Information security: You are the weakest link
teaches Online Journalism at Birmingham City University
Watergate's Bob Woodward and Carl Bernstein: a bygone age of source protection
Underground car parks, blurred faces and courtroom arguments: this is the picture of source protection we are used to. From the silhouette and trembling voice of the whistleblower to the investigative reporter who is prepared to go to jail, it is all about the resilience of the individual.
But as I’ve discovered in research conducted over the past six months, it is a picture that needs to change - because we have a problem. In fact, we have quite a few.
This is how it goes: a source contacts a reporter, the reporter talks with their colleagues and editor, who consult a lawyer. They decide what sort of defence they might have if approached by the authorities, and how to proceed.
Actually, scratch that. This is how it goes: a reporter approaches a source about a potential story, and they won’t talk. They say they fear their employer. They say their contract forbids it. They say they won’t talk off the record.
What are the problems?
Here’s problem number one: newsroom processes are built around building a reactive legal argument. This made sense when police needed to go through news organisations to get hold of sources’ details, and when police were the only organisations seeking those. Now they don’t, and they’re not.
A data centre in Hafnarfjordur, Iceland
Problem number two: we think source protection is about national security (Snowden) and law enforcement (RIPA), but the biggest issue is workplace surveillance. Meeting in an underground car park may be great theatre. It may also be too little too late.
But the biggest problem is number three: most journalists don’t think they have a problem. They believe that source protection is only for colleagues who work on sensitive stories.
That made sense when contacts were made via brown paper envelopes – but when newsrooms share cloud storage, content management systems, diaries, email systems and social media accounts, you start to realise that those colleagues who don’t consider themselves a target may be a great back door into the system.
(And we know that they are targeted. More than one news organisation has been hacked because a senior staff member opened a link from a colleague who had been hacked first.)
What do we do about it?
First, news organisations need to update their legal training: the capabilities of public authorities and commercial ones when it comes to accessing the communications and movements of reporters and sources have changed enormously.
Second, we need to help our sources better understand the risks they are taking – and make them more confident that they can contact us without employers knowing.
But before we do all that there is a third, simple, step. It’s called making a threat model: assessing the threats that your organisation and reporters may be exposed to, and the best way to address those, whether that is competitors trying to steal your stories or Twitter accounts being hacked for the LOLs.
To kick that off, I’m organising a free event next month with sessions on the law, technology and techniques surrounding source and brand protection: ‘Keeping Your Stories, Sources and Brand Safe’ is a joint BBC Academy/Birmingham City University event on Friday, 6 November at BBC North in Salford. To attend, sign up here.