follow-through. One interviewee said:
“Everyone had to go to these like terrible two-hour ‘How to Use Outlook’ training sessions and then…never got training on how to use email again…We’re putting people in charge of a lot of information, whether it’s the CMS or they’re managing edits in Google Docs or they’re using Dropbox to manage files or whatever, but we’re using these third parties, we’re cobbling things together, and we really need to be cognizant of the risk.”
Newsroom norms about using platforms like Slack can increase security vulnerabilities if the journalists use them without understanding how information is transmitted or stored.
Other norms — such as the news-breaking prized by journalists and editors alike — can thwart security efforts that slow down publication. One interviewee explained a conversation about an app like Signal:
“So you have to explain it to your editor. Like, ‘Oh, I didn’t get to talk to them [the source] yet because they’re still installing the app.’ They’re like, ‘What app? What are you doing?’…You need to have buy-in and trust from your editor.”
Henrichsen acknowledges that journalistic craft and security aren’t always a natural fit. In addition to speed, tensions emerge with regard to visibility, verification, and usability.
Journalists may try to protect themselves from online harassment by limiting communication channels such as direct messages (DMs) on Twitter, yet by doing so, they also reduce the number of ways that potential sources can communicate with them. In the last two years, more news organizations have adopted the anonymous whistleblowing platform SecureDrop, but because of its anonymous nature, it can be challenging for journalists to verify the information received with it…
Another journalist and digital security trainer [told Henrichsen], “I’ve never had anybody be like, ‘I’m going to die on the hill of not signing up for two-factor authentication,’ for example, but I’ve definitely had people say, ‘This is cumbersome, this is fiddly; I don’t like this,’ but at the end of the day…this is what it is to do journalism in tech — in an online world. It’s time to put the typewriters down and fire up the VPN and get out there and do your job.”
The report details how the fast-paced but precarious nature of journalism encourages individual journalists to use their personal accounts and devices and connect to wifi wherever they happen to be reporting.
Great to see @JennHenrichsen’s report highlight that securing a journalist requires more than just securing corporate assets and systems.
— Runa Sandvik (@runasand) April 30, 2020
While many of Henrichsen’s interviewees seemed to know they weren’t operating at a gold security standard, a number couldn’t envision their newsrooms prioritizing the issue in the near future. “There are so many other things that take priority. Like, if the business model isn’t working, then security isn’t really a concern. You need to be able to pay people,” one journalist, who works in local news, said. Another interviewee pointed out that newsrooms are cutting back on crucial roles like copyeditors and wondered how devoting resources to security culture fit with the “barebones decision-making” they saw happening around them.
Henrichsen interviewed a reporter who noted top management, on the whole, is not particularly interested in security technology.
Management has a lot to think about, and it’s not necessarily in the day-to-day work, and thinking about how the tech comes together. They’re thinking about higher level things. It’s hard to find a balance between what they’re thinking about, and what we’re thinking about, and how those things combined.
One digital security trainer said that’s one reason why he caters workshops to what journalists can do as individuals. “We want to give them something that they can take home with them right away,” he noted.
The full recommendations section on how newsroom leaders can build security cultures and “make security fit journalism” is worth a read. Henrichsen ends the report with a list of steps news organizations should take at a bare minimum. (Hint: You’re going to need to get a password manager.)