Digital Security Practices in Newsrooms

After Edward Snowden’s disclosure that the majority of web traffic is gathered and surveilled by government agencies like the NSA, concerns about computer security were no longer limited to the discourse of hackers and privacy activists. In particular, journalistic interest in this subject gained new urgency as the duty to protect one’s sources appeared to be increasingly difficult to fulfill. A Pew poll from February 2015 found that sixty-four percent of investigative journalists believe that they have been subjected to surveillance by the U.S. government.⁷ The same poll found that about half of these journalists had since taken measures to protect sensitive documents they share, and thirty-eight percent had begun to use secure communication tools with their sources.

Data from the directory of encryption keys at the MIT key server also supports the increasing use of encryption tools among journalists.⁸ For this study, I searched for keys registered to email addresses at a selection of news organizations, including those running SecureDrop.ⁱ The figure below shows the running total of PGP key registrations at some of the few news organizations represented in the key directory. This figure also includes an index line noting the date of the first published Snowden disclosures. Although this event is probably not the sole cause of the rising use of encryption among these journalists, it is clear that there has been a drastic change from the relative flatline in most newsrooms beforehand.

A selection of news organizations and the number of their employees who have registered encryption keys at the MIT public key server over time.

It is worth noting that journalists’ adoption of encryption tools has been highly uneven: The vast majority of news organizations have no listings at all in the directory. The major outliers are The New York Times and the BBC, neither of which has a SecureDrop system in place. Nevertheless, both have had a large number of employees register PGP keys at the MIT directory over the last seventeen years—though their lines are omitted from the graph above because they throw off the scale. While the BBC rate of encryption-key registration has been fairly consistent over the last fifteen years, The Times’s numbers began to climb at a faster rate in 2011; it surpassed the BBC in early 2013, right before the Snowden disclosures.

The graph above with The New York Times and BBC included.

The bar graph below shows the total number of PGP key registrations at each of the news organizations I pulled from the MIT key server. The table lists the number of registrations each year over the past decade.

Total public key registrations by organization.

Although these numbers provide some sense of which news organizations have recognized the uses of encryption versus those which have ignored it, these totals should not be read as raw indicators of digital security consciousness from place to place. The BBC’s total of ninety-four PGP key registrations reflects just half of one percent of its 18,974 total staff. On the other hand, ProPublica’s thirteen registrations represent nearly a quarter of its sixty employees.

Bearing in mind this limitation of the data, it is worth noting that the benefits of increased PGP registration across newsrooms are not necessarily cumulative. In the past, news organizations with just one or two journalists set up with encryption have been contacted by sources who specifically wanted to work with them. What is more problematic is the large number of news organizations in which encrypted communication channels are completely absent, or where interested reporters do not have the opportunity to be trained.

Anecdotally, several of my informants observed that the overall use of digital security tools in their newsrooms appeared to increase after the installation of their SecureDrop system. When the FPF developers visited to oversee the installation of the SecureDrop system, then returned to check up on it, these conversations sometimes prompted further steps among the staff to encrypt hard drives, set up PGP keys for encrypting email, and download the Tor anonymous browser or the Tails anonymous operating system.

Number of employees at each organization who registered public keys each year from 2005 to 2015.

Still, this elevated attention to security rarely extends beyond the small group of reporters who are trained to use the SecureDrop in each newsroom. “That wasn’t something that we thought would scale to the whole newsroom,” said Alasdair McKie of The Globe and Mail. “We really needed to identify, who are the most invested recipients of that training, who are most likely to take it to heart and actually use it in their day-to-day lives as reporters.”