How are Canadian news organizations protecting their sources online?

By Pierre Chauvin

As the author of three books about the Mafia, National Post reporter Adrian Humphreys understands the importance of protecting confidential sources and how to go about doing so. He considers himself “a master of old-school security and protection.”

But it wasn’t until he was working on a feature about a former U.S. soldier seeking asylum in Canada, claiming he was tortured by the FBI, that Humphreys realized he wasn’t up to speed with how to protect his sources online.

In this case, the former soldier was involved with the loosely associated international hacker group Anonymous. When Humphreys began reaching out to Anonymous members for information, “there was an expectation of enhanced digital privacy” that he hadn’t encountered before. If he wanted their participation, he had to prove he could protect their identities online.

“We weren’t prepared” for that, said Humphreys. “It forced us to wake up.”


As a result, the Post had to take “extraordinary steps in-house that we had not taken before” in order to secure the co-operation of Anonymous members.

In the wake of former NSA contractor Edward Snowden’s revelations about government surveillance, news organizations around the world are having to think about how to protect their online communication with sources. Just last month, for example, The Guardian started using SecureDrop, a platform that allows whistleblowers to contact journalists safely, following the example of The New Yorker, ProPublica, The Washington Post and The Intercept.

For the most part, Canadian news organizations seem to be dealing with online security on a case-by-case or reporter-by-reporter basis, with few institutional, across-the-board measures in place.

“There is not a huge push coming from within the institution to lock things down,” said Colin Freeze, a national security reporter at The Globe and Mail. “So, it’s really incumbent upon every reporter who deals with this sensitive material to educate themselves about things like basic encryption.”

Matt Braga, a former National Post technology reporter, echoed Freeze’s views.

“We were provided with company laptops that had strict IT policies against installing or using certain applications,” said Braga. That made it more difficult to use encryption software.

“While I certainly wasn't forced to bring my own laptop in—in fact, bringing unapproved devices onto the network was forbidden—I did it anyway from time to time so I could send messages using PGP or OTR,” he said.

PGP (Pretty Good Privacy) is a program that encrypts emails and relies on a set of public and private keys. A whistleblower who wishes to contact a reporter using PGP looks up the reporter’s public key and uses it to encrypt an email, which only the journalist can then decrypt with his or her private key. The Intercept, the publication created by journalists Glenn Greenwald, Laura Poitras and Jeremy Scahill, displays each staff member’s public key on its website.

OTR (Off the Record) Messaging is a plugin that encrypts communication sent over instant messaging applications.

While some reporters at the Canadian Press use PGP when needed, the company has no “formal training regime for encryption tools,” said acting editor-in-chief Andrew Lundy. But it is considering adopting one, he said.

In Montreal, La Presse provides training to all of its journalists who want it and initiated a discussion on the topic, investigative reporter Vincent Larouche told J-Source.

And according to CBC’s The Fifth Estate tip page, sources can request the show’s public PGP key to communicate with its staff.

After Snowden’s revelations, there’s little need to explain the importance of digital security to journalists, said Gerard Harris of eQualit.ie, a Montreal-based organization that provides online security training for citizens and journalists alike.

“I think we have received more requests by Canadian journalists than usual for trainings in the last 12 months,” said Harris.

The University of Toronto’s Citizen Lab has also developed a proposal for a journalism security training program for which it is currently seeking funding.

Chris Parsons, a post-doctoral fellow at the Citizen Lab, said he got positive feedback when reaching out to journalists to see if such training would be useful.

Its next objective is to look into the curriculum of journalism schools to evaluate what is taught about the subject and how it can be improved.

Pierre Chauvin is a freelance journalist based in Montreal. He previously worked for the francophone community newspaper l’Aurore boréale in Whitehorse.

 

 

 

