The following is a guest post. See more information about MediaShift guest posts here.
In this post I’m going to bang on a rather popular drum: Journalists need to know how encryption works … and use it. It’s a statement that’s common among digital security experts. The Rory Peck Trust, where I work, focuses on freelancers, and we’ve got our own resource on using encryption.
Freelance newsgatherers have a lot going on, from researching and pitching their next story, to completing their current one and making sure they’ve been paid for their last. Understandably, mastering end-to-end data encryption may not be on the top 10 list of things to do today. Here I’m going to try to convince you that it should be.
Jennifer Henrichsen, a consultant researching digital security issues facing journalists for UNESCO, undertook a poll on digital security habits among journalists.
“The majority of journalists who were polled in my study said they were aware of encrypted email services, yet most of the journalists polled didn’t report using them,” she told me.
“According to interviews I’ve had with a variety of journalists, technologists and digital freedom activists, it seems that a lot of the tools are still considered too complex for the average individual or journalist to use effectively,” she said. “There is also an assumption by some journalists that if they are not working on a sensitive story or something involving national security, more generally, they don’t need to use encryption or take other measures to better protect their digital security. The problem with that is anyone can be compromised by a phishing email, which in turn, can affect others who are working on sensitive stories. It can also compromise sources, which journalists have a duty to protect.”
Awareness doesn’t drive better behavior as well as incentives can. Here’s a main incentive for practicing better communications security: It will make you better at what you do and open up more opportunities.
Encryption is good…
For your sources: Before he knew whom he was talking to or what he was going to get, one of Glenn Greenwald’s earliest emails from Edward Snowden read: “There are people out there you would like to hear from who will never be able to contact you without knowing their message cannot be read in transit.” It’s a difficult matter to get a source to start using encryption, but when a source comes to you asking to use it, then there may be a really good reason. Have it ready.
For your story: You communicate with a lot of people for a story. You’re also saving files that you may not want just anyone seeing before you publish. It’s likely that some or most of this information isn’t full of incredibly sensitive details, but some of it probably is. Encryption is going to help keep your story exclusive and protect your raw material from being seized or leaked.
For yourself: Being able to send or receive encrypted email, even if you use it sparingly, is empowering. The software required often leaves something to be desired in the user experience department, and it requires you to stop and think about what you’re doing, even if briefly, but that’s no bad thing. It at least lets you decide when you’ll limit an audience down to one or two people instead of leaving that up to your service provider.
Practicing what we preach
Rory Peck Trust’s Freelance Assistance Program deals with very sensitive information on a daily basis. We communicate with freelance journalists in a critical situation, sometimes in hiding, threatened and under surveillance. Getting our team set up with end-to-end encrypted email was vital.
“We have a responsibility to take the necessary measures to minimize risks when getting in touch and communicating with anyone,” said Elisabet Cantenys, the Trust’s head of Programs. “Otherwise, by us trying to help we could put vulnerable freelancers in further danger if our conversations were compromised. Aware of this, we are reviewing our communications’ protocols and integrating encryption into our routine. It was time for us to walk the talk on digital security.”
“Learning the practicalities of how to encrypt has been surprisingly easy; changing habits and attitudes is the challenging part,” Cantenys said. “It takes will and time, and that’s why it’s important that you keep using it. (It’s like driving.)”
Get started with email encryption
Knowing how to send and receive encrypted email is a nice gateway into the topic, and one you can start using regularly right away.
- Use this method (or another one) to set up GPG email encryption on your computer.
- Share your public key with your intended recipients, and get their public key. (This will be done without encryption, so don’t include any sensitive information here. Keep it simple: “Here’s my key. can I have yours?”) You can also post your public key here.
- Use your first encrypted emails between you and your recipient to work out basic ground rules about how you’ll send and receive information and how you’ll be able to prove to one another that your keys or accounts haven’t been compromised.
Knowing how different encrypted services work isn’t just useful for your own safety; it helps your sources as well, and lets them know you take their privacy seriously. You can also help them start using more secure channels, which could help increase their trust and interest in working with you. Use our page on encryption methods to get started. We’ve also curated a list of our favorite online guides that will help.
Don’t keep it to yourself
The good thing about encryption is that you can be public about being able to be confidential. After you’ve done the above (or, if you already have), share this tweet (if you’re on Twitter) and let everyone know you’re a freelance journalist who’s ready to receive encrypted contacts.
“Seeing how encryption has allowed us to share more delicate information with partners, and as a result being able to support more freelancers facing an emergency, is paying off,” said Cantenys. “And once you are in and have experienced its advantages, you want to encourage others to encrypt and learn about other measures available to us. Because it takes two to email, it’s not enough that you know how to do it.”
Andrew Ford Lyons is the digital producer for Rory Peck Trust, the only organization dedicated to the support, safety and welfare of freelance newsgatherers around the world. Andrew oversees the Trust’s online projects and runs its digital security programs. His GPG key is here.
An even easier way to use PGP (it is not just journalists who feel “the tools are still considered too complex for the average individual”) is with a solution like Enlocked. It takes care of creating and encrypting your key pair, sharing it with those who want to send to you (they just address the message as usual), getting the keys and software you need to whatever device you are on at any time (with versions for Android, iOS, Outlook and all the most popular web browsers / email systems),
Email encryption has been around for 20+ years, but the hassles of key management have prevented widespread adoption… give some of the newer (and still just as secure) solutions a try if you find the old school manual methods too cumbersome!
It’s true that there is a learning curve to using end-to-end encryption properly, and a lot of the tools were made by programmers, not designers and lack some of the user experience that people are used to. Still, there are important criteria to keep in mind when selecting a solution:
1. Its code is open source with an active community of peer reviewers. This is still the leading way to ensure that what your software promises it’s doing is actually happening.
2. The encryption should be happening client side, not online. Otherwise your still transmitting your data without protection until it reaches the service.
3. Private keys must be secured locally. A cloud based private encryption key is outside your control.
Nothing wrong with open source, but there is also plenty of security software that is not – most people have firewalls and AV software that is not open source for example. It comes down to whether you trust the provider.
Encryption (and decryption) with Enlocked is done on the client. See the “how it works” page our site for details, but we NEVER see content in the clear. An older version did, but since March we have been fully end-to-end.
Your private key is secured locally (the same client side code that encrypts and decrypts content is responsible for locking your key with a passphrase). We do “store” the encrypted key to make it easier for users to run Enlocked on all their devices, but without the passphrase there is no way for us to use the key.