
How—and why—The Globe and Mail adopted SecureDrop technology


On Mar. 4, The Globe and Mail announced the launch of its own SecureDrop system, an open-source information submission program. The claim: not only does it protect potential whistleblowers, but journalists, too.

By Chantal Braganza, Associate Editor

Last August, Globe and Mail national security reporter Colin Freeze and Kevin O’Gorman, who works in software development at the paper’s IT department, took a last-minute trip to Washington, D.C. The Online News Association was hosting a course in digital security training for journalists, and the two decided to make the drive to NPR’s Washington headquarters for a one-day boot camp.

“We heard stories from people at major U.S. papers where they’d built secure rooms for journalist communications, where no memory stick or data device gets in or out,” said Freeze. “It put into relief what we knew already, but also made us realize that we were behind the curve in trying to lock down our communications in a way that would give us an assurance when speaking to sources.”

The post-Snowden world has demonstrated to both media and public that information is rarely as secure as we think (or would like) it to be. In a Pew Research Center report from last February, 64 per cent of U.S. investigative journalists surveyed believed that their government had likely collected data from their phone and online communications, while up to 80 per cent believed that simply being a journalist made them more likely targets for this type of surveillance.

That ONA trip spurred an already-ongoing discussion the Globe’s IT department had been having about secure communications for journalists. In October 2013, The Freedom of the Press Foundation announced the launch of its SecureDrop program, a secure whistleblower submission system originally built by the late computer programmer and Internet activist Aaron Swartz. The New Yorker was the first news organization to implement a version of the encrypted dead drop system in May 2013. In just over a year, Forbes, ProPublica, The Washington Post, The Guardian and a few others followed suit. By fall 2014, O’Gorman, Freeze and others at the Globe thought about bringing the technology to Canada.

“This has been a grassroots thing, not top-down,” said Craig Saila, director of digital products at the Globe. A few months after that August trip, O’Gorman, Saila and a few other IT staffers put together a business case for adopting the technology, mapped out its costs and presented it to management, while also developing a series of smaller workshops for reporters to learn some basic digital security practices.

“In broad strokes, what we felt we wanted to teach reporters about was how to make your computer safer just in general,” said deputy production editor Alasdair McKie, who was also involved in the project. Delivered towards the end of last year, the workshops covered topics such as how to apply full encryption on Macs, password management and data storage practices on such platforms as iCloud.

“These kinds of things would be applicable to anybody,” said McKie, “not specific to what reporters would need to do—but most people don’t have files worth stealing.”

By early February, most of the elements to set up SecureDrop in the newsroom had been put in place. The team worked out financing for the project (a 50/50 split between editorial and IT, according to Saila); bought the servers, air-gapped (i.e., never Internet-connected) computers and USB sticks necessary to securely receive, store and view submitted information (about $1,700 in total); and brought Freedom of the Press Foundation (FPF) reps to the Globe to train the newsroom in how to use the system. (While technical assistance is offered by the non-profit for a donated amount, the software itself is available for free.)


Here’s how it works, in short: after installing a Tor browser, which connects users to a network of servers that masks a user’s identity, a potential source heads to a web address where he or she can access the Globe’s SecureDrop system, upload files and messages and, with a designated code name, later check for responses to these files if need be. After submissions have been routed through a second, non-public-facing server, a reporter uses a designated air-gapped computer to view the files. 

“We’re taking submissions from any source, but in terms of physical access to the system, it’s restricted to a couple of members of the investigative team,” O’Gorman said, describing a kind of scrub-down process in place to keep the system as airtight as possible. “We do have a sign in, and we have more secure locks. The room itself has no network connectivity and people aren’t supposed to bring in phones.”

“We wanted to provide another way to get in touch with us,” said McKie. “What people get in touch with us about is still up to them, whether it’s something happening in the community, the latest bit of news from a union or a business leak.”

“Just because you report on spies and terrorists doesn’t mean you’re going to get the lens turned on you,” said Freeze, noting that after-the-fact, “front-door” investigations such as court subpoenas are also good reasons to adopt such security practices. “I approach it from less of a framework [of surveillance] than basic source protection. If you’re talking to a whistleblower…are you doing everything you could be to protect them?”

Matt Braga, Canada editor for VICE’s Motherboard and a previous tech reporter for the Financial Post, believes that digital security measures from the individual (using call encryption apps such as RedPhone or setting up PGP keys for email) to the more institutional, like SecureDrop, shouldn’t be seen as strictly in the wheelhouse of i-teams. “The way to look at it is more that when you’re communicating with anyone in any field that’s sensitive, you want to make it harder for people to eavesdrop or stumble upon your work,” he said.

“There’s a reason why a lot of journalists will put PGP keys in Twitter bios, or that newsroom mastheads will list PGP keys,” Braga said. “It’s a good signal of intent that you take this stuff seriously.”

Correction: This article has been edited to correct an incorrect spelling of Alasdair McKie’s name.