Why Canadian journalists have to care about online security
When authorities snoop out our digital footprints, the best we can do is is mitigate risk, not eliminate it entirely
By H.G. Watson, Associate Editor
Do you know when you are being watched?
“It is really easy to know when you are being censored,” Laura Tribe, the executive director of OpenMedia, told J-Souce. “It is very hard to know when you are being watched. I think that’s why sometimes we take it for granted—because we can’t actually feel it or see it or know that it is happening.”
2016 may just be the year that Canadian reporters realized how real the threat of surveillance is: Vice reporter Ben Makuch faces the possibility of jail time over his refusal to hand over messages exchanged with an accused terrorist; six Quebec reporters discovered they were spied on by the provincial police; and Patrick Lagacé, a LaPresse columnist, said he was surveilled while reporting on the police, as part of an attempt to discourage police staff from speaking with him, according to the CBC.
Many journalists already take steps to protect themselves using encryption and apps that promise privacy. But that might not be enough.
What are newsrooms going to do about it
Robert Cribb uses encryption tools. You’d expect him to—he’s the Toronto Star’s foreign affairs and investigative reporter who worked on the Panama Papers story, an international collaborative investigative effort that looked deeply into the web of offshore accounts held by the world’s wealthy.
But there are plenty of reporters who might not think themselves candidates for police scrutiny. “It’s not something that traditionally we thought really happens,” notes Cribb. While he still thinks it unlikely that a movie reviewer, for example, might need to be overly concerned about surveillance, journalists who do any kind of work that holds those in authority accountable should be.
The problem for many is that using encryption tools can be time-prohibitive. “It is a hassle, no question about it,” said Cribb. “You get used to it and it becomes part of your working day but I don’t know that everybody wants to engage with these tools.”
J.M. Porup, a freelance national security and cybersecurity reporter who has written for Ars Technica UK and Motherboard, thinks these are the kind of things journalists in Canada—and worldwide—need to start thinking about.
But Porup says getting journalists to be in charge of their own security just doesn’t scale. But newsrooms can do something about it. For example, both the New York Times and The Intercept have in-house experts who ensure that all staff can communicate and work securely.
“It has to be a focused managerial decision to employ an in-house security expert to optimize business processes at both the organization and individual level for optimal security,” Porup said.
Freelancers and journalists in small newsrooms, however, don’t have access to those resources.
The trouble with cryptography tomorrow
Porup did his J-Source interview using Signal, an encrypted messaging service that many journalists rely on to securely communicate. Before we even spoke, we had to ensure that the same password appeared on our screen—if it didn’t, it might mean someone was intercepting the call.
Signal, Tor, DuckDuckGo—the list goes on. There are many security tools available.
Many come with caveats. Even though an “adversary”—Porup’s term— couldn’t hear your Signal conversation because of the cryptography the app uses, ISP’s and cell phone carriers still know when you are using the app. And not many people use Signal, which means you have to either get your source to download it, too, or switch to another encrypted app like WhatsApp, which is used more widely.
And just because a tool is secure today doesn’t mean it will be secure tomorrow.
“To the best of our knowledge the cryptography used by Signal is unbreakable even by the super computers the NSA has,” said Porup. The supercomputers on the way, however, could make mincemeat of secure apps.
Quantum computers, which store information in a far more sophisticated way than traditional computers, may be a reality as early as 2026 according to a story in the New Yorker. And they could easily crack most of the cryptography used by apps and other online services.
Porup imagines a scenario in which a reporter does everything right. The reporter uses encryption and successfully has an anonymous conversation with source. Until the NSA or CSE break the cryptography in 2026 with a quantum computer, and that source is no longer anonymous. “All sorts of things (are) constantly changing,” Porup said. “That’s just going to get worse.”
You gotta fight for your right to privacy
Tribe would really like journalists to be the loudest voices in the privacy battle.
As the executive director of OpenMedia, a Canadian advocacy group dedicated to keeping the Internet open, she has been actively campaigning to kill government legislation that makes surveillance easier.
“If (the government) are not protecting the rights of journalists who traditionally have had more protections and the protection of sources as an understood right here in Canada, what are they doing for regular Canadians who are just trying to communicate normally?” she asks.
C-51, the much maligned anti-terrorism bill introduced by the Conservatives in 2015, allows police to make arrests without warrants and share information about individuals with up to 17 different government agencies. After the Liberals were elected they promised an overhaul, which to date includes the announcement of a government consultation on “revamping” the legislation. There is also the Security Intelligence Review Committee which monitors both CSIS and CSE—but is understaffed and underfunded compared to the agencies that they are supposed to be monitoring, according to Tribe.
There is a laundry list of government attempts to increase the scope of information police and intelligence agencies want to obtain. In the United Kingdom, the Investigatory Powers Act was made law last month, legalizing data collection and requiring telecommunications company to keep data collected about users for at least a year, according to CNet. In America—well, Edward Snowden is basically a household name now for a reason. Apple has fought the FBI on embedding backdoors to encryption—but The Intercept recently uncovered that iPhones send its call history to Apple.
And here at home, The Toronto Star recently reported on the RCMP’s efforts to push for increased abilities to obtain private information through telecom companies, and access encrypted information. (For what it’s worth, the Privacy Commissioner says encryption isn’t going anywhere, according to a memo obtained by the Star).
Tribe doesn’t want to see the battles other countries have fought happen here. “We’re actually asking the Canadian government to proactively say we’ll never do this and support support strong communications technology here in Canada,” she said.
What comes next?
Porup understands the desire for a checklist—just do all these things and you’ll be safe and secure!
The problem is, there isn’t one.
What journalists need to do is mitigate risk. Tor and Signal aren’t perfect, but they do help make you more secure. Porup divides democracy on the internet into three pillars: end-to-end encryption; anonymity; and end-point security.
Freelancer Jane Lytvynenko created this presentation as a guideline for journalists who want to start mitigating risk.
H.G. Watson can be reached at hgwatson@j-source.ca or on Twitter. Header photo can be found here.
Correction, Dec. 8, 2016: A previous version of this story referred to an incorrect time frame for reporters to work on securing thier online profiles. This has since been removed. We apologize for the error.
H.G. Watson was J-Source's managing editor from 2015 to 2018. She is a journalist based in Toronto. You can learn more about her at hgwatson.com.