How Journalists Can Protect Themselves From the U.S. Government

White House press secretary Jay Carney has recently faced questions related to the Justice Department’s subpeona of two months of Associated Press journalists’ phone records.

Photo by Chip Somodevilla/Getty Images

It is beginning to dawn on America’s journalists—a group predisposed, in aggregate, to admire and vote for Barack Obama—that the president and his administration are becoming a clear and present danger to the craft they practice. The Obama Justice Department’s collection of vast phone records from the Associated Press, hot news in the past two days, has news people in a tizzy if not a fury.

They are right to be angry, if a bit hypocritical given news organizations’ widespread indifference to civil liberties breaches that don’t affect them so directly. The AP records collection—by most accounts aimed at identifying a leaker inside the government—is an escalation of the administration’s unprecedented war on leaks, a war that has made journalists a secondary but no less real target of surveillance.

Once they get over being shocked, shocked at the administration’s increasingly obvious antipathy toward what they do, American journalists will have to face up to the changed conditions in which they operate.

They will have to take many more precautions as they do their work—especially when it comes to the absolutely essential work of finding government whistleblowers. The alternative is being almost entirely neutered, because no whistleblower in his or her right mind today should have much trust in journalists’ ability to prevent discovery.

The need to beef up journalistic security has been clear for some time. Last year, believable allegations surfaced that Chinese hackers, with likely ties to the Beijing regime, were hacking major news organizations’ servers, prompting a flurry of countermeasures that may or may not be working.

More recently, hackers apparently tricked their way into getting the AP’s main Twitter passwords and then made bogus posts, including one that briefly whacked the financial markets. There were two key lessons for journalists here: a) be certain that they keep their accounts with third-party services under strict control and b) question whether they could afford the blowback from using third-party services that do not themselves employ up-to-date security practices.

Now it’s time now for U.S. media companies and individual bloggers alike to recognize that they live in an environment in which their own government—not to mention criminal or corporate hackers—may well be using all of the tools at its considerable disposal, legal or not, to spy on them. They will increasingly need to practice their craft here at home as if they were independent journalists or dissidents living under an authoritarian regime.

Unless they and their sources are taking extraordinary precautions, journalists should take for granted that most mobile carriers will hand over pretty much anything the government wants, pretty much anytime it asks. This is true of most Internet service providers as well, in part because many the same companies that provide voice-based telecom services.

Security experts have been urging journalists—and all of us who value privacy and safety—to think much harder about how we harden our communications against intrusion in general. We can’t plan for every contingency, and we have to understand that if a powerful nation-state like this one is willing to break laws and/or work in secret it can get to things others cannot. But we can adapt to various threats.

I asked the ACLU’s Christopher Soghoian for some advice a year ago, for an article in Columbia Journalism Review, and he offered a several essential suggestions beyond the ones he’d previously made in a New York Times op-ed.

For example, he advises against using phones for any conversations with endangered sources unless both sides are using untraceable prepaid devices. He urges folks to use virtual private networks, which encrypt information, but notes that governments (and others) can in many cases still know who’s talking to whom. In general, he told me, talk in person if at all possible.

Some journalists have taken worthwhile steps. In a noteworthy current example, The New Yorker just launched a “Strongbox” service, which will give sources an anonymous way—if they use it right—to send information to the magazine’s journalists. The service leverages the Web-based Tor network, which anonymizes traffic. Every news organization that wants to do its job properly should put systems like this in place.

Meanwhile, journalists can find a variety of useful security information from organizations like the Committee to Protect Journalists, which has focused mostly on threats abroad. CPJ’s “Journalist Security Guide” is a great place to start.*

Two days after the AP phone records handover was made public, the White House tried some damage control. It urged Congress to pass a so-called “reporters shield” law, even though no such proposal has never achieved critical mass in Washington. It might help—a little—if it becomes law. But the administration has pressed for a “national security exception” that, given its record, would be liberally applied.

The reality is that journalists need to help themselves, in the United States and everywhere else. We need what they do, and their work is increasingly at risk.

Correction, May 15, 2013: This article originally misidentified the Journalist Security Guide as the Journalists Security Guide. (Return to the corrected sentence.)