Learning Security: Information Security Education for Journalists
We would like to extend a heartfelt thank you to the Tow Center for Digital Journalism. Without the financial, logistical and moral support provided by the Tow Center—and by the Columbia University Graduate School of Journalism more broadly—it would not have been possible for us to spend a semester away from our day jobs, rewiring an information security curriculum, splicing it into the power source provided by a room full of eager j-school students and attempting to monitor the results. In particular, we are hugely grateful to Emily Bell for creating this opportunity, to Liz Boylan and Smitha Khorana for their assistance throughout the semester, to Jenn Henrichsen for her help with this report, and, of course, to Susan McGregor for advice and encouragement at every stage.
We would also like to thank Mark Hansen, Michael Krish, and the Brown Institute for Media Innovation, whose brand new home served as a workbench for this experiment. We are well acquainted with the urgent creativity that a particularly challenging venue can sometimes inspire, but the Brown Institute was our first experience with a training room that forced us to innovate just so we could do it justice.
By allowing us to participate in their Investigative Skills class, Sheila Coronel and Jim Mintz gave us key insights that allowed us to tailor our curriculum much more effectively. Thank you both. And, finally, a shout out to our students for their curiosity, enthusiasm and commitment. It’s been a pleasure!
The two years since the Snowden revelations have seen an unprecedented focus in media and public interest circles on the role of privacy and security in our highly networked and digitally mediated information world. While increasing legal actions against journalists and sources, questionable practice on the part of government bodies, and often disturbing new understandings about the ability of third parties to register, obtain, and share our digital communications have continued to make headlines, the impact of these events on the daily practices of working journalists has been much more uneven. In our semester as Tow Fellows at the Columbia University Graduate School of Journalism (CJS), we found that while most students, alumni, and staff are convinced of the importance of learning information-security skills, they still lack regular opportunities to do so with qualified teachers in a structured environment. To address this, we organized a range of educational interventions designed to assess both the real depth of this professed commitment and the most effective ways of providing these skills. To that end, we hosted both short (one- to four-hour) information sessions and two parallel series of workshops spread over the semester—one set drop-in and the other cumulative. We also conducted interviews with students, staff, faculty, alumni, and working journalists to understand their particular needs and concerns and made a high-level review of current practices and resources in major newsrooms and journalism schools to understand where and how adjustments to these practices might be made. This research project was designed to explore possible models for providing journalism school students with the tools they need to start putting information-security skills and knowledge into practice while they are learning to be reporters.
When offered structured, sustained support and learning opportunities, the students and alumni we encountered during our time at CJS displayed a surprising level of demand for—and sustained commitment to—the non-accredited workshops offered at Columbia J-School as part of this research, which we discuss in detail below. Our work revealed a few key takeaways that we hope newsrooms and journalism schools will use to improve the robustness and efficacy of their information-security training programs:
- Despite a real need in newsrooms and journalism schools for practical information-security skills [1], this demand is not being met effectively by current programs, interventions, and resources.
- The strong expressed demand for information-security coursework from the Columbia University Graduate School of Journalism students and staff was matched by a demonstrable commitment to dedicate the time required to develop and strengthen relevant skills, even when no credit or formal recognition was offered.
- A continuous series of relatively short, hands-on workshops—scheduled at least a week apart—results in better skill acquisition, stronger retention, and less confusion than do either brief introductory sessions or multi-day, intensive boot camp events.
- By assigning students a carefully selected series of verifiable tasks, one can effectively and efficiently evaluate learners’ basic competency with information-security tools and techniques.
Information security for journalists is a complex area of knowledge and expertise. Yet most journalists need not become advanced experts in information security, as some fear. The typical journalist, however, is still likely to handle information considered sensitive—whether by a source, employer, or colleague—at some point and does need a baseline level of expertise in digital security fundamentals, such as robust password practices, anti-virus software, and regular data backups; as well as select intermediate information-security skills, such as an awareness of the basic insecurity and risks of various channels of communication. Journalists also need access to qualified technical and operational expertise and the commitment to select and use more advanced security tools and tactics if so advised. Most importantly, however, they need to develop the ability to appreciate when turning to security experts is required. While achieving these practice goals does represent a considerable amount of skill-building and learning for most journalists, we believe that this process is not dissimilar to the continuous learning they already undertake to improve their basic computing skills, access online sources, integrate data into their reporting, and learn to use multimedia tools and software.
1. Journalists have a real need for practical information-security skills that is not currently being met.
Even in the wake of the Snowden revelations, most of the support for improving journalists’ information security has been confined to low-cost and low-commitment options like hosting panels, contributing to or linking to guides, or writing blog posts and tweets (and occasional long-form articles). Only a few of the world’s major newsrooms have made truly substantial internal changes that include comprehensive training for staff, well-tuned information-management policies, and robust support for journalists working on higher-risk beats and projects. At the same time, some large news organizations have quietly made well-calibrated changes in the wake of digital attacks; a few have even had information-security support available for years. By contrast, no journalism schools yet offer a distinct course in information security, nor have they integrated information-security fundamentals into their core curricula. In many cases, they lack even an organized way of providing relevant expertise for staff and professors [2]. As Chris Soghoian commented in 2013 [3], two years after his New York Times op-ed criticized journalism schools and newsrooms for not helping students and staff learn basic digital security skills and tools, “They’re forcing journalists to figure it out for themselves . . . and they don’t know what they’re doing.” [4]
What we’re doing isn’t working…
The failure of newsrooms and journalism schools to properly outfit journalists with the skills and support they need to protect themselves, their sources, their colleagues, and their stories is evidenced in the anemic learning opportunities currently available to both working journalists and journalism school students. Discussions with members of the CJS community about the opportunities available to learn about information security yielded a description of those occasional offerings in detail—and mirrored similar conversations we had with journalists in newsrooms [5]. The most common resource available seems to be the standalone one- to four-hour session led by an outside “expert.” Run by guest speakers of varying skill level and qualifications, these sessions are typically offered publicly once a year or so to a limited number of participants. In recent years, as the issue of information security for journalists has gained more attention, there have been additional, somewhat more extended events for journalists at CJS, including those hosted by the Tow Center. Often billed as a “training,” we found that these interventions leave participants frustrated and empty-handed, with only long complicated guides for further reference and no follow-up access to experts to assist their efforts or correct mistakes. For journalism school audiences already familiar with the issue and eager to learn more [6], these outreach sessions are described almost universally as too superficial, with little or no time for hands-on practice. What is covered during these sessions goes unused and forgotten in the absence of any sustained attention or follow-up, leaving audience members without any sense of how to navigate crucial decision-making processes or apply practical skills in their actual reporting.
…and may be making things worse.
Though the inefficacy of these trainings is unfortunate, more troubling is evidence that they may actually worsen or reduce interest in and capacity for information-security learning. Students, alumni, and staff all shared tales of grappling with the vestiges of various tools that had been briskly installed on their devices during these brief sessions—often hosted at or even by the school [7]. Introduced rapidly, and left on devices without practice or context for proper use, these technologies can render users’ primary applications (and even operating systems) buggy (at best) and inoperative (at worst). As a result, many with whom we spoke had been doing everything they could to avoid these various security and privacy tools, which they weren’t even sure how to remove. Several individuals, their systems crippled by these hastily installed programs, had workarounds that were riskier than the workflows they’d used initially. The cumulative result of these challenges is that the few journalists who engage with the limited information-security training opportunities available to them often end up more frustrated and no better informed about these practices, let alone with the ability to actively apply them and help sources and colleagues do the same.
Applied Takeaway: Scale Expectations to Reflect the Resources Available
While one- to four-hour sessions can provide a passable introduction to the subject of information security for journalists—given the right presenter and agenda—these establish impossible expectations for participants when labeled as “trainings.” The misleading expectation that participants can acquire practical skills in so short a time leaves them with a negative impression of security and privacy tools in general, and suspicious of those offering them in subsequent “quick-learn” contexts. The result, over time, is reduced engagement with information-security issues—the exact opposite of what these efforts are meant to produce. Such events are often equally disappointing for the trainers, who are forced into impossible situations as those requesting or brokering these sessions (sometimes their own organizations) ask them to provide the equivalent of one to two weeks of training in one to four hours. Too often, session leaders are given little or no preparation time, nor sufficient background about their audience’s context. Despite this, many of these presenters (such as Reporters Sans Frontières) continue to provide these introductory trainings—often on a pro bono basis—to a number of journalism schools and other organizations because they feel no one else is offering anything comparable on journalism school campuses. In many cases, newsrooms—even those with means and some with reputations as having advanced digital security skills and capabilities—are giving similarly short shrift to training and staff support on an ongoing basis, creating parallel frustrations among even those working journalists eager to improve their information-security practices.
2. Demand for information-security coursework was matched by the time and effort committed by students.
Our initial planning for the semester at the Columbia Journalism School included three weekend workshops based on advising faculty’s assessment of student availability, as well as physical venues open at the school [8]. To frame the value of the workshops and their content, and attract interest in the program, we hosted an hour-long evening presentation early in the semester. Though optional, the presentation attracted a substantial audience and resulted in sixty-three workshop sign-ups. The bulk of these came from currently enrolled CJS students, but also included a handful of alumni, digital media support staff, and one computer science professor, who commented, “I realized I didn’t know or use those things either.” The major focus of the presentation was the following:
- How journalists’ need for information security pre-dated Snowden and would only increase in the absence of substantial legal and policy changes in the United States and abroad [9].
- How the vast majority of newsrooms were not providing their staff with information-security training and tailored support, even those most involved in the Snowden leaks.
- How journalists planning to offer their sources any assurances of privacy, anonymity, or off-the-record communications needed to establish a robust information-security practice.
- How legal protections (shield laws and reporters privilege) for journalists in the United States are weak and crumbling [10], and any such protections are even worse globally [11]. Furthermore, legal measures would only be invoked where journalists’ information was not already attainable via legal third-party access mechanisms, documented surveillance practices, or technical exploits.
- Most crucially, addressing the pervasive fallacy that only national security reporters need to care about information security. To do this, we described a range of real-world examples where journalists covering business, technology, sports, conflict, environment, local news, and a wide swath of international topics had all been targeted for surveillance and digital attacks by both state and non-state actors. Providing these salient and relatable examples was essential to generating sustained interest in the workshops, and a number of students who signed up during this initial presentation later said that these examples ultimately persuaded them to attend.
- How the workshops could increase their value to prospective employers.
Ongoing promotion yielded a total of more than one hundred and ten individual sign-ups for the opportunity to join our workshops throughout the term. In addition to this, we trained the school’s five digital media associates (DMAs) and provided individualized assistance to various reporting projects, professors, and students focused on higher-risk investigative stories and contexts.
Applied Takeaway: Build It and They Will Come
This initial wave of interest was far greater than anything we’d anticipated and proved resistant to the attrition we’d been told to expect based on other non-credit offerings in recent years. In response, we vastly expanded our workshop and office-hours offerings; still, we were unable to come anywhere close to accommodating the demand for both workshop slots and one-on-one assistance. This sustained interest persisted despite the fact that, on the whole, professors and advisors did not encourage or otherwise reward participants for attendance. While a few attendees certainly did feel it would help make them competitive in the job market, most came because they felt the training was necessary to do their jobs properly and responsibly. Many also said they attended because they found our sessions to be their favorite and most valuable “class” of the semester. As noted in emails participants sent to the Tow Center leadership and journalism school administration:
“[These] workshops have been one of the most worthwhile investments I have made during my time at the Journalism School. In the future, [fewer] than ten years from now, perhaps, I envision a course like [this] being mandatory. For now, at the very least, [these] workshops give students that take [them] seriously an edge in the job market and an edge in reporting on sensitive stories that require additional steps to protect sources.”
“I believe the workshop is the most important course that I am taking at Columbia. I know it’s not actually a course, but it should be.”
“I wholeheartedly support the idea of integrating digital security into the core curriculum . . . I believe there is a dedicated, serious, core group of J-schoolers who want this course very, very badly.”
This high level of interest, combined with students’ unprecedented commitment to attending workshops throughout the semester, leads us to conclude that the interest in learning information-security skills is more than a passing one and warrants inclusion in regular journalism school curriculum offerings.
With approximately ten years of combined experience facilitating intensive, three- to five-day information security trainings for activists, bloggers, and human rights defenders around the world, both the techniques we have refined through these engagements and experimental remediation of these efforts’ observed shortcomings informed our methodology for designing and delivering the workshops at the Columbia Journalism School in the fall of 2014. Our decision to draw on training precedents from the international human rights and activist communities stems from these sectors’ and journalism’s shared need to document and protect their sources, as hostile or repressive political regimes regularly target both groups—as individuals and organizations. Likewise, with respect to information security in particular, human rights activists and journalists must often learn as much as they can as quickly as they can, and then must return to environments that lack structured support for maintaining and expanding these skills. As a result, it is from these training ecosystems that many newsrooms have begun to seek similar expertise, training, and support [12].
Drawing on our prior experience, the following principles informed the initial design of the workshops:
- Abandoning the boot-camp model to better support task demands and the more extensive review needs of adult learners [13].
- Creating participant-driven workshop goals.
Abandoning the Boot Camp Model
One major drawback to the training structure of the three- to five-day boot camp model with which we are most familiar is the sheer density of material it must cover. Squeezing a core information-security curriculum into a single workshop, while maintaining the focus of the hands-on practice described above, has typically required approximately five full days. While this approach remains more effective than the most common alternatives—brief, lecture-style presentations and distance-learning platforms—it clearly comes with its own limitations. Most significantly, adult learners simply are not very good at absorbing and retaining new information so quickly, a challenge compounded by a lack of opportunity for proper review. In a weeklong workshop, it is possible to review material at most four days after covering it initially, and the typical window is significantly shorter than that. Moreover, boot camp-style trainings leave little room for the uninteresting-but-time-intensive activities that actually represent key dependencies for the skills that journalists need. For example, full-disk encryption is a recommended digital-security basic, especially for anyone working on a laptop that he or she transports, even from work to home. While on Macintosh computers, for example, it’s easy to “switch on” this feature, we recommend that participants make both initial and ongoing backups of their laptops before activating it. This latter process, however, which provides for crucial data recovery, is actually a multi-stage, high-latency process that includes several foundational and sometimes time-consuming steps:
- Understanding strong passwords.
- Comfort with secure password managers.
- Obtaining one or more sufficiently large external hard drives (or backing up and re-formatting existing drives).
- Practice encrypting external hard drives.
- Familiarity with backup software.
- One or more overnight file transfer operations.
- Training on full-disk encryption itself, including (on a MacOS device) how to create a restore code for FileVault encryption software. Creating a backup before turning on full-disk encryption is a safety measure as well as a core task, since rare errors can occur and may require restoration of data from a current backup.
- Another long (possibly overnight) window during which data is actually encrypted.
- Demonstration of full-disk encryption in action, such as how FileVault affects the ability to connect computers together via FireWire in “target mode” on MacOS devices.
The bold items above, in particular, represent tasks that are extremely difficult to fit into a several-day training window. A number of the topics we covered have similarly awkward dependencies. At CJS, however, we were able to hold shorter sessions and schedule them farther apart from one another. Both journalism schools and newsrooms looking to implement professional development programs should take full advantage of this luxury, as it made a significant difference in terms of students’ ability to:
- absorb content.
- benefit from meaningful repetition and review.
- utilize gaps between sessions to do things like clearing off old hard drives, backing up content, and encrypting large amounts of data.
Unlike our experience with weeklong trainings in the human rights sector, we were able to help students complete multi-step challenges, such as the process enumerated above, by relying on a combination of in-class support, office-hours, and assigned homework. The result was a significant percentage of students with verifiably encrypted backups and laptops, demonstrably strong password habits, and appreciation for the vulnerability of unencrypted data at rest.
Designing with Participants’ Goal in Mind
Early feedback from the CJS community indicated a strong desire among students for practical, skills-based education. As one student responded to our initial awareness raising presentation, “We already know it’s important, man. That’s why we showed up! It’s the specifics we need more of.”
At the same time, a number of participants at our first workshop had missed our initial presentation, so we spent some time reiterating the basic arguments for the importance of the content. We were afterwards reminded again that these journalists—mostly students, with some CJS media staff, alumni, and one human rights NGO staffer unable to access comparable workshops in his own sector—were already convinced and ready to move on to practical skills-building:
“The general feeling was that we spent too much talking about why it is important to have data security . . . Given how digitally ignorant we are and how much we need to learn, I really hope we could cover more skills . . . at each of these sessions.”
Though it was very much in line with our existing plans for the remainder of the semester, this reiterated feedback helped strengthen our focus on applied skills, which was already the inclination of our NGO-sector training experience. Accounts from students and alumni who had previously “given up” on information-security workshops and trainings either due to the dearth of practical material covered or because such events had left them plagued by half-installed tools highlighted the value of this sustained hands-on approach. One student, for example, came to us unable to send email from her computer at all after attempting to install and configure PGP during a twenty-minute workshop offered elsewhere. While practical, hands-on experience is a must, it takes time, preparation, and some degree of post-workshop follow-up and support to be effective.
We offered two workshop tracks during the fall semester:
- A drop-in series of standalone, three-hour workshops open to the first twenty students who RSVP’d for each session.
- A cumulative series of three-hour weekend workshops for twelve students who committed to attending all six sessions.
We held five drop-in workshops—approximately two per month—with a slightly different group of fifteen to twenty students participating in each session. These workshops were officially two hours in length, with an optional third hour for discussion and Q&A. The majority of participants stayed for at least two-and-a-half hours. We held six cumulative workshops—approximately two per month—for a single group of twelve students, the vast majority of whom attended all but a single session (for which they were allowed to schedule a catch-up appointment during our office hours the following week). These workshops lasted three hours. The sixth session included a series of evaluation exercises, which doubled as an opportunity to review material covered in all five workshops. Students were not given advance notice for these evaluations and had no opportunity to prepare for them.
Our workshops typically began with a brief demonstration of some sort, followed by an interactive discussion and a short lecture about the material we would cover. An hour or two of hands-on work with relevant tools—including discussions of trade-offs and threat-modeling scenarios—came next, and accounted for the majority of the session. Our workshops ended with a brief summary and a Q&A session, leaving ten to fifteen minutes to address any previous questions that had been deferred in the interest of staying on track. With few exceptions, the scenarios we used to contextualize threats and frame the opportunities afforded by strong information-security practices were either chosen for their relevance to the challenges journalists face in general, or were volunteered by students themselves. As NGO sector trainers with limited journalism experience, the opportunity to participate in a handful of journalism school courses and immerse ourselves in community events proved invaluable in this respect.
While our previous workshops have generally fallen short in terms of objective, quantitative evaluation of participants’ skills and behaviors, we inserted performance metrics as a central element of our work at Columbia. Most concretely, during our final session of the semester, we tested participants’ competency with the core tools and techniques covered in our workshops. We also worked with a combination of direct observation and brief interviews as a way to get some sense of the extent to which students had actually changed their habits in response to the coursework.
In the final evaluation/review session for our cumulative workshop series, we asked participants to carry out the following tasks to demonstrate their mastery of password selection, encrypted password managers, secure file storage, encrypted email, and encrypted chat:
- Generate two strong passwords, one that is memorable and one that is shorter but stronger.
- Create a new KeePassX password database containing entries for each of those passwords.
- Create a small TrueCrypt container, using the first password for its hidden volume and the second for its outer volume.
- Send us both the KeePassX database and the TrueCrypt container as encrypted email attachments.
- Tell us the KeePassX master passphrase through a verified, encrypted instant messaging conversation using CryptoCat or Pidgin/Adium.
We also asked students to carry out the following tasks to demonstrate their capacity to use VPNs and Tor Browser for connection security and anonymous browsing:
- Turn on your VPN.
- Visit the following web address. (We gave each student a unique URL on a web server where we could monitor traffic logs.)
- Turn off your VPN and launch Tor Browser.
- Visit the same web address.
By analyzing the server’s traffic logs, we were able to verify, quickly and easily, who was and was not using these tools properly.
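The log check described above can be sketched as follows. This is an added example, not the authors' own tooling: the per-student URL tokens, the campus and VPN address ranges, the Tor exit addresses, and the log lines are all constructed for illustration, and in practice the exit addresses would come from the Tor Project's published exit list.

```python
import ipaddress
import re
from datetime import datetime

# Assumptions (all constructed): unique URL path per student, the campus
# network, the VPN provider's egress range, and a Tor exit-list snapshot.
TOKENS = {"/check/a1f3": "student-01", "/check/b7c9": "student-02",
          "/check/c2d8": "student-03"}
CAMPUS_NET = ipaddress.ip_network("192.0.2.0/24")
VPN_NET = ipaddress.ip_network("198.51.100.0/24")
TOR_EXITS = {ipaddress.ip_address("203.0.113.45"),
             ipaddress.ip_address("203.0.113.77")}

# Constructed access-log lines in the common "combined" format.
SAMPLE_LOG = """\
198.51.100.14 - - [10/Oct/2000:15:02:11 -0500] "GET /check/a1f3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Oct/2000:15:06:40 -0500] "GET /check/a1f3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.31 - - [10/Oct/2000:15:03:05 -0500] "GET /check/b7c9 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.77 - - [10/Oct/2000:15:09:12 -0500] "GET /check/b7c9?x=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2000:15:04:00 -0500] "GET /check/c2d8 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2000:15:10:30 -0500] "GET /check/c2d8 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Oct/2000:15:11:00 -0500] "GET /robots.txt HTTP/1.1" 404 0 "-" "-"
this line is not a log entry
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) [^"]*" (\d{3}) ')


def classify(ip_text):
    """Label a client address as tor, vpn, campus or other."""
    ip = ipaddress.ip_address(ip_text)  # raises ValueError on garbage
    if ip in TOR_EXITS:
        return "tor"
    if ip in VPN_NET:
        return "vpn"
    if ip in CAMPUS_NET:
        return "campus"
    return "other"


def parse_hits(log_text):
    """Yield (student, timestamp, label) for each request to a student URL."""
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # malformed line or non-GET request
        ip_text, ts_text, path, _status = match.groups()
        student = TOKENS.get(path.split("?", 1)[0])  # ignore query strings
        if student is None:
            continue  # crawler or stray request, not a student URL
        try:
            label = classify(ip_text)
            when = datetime.strptime(ts_text, "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        yield student, when, label


def grade(log_text):
    """Per student: did a VPN hit and a Tor hit arrive, and what else did?"""
    results = {s: {"vpn": False, "tor": False, "review": []}
               for s in TOKENS.values()}
    for student, when, label in sorted(parse_hits(log_text), key=lambda h: h[1]):
        record = results[student]
        if label in ("vpn", "tor"):
            record[label] = True
        else:
            # A campus or unknown address means the tool was not in use
            # (or an unlisted provider was); keep it for manual review.
            record["review"].append((when.isoformat(), label))
    return results


if __name__ == "__main__":
    for student, record in grade(SAMPLE_LOG).items():
        print(student, record)
```

In the constructed log, student-02 reaches the page from a campus address before switching to Tor, which is the kind of case the log makes visible: the VPN step was never actually active.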
By contrast, to evaluate the extent to which participants had actually adopted these habits in their daily lives, we asked them to:
- Show us the number of entries in their primary KeePassX database, or
- Describe any alternative systems they had adopted since the relevant workshop.
Both methodologies are works in progress—particularly the second—but we strongly encourage those designing and implementing future information-security curricula to attempt something similar.
Attendance and Outcomes
Drop-in Workshop Attendance
In the end, we offered five weekday drop-in workshops in CJS’s new Brown Center for Media Innovation for a maximum of twenty participants at each workshop, with a total of forty-four students participating in the drop-in sessions. Four students attended all five workshops; another four attended four of the five workshops; six attended three of the five workshops; ten attended two; and twenty attended only one workshop.
Cumulative Workshop Attendance
For the cumulative track, we asked twelve students to commit to attending all six workshops. If they missed a session, we asked them to make it up during weekly office hours. To accommodate participants’ schedules and the availability of the Brown Center, we held the workshops on the weekends, usually late on Saturday afternoon. None of our students dropped out of the track, although one student missed two sessions due to health and family issues. Two others were also juggling full-time jobs, one as a part-time CJS student and another who worked outside of the New York metro area as a participant in the new Lede program [14]. Of the twelve cumulative workshop students, three attended all six sessions; five only missed one session; three missed two of the six sessions; and one (who worked a considerable distance outside of the city and was no longer enrolled in classes at the school) missed half of the sessions.
Differences between Drop-in and Cumulative Sessions
While we reinforced previously covered material where possible for participants in the cumulative track, we had to ensure that our drop-in sessions did not assume prior knowledge of the topic. This restriction—along with the challenges presented by shorter sessions and larger class sizes—prevented us from covering certain topics with our drop-in participants. For example:
- At the end of our first cumulative workshop, we asked participants to bring an empty external hard drive to the next session so that they could practice creating encrypted backups. For students in our drop-in workshop series, on the other hand, we provided a comprehensive walkthrough on how to create an encrypted backup and enable full-disk encryption. (That said, most of our drop-in students who actually completed the encryption process did so by way of additional one-on-one assistance during our office hours.)
- The hands-on portion of our drop-in Off-the-Record (OTR) chat encryption session only addressed the use of CryptoCat and did not extend to the Pidgin and Adium instant messaging (IM) clients.
- Similarly, while we covered the same tools in both OpenPGP email encryption workshops, there was not enough time in the drop-in session for participants to verify one another’s public key fingerprints.
- Most importantly, as noted in the session descriptions above, students in our cumulative workshops had multiple opportunities to practice using tools and applying techniques covered earlier in the semester. In nearly every session, for example, they generated new passwords and added them to the KeePassX password manager. We also gave them a second chance to access an onion service—specifically the CryptoCat encrypted chat service—through the Tor Browser.
Of the quantitative competencies described above, fifty percent or more of cumulative-track students were able to execute the following tasks in an unannounced evaluation:
- Create and manage a strong password.
- Create and securely share an encrypted chat room location and check the identity of (authenticate) the person with whom they were chatting.
- Launch Tor, confirm their IP, and navigate to an onion-only site.
- Use a VPN.
Generally more challenging were the compound tasks, especially those involving the use of hidden encrypted volumes. While participants demonstrated strongest attainment in simpler tasks, these are also the ones most likely to be relevant to daily journalistic work and general information-security practice. Such tasks include the use of strong passwords, encrypted chat services, protected web browsing, and remote log-in work with Tor and VPN services. On the qualitative side, many participants did report better password habits in their daily routines, including some who actively improved old/bad passwords for other services. They also set up log-in requirements for their computers and had in some cases encrypted additional media beyond their hard drives. All students also had firewall protection turned on.
Challenges and Opportunities
This section intends to shed light on a few of the obstacles information-security trainers invited to an institution—be it a journalism school or a newsroom—may face regarding the logistical challenge of implementing a workshop series according to the methodology highlighted above.
Determining the weekly time slot for our cumulative track was quite a challenge, as we asked that students—whose official class schedules had already been determined—commit to attending all six of our workshops. This was further complicated by CJS’s mid-term schedule rotation. While the form of these challenges may be unique to CJS, any institution offering similar workshops on an ongoing basis will face both outreach and scheduling challenges. Though scheduling an initial session at a time when most of our target audience of students was free helped with outreach, we also made use of Twitter and Facebook announcements, as well as word of mouth, to build an email list through which we could solicit schedule information from potential participants. Naturally, our drop-in track was easier to schedule, as we only needed to identify the time slot that conflicted with the fewest classes. Managing an ongoing sign-up process, however, proved somewhat time-consuming. Within one week of each workshop, we announced the upcoming session topic by email and asked students to RSVP. We maintained a wait-list of up to ten students for each session and asked participants to cancel by email if they were unable to attend. To publicize these sessions we additionally made use of centralized displays and calendars the school maintains, as well as social media announcements. We held office hours two days per week, for two hours each day. With the exception of cumulative workshop participants requesting catch-up appointments for missed sessions, which typically lasted one hour, we limited each appointment to thirty minutes. Office hours requests were sent primarily by email. We maintained a sign-up sheet by hand and sent out reminders ourselves. While office hours were open to the whole CJS community, the vast majority of appointments were with workshop participants.
Ultimately, handling logistics on an institutional/administrative level would offer significant advantages over the relatively manual and largely email-based approach we used. Institutions should leverage known information about schedules, shifts, and contact methods, using existing lists or calendaring mechanisms to streamline RSVP and attendance. While some of these exist at CJS, better-documented and coordinated resources would have opened up substantially more time to focus on teaching-related activities.
Commit to sustained teaching and follow-up.
Three-hour workshops, with a week or more of down time between sessions, are far more effective than an equivalent number of consecutive hours spent on intensive training. While our availability during office hours complicates the comparison somewhat, it is nonetheless worth highlighting that we covered easily as much material in fifteen total classroom hours at CJS as we did typically in thirty to forty total hours during the weeklong boot camp events we have facilitated in the past. While we do not have evaluation data from those events to compare with our initial baseline from our cumulative workshop series at CJS, our sense is that the latter set of participants showed greater competency.
Repetition and review are key to retention.
We believe the ability to accommodate repetition and review is one of the reasons for the increased effectiveness described above. For most topics, we found it relatively easy to design tasks that required students to use tools and techniques covered in earlier sessions in completing the hands-on portion of later sessions. One of the tools for which we did not contrive such an opportunity was TrueCrypt. Though our data are a long way from demonstrating causality, we feel that our participants’ relatively low competency with this tool is likely related to the fact that they only had one opportunity to practice using it. As shown at the end of the Curriculum section in Appendix A, of the eight students who attended the TrueCrypt workshop and who were present at the evaluation session, fewer than half were able to fully demonstrate their ability to use the tool’s core features without assistance.
Make information-security a core competency.
The possibilities for extending and improving on the curriculum we used during this fellowship are exciting and promising, especially if such a course were offered as part of the regular curriculum, requiring students to perform assignments and tasks outside of the classroom15. The inclusion of more complex exercises, assignments, and threat modeling experiences is recommended. In feedback about our workshops, a number of participants argued that information-security skills need to be integrated into the core curriculum. When we helped a special reporting project team of recent alumni compile a list of security measures it needed to use, one of the group asked why they all hadn’t learned this during their year at CJS and expressed frustration with this gap in their skill set.
Educate and leverage support staff.
Fortunately, the opportunities to meaningfully integrate information-security practices into the core journalism curriculum are rich and varied. As we trained CJS digital media associates (DMAs), for example, who provide technical support to students and staff, they saw great potential for integrating information security into existing classes. We consider the DMAs an important avenue for bringing digital security skills into the school, even though their one-year tenure at the school would make this challenging. Nevertheless, the DMAs were some of our most committed students and were passionate about information security at CJS. Moreover, as they are all recent CJS students, they have a unique breadth and accuracy of insight into how and where these practices can be more integrally applied to the existing curriculum. News organizations might similarly look to target smaller populations of staff for deeper information-security training. Desk editors, for example, who are also in a leadership position, may be uniquely well placed to both share and prioritize these practices.
Ultimately, improving on the information-security practices of journalists will require a commitment not just at the training level, but at a leadership one in both journalism schools and newsrooms. However, our experience at the Columbia Graduate School of Journalism demonstrates that such efforts are rewarded with improved understandings, demonstrable skills, and an ongoing commitment to the better security practices that protect journalists, sources, and news organizations at all levels. We hope that both journalism schools and news organizations will take up and apply—if not formalize—our initial work in this area; to facilitate that, the appendix to this report contains a detailed description of our workshop curriculum. We gladly welcome continued questions and feedback and look forward to continuing to work with the journalism community to refine and extend these efforts.
Aside from the necessary logistical and methodological differences mentioned above, and a few variations on content described at the end of this section, the first five workshops of each track adhered to the same curriculum. (The drop-in workshop series did not have a sixth session.) Since the vast majority of our participants were Mac/OSX and iOS users, most of the platform-specific curriculum described below focuses on Mac/OSX tools. Throughout both workshop tracks, however, we also provided one-on-one assistance to our handful of Windows users16.
Session 1: Creating and Maintaining Strong Passwords
In this session, we attempted to explain and simplify the “rules” for choosing strong passwords. We also addressed the difference between online and offline password attacks, including the importance of configuring two-step authentication for services that support it. We discussed how to evaluate the security claims of various password managers and discussed the risks inherent in browser-based systems. Finally, we introduced students to KeePassX, a secure password manager, and practiced using it to store different sorts of credentials. All students left with a portable version of KeePassX on a USB stick, along with an encrypted password database. This workshop included a live demonstration of a brute-force password attack on Android and iOS smartphones. We also used this session as an opportunity to gather baseline information about who had and had not configured certain security features on their devices, including Apple’s FileVault full-disk encryption, Microsoft’s Bitlocker full-disk encryption, and Apple’s TimeMachine backup software.
Session 2: Secure Data Storage and Backup
In this session, we addressed the fact that while strong passwords are a dependency for encrypted file storage, the two concepts are not equivalent and a log-in password alone is not enough to secure data at rest. We covered full-disk encryption on MacOS, Android, and iOS devices but focused primarily on FileVault for full-disk encryption and DiskUtility as a way to encrypt external media (which we discussed in the context of secure backup habits). We also introduced students to Apple’s TimeMachine backup software. We spent the bulk of our hands-on time working with the TrueCrypt file encryption tool, including its plausible deniability feature, which we contextualized using stories about reporting in high risk countries, generally, and about border crossings and checkpoint threats in particular. In addition, however, students went home with instructions on how to create their first encrypted TimeMachine backup, and—for those who felt comfortable enabling FileVault before our next session—a reminder to record their FileVault recovery code in KeePassX, along with the TrueCrypt passwords they created during the workshop. (Several students visited us during our office hours to request additional help with these steps.)
This workshop included a live demonstration of how little protection even a strong password provides, in the absence of encryption, against an adversary with physical access to the device in question. Because our participants all had MacOS devices, we used TargetMode for this demo. And, because there were students in the class who had not set a log-in password of any kind, we also demonstrated a malicious USB attack capable of pulling sensitive documents from an unlocked computer in just a few seconds.
Session 3: Connection Security, Online Censorship, Metadata, and Anonymity
In this session, we explained the difference between symmetric and asymmetric encryption, then discussed the concept of end-to-end encryption as it applies to HTTPS, virtual private networks (VPNs), instant messaging (IM), email, etc. We covered HTTPS certificate warnings, Man-in-the-Middle attacks, the HTTPS-Everywhere browser extension, and threats related to metadata and traffic analysis, starting with the basics of how an IP address can be linked to a real-world identity. As a prelude to hands-on practice with RiseUp VPN and Tor Browser, we discussed the concept of centralized versus decentralized trust, the circumvention- and privacy-related uses of anonymity tools, onion services (“the deep web”), and the importance of HTTPS even when using a tool like Tor Browser. Credentials for a new VPN account were stored in KeePassX. This workshop included a live demonstration of a local network attack through which an adversary could sniff the Columbia University password of any student, faculty member, administrator, or staff person who had not applied at least one of the techniques covered in the workshop.
Session 4: Encrypted Chat
In this session, we focused on encrypted chat, including practical techniques for introducing sources and colleagues to relatively easy-to-use secure communication tools. We covered asymmetric encryption—specifically the Diffie-Hellman key negotiation protocol—in greater detail. We also devoted significant time to the issues of authentication and cryptographic fingerprint verification, with an emphasis on helping students understand when their real-world intuition about “verifying identity” does and does not apply to the context of secure digital communication. For the hands-on portion of this workshop, we practiced using Off-the-Record (OTR) chat encryption with both CryptoCat and Pidgin/Adium. Students used Tor Browser to access the onion service version of CryptoCat and those who created new XMPP (chat) accounts, for use with Pidgin/Adium, stored their passwords in KeePassX. The session began with a brief presentation that used color-mixing as a metaphor to explain how the Diffie-Hellman key negotiation protocol works and how proper authentication can prevent Man-in-the-Middle attacks.
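As an added illustration (not part of the original curriculum or report), the Python sketch below shows the point of the Session 4 discussion: a Diffie-Hellman exchange completes without any error even when a relay substitutes its own public value, and only a fingerprint comparison over a separate channel exposes the substitution. The toy group parameters, the `Party` class, and the hash-of-public-value fingerprint are assumptions made for this example; OTR itself authenticates the exchange with long-term keys.

```python
import hashlib
import hmac
import secrets

# Toy parameters (assumption for this example): a known prime and base 2.
# Real tools use vetted groups or elliptic curves.
P = 2**255 - 19
G = 2


def fingerprint(public_value):
    """Short human-comparable digest of a public value (simplified scheme)."""
    digest = hashlib.sha256(public_value.to_bytes(32, "big")).hexdigest()
    return " ".join(digest[i:i + 8] for i in range(0, 40, 8)).upper()


def fingerprints_match(received_public, fingerprint_heard):
    """Compare what the network delivered with what the peer read aloud."""
    return hmac.compare_digest(fingerprint(received_public), fingerprint_heard)


class Party:
    def __init__(self, name):
        self.name = name
        self._secret = secrets.randbelow(P - 3) + 2   # private exponent
        self.public = pow(G, self._secret, P)         # value sent on the wire

    def fingerprint(self):
        return fingerprint(self.public)

    def session_key(self, peer_public):
        shared = pow(peer_public, self._secret, P)
        return hashlib.sha256(shared.to_bytes(32, "big")).hexdigest()


def run_session(intercepted):
    """Run one key negotiation, optionally with a relay swapping public values."""
    alice, bob = Party("alice"), Party("bob")
    relay = Party("relay") if intercepted else None

    # What each side actually receives over the untrusted network.
    seen_by_alice = relay.public if relay else bob.public
    seen_by_bob = relay.public if relay else alice.public

    # Both sides derive a key and see a working "encrypted" session either way.
    key_alice = alice.session_key(seen_by_alice)
    key_bob = bob.session_key(seen_by_bob)

    # Out-of-band step: each person reads their own fingerprint to the other
    # (in person or by voice), and the listener checks it against what arrived.
    alice_accepts = fingerprints_match(seen_by_alice, bob.fingerprint())
    bob_accepts = fingerprints_match(seen_by_bob, alice.fingerprint())

    relay_has_key = relay is not None and relay.session_key(alice.public) == key_alice
    return {
        "end_to_end": key_alice == key_bob,   # same key at both real endpoints?
        "alice_accepts": alice_accepts,
        "bob_accepts": bob_accepts,
        "relay_has_key": relay_has_key,       # relay can read Alice's messages?
    }


if __name__ == "__main__":
    for label, flag in (("direct", False), ("relayed", True)):
        print(label, run_session(flag))
```

In the relayed run neither endpoint sees an error from the key negotiation itself; the only signal is the failed fingerprint comparison, which is why the verification step cannot be skipped.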
Session 5: OpenPGP Encrypted Email
It was quite challenging to fit a complete, hands-on OpenPGP session into three hours, so we covered very little else during this workshop. Fortunately, we had already addressed many related issues in previous workshops, including symmetric versus asymmetric encryption, cryptographic fingerprint verification, and end-to-end encryption. High-level topics discussed in this workshop were limited to the basics of how public key encryption works, the risks associated with OpenPGP’s lack of perfect forward secrecy, and the importance of local key signatures as a way to avoid exposing one’s network of contacts. Students left the session having installed GPGTools; configured a new or existing email account to work with Apple’s Mail application; uploaded their public keys to a keyserver; located and downloaded one another’s keys; and practiced sending and receiving encrypted messages (including attachments). During the last thirty minutes of the session, students practiced verifying and (locally) signing one another’s public keys.
1 Often referred to as “digital security” skills, this is misleading as it implies an exclusive focus on all things digital, whereas the true focus is on information of all kinds in both analog and digital forms.
2 Although this research did not include a survey of similar offerings for students at other major journalism schools, the brief, intensive introductory sessions on digital security at Columbia are considerably more than what is available to students, staff, and the extended communities of other journalism schools. Very few j-schools offer comparable standalone introductory sessions or have professors who proactively include information-security topics into their course curriculum, including Columbia. Discussions of providing information-security support for journalists in j-schools and newsrooms were already present before Snowden (see A. Santo, “Teaching Cyber-security,” Columbia Journalism Review, 24 Jan. 2012, at http://www.cjr.org/the_news_frontier/teaching_cybersecurity.php?page=all for more information), but it appears that very little has actually changed after Snowden, despite the new evidence regarding the sophistication and extent of surveillance worldwide. (See L. Kirchner, “Teaching J-School Students Cyber-security,” Columbia Journalism Review, 15 Nov. 2013, at http://www.cjr.org/behind_the_news/teaching_cybersecurity_in_jsch.php).
3 T. Locy, “Surveillance and Security: Are Reporters and News Organizations Doing Enough to Protect Sources?” Nieman Journalism Lab, 9 Jan. 2014, http://niemanreports.org/articles/surveillance-and-security/.
4 C. Soghoian, “When Secrets Aren’t Safe With Journalists,” The New York Times, 26 Oct. 2011, http://www.nytimes.com/2011/10/27/opinion/without-computersecurity-sources-secrets-arent-safe-with-journalists.html?_r=2&.
5 There have been regular opportunities for CJS students, faculty, and staff to learn more about information security in recent years. Reporters Without Borders (RSF) provides an annual two- to four-hour-long session each year pro bono, and professors have also asked similar organizations (e.g., Internews, CPJ, Freedom House) to provide comparable one- to four-hour sessions for specific courses, degree programs, and continuing education courses. (For more about Columbia’s professional development courses, visit http://www.journalism.columbia.edu/page/8-training-programs/8.) In addition, the Tow Center recently offered two weekend workshops on security information: A three-day workshop in November of 2013 and a one-day workshop in October of 2014. Lastly, CJS students and community benefit from subject expertise at the Tow Center for Digital Journalism from assistant professor and assistant director of the Tow Center, Susan McGregor, as well as from Tow Fellow and data journalism instructor Jonathan Stray. McGregor is the author of the recent “Digital Security and Source Protection For Journalists” and has spoken widely on various aspects of information security for journalists. (To see her report for the Tow Center, visit http://towcenter.org/digital-security-and-sourceprotection-for-journalists-research-by-susan-mcgregor/.) Stray is one of the few j-school instructors who has integrated information security into his courses and authored well-received security guides for journalists. (For the first in his series, “Security for Journalists, Part One: The Basics,” see https://source.opennews.org/en-US/learning/security-journalists-part-one-basics/.)
6 This is particularly the case as attention to the issue has increased over the past two to five years, arguably peaking in the wake of the Snowden leaks in mid-2013.
7 For example, one of our cumulative track students had been grappling with an old installation of GPGTools in his Mail client from a hackathon-style digital security event he’d attended over a year previously, where he had not been given rudimentary instruction on how to use GPG/PGP, let alone crucial background about the tool that users need to have. And, unfortunately, one of the twenty-five-minute “targeted trainings” offered at the Tow Center’s “Source Protection” event was PGP, where the session lead unadvisedly had students install GPGTools instead of providing the briefest of introductions to the complex tool. One of our workshop students who hadn’t yet attended our three-hour PGP/GPG sessions approached us for help in uninstalling the tool and reported frustration with having been told to install it without proper background or instruction at the event.
8 Programs at CJS are intensive. Students work long hours and many work six to seven days per week; part-time students can be even busier as they juggle their day jobs alongside classes. Additionally, there are acute constraints on space at the school, which similarly limited our workshop estimations to weekends with no scheduled courses and no required events for students.
9 Although we agree with a number of journalists that the Snowden-Greenwald example is somewhat misleading due to the rarity of a Snowden-like source, we played the instructional video Snowden sent Greenwald explaining how to install and use PGP—and readily agreed with our audience that most people wouldn’t have used or followed it. (To access the video, visit https://www.youtube.com/watch?v=9mvf8VwVjJY.)
10 “Journalism After Snowden: A Lecture by David A. Schulz,” Tow Center for Digital Journalism, Columbia University, http://towcenter.org/blog/journalism-after-snowden-a-lectureby-david-a-schulz/.
11 “The Legal Environment for Media,” Center for International Media Assistance, accessed 24 Jan. 2014 at http://cima.ned.org/media-development/legal-environment.
12 In fairness, it should be noted that the human rights and freedom of expression communities have adopted this boot camp approach largely out of necessity. Limited geographic distribution of qualified trainers, the cost of international travel, and funding constraints make other models involving face-to-face training infeasible. Furthermore, members of these communities are in the process of reviewing chronic shortcomings, including the ways in which information-security training lacks funding, interdependent local support, and coordination between parallel efforts.
13 A key tenet of adult learning is that “adult learners benefit most from information presented in stages, and in a variety of formats.” For more information on training adult learners in information security, see the LevelUp Project, which provides curriculum, pedagogical advice, and logistical resources for information security trainers.
14 Columbia University Graduate School of Journalism, “The Lede Program: An Introduction to Data Practices,” accessed 25 Jan. 2015 at http://www.journalism.columbia.edu/page/1058-the-ledeprogram-an-introduction-to-data-practices/906.
15 We avoided asking workshop participants to perform tasks and assignments outside of the workshops, primarily because our workshops were already additions to overloaded schedules. Within a class for credit, the amount of content covered—as well as the type and depth—could increase considerably, as would the value of the course.
16 This was a reversal of our training experiences in the global human rights sector, where most trainees were Windows users. Our few NGO trainings for international media prior to CJS did, however, reveal a higher percentage of OSX users among journalists and bloggers.