Tag Archives: security

Research: regional publishers may be risking their sources and their brands

Journalists say sources are less willing to talk because they are afraid of employers. Image by Terry Border

Local journalists don’t know how to protect their social media accounts, or the law regarding sources, and they don’t know what their employers are doing about online security.

That’s the upshot of research that I conducted with dozens of reporters around the UK – and it’s so important I’ve organised an event to tackle it.

Here are some of the key findings…

Journalists could be compromising colleagues – but they don’t think security affects them

Over the past year it’s been revealed that UK police forces have been accessing regional journalists’ communications, and at least one local authority has used its powers to spy on journalists meeting an employee: security isn’t just about GCHQ and Edward Snowden.

Social media accounts that have been hacked in the past few years include those reporting on subjects as innocuous as entertainment and the weather, while commercial organisations including Microsoft and Vodafone have hacked journalists’ communications when they wrote about them. This week a journalist was found guilty of helping hackers access a newspaper CMS, causing almost $1m in damage.

But local journalists’ and editors’ perception of the issue is that security is “another planet”, there’s no strategy for protecting branded social media accounts, and it is assumed reporters who routinely need to protect their sources are “usually pretty conversant with that kind of issue”.

Unfortunately, on the whole they are not. More than one experienced crime reporter that I spoke to operated on the basis that police requests to access their sources would come through the newspaper. “They’ve never taken action to gain that information from me,” one said.

But the key thing that I’ve discovered is that networked working practices in modern newsrooms mean that information regarding sensitive stories can still be accessed through communications with colleagues who do not consider security to affect them.

1 in 5 lack even basic password security

Despite feeling that security issues did not affect them, around half of journalists had made some changes to their behaviour online in the past year.

But a significant proportion of journalists were not even using different passwords for different accounts – one of the most basic security practices.

22% of journalists do not use different passwords for different accounts


16% of journalists did not do any of the following: use different passwords, clear their browser history, turn off cookies, turn off geolocation or use enhanced privacy settings on social media.

What are publishers doing about information security?

Despite hundreds of journalists and many editors signing Press Gazette’s Save Our Sources petition last year, there is no indication of leadership or communication from the top on the issue of source protection.

Journalists overwhelmingly said that they did not know what their organisation was doing about internet security. But perhaps more importantly, editors did not know either. “I should know the answer to that,” said one, “and it’s worrying that I don’t.”

88% of journalists do not know what their employers are doing regarding security

31% of journalists said their employer was doing enough to protect employees and sources


Strangely, even though only 4% of respondents said that their employers had taken steps in the last 12 months on the issue, almost a third of respondents made the leap of faith to say that their employers were “doing enough”.

Newsroom processes aren’t set up for modern law and technology

One thing became very clear: newsrooms and work processes are still set up for an analogue world where protecting sources is a reactive process. Discussions about sensitive sources focus on a potential legal defence if approached directly. No processes are in place to anticipate or prevent sources’ identities being accessed indirectly.

Likewise, IT policies focus on protecting email, but little consideration is given to securing social media accounts.

And journalists felt unable to advise sources who were unwilling to talk because of workplace surveillance and contracts with ‘gagging’ clauses.

What I’m doing about it

I’ve organised an event to try to begin to address these issues, with people who have been directly affected, experts on law (including employment law) and people who can advise on the technical side. It’s in Salford at BBC in Media City on Friday November 6 – you can sign up here.

The 10 most-read posts (and one page) on the Online Journalism Blog in 2014

The last 2 months of 2014 saw a return to regular blogging after some quiet periods earlier in the year

2014 was the 10th anniversary of the Online Journalism Blog, so I thought I’d better begin keeping track of what each year’s most-read posts were.

In 2014 the overriding themes for this blog were programming for journalists, web security, and social media optimisation. Here are the most-read posts of the year, plus one surprisingly popular new page with some background and updates.

This Christmas, encrypt your emails and make the haystack bigger

Why should journalists be interested in web security? You may not fear your social media accounts being hacked by propagandists, your email hacked by companies you write about, or your phone records being seen by police, but there is another good reason for adopting security measures.

“Anonymity loves company,” security researcher Ross Anderson reminded attendees at this month’s Logan Symposium on secrecy, surveillance and censorship. “You can only hide in a crowd.”

In other words, the more people who use encryption in their email, or other security measures, the less unusual it becomes.

And the more widespread these practices are, the harder it is for the contents of messages to be used to identify whistleblowers – whether that is with journalists, charities, or even whistleblowing services (remember that only the message is encrypted, not the identity of the sender or recipient).

So if you have some spare time over the festive period, why not get yourself set up with an email client like Thunderbird with a plugin like Enigmail, and get started.

How The Cambodia Daily went HTTPS to protect its readers – guest post

Last month The Cambodia Daily announced it was going HTTPS. In a guest post for OJB Joshua Wilwohl explains why they decided to go secure, and how they did it. (Disclosure: Joshua is a student of mine on the MA in Online Journalism by distance learning at Birmingham City University).

During the past year, The Cambodia Daily has witnessed an increase in government interest in monitoring the Internet.

This week, the newspaper revealed a government plan to inspect the network equipment, billing and data files of mobile phone operators and internet service providers.

Government officials argued this was to help with investigations into crime committed over Voice Over Internet Protocol, or VoIP.

But computer crime experts said the Government’s planned tactics could also be used to monitor people’s phone calls and Internet data. As one expert said:

“Don’t be afraid: keep them afraid” and other notes from the Logan Symposium on surveillance’s first day

Seymour’s parting advice to young journalists: maintain a watchdog role and hold power to account

On Friday I was at the Logan Symposium on secrecy, surveillance and censorship, an event which, as is often the case with these things, managed to be inspiring, terrifying, and confusing in equal measure.

Notably, Director of the Centre for Investigative Journalism Gavin MacFadyen opened the day by talking about investigative journalists and hackers together.

It is common to hear attacks on journalists mentioned at these events, but rare to hear an old-fashioned hack like MacFadyen also talk about the “growing number of hackers being imprisoned”, while noting the commonalities of a desire for a free press, free speech, and “a free internet”.