October 2017 Podcast: Freedom of the Press Foundation Executive Director Trevor Timm talks digital security for student journalists

We speak with Trevor Timm, a co-founder and the executive director of the Freedom of the Press Foundation, a nonprofit which works to protect journalists and their sources by offering free, open source digital security tools.

Got an idea for who next month's guest should be? Send it to sbreslow@splc.org.

Samuel Breslow: Hi, I'm Samuel Breslow.

Emily Goodell: And I'm Emily Goodell.

SB: And you're listening to the Student Press Law Center podcast. The SPLC is a nonprofit advocate for student First Amendment rights, freedom of online speech, and open government on campus. Our reporting is funded by generous donations from our listeners — and yes, that's you!

EG: So our former executive director Frank LoMonte is off basking in the sunshine and teaching journalism at the University of Florida, but we're still going strong here in D.C. under our new director, Hadar Harris! We've revamped the show and we're really excited to speak with some amazing guests this fall about the most pressing issues affecting student journalists in the U.S.

SB: We have a fantastic guest starting us off this month. Trevor Timm is a co-founder and the executive director of the Freedom of the Press Foundation, a nonprofit which works to protect journalists and their sources by offering free, open source digital security tools. He previously worked for the Electronic Frontier Foundation defending civil liberties in the digital world. He also writes a weekly column for The Guardian, and was the 2013 recipient of the Hugh Hefner First Amendment Award. He spoke to me from his office in San Francisco. Without further ado, Trevor Timm:

SB: A lot of students journalists who are listening to this may be thinking that because they're doing work at a college level rather than professionally, they're probably not as high on the NSA's target list as someone who's receiving information from NSA employees or other high profile leaks like that. So, why should student journalists still care about protecting their digital security?

Trevor Timm: Sure, so the NSA is often in the headlines, and has been shown to violate people's privacy on a global scale. It's not the number one concern for most journalists. Certainly journalists working in the national security and foreign policy realm have to be worried about this type of state-sponsored surveillance, but student journalists have a bunch of other threats that they still need to worry about, even though the intelligence agencies don't come into play. So for example, if you're reporting on an administration, it's quite possible that the administration itself might try to, for example, look through your emails to find a source. There was a great example of Harvard, actually, going through the email accounts of sixteen resident deans in 2013 trying to find the source for a leak to the media about a cheating case involving the school. When an administration owns the infrastructure that you use to communicate, and you're reporting on that institution, it gives them a lot of power over what you do. And that's not even taking into account that there may be local law enforcement authorities that could get involved in issues dealing with reporting on either police involvement in campus issues or just generally in local reporting. So I think it's incredibly important for all journalists, no matter what they cover, to understand exactly what the threats to press freedom are and how best to combat them.

SB: So, you work for the Freedom of the Press Foundation, and you offer several tools on your website for journalists. So, let's start with SecureDrop. Can you tell about what that tool is and what problem it's addressing?

TT: Sure, so SecureDrop is an open-source whistleblower submission system. So, basically how it works is that any news organization can install it and use it to accept anonymous tips and documents from whistleblowers. SecureDrop uses the Tor network to anonymize a source's IP address, so that hopefully investigators wouldn't be able to figure out exactly who is sending information to SecureDrop. And it also prevents subpoenas to third parties like Google and AT&T. We've seen, over the past decade or so, a record number of prosecutions of whistleblowers that go to the press in the federal government, and the big reason for this is that the government is able to go to a Google or a Facebook or a phone provider, and secretly, with a court order, get all sorts of information on who reporters are talking to, when they're talking to them, for how long, and in some cases on what subject. And this is obviously a very big threat to how journalists do their job. They can almost [unintelligible] the public if there are sources who are willingly feel safe enough to talk with them. So SecureDrop tries to eliminate all these third parties from the equation and the SecureDrop server sits on the news organization's property, that people only communicate through that, and so hopefully if there is any sort of legal order trying to reveal who a source, a journalist's organization will have the opportunity to then contest it in court. And SecureDrop is certainly made for very extreme situations. So federal investigations involving agencies with large numbers of resources. It's not necessarily something that everybody needs to use. There might be certain situations that student journalists may want to use SecureDrop, but oftentimes there are simpler tools they could use that will better protect their privacy. For example, Signal, the secure messaging app, that anybody can install in like 30 seconds on their phone, which can be used to send end-to-end encrypted text messages.

SB: What are the advantages for student journalists of using that over other messaging apps?

TT: Well, a few things. So first, it's end-to-end encrypted, so the only way that anybody would be able to read the messages is if they had access to your phone or the person's phone that you're speaking to. Second, it does limit the amount of metadata that is available for people to find, and so what I mean by metadata is who you're calling, when you're calling them, and for how long. Signal does store people's phone numbers, so it's theoretically possible that an entity can subpoena Signal and find out if two phone numbers have connected at one point in time. But it does try to limit that amount of data, and it is certainly far better than using traditional SMS text messages or emails, especially if you're using an email system which your school itself controls.

SB: The other service that you offer is called Secure The News. Can you tell me what that initiative is about and why student journalists should care about it?

TT: Sure, so Secure The News is more of an advocacy project, and what it tries to do is encourage the adoption of HTTPS encryption on news websites. So obviously every time you go to a news website, you are reading various articles that can tell outside people a whole lot about your interests, what you read about, what you care about, all sorts of personal details that you should be able to keep private. What I read during the day shouldn't be available to anybody who wants to find that out. So what HTTPS encryption does is basically encrypts the websites that you visit. So say, for example, you're on a public WiFi network, and a website didn't have HTTPS encryption. Somebody on that same WiFi network could use a simple, freely available tool, to actually see all of the websites that you're visiting without HTTPS. And with HTTPS, they wouldn't be able to tell exactly which articles you're reading on the nytimes.com website, for example. They wouldn't be able to steal your password, they wouldn't be able to do all sorts of invasive things that are actually much more common than people know. And so, we really think that it's imperative for news organizations to adopt this encryption standard on their website, which websites like Google and Facebook have done for years now. And so, basically we automatically check, on Secure The News, hundreds of websites to see if they're upgrading to HTTPS, and then we keep track, on a giant leader board, and give organizations grades from A to F, so that people can, number one, see which websites are most secure, and then number two, encourage other news organizations to switch over at a much faster pace.

SB: So, a lot of student newspapers are run through services like WordPress, and they're not completely building their own websites from scratch. Are there ways that those websites, the people who are running them, can help make them more secure?

TT: Yeah, WordPress actually offers HTTPS encryption by default now, and so if you are using a service like WordPress or Squarespace, this type of encryption is actually built in, which is a fairly new development; it's only happened in the last year or two. But given that those companies are so large and that so many people use them, it's actually been a huge benefit to the security of the internet as a whole.

SB: One issue that a lot of high school papers tend to run into is web filtering systems, so school administrations blocking certain content that they don't want students to have access to during the school day, such as Facebook, but they can also be useful tools for reporting. Is that a trend that you find concerning?

TT: Yeah, web filtering, both on the level of school systems preventing student journalists from seeing certain websites all the way up to countries like China doing web filtering on websites that China doesn't like, are really similar symptoms of the same problem. And this is actually where HTTPS can help in certain situations, as well. While it's not going to help students who are blocked from using Facebook, what it does do is forces schools to make a decision. Forces schools to make a decision or large countries to make a decision, so with HTTPS, they, for example, would not be able to block specific Wikipedia pages. They would only be able to block websites on the much broader level. So with HTTPS, they could only all of Wikipedia; they couldn't block specific pages. And this is actually a deterrent from doing large-scale blocking, since while they sometimes want to block specific pages, there is often much more outrage when they block whole websites, and because that can be so controversial, they often weigh against blocking a site like Wikipedia, for example. So HTTPS can actually help prevent certain kinds of censorship in schools, as well.

SB: Can you envision any sort of hypothetical circumstance in which you would be okay with an administrator accessing a student's email account?

TT: Sure, I mean, I don't think that anybody is arguing that, investigators should never ever be able be able to access any type of information on any individual, but there really needs to be transparent, accountable rules in place when this type of incident happens. The school administrator should not be able to just decide, based on a whim, that they want to search through student journalist emails. And there should, frankly, be specific and more stringent rules, especially for student journalists who are reporting on administrations, given that they may come into conflict. And I think that, besides that point, so long as student journalists are more aware of what an administration has the technical capacity to do, and is more aware of tools that they should avoid versus tools that they should use, then they'll be in a much better place.

SB: Are there any other steps that you'd recommend student journalists take to either better educate themselves about what the administration could do or to better secure themselves against potential administrative overreach?

TT: We have a bunch of material on our website, at freedom.press. We have a whole digital security page, which can help people upscale their knowledge about basic digital security techniques. It's not just the administration that folks have to worry about. There are all sorts of threats out there from people trying to hack into their emails. Whether it's criminals or pranksters or even friends and loved ones, I think people need to be quite aware about, and there are simple steps that people can take to really up their digital security. Something like using a password manager, for example, or making sure two-factor authentication is always turned on in any account that you use. Unfortunately, digital security can be hard, because there is so much that we do online these days. I mean, when you think about it, we text, we email, we make phone calls, we use all sorts of social media networks that have all sorts of different privacy settings. We browse the web, we have a computer, we have multiple devices that need to be secured and protected, so often there is a learning curve when deciding what you need to do and what you should stay away from. So, at Freedom of the Press Foundation, we are hopefully a great resource for student journalists who want to learn more about this, and I would encourage anybody who's listening to reach out if you have more questions.

SB: The board of the Freedom of the Press Foundation includes some really notable figures, perhaps most prominently NSA whistleblower Edward Snowden, who I understand serves as the president of the board right. Can you tell me how he got involved and what it's been like to work with him.

TT: Sure, so we're really lucky to have a board of incredible journalists and whistleblowers. Glenn Greenwald and Laura Poitras are on our board (the two journalists who broke the Snowden stories). Famous whistleblower Daniel Ellsberg is on our board, and as you mentioned, Edward Snowden joined our board three years ago. And nobody has more experience using digital security to contact journalists to get a story out into the world than him, and it's been a real pleasure to work with him. He's been working with us on a couple new tools that we're hoping to release in the next few months that try to solve or mitigate some of the digital security problems that journalists face or that they will face in the next five to ten years. I mean, this is kind of really a passion for him. He comes from a technical background, but cares a lot about how journalists operate, not just in the U.S. but around the world, in dangerous places, in war zones.

SB: You mentioned some new tools that you're developing. Can you give us a preview of what those will be for?

TT: Well, unfortunately, I can't go into too many details, but there's a couple problems. First of all, a lot of journalists now increasingly receive large data sets, much like the NSA archive that Edward Snowden gave to journalists, not necessarily just about the NSA, but all sorts of issues. These data sets can be very sensitive, and they need to be stored securely. And there's limited options out there right now for journalists who want to be able to use and hold these data sets for a long time, but also don't want them to fall into the wrong hands. So, one tool we're developing is trying to at least partially solve this problem. And another problem that we're working on is cell phones, and the fact that your cell phone has all sorts of sensors and emitters that give off all sorts of information about yourself, and we think that users should have more control over how these sensors are used and how they can be used against you. And so, we're working on a couple projects that try to tackle this problem, as well.

SB: Can you give me more of an idea about how things go day to day in the office and what it's like to be in the line of work that you're in?

TT: Sure, so Freedom of the Press Foundation has about 15 employees. We're based in San Francisco and New York. And there are all sorts of things that we work on besides SecureDrop and Secure The News. We do digital security trainings inside news organizations. We often come to universities to do digital security trainings. So if you want someone to come to your school and so that you can learn more about these types of digital security techniques, please reach out to us; we'd be happy to come and visit and give a workshop or a seminar so that folks can learn more about this. Day to day, we have a bunch of engineers working on these tech projects, but then we're also doing advocacy. We're very active on social media, @FreedomofPress on Twitter and on Facebook. And right now, there seems to be a new threat to press freedom every day with the current administration, so certainly times are busy, but we feel like it's our job to help journalists with not just problems that they have been facing, but try to think about the problems that they could face in the future with the advance of technology. And certainly, these problems are not going away.

SB: Is there any advice you'd give to student journalists who are looking to go into doing this sort of reporting that you do?

TT: The best advice that I could give student journalists is for you to pick a subject which you become an expert on. And write and research and report and post on social media about it constantly. Obviously, it is tough times in the journalism world right now, given that Facebook and Google are dominating advertising dollars, and some news organizations are laying a lot of journalists off, but there is still ample opportunity for people to really pick a niche which not a lot of people report on, understand it better than everybody else, and make it an obsession. That's how I first got my start doing this, by picking the First Amendment and the Fourth Amendment, and becoming an expert on it and focusing all of my attention on informing the public about things that happen in the news that are relevant to those interests. And if you can do that, then I can almost guarantee that you will eventually be successful.

EG: That was Trevor Timm. This has been the Student Press Law Center podcast, produced out of our headquarters in Washington, D.C. I'm Emily Goodell.

SB: And I'm Samuel Breslow. Check out the show notes for links to the resources discussed in the Q&A, plus an article on the incident at Harvard that Trevor mentioned. The SPLC is on Facebook, Twitter, and Instagram, so please go follow us there!

EG: This show would not exist without the generous contributions of our members. Go to our website, splc.org, if you'd like to learn more and sign up. Also on our website, you can request free legal advice for any issues you may be encountering. Our supervising producer is Danielle Dieterich. Our theme track is "Inspirational Life" by Soundotcom.

SB: Special thanks to Trevor Timm and the Freedom of the Press Foundation. Also, did you know we publish news stories every week? They're like mini-podcasts, just for your eyes rather than your ears! One of our recent stories covers a Texas student journalist who was assaulted while covering a protest, and another compiles a massive list of journalism internships for this spring and this summer.

EG: Go give 'em a read on our website!

SB: We'll be back in a few weeks with an episode from Emily, plus I'll be back next month with another Q&A. Got an idea for who my next guest should be? Send me an email at sbreslow@splc.org. Thanks for listening; see you next month!