Learning Security

Introduction

The two years since the Snowden revelations have seen an unprecedented focus in media and public interest circles on the role of privacy and security in our highly networked and digitally mediated information world. While increasing legal actions against journalists and sources, questionable practice on the part of government bodies, and often disturbing new understandings about the ability of third parties to register, obtain, and share our digital communications has continued to make headlines, the impact of these events on the daily practices of working journalists has been much more uneven. In our semester as Tow Fellows at the Columbia University Graduate School of Journalism (CJS), we found that while most students, alumni, and staff are convinced of the importance of learning information-security skills, they still lack regular opportunities to do so with qualified teachers in a structured environment. To address this, we organized a range of educational interventions designed to assess both the real depth of this professed commitment and the most effective ways of providing these skills. To that end, we hosted both short (one- to four-hour) information sessions and two parallel series of workshops spread over the semester—one set drop-in and the other cumulative. We also conducted interviews with students, staff, faculty, alumni, and working journalists to understand their particular needs and concerns and made a high-level review of current practices and resources in major newsrooms and journalism schools to understand where and how adjustments to these practices might be made. This research project was designed to explore possible models for providing journalism school students with the tools they need to start putting information-security skills and knowledge into practice while they are learning to be reporters. When offered structured, sustained support and learning opportunities, the students and alumni we encountered during our time at CJS displayed a surprising level of demand for—and sustained commitment to—the non-accredited workshops offered at Columbia J-School as part of this research, which we discuss in detail below. Our work revealed a few key takeaways that we hope newsrooms and journalism schools will use to improve the robustness and efficacy of their information-security training programs:

  1. Despite a real need in newsrooms and journalism schools for practical information-security skills1 being met effectively by current programs, interventions, and resources.

  2. The strong expressed demand for information-security coursework from the Columbia University Graduate School of Journalism students and staff was matched by a demonstrable commitment to dedicate the time required to develop and strengthen relevant skills, even when no credit or formal recognition was offered.

  3. A continuous series of relatively short, hands-on workshops—scheduled at least a week apart—results in better skill acquisition, stronger retention, and less confusion than do either brief introductory sessions or multi-day, intensive boot camp events.

  4. By assigning students a carefully selected series of verifiable tasks, one can effectively and efficiently evaluate learners’ basic competency with information-security tools and techniques.

Information security for journalists is a complex area of knowledge and expertise. Yet most journalists need not become advanced experts in information security, as some fear. The typical journalist, however, is still likely to handle information considered sensitive—whether by a source, employer, or colleague—at some point and does need a baseline level of expertise in digital security fundamentals, such as robust password practices, anti-virus software, and regular data backups; as well as select intermediate information-security skills, such as an awareness of the basic insecurity and risks of various channels of communication. Journalists also need access to qualified technical and operational expertise and the commitment to select and use more advanced security tools and tactics if so advised. Most importantly, however, they need to develop the ability to appreciate when turning to security experts is required. While achieving these practice goals does represent a considerable amount of skill-building and learning for most journalists, we believe that this process is not dissimilar to the continuous learning they already undertake to improve their basic computing skills, access online sources, integrate data into their reporting, and learn to use multimedia tools and software.