At a workshop at Medill School of Journalism's Washington, DC newsroom, David Reese (left) helps Amy McCullough (right), an editor for Air Force Magazine, install PGP encryption for her email. Behind, Aaron Rinehart helps Sarah Kinosian, a human rights worker, do the same.
WASHINGTON -- When whistleblower Edward Snowden used an email encryption program called PGP to contact documentary filmmaker Laura Poitras, only a tiny fraction of journalists used it. The precaution, designed to scramble messages so only the sender and receiver can read them, was essential for Snowden to leak the information.
The series of stories that followed shocked the world and radically altered the way people think about government surveillance and the Internet. Now, encryption is becoming a standard item of the journalism toolkit, a must-have for anyone hoping to report on sensitive issues that might upset institutions of power. It was also the subject of a workshop recently held at Northwestern's Medill newsroom in Washington, DC, which walked about 15 journalists through the basic software installations involved in setting up PGP, which is short for "Pretty Good Privacy" and ironically named after a grocery store in Garrison Keillor's fictional town of Lake Wobegon.
For Aaron Rinehart, one of the workshop's leaders, the goal is to protect the relationship between journalists and their sources, "to get journalists confident using these tools so sources feel they can give them information safely," said Rinehart. Without that possibility, he said, the Fourth Estate could be fundamentally crippled.
And it's not just the NSA journalists and sources need to protect themselves from, warned Rinehart. He used an example of a story exposing pharmaceutical malpractice. "It's not that sexy of an issue, right? But just think of the potential adversaries." There's the government whose regulators screwed up, the drug companies who are poisoning people, and their stakeholders who don't want to lose profits. With any story, there are likely a host of people who want to hack the journalist and sources to prevent the information from being aired.
The workshop was taught by Rinehard and digital security advisers David Reese and Ferdous Al-Faruque. Rinehart and Reese recently founded TestBed Inc., a technology consulting company. And Al-Faruque is a master's journalism student at the University of Missouri who said he wants to establish a class there on encryption and cyber security.
Rinehart, who spent time in Djibouti while serving in the Marine Corps, said his motivation for putting on the workshop came from a time when journalism salvaged his college career. "The media saved me," he said. About a decade ago, Rinehart faced a bureaucratic nightmare at the University of Missouri, when he returned from serving abroad and was not permitted to complete his studies. A local paper led an investigation into the problems veterans were having there, and the university changed policies. Since then, Rinehart said he tries to do all he can to help journalists.
Of the reporters who attended, many are intent on investigative work like the kind that exposed the NSA's mass, indiscriminate surveillance. "Since I cover national security and defense, I would definitely use this to coax sources to communicate with me or send me documents that they don't want their government or our government to see or know about," said Kristina Wong, a reporter for The Hill.
But others also attended, including a cryptologist who said he comes to events like this out of professional interest, and a human rights worker.
"In a lot of countries, activists and human rights defenders especially are really targeted," said Sarah Kinosian, who monitors American security assistance in Latin America for the Center for International Policy. "So we want to make sure [victims] can pass documentation to us in a safe way."
The workshop began with Rinehart and Reese playing a segment of Citizen Four, Poitras's documentary on Snowden and government surveillance that recently won an academy award.
"I would like to confirm out of email that the keys we exchanged were not intercepted and replaced by your surveillance," a narrator said, reading Snowden's correspondence with Poitras as a line of ominous tunnel light split darkness on the screen. "Please confirm that no one has ever had a copy of your private key and that it uses a strong passphrase." Rinehart interjected: "That is what we will be teaching you today."
He then spoke for a while on the importance of responsible password management, recommending a program called KeePass, before moving on to downloading email client software and installing extensions designed to encrypt communications.
Aaron Rinehart displays the GPG encryption download suite for those at the workshop to follow along.
The way it works can seem daunting and complex, especially for anyone not tech-savvy. The email extension, called GPG or PGP, generates both a public and private key for each user. When PGP is used to send an email, the sender uses the receiver's public key to encrypt the contents of the email so only the receiver's private key can decrypt it.
Also on the other end, the receiver can see that the sender's identity is confirmed. A public key is just what it sounds like: something meant to be made public along with an email address so the owner can be contacted by anyone. The private key must be kept secret by the owner, and is used to decrypt messages sent using his or her public key.
In essence, it's is the same concept of an email. Anyone can send a message to someone but only that someone can read it. But encryption makes it nearly impossible for that message to be intercepted. And while subpoenas can force Google or Yahoo to turn over peoples' emails, PGP makes it impossible for Google and Yahoo to read the messages, so they'd be turning over incoherent nonsense (although it is still possible to see who the sender and receiver are, and the subject line of the email is not encrypted. Ergo, aliases are commonly used once initial contact is made).
Click here to see my public key.
Encryption's complexity has deterred it from becoming widespread, even in newsrooms. "At The Hill, not many people use it at all," said Wong, something many would deem troublesome given the publication's focus on politics and aim to bring transparency to Washington.
But most people agree the complexity is in the technical details behind the process, not in its application. "The world of cryptology and algorithms and coding that goes into encryption tools is difficult for just about anyone to comprehend," Rinehart said. "But using the tools is quite simple for people who take the time to learn."
While the majority journalists still do not use encryption, it is becoming common practice for many organizations who do investigative work. The New Yorker, The Intercept, Washington Post, and ProPublica are a few of the early sign-ons for Secure Drop, a new encryption system for journalists designed by the Freedom of the Press Foundation and originally coded by Kevin Poulsen and the late Aaron Swartz. Gawker is another publication that uses it, showing encryption may become more widespread for groups focused on less hard-hitting subjects as well.