Learning Security


1 Often referred to as “digital security” skills, this is misleading as it implies an exclusive focus on all things digital, whereas the true focus is on information of all kinds in both analog and digital forms.

2 Although this research did not include a survey of similar offerings for students at other major journalism schools, the brief, intensive introductory sessions on digital security at Columbia is considerably more than what is available to students, staff, and the extended communities of other journalism schools. Very few j-schools offer comparable standalone introductory sessions or have professors who proactively include information-security topics into their course curriculum, including Columbia. Discussions of providing information-security support for journalists in j-schools and newsrooms were already present before Snowden (see A. Santo, “Teaching Cyber-security,” Columbia Journalism Review, 24 Jan. 2012, at http://www.cjr.org/the_news_frontier/teaching_cybersecurity. php?page=all for more information), but it appears that very little has actually changed after Snowden, despite the new evidence regarding the sophistication and extent of surveillance worldwide. (See L. Kirchner, “Teaching J-School Students Cyber-security,” Columbia Journalism Review, 15 Nov. 2013, at http://www.cjr.org/behind_the_news/teaching_cybersecurity_in_jsch.php).

3 T. Locy, “Surveillance and Security: Are Reporters and News Organizations Doing Enough to Protect Sources?” Nieman Journalism Lab, 9 Jan. 2014, http://niemanreports.org/articles/surveillance-and-security/.

4 C. Soghoian, “When Secrets Aren’t Safe With Journalists,” The New York Times, 26 Oct. 2011, 46 COLUMBIA JOURNALISM SCHOOL | TOW CENTER FOR DIGITAL JOURNALISM http://www.nytimes.com/2011/10/27/opinion/without-computersecurity- sources-secrets-arent-safe-with-journalists.html?_r=2&.

5 There have been regular opportunities for CJS students, faculty, and staff to learn more about information security in recent years. Reporters Without Borders (RSF) provides an annual two- to four-hour-long session each year pro bono, and professors have also asked similar organizations (e.g., Internews, CPJ, Freedom House) to provide comparable one- to four-hour sessions for specific courses, degree programs, and continuing education courses. (For more about Columbia’s professional development courses, visit http://www.journalism.columbia.edu/page/8-training-programs/8.) In addition, the Tow Center recently offered two weekend workshops on security information: A three-day workshop in November of 2013 and a one-day workshop in October of 2014. Lastly, CJS students and community benefit from subject expertise at the Tow Center for Digital Journalism from assistant professor and assistant director of the Tow Center, Susan McGregor, as well as from Tow Fellow and data journalism instructor Jonathan Stray. McGregor is the author of the recent “Digital Security and Source Protection For Journalists” and has spoken widely on various aspects of information security for journalists. (To see her report for the Tow Center, visit http://towcenter.org/digital-security-and-sourceprotection- for-journalists-research-by-susan-mcgregor/.) Stray is one of the few j-school instructors who has integrated information security into his courses and authored well-received security guides for journalists. (For the first in his series, “Security for Journalists, Part One: The Basics,” see https://source.opennews.org/en- US/learning/security-journalists-part-one-basics/.

6 This is particularly the case as attention to the issue has increased over the past two to five years, arguably peaking in the wake of the Snowden leaks in mid-2013.

7 For example, one of our cumulative track students had been grappling with an old installation of GPGTools in his Mail client from a hackathon-style digital security event he’d attended over a year previously, where he had not been given rudimentary instruction on how to use GPG/PGP, let alone crucial background about the tool that users need to have. And, unfortunately, one of the twenty-five-minute “targeted trainings” offered at the Tow Center’s “Source Protection” event was PGP, where the session lead unadvisedly had students install GPGTools instead of providing the briefest of introductions to the complex tool. One of our workshop students who hadn’t yet attended our three-hour PGP/GPG sessions approached us for help in uninstalling the tool and reported frustration with having been told to install it without proper background or instruction at the event.

8 Programs at CJS are intensive. Students work long hours and many work six to seven days per week; part-time students can be even busier as they juggle their day jobs alongside classes. Additionally, there are acute constraints on space at the school, which similarly limited our workshop estimations to weekends with no scheduled courses and no required events for students.

9 Although we agree with a number of journalists that the Snowden- Greenwald example is somewhat misleading due to the rarity of a Snowden-like source, we played the instructional video Snowden sent Greenwald explaining how to install and use PGP—and readily agreed with our audience that most people wouldn’t have used or followed it.(To access the video, visit https://www.youtube.com/watch?v=9mvf8VwVjJY.).

10 “Journalism After Snowden: A Lecture by David A. Schulz,” Tow Center for Digital Journalism, Columbia University, http://towcenter.org/blog/journalism-after-snowden-a-lectureby- david-a-schulz/.

11 “The Legal Environment for Media,” Center for International Media Assistance, accessed 24 Jan. 2014 at http://cima.ned.org/media-development/legal-environment.

12 In fairness, it should be noted that the human rights and freedom of expression communities have adopted this boot camp approach largely out of necessity. Limited geographic distribution of qualified trainers, the cost of international travel, and funding constraints make other models involving face-to-face training infeasible. Furthermore, members of these communities are in the process of reviewing chronic shortcomings, including the ways in which information-security training lacks funding, interdependent local support, and coordination between parallel efforts.

13 A key tenet of adult learning is that "adult learners benefit most from information presented in stages, and in a variety of formats." For more information on how training adult learners on information security, see the LevelUp Project, which provides curriculum, pedagogical advice, and logistical resources for information security trainers.

14 Columbia University Graduate School of Journalism, “The Lede Program: An Introduction to Data Practices,” accessed 25 Jan. 2015 at http://www.journalism.columbia.edu/page/1058-the-ledeprogram- an-introduction-to-data-practices/906.

15 We avoided asking workshop participants to perform tasks and assignments outside of the workshops, primarily because our workshops were already additions to overloaded schedules. Within a class for credit, the amount of content covered—as well as the type and depth—could increase considerably, as would the value of the course.

16 This was a reversal of our training experiences in the global human rights sector, where most trainees were Windows users. Our few NGO trainings for international media prior to CJS did, however, reveal a higher percentage of OSX users among journalists and