Surveillance and Security


The National Security Agency has been accused of collecting data from the servers of web companies like Google, whose data center in Council Bluffs, Iowa is pictured here. Image courtesy of Google

This article was originally published in the Nieman Foundation e-book "Muckraking Goes Global: The Future of Cross-Border Investigative Journalism." In the 1980s, when I worked at the Philadelphia Daily News, I remember watching in awe as reporter Joe Daughen worked confidential sources. After a few mumbled words on the phone, he’d grab his rumpled trench coat, nod to an editor and say, “I gotta go see a guy about a thing.”

Today, reporters rely on cell phones, e-mail and texts to reach sources.

Digital technology is also benefiting the National Security Agency and the FBI, making it so much easier to identify “whodunit” in a leak investigation that the Obama administration has set a record for espionage prosecutions against alleged sources for journalists. In response to criticism over aggressive investigative tactics aimed at the news media, U.S. Attorney General Eric H. Holder Jr. has tightened Justice Department procedures to make prosecutors and agents jump through a few more hoops before they can obtain phone logs, e-mail and other information gathered by reporters.

But journalists shouldn’t think the danger has passed. Instead, the revelations leading up to the Justice Department’s mea culpa should serve as a warning to reporters and their sources that they are leaving digital tracks that are difficult to ignore.

The investigation of James Rosen, a Fox News correspondent in Washington, D.C., stands out not only because the FBI convinced a federal court to treat him as a suspect in an espionage case for steps he took to cultivate a source. The Rosen case is also significant because his use of cell phones, pressroom landlines, and e-mail highlights flaws in contemporary reporting techniques, and raises questions about whether reporters and news organizations are doing enough to keep promises to protect sources.

Some journalists, computer scientists and privacy advocates are so alarmed that they recommend reporters go old school, like Daughen, and rely on in-person interviews and snail mail.

Others say reporters—and their sources—should encrypt computer files, hard drives and e-mail, and cover their tracks on the Internet, mimicking precautions taken by The Guardian’s Glenn Greenwald and Barton Gellman of The Washington Post and their source, former NSA contractor Edward Snowden. “The old-fashioned promises—I’m not going to reveal my source’s identity or give up my notes—are kind of empty if you are not taking steps to protect your information digitally,” Gellman says.

Chris Soghoian, principal technologist for the ACLU’s Speech, Privacy and Technology Project, says news organizations are failing to provide reporters with digital security skills. “They’re forcing journalists to figure it out for themselves,” he says, “and they don’t know what they’re doing.”

David Cay Johnston, president of the board of directors of Investigative Reporters and Editors, says it’s a “fool’s errand” for news organizations to train journalists to conceal their reporting. “All of the budgets of all of the news organizations are a drop in the bucket compared to the federal security establishment,” he says. “The question to ask is, What’s government doing pursuing the work of journalists?”

Johnston says federal agents should follow the law, and journalists should do their jobs as they always have. Business as usual means using the phone and e-mail. But there is no reliably safe way to shield phone calls from surveillance, and e-mail encryption is far from the perfect alternative, says Doug Tygar, a computer science professor at the University of California at Berkeley.

At issue is the power of metadata captured as the NSA routinely collects records of phone calls Americans make and receive at home and contents of calls and e-mails of non-citizens abroad. Technology experts say the NSA’s collection is massive and tough to analyze—for now, until traffic analysis improves.

An FBI affidavit shows what agents can do with digital breadcrumbs when they have an idea of what they’re looking for.

Rosen and his alleged source, Stephen Jin-Woo Kim, spoke on cell phones and landlines inside the State Department. The reporter used a pressroom line and Kim used his office phone. Kim reviewed a document about North Korea on a classified computer, while on the phone with Rosen. The reporter also set up an unsecure e-mail account to communicate with Kim. When they met, they didn’t go far from the building.

To connect them, the affidavit says the FBI simply lined up the phone numbers, compared the calls’ timing to log-ins at Kim’s secret computer, cracked nicknames they used as code in e-mail, and tracked the State Department security badges they swiped when they left and returned to the building within minutes of each other.

More reporters and sources operate like Rosen and Kim than Greenwald, Gellman and Snowden, who used encryption to communicate.

Even if the reporter and source master encryption software, a court could order a journalist to give up the secret codes to her encrypted computer and e-mail. Federal judges in Colorado and Vermont have ordered defendants in criminal cases to decrypt hard drives and turn over the material to prosecutors, ruling that the Fifth Amendment’s protection against self-incrimination doesn’t apply. But a district court judge in Michigan and the U.S. Court of Appeals for the 11th Circuit say it does.

It’s not a big leap for someone like me, who’s been held in contempt of court for refusing to identify sources, to imagine a judge ordering a reporter to decrypt her computer or e-mail for a plaintiff’s attorney or prosecutor who wants her notes and sources’ names.

I was taught early in my career to throw away notes on a consistent basis. I had no notebooks to turn over when I received a subpoena from lawyers in a civil lawsuit filed on behalf of Dr. Steven Hatfill, a former U.S. Army scientist who was the target of the FBI’s flawed investigation into the deadly 2001 anthrax attacks.

Reporters shouldn’t take or keep notes on a laptop, Gellman says, nor should they put sources’ names in calendars or contacts lists on a computer or in the cloud. But he says reporters—and everyone who works with sensitive information—still should encrypt their computers’ hard drives.

A next step would be to use software like Tor, a free downloadable program available at https://www.torproject.org that helps users remain anonymous as they browse the Internet. Using Tor, reporters can create special e-mail accounts to communicate with sources, who must take similar steps.

Tor routes a user through three encrypted random relays around the world—out of 3,000 volunteer servers—before taking her to the site she wants to visit, and this takes longer than via Safari or Firefox. While a user’s identity and location are shielded, the contents of an e-mail, for example, aren’t. Secrecy could be blown if the reporter or source forgets to launch Tor and uses an unsecure browser to access such an e-mail account, or signs a message with a real name. “It takes discipline,” Gellman says.

Reporters and sources can get extra security by using Tor in conjunction with e-mail encryption software, such as GnuPG, to protect contents of messages. “Tor is as easy as pie,” Gellman says. “E-mail encryption takes a little more effort.”

Tygar blames technologists for failing to make encryption more user friendly. In 1999, he co-wrote a paper, “Why Johnny Can’t Encrypt,” based on a study of users of a popular e-mail encryption program, PGP, or Pretty Good Privacy. “They weren’t stupid users,” he says, but most failed miserably. The programs require public and private “keys,” long strings of letters and numbers, to send and receive e-mail. Sender and recipient must exchange their respective public keys. Tygar recommends that a reporter and source exchange them in person or through a trusted intermediary.

Each person also has a private key that decrypts e-mail so it can be read. A user creates a passphrase that unlocks the private key, which should be stored in a safe location, such as on an encrypted computer or USB drive. My department’s IT guru and I spent several hours setting up G-mail accounts, configuring GnuPG and creating keys before we successfully sent encrypted e-mail to each other.

Another free Tor product called Tails seems a bit easier because it offers an all-in-one package with the Web browser and encryption for e-mail, files and instant messaging. Tails can be installed on a computer, USB drive, or DVD, and used on the go.

Encryption has another drawback: It glows in the dark. The NSA keeps encrypted material in hopes of eventually cracking the codes.

Most reporters—who aren’t assigned to national security issues—don’t need such cloak-and-dagger techniques, Martin Baron, executive editor of The Washington Post, and William K. Marimow, former editor of The Philadelphia Inquirer, say. “There’s zero evidence that the government is routinely monitoring all reporters’ communications,” Baron says.

According to Marimow, meeting sources in person may mean stories take longer to produce, but it’s a fair tradeoff because it’s “just good journalism.”

Steven Aftergood, an expert on government secrecy at the Federation of American Scientists, says reporters may want to consider buying “burn” phones and meeting sources in out-of-the-way places. “I hate to advise people to act like they are Mafiosi or drug dealers,” he says. But the reality is, reporters and their sources need to be careful out there.

Toni Locy covered federal courts for The Washington Post, the Justice Department for USA Today, and the U.S. Supreme Court for the Associated Press. She is the author of “Covering America's Courts: A Clash of Rights.”