The pandemic has taken its toll on truth and transparency. Doctors and nurses have been disciplined for speaking out; the captain of a U.S. Navy aircraft carrier lost his command; bad actors at home and abroad are peddling false information.
At a time like this, journalists’ sources — especially confidential sources — are essential. So is the protection of those sources, a task complicated during the pandemic by social distancing, stay-at-home rules and work-from-home constraints.
“It’s critical for journalists to be able to communicate with sources and find out exactly how the pandemic is spreading, how governments are responding, how healthcare systems are responding, how this is impacting populations, and that’s especially the case as we’ve seen governments really clamping down on information about their approaches,” said Naomi Gilens, a legal fellow specializing in free speech litigation at the Electronic Frontier Foundation.
“As all this is happening, there’s just been a huge spike in government attempts to suppress information,” she said in an interview with the National Press Club Journalism Institute. “So it really makes it more important now than ever for journalists to be able to do their jobs and to do that in a way that keeps their sources protected and safe.”
We spoke to Gilens to get her insights about privacy in the midst of a pandemic and how journalists can safeguard potentially vulnerable communications with their sources.
Are certain sources more vulnerable to retribution or surveillance?
Gilens: One thing that’s a bit unique about this moment in time is the number of people who are suddenly working from home maybe for the first time, and people using their work devices in their homes.
So if it’s a journalist speaking to a source, I think that no matter whether that source is a government employee or someone working in private industry, the most important thing is going to be for journalists just to be aware of the particular threat model that they’re facing in that situation.
If they’re concerned about actors surveilling their communication, for example, they’re going to want to take steps to communicate over platforms that are end-to-end encrypted. That’s going to be the case no matter whether their concern is that it’s a government actor who will be listening in or a private employer.
What are some steps journalists can take to secure their communications with sources and reassure them that their communications are safe?
Gilens: Journalists should be looking into their communication platforms, and these things aren’t static because something that’s safe today might have a vulnerability discovered tomorrow. So that’s going to be an ongoing security practice — to be doing this kind of research into your platforms to see if it’s being criticized online or compromised. Take a look at platform transparency reports that they publish to see what kind of demands for information they’re getting from the government…
Encryption is going to be a good solution if they’re worried about a government actor or private actors surveilling their communications. In countries where it’s illegal to use encryption products you’re going to want to figure out a different solution so you’re not having sources expose themselves.
Once a journalist has communicated with a source then, of course, they’re going to want to take steps to protect the information that they’ve gathered. That’s basic security practices like keeping your devices updated, using two-factor authentication on all your accounts that you can, and avoiding phishing attempts.
Many news organizations are communicating through popular apps such as Zoom. How vulnerable are they to hacking by bad actors? What is it that bad actors can do to disrupt these communications?
Gilens: It depends to some extent because there’s just a huge range of different apps people are using and, of course, the apps themselves are changing day to day.
So Zoom is at the forefront of everyone’s minds right now and has been having a lot of attention for Zoom-bombing, which is where you have uninvited participants who come into meetings with harassments or slurs. That is a real vulnerability that can be traced largely to having insecure meeting IDs in Zoom. So, in order to stop that happening, the most important step is going to be just to keep meeting IDs private. Instead of posting them on the public Internet, hosts can require passwords to meetings…
Zoom meetings aren’t end-to-end encrypted, which means that the company itself can access the content of your communication over Zoom. The company says that it doesn’t do that. But even if that’s the case, it can still be compelled to hand over that information to law enforcement if it’s served with process.
You have written about how elected officials who have blocked Twitter followers they don’t like are violating the First Amendment. Why, at a time like this, should we care about this issue?
Gilens: We’ve seen government on all levels, from local government to the President, using social media to communicate updated information about these evolving shelter-in-place orders, to communicate about what government services are open, or what private businesses are allowed to be open…This is a time when people’s phone lines might be overrun, or maybe they’re not being answered. So suddenly social media is really the primary method for people to communicate with their elected officials.
Government officials, health care officials are making the case that tracking the disease will be crucial to limiting its spread. What are the privacy implications of such surveillance?
Gilens: This kind of location tracking raises a lot of privacy implications that aren’t necessarily new. Tracking people’s locations, or their proximity to other people, that information can be used to determine what people are doing, who they’re associating with, where they’re going and when… There is a difference here in scale. Now we’re seeing the potential for global contact tracing with data that’s combined with sensitive health information and associational information you know about who people are being in contact with. So that’s new and it makes these kinds of privacy concerns even more acute right now…
We’re hoping developers of tracking technologies will be transparent about how these technologies operate so people understand the privacy risks that they’re taking by using them. The tracking should be limited to opt in, so that people can consent to having their location tracked, understanding the privacy implications of that decision. And we want strong retention limits so that the data is not being held longer than necessary.
There are moments when the public may seem more amenable to this kind of intrusion. Is this pandemic one of them?
Gilens: One of the things that we learned from 9-11 is that when there are these peaks where the government or the public is more amenable to government tracking and surveillance efforts, we really have no reason to think that those efforts will be rolled back when the crisis is over.
That shouldn’t be too much of a surprise to anyone but the government doesn’t willingly roll back its own surveillance authorities when it doesn’t have to. It’s very, very difficult for advocates like EFF to have that happen in the aftermath of these events.