Are You Savvy about Digital Security?

Illustration showing the concept of a microchip and a lock.


For Azeen Ghorayshi, protecting her sources’ confidentiality has become a crucial part of the reporting process. Since 2015, Ghorayshi, a science reporter at BuzzFeed News, has been writing about sexual harassment in science. Her stories include painful personal accounts of harassment from people who don’t always want to be named, and exposés of universities’ cover-ups, so it is crucial that sources trust her and know how to contact her without risking their safety or privacy.

Ghorayshi is fortunate to be in a tech-savvy newsroom, so when she began reporting on sensitive issues, she asked colleagues for advice on best practices. She now routinely invites sources to send her information via the encrypted messaging app Signal. Signal is known for its strong focus on privacy: Only the sender and receiver have the code to decrypt the messages. The app can also be set to automatically delete conversations from a specific contact.

“[Signal] gave me the assurances I was looking for,” Ghorayshi says. “It is really very easy to convince [sources] to use it as well. They don’t have to learn how encryption works, but they can feel safe with it.”

For any journalist, regardless of nationality or beat, protecting sources is part of the job. With growing anti-science sentiment, climate change denialism, and politicization of science at the highest levels of U.S. government, science journalists, too, are facing challenges more commonly associated with those investigating corruption or national security.

“With science becoming increasingly politicized, that should be a red flag [for science journalists],” says Courtney Radsch, advocacy director for the nonprofit Committee to Protect Journalists. “You never know when it is going to become an issue until it is an issue.”


Many journalists mistakenly believe that their stories are not sensitive enough to warrant increased digital protection.


Some newsrooms, unlike Ghorayshi’s, can be slow to adapt to growing concerns about digital security. Many journalists mistakenly believe that their stories are not sensitive enough to warrant increased digital protection.

“I’ve spent time in legacy newsrooms and seen how slowly culture changes,” says Susan McGregor, assistant director of the Tow Center for Digital Journalism at Columbia University.

Anyone who relies on digital communications, including email, texting, instant messaging, and voice-over-internet services, team collaboration tools (such as Slack), and social media applications, should worry because all of these modes are vulnerable to digital threats, including viruses, eavesdroppers, and hackers. Some journalists even experience in-person threats to digital security, such as border officials demanding access to contacts, text messages, and online communications on their phones.

“If you are not thinking about digital security, you’re missing a critical component of being a modern journalist capable of protecting sources,” Radsch says.


Identifying Vulnerabilities

To protect themselves and their sources, journalists must first identify what they are trying to protect, and from whom—a process sometimes called threat modeling. “It is really important when engaging in security as a journalist to consider your adversary and their likely avenues of attack,” says Dominic White, chief technology officer at the digital security consultancy SensePost. “It’ll help you prioritize defenses.”

There are two points of access for digital eavesdroppers: end-point devices, such as cell phones and laptops, which are most likely to fall prey to malicious software, and the networks to which the devices are connected, which can be monitored without the user’s knowledge. Employers—both journalists’ and sources’—can legally spy on their employees’ activities on their internal networks, and some governments also have the ability to intercept communications on a mobile network.

Russell Brandom, a reporter for The Verge who writes frequently about cybersecurity and science, says journalists should try to anticipate the possible threats against themselves and their sources. “In most stories, it’s going to be the source’s employers, whether in the public or private sector,” who are the biggest threats, he says. “So the first step is getting off of all employer-controlled infrastructure: no work phones, no work laptops, no connecting through office Wi-Fi.” Some investigative journalists even resort to leaving their phones at the office when they go to meet sources. While he was writing a story about Iranian digital activists, Brandom says, he kept all information that could identify his sources in a physical notebook locked in his desk. “We figured that even if the Iranian regime were able to hack my computer, it would be pretty difficult for them to break into our offices,” he says.

Journalists should also be aware of what they disclose on social media. For example, tweeting a picture of a university campus at which you are meeting a confidential academic source could give away the source’s identity. During the Tunisian Arab Spring revolution in 2011, authorities used social media to track dissenters and journalists. The U.S. Department of Homeland Security has also announced plans to create a database of journalists and media influencers. They plan to collect data such as location, beat, publication, and keywords derived from social media posts and stories. In some cases, this social information could point in the direction of sources.

Mohammed Yahia, a science journalist who was harassed because of his stories about a bogus health intervention by authorities in Egypt, says he became aware of the danger he was in when he saw journalists and activists being arrested for their social media posts. He realized then that when covering stories where science and politics intersect, “it was important to protect my sources,” he says.

These days, Yahia relies more on nondigital means when reporting on politically sensitive stories. “And if we use digital media, I always try to explain to [the sources] the importance of choosing the most secure channels for us to share documents—for their own sake,” he says.

Ghorayshi, too, is a firm believer in nondigital reporting. “You get into more trouble with the new-fangled stuff than the old-school picking up [of] the phone,” she says. “From my perspective, it is the safest way to communicate and communicate freely, obviously with caveats—I’m not reporting on extreme national security issues.” Other journalists, with a different set of stories and risks, may balk at using the phone.



Courtesy of Sarah Wild

Sarah Wild is a South African science journalist. She studied physics, electronics, and English literature at Rhodes University in an effort to make herself unemployable. It didn’t work so she read for an MSc in bioethics and health law (Wits University), with a special focus on race science and the philosophy of science. She has written for numerous publications, including Nature, Quartz, and New Scientist. She’s written about astronomy, particle physics, and everything in between. In 2017, she won a Kavli Gold Award for her work investigating forensics in South Africa. Follow her on Twitter at @sarahemilywild.

Skip to content