Learning Security

1. Journalists have a real need for practical information-security skills that is not currently being met.

Even in the wake of the Snowden revelations, most of the support for improving journalists’ information security has been confined to low-cost and low-commitment options like hosting panels, contributing to or linking to guides, or writing blog posts and tweets (and occasional long-form articles). Only a few of the world’s major newsrooms have made truly substantial internal changes that include comprehensive training for staff, well-tuned information-management policies, and robust support for journalists working on higher-risk beats and projects. At the same time, some large news organizations have quietly made well-calibrated changes in the wake of digital attacks; a few have even had information-security support available for years. By contrast, no journalism schools yet offer a distinct course in information security, nor have they integrated information-security fundamentals into their core curricula. In many cases, they lack even an organized way of providing relevant expertise for staff and professors2Soghoian commented in 20133op-ed criticized journalism schools and newsrooms for not helping students and staff learn basic digital security skills and tools, “They’re forcing journalists to figure it out for themselves . . . and they don’t know what they’re doing.”4

What we’re doing isn’t working…

The failure of newsrooms and journalism schools to properly outfit journalists with the skills and support they need to protect themselves, their sources, their colleagues, and their stories is evidenced in the anemic learning opportunities currently available to both working journalists and journalism school students. Discussions with members of the CJS community about the opportunities available to learn about information security yielded a description of those occasional offerings in detail—and mirrored similar conversations we had with journalists in newsrooms5available seems to be the standalone one- to four-hour session led by an outside “expert.” Run by guest speakers of varying skill level and qualifications, these sessions are typically offered publicly once a year or so to a limited number of participants. In recent years, as the issue of information security for journalists has gained more attention, there have been additional, somewhat more extended events for journalists a CJS, including those hosted by the Tow Center. Often billed as a “training,” we found that these interventions leave participants frustrated and empty-handed, with only long complicated guides for further reference and no follow-up access to experts to assist their efforts or correct mistakes. For journalism school audiences already familiar with the issue and eager to learn more6these outreach sessions are described almost universally as too superficial, with little or no time for hands-on practice. What is covered during these sessions goes unused and forgotten in the absence of any sustained attention or follow-up, leaving audience members without any sense of how to navigate crucial decision-making processes or apply practical skills in their actual reporting.

…and may be making things worse.

Though the inefficacy of these trainings is unfortunate, more troubling is evidence that they may actually worsen or reduce interest in and capacity for information-security learning. Students, alumni, and staff all shared tales of grappling with the vestiges of various tools that had been briskly installed on their devices during these brief sessions—often hosted at or even by the school7rapidly, and left on devices without practice or context for proper use, these technologies can render users’ primary applications (and even operating systems) buggy (at best) and inoperative (at worst). As a result, many with whom we spoke had been doing everything they could to avoid these various security and privacy tools, which they weren’t even sure how to remove. Several individuals, their systems crippled by these hastily installed programs, had workarounds that were riskier than the workflows they’d used initially. The cumulative result of these challenges is that the few journalists who engage with the limited information-security training opportunities available to them often end up more frustrated and no better informed about these practices, let alone with the ability to actively apply them and help sources and colleagues do the same.