17 September 2014
Last week, the M100 Sansouci Colloquium gathered international specialists on the subject 'Media Freedom in the age of Big Data'. With the recent revelations about mass surveillance organised by intelligence agencies, questions are raised about how journalists can protect their data and more importantly, their sources. At the Colloquium, we met with Matthias Spielkamp, founding editor of iRights.info, and we asked him about journalism and communication security.
How vulnerable are journalists?
Matthias Spielkamp: There is always a balance you need to find: if I go on a panel or an interview, and say there is no hope, everything is being spied on, people would just say they cannot do anything. It is really my conviction that this is not true, because we need to look at these different threat models. Now the threat model is: the agencies leave you alone, but they try to store everything, they try to know everything about your communication. They are ways to protect yourself against that.
Let's take email encryption for example: PGP is an encryption mechanism, still supposed to be secure at least for a couple of decades. The messages that are stored now can probably be decrypted in 30 years, right now it is very hard, nearly impossible to decrypt them. So if you use PGP, what you are doing is that you are making it a lot harder for the intelligence agencies to know about the content of your communication.
How about metadata?
Matthias Spielkamp: This is a specific problem. It means the data about your communications: for exemple, using PGP you are not hiding who you are sending messages to. If I send you a PGP encrypted mail, the agencies would still know that we are exchanging emails. Now many experts see this as a bigger problem. It is a lot harder to avoid these traces, you can do it when you surf the web using Tor for example, and you can also successfully encrypt the data on your hard drives to protect it when it get lost, stolen or seized.
You can't secure your communication totally, but you can make the job of the intelligence agencies a lot harder, you can increase the cost, which is very meaningful. You can secure the connection that you are using HTTPS, a secure internet connection to exchange passwords and login data, you can do the same with your email account so your data is not transferred. You can also use VPNs.
Are editors-in-chief informed about what is at stake?
Matthias Spielkamp: I am pretty certain, although I haven't talked to him personnally, that Alan Rusbridger knows all about communication security and how to secure the data that they are holding. The same thing is true for editors of Der Spiegel, The Washington Post or The New York Times, people working with the Snowden files. In my experience, editors-in-chief of newspapers and broadcast organisations know very little about how it works in practice. One of the reasons is many people who are not working on investigative reporting say that they don't have anything to hide. We have everything to hide from the government, especially when we are working as journalists. It is not the government's business who I am talking to, what I am saying to this person. In all democratic countries, journalism is legally privileged.
How can an editor implement basic solutions?
Matthias Spielkamp: It is a dream of mine that editors-in-chief would use some of their time to have some expert come in for half a day and explain to them how online communication works, how it can be spied on and what general ideas or tools can be used to prevent that. It is a small amount of time to understand this threat. I have been doing training and consulting on this and most of the time, I was talking to editors and they would tell me, 'It is fine that we now know how to use PGP, but we can't install it on our system because we are not allowed to by the IT department'. This is a very common situation!
The IT department is not focused on this kind of security: they have the latest malware protection because they need to protect the system against viruses and Trojan horses. Before, the NSA was not specifically targeting you, because you were just a regular newspaper, you did not have any reason to think that the NSA was targeting you, but that is no longer the case: they are targeting everyone, every single piece of communication. The change that has to occur is top-down: if the managing editor, or even the CEO, does not understand what is going on, these things will not change. This is all centrally managed and if you are just a regular editor, you cannot change them. The managing editors need to know what is going on so they can initiate that change.
It the media industry running behind?
Matthias Spielkamp: I have been trying to convince media companies to change their practices. First of all, you can, on a systematic basis change things: make it a default situation that people are surfing anonymously, you can provide training for your staff so they know how to exchange encrypted emails, you can make it impossible for people not to encrypt data on their hard-drive.
The thing is, it is very disruptive. IT is a complicated business and most executives are not very knowledgable about it. If they talk to the Chief Technology Officer, they basically have to trust them and so far, they were in the business of saying 'we need to verify that our systems are running properly and that is hard enough'. But now you have to weigh it against the new threat model that we are facing. I would say it is almost irresponsible for someone running a journalism business to not change this policy.
Everyone knows that if you want to change the computer system in your company, you face opposition. Companies have less money than before, they have less resources, and in this situation, many people have the reaction 'Go away!' but I would say they will pay for it later on.
What are you suggesting as first steps?
Matthias Spielkamp: First, make yourself knowledgeable if you are a decision-maker. Then you will have a better understanding of what need to change and talk to your IT department, find out what changes you can do, and it can be gradually.
Editors-in-chief should also offer a secure way for whistleblowers, leakers and sources to get information to them. Manning tried unsuccessfully to contact the NYT, WaPo and (probably) Politico before he turned to Wikileaks. Zeit Online in Germany offers a dead drop facility via their website for people to anonymously upload files.
In parallel, provide training to your staff because this all have to go hand in hand. It is not only about how to use PGP or Tor, it is also how to understand or assess the threat model: 'How is my communication really threatened and what do I need to do about it?' Not everyone has to do what Greenwald and his colleagues are doing because the NSA is after them. The NSA is not after you or me, but only in the sense that they are not trying to access my computer specifically, but the NSA if after all of us when it comes to general communication. This is what mass surveillance is.
To learn more about those issues, join an iRights.Lab training session: more info here.
- "NSOC-2012" by Unknown photographer - National Security Agency. Licensed under Public domain via Wikimedia Commons - Link
- Beraldo Leal