Bruce Schneier had an interesting post last week on how insecure journalists are. It turned out to be quite an animated discussion.
As I commented therein, I really doubt that your typical newspaper reporter gets much cybersecurity, or even cyber-awareness, training in journalism school. There are no whistle-blowers that go to traditional media anymore, a sorry state of affairs for journalism as a whole.
Several months ago, an Australian reporter somehow managed to track me down on LinkedIn expressing his concerns over what he perceives to be a pretty repressive free-speech environment in Australia. From all accounts, he seems to be correct. “What good is encryption if the government knows your contacts and meeting places from Cell Tower meta-data?” I was surprised, actually. How about putting your device in a Faraday bag, or even better, leave your device back in the office and tell your contact to do the same? Good grief.
Look, you can’t deny the obvious. If you have a Microsoft, Google, Yahoo, or AOL email account, the NSA is monitoring it. The PRISM documents released by Snowden document that fact. Furthermore, this is being done at the server-level, not facility or link-level monitoring. As per those same NSA documents, the NSA specifically calls out those systems that do link and facility monitoring as separate from their Email, Facebook, and Skype server-monitoring programs. From the Washington Post’s PRISM collection:
Now regarding Email in general, this can’t really be used to protect data. PGP encryption can help, but Address and Recipient fields are cleartext, as is usually the subject line as well. Other security professionals and healthcare professionals can use S/MIME techniques, but third-party Certificate Authorities cannot offer any real end-to-end privacy either. Signal is good to use, but there is still the possibility of correlation between sending and receiving phone numbers. That leaves you with IP-based IM messaging products. Facebook’s servers have to be considered as compromised; plus WhatsApp is a forensic nightmare (traces of messages left everywhere). Telegram might be one of the better plays here.
I find Reality Winner’s case to be very intriguing and insightful. How important is this to journalism? Consider that without it the American Public would have no hard evidence of Russian Election hacking. I found NSA’s comment that they were able to correlate the dialog between Winner and The Intercept. How’s that? Was Winner or The Intercept already under active investigation? No, metadata collection (if it was truly only that) simply ensures that whatever you say or do can be held against you at a time of NSA’s choosing. Considering the murky data-retention laws, anything you say or do is likely to mess up your grandchildren too.
Wise-up, journalists or you won’t have any sources anymore.