The Investigatory Powers Act has now been law for almost six months. For journalists and publishers this means having to remember that the webpages that you and your sources visit, who you call on your phone, and where you take it, are all being collected and potentially accessed by a range of authorities*.
It also gives the state the power to hack into devices and to require companies to help them compromise the security of users of their websites and apps.
But most importantly, it means understanding that, unlike under previous legal regimes, it is likely that you will not be aware if any of this is happening, nor will you have an opportunity to mount a legal defence to argue against it.
If this makes you feel powerless to protect your sources, here are some things you can do to feel better:
1. Sketch out a threat model
The first step in any security strategy is to actually work out what risks you face. It’s easy to exaggerate the risks and feel helpless — or to underestimate the scale of surveillance by public bodies and private sector employers.
It may be, for example, that the biggest risk is not from the Snooper’s Charter but from a source’s employer monitoring their communications, or from people who want to hoax your followers on social media; or it may be that you didn’t realise that 16,000 public sector staff will be able to access web browsing records.
A threat model is a process for identifying why someone might want to access your information, how they might do that, and what the risks are if they do. In this post I explain the process in more detail, while Privacy for Journalists also has a useful framework for threat modelling.
2. Use different passwords – and choose good ones
In just one fortnight in June we learned that 33 million Twitter passwords, 360 million MySpace passwords, 117 million LinkedIn passwords and 65 million Tumblr passwords had been hacked.
Around 1 in 5 journalists fail to use different passwords for different accounts. Based on that, I’m guessing that they don’t choose particularly good ones either. News organisations could do a lot more to train their journalists.
3. Get a PGP key for your newsroom – and publish it
PGP keys are used to encrypt messages or documents. It’s still possible to see who you contacted, and the subject of the message, but the contents cannot be read without the recipient’s private key. In September I wrote about The Guardian’s decision to routinely link journalists’ profile pages to their PGP keys — and just how few news organisations did the same.
Note that under the existing RIPA laws you could be compelled to hand over your PGP keys, and face jail if you refused. However, at least this offers you the opportunity to mount a legal defence.
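To make the point about visible contacts and subject lines concrete, here is an added example (not part of the original post) that parses a PGP-encrypted email and reports what anyone handling the message can still read. The sample message, its addresses and the function names are constructed for illustration.

```python
from email import message_from_string

# Constructed sample (RFC 3156 PGP/MIME); addresses and "ciphertext" are made up.
SAMPLE = """\
From: source@example.org
To: reporter@newsroom.example
Subject: Documents about the contract
Date: Mon, 05 Jun 2017 09:30:00 +0000
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

PLACEHOLDER-NOT-REAL-CIPHERTEXT
-----END PGP MESSAGE-----
--b1--
"""

METADATA_HEADERS = ("From", "To", "Cc", "Subject", "Date")

def is_pgp_encrypted(msg):
    """True for PGP/MIME (RFC 3156) or an inline ASCII-armored body."""
    if (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        return True
    for part in msg.walk():
        if not part.is_multipart():
            payload = part.get_payload(decode=True) or b""
            if b"-----BEGIN PGP MESSAGE-----" in payload:
                return True
    return False

def observer_view(raw):
    """What anyone who handles or stores the message can read without any key."""
    msg = message_from_string(raw)
    visible = {h: msg[h] for h in METADATA_HEADERS if msg[h] is not None}
    return {"visible_headers": visible, "body_encrypted": is_pgp_encrypted(msg)}

if __name__ == "__main__":
    print(observer_view(SAMPLE))
```

Even with the body encrypted, the sender, recipient, subject and time all come back in clear text, which is why a neutral subject line matters as much as the key.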
4. Make sure sources know their activity is recorded
It is one thing to secure your communications once a source has made contact — but what about their first contact with you? This is the biggest vulnerability, and the hardest to address.
It is important to make audiences aware how much of their activity is recorded, not just by government agencies but by their employers and the digital tools that they use.
Having PGP keys is one thing, but if the source has used their work email to contact you, it doesn’t really help.
5. Report, share — and campaign
When I completed my research into information security in the regional press it was clear to me that the solution to ensuring source protection was not technical, but political and legal.
Press Gazette’s Save Our Sources campaign is just one example of an industry making its voice heard over concerns about whether laws incorporate vital democratic safeguards.
And the next challenge will be a proposed Espionage Act which would criminalise journalists and whistleblowers.
The Times and The Telegraph have both been vocal in their criticism of the proposals, while The Guardian has ensured that it reports wider concerns. The NUJ has said it will defend members who “face being criminalised for doing their job” under the proposals.
Following these developments, reporting them for a wider audience, contributing to consultations, signing petitions, attending meetings and demonstrations, supporting organisations like the NUJ, Index on Censorship, English PEN, Reporters Without Borders, Open Rights Group, Liberty and the Electronic Frontier Foundation, and writing to your MP are all further ways of protecting your sources — and the great news is that they don’t require installing any software.
*Some of the plans to retain communications data are being held up at the time of writing.