Christopher Soghoian, a fellow at the Open Society Foundations, writes a stunning piece in the New York Times on the distinct lack of awareness of online security amongst media practitioners. And who really gets it? WikiLeaks:
Brave journalists have defied court orders and have even been jailed rather than compromise their ethical duty to protect sources. But as governments increasingly record their citizens’ every communication — even wiretapping journalists and searching their computers — the safety of anonymous sources will depend not only on journalists’ ethics, but on their computer skills.
Sadly, operational computer security is still not taught in most journalism schools, and poor data security practices remain widespread in news organizations. Confidential information is sent over regular phone lines and via text messages and e-mail, all of which are easy to intercept. Few journalists use secure-communication tools, even ones that are widely available and easy to use.
Government officials often attempt to get journalists to reveal their sources by obtaining subpoenas and compelling testimony and the required telecommunications records. But sometimes that’s not even necessary, because sources have already been exposed by their own lax communications. And then there is illicit monitoring — I believe that American journalists should assume that their communications are being monitored by their government — and possibly other governments as well.
As an expert on privacy and government surveillance, I regularly speak with journalists at major news organizations, here and abroad. Of the hundreds of conversations I’ve had with journalists over the past few years, I can count on one hand the number who mentioned using some kind of intercept-resistant encrypted communication tools.
Even when journalists try to do the right thing, they still make dangerous mistakes, like relying on Skype. Skype is slightly more secure than phones but is by no means safe from snooping — which can be done with commercially available interception software.
Many major media organizations have distanced themselves from WikiLeaks, which, they tell us, is reckless, and does not engage in real journalism. The announcement this week by WikiLeaks’s founder, Julian Assange, that it might close because companies like MasterCard and Visa will no longer process donations to the group, highlights the threat the group faces.
But if the hallmark of quality journalism is the ability to protect confidential sources, then WikiLeaks should, in fact, be seen as a beacon of best practices. In contrast to the shameful practices of most journalists, WikiLeaks has spectacular operational security: encrypted instant messages are used for all real-time communications, strong encryption technology is used to protect files as they are passed between individuals, and servers are hidden using the Tor Project, a popular privacy tool that enables anonymous communication.
Whatever one thinks of Mr. Assange, he is a skilled data security expert. He knows an awful lot more about information security than even the most tech-savvy journalist. His platform appears to have worked: none of WikiLeaks’s confidential sources have ever been exposed by the organization. (Bradley E. Manning, the detained Army private who has been accused of the leak, was exposed by an acquaintance.)
Until journalists take their security obligations seriously, it will be safer to leak something to WikiLeaks — or groups like it — than to the mainstream press.