Journalists (and their sources) have become increasingly vulnerable to digital attacks from state and non-state actors that can compromise their security, threaten source confidentiality, and ultimately undermine journalistic activities. These threats range from digital surveillance and the tracking of their activities and interactions to the hacking and theft of their data to the disruption of journalistic activities through denial of service attacks and account hijacking. These attacks have become especially problematic as researchers have found many journalists to lack even basic knowledge about how to integrate defensive measures like using encryption and identifying ‘spear phishing’ digital attacks.
In many parts of the world, unearthing wrongdoing and challenging powerful individuals within government and society at large can carry great risk. For example, as a consequence of his efforts to shed light on secret U.S. government activities, whistleblower Edward Snowden (a contractor who worked with the National Security Agency) was forced into exile in Russia. The journalists Snowden worked with were subjected not only to legal threats of their own by the U.S. government but also to smear campaigns by a range of political actors as well as death threats from people around the country. This example is indicative of broader trends around the world where, in many countries, protections for typical journalistic activities are being eroded and, in some cases, critical journalistic activities are being criminalized.
Within this context, it is important to recognize that there has been a parallel trend across the world in recent years to strengthen the surveillance powers of government agencies. (Moreover, even private companies now have access to a wealth of granular information about individuals.) Those efforts are not always designed to target journalists but nevertheless affect them and their work. Specifically, increased surveillance has made it not only harder but riskier to do journalism around the world.
For example, the United Kingdom’s Investigative Powers Act (which is also sometimes called the “Snoopers’ Charter”) came into effect in November 2016 and granted comprehensive and far-reaching digital surveillance powers to police and intelligence services. While the IPA offers some safeguards for sensitive professions, including journalists, those protections are widely regarded as being inadequate for journalists and would-be whistleblowers. The IPA legally forces communication service providers to assist with targeted interception of data and makes it illegal for those providers to reveal when a user is the subject of an investigation.
The U.K. is hardly alone in this regard. In fact, at the center of Snowden’s revelations was a coordinated global mass surveillance effort led by the National Security Agency in the United States, GCHQ in the United Kingdom, and allied intelligence services in the Five Eyes Group. Those surveillance efforts indiscriminately targeted all citizens’ communications instead of just those belonging to citizens suspected of wrongdoing. They also consequently ensnared journalists reporting on a range of topics, including those that showed governments and social elites in a negative light.
Fears about such technologies being turned on journalists are not unjustified, either. For example, in 2006, New York Times reporter James Risen wrote a book about U.S. efforts to combat terrorism that included details of a secret failed plot to disrupt Iran’s nuclear weapons program. Alarmed by the revelations, federal prosecutors sought to identify the source of the leak. They eventually obtained a grand jury indictment of a former Central Intelligence Agency employee based records of phone calls and emails between Risen and that employee. Risen was subpoenaed to testify at the employee’s trial — the employee was charged with disclosing classified information illegally — but ended up striking a deal to avoid revealing his source. Nevertheless, the government prosecutors were able to obtain a conviction primarily through the use of the communication records obtained from service providers who, under federal law, were not allowed to tell Risen or the employee that their records had been seized. Consequently, neither Risen nor the employee could challenge the data collection used to implicate them (even if they had legal standing to do so, which American courts have said they did not due to the lack of information).
The broad consequence of these efforts is that engaging in sensitive journalistic activities has become even riskier in recent years. Not only have many governments increased the number of analysts dedicated to digital surveillance under national security laws, who can be turned to focus on specific journalists, but they have deployed large-scale, indiscriminate nets that can turn journalists into persons of interest based on their online activities. This becomes especially problematic as more journalistic activities take place online, from basic research for news stories to e-mails and messages scheduling interviews.
Moreover, it has also had a chilling effect on sources’ — and especially whistleblowers’ — willingness to talk to journalists since they are more likely to fear that their communications (and activities) might be monitored. This is especially true under more repressive regimes around the world. Indeed, several repressive regimes and wealthy individuals have been shown to be clients of NSO Group, a highly secretive Israeli technology company that produces exploit-based spyware that can be surreptitiously installed on targets’ phones. Journalists in countries spanning the political spectrum (e.g., Bahrain, England, Mexico, Morocco, Saudi Arabia, Spain, and Yemen) have all been found to have been targeted by the technology — even though it is legally a restricted export that supposedly must be approved by the Israeli government.
In order to protect themselves against surveillance, journalists around the world have increasingly turned to tools designed to encrypt communications and to obscure online activity. However, researchers have found that both journalists and their sources tend to have a very limited understanding of how those technologies work and generally find them hard to use in day-to-day activities. This, in turn, has limited their uptake within journalism, even as their non-use puts journalists and their sources at risk.
The lack of uptake is particularly problematic because widespread use of encryption is widely regarded as being important to truly circumvent surveillance. That is, increasing the amount and complexity of encryption and anti-surveillance tools makes mass surveillance more expensive and difficult, thereby offering a form of herd protection. Perhaps more importantly, it helps protect those who most need protections since the use of anti-surveillance technology can attract unwanted attention to the very activities it is designed to protect. Put another way, in the absence of mass encryption, a journalist may inadvertently draw government attention to themselves and their sources through the very effort of circumventing surveillance.
Technologies like the mobile messenger apps Signal and Telegram (and, to a lesser extent, WhatsApp) have begun to normalize secure communication by providing user-friendly end-to-end encryption with strong privacy controls. Similarly, the popularization of Virtual Private Networks (VPNs) and TOR (The Onion Router) has made it easier for journalists and sources to anonymize their online activities. Many journalistic outlets around the world — from BuzzFeed in the U.S. to The Guardian in the U.K. to NRK in Japan — now use technologies like SecureDrop to help whistleblowers easily submit information securely and anonymously over encrypted communications. Taken together, these technologies have helped journalists around the world regain some measure of security and the trust of their sources. Indeed, many investigative journalists now publicly link to secure communication channels via insecure platforms, as with a journalist posting their Signal number on their Twitter profile.
However, those technologies can also be repurposed by bad actors. For example, the Telegram messaging app was purportedly used by the terrorist group ISIS as a group messaging tool to spread propaganda, and it may have been used by terrorists to plan the 2015 Paris attack. Consequently, many countries, including China, India, Malaysia, Singapore, and Sudan have used national security justifications to impose severe restrictions on the use of encryption. Those restrictions include banning encryption outright or requiring a license for its use. Even in the United States, encryption is classified as a ‘dual use technology’ that can ostensibly be used as a weapon, and its export is therefore heavily regulated.
In short, journalists around the world must now contend with a form of mass surveillance that was not previously possible. While they are becoming more security-minded and have access to technologies that make surveillance harder, most journalists are still only scratching the surface of what is needed to offer a herd form of protection. Moreover, as the tools have evolved, so have the government responses to them, creating a race for protecting journalists.
Journalists around the world are increasingly subjected to mass surveillance efforts by their governments and other governments around the world. Even when they are not the targeted for surveillance, they may be ensnared by indiscriminate algorithms.
The specter of mass surveillance promotes self-censorship on the parts of both journalists and their potential sources.
Journalists now have access to easy-to-use technologies that can help circumvent surveillance. Although the uptake of those technologies has increased dramatically in recent years, they are not yet mainstream in most places. Additionally, the technologies have drawn the attention of many governments, some of which have restricted their use.