When professionals need to offer confidential communications, can they do it?

Add to my custom PDF

Investigating the Computer Security Practices and Needs of Journalists

Information technologies have enhanced communications between individuals, but have also increased the risk of a violation of confidentiality. This has put professionals that require such confidentially for the performance of their trade, such as journalists, doctors, researchers and lawyers, and their sensitive clients at risk. The computer security community needs to have a better understanding of the practices, needs and constraints of these professionals. This will allow the development of security tools that can fully protect the sanctity of confidential practitioner to client communications.

McGregor et al., conducted interviews in both the United States and France to investigate computer security practices and needs of journalists from a computer security perspective. Security issues that are apparent in communications between journalists and their sources are likely to be applicable more widely. This would include communications between lawyers and their clients, doctors and their patients, government departments and members of the public, researchers and study participants and so on.

15 journalists from a range of well-respected institutions participated in the study. Working with a small group allowed the authors to conduct in-depth, semi-structured interviews. The interviews focused on the general practices, security concerns, defensive strategies and unfilled needs regarding security technology of the participants.

The study found that the professionals made use of non-technical defensive strategies, such as physically mailing digital data and ad-hoc defensive strategies, like code names or intermediaries. Those who did employed technical strategies, such as disk encryption, did so sporadically and reported requiring an extended amount of time before being comfortable with them. The professionals stated that anonymous security tools interfere with the process of authentication of sensitive clients. Alternatively, not using security tools puts them at risk, because of the recording and auditing inherent in modern communications; such as metadata trails. Also, clients often determine the communication method used by professionals. As they often do not have the technical knowledge or access to computer security technologies, especially if they are part of more vulnerable populations, a lower levels of security is required. The professionals also mentioned that they lack secure systematic management tools and secure technical support for transcription purposes. The organization employing these professionals also appeared to play an important role in influencing their security behavior.

Recommendations for the Computer Security Community
1.

Anonymous communication tools should address the issue of authentication of sensitive clients by professionals.

2.

Effective, usable and transparent solutions to overcome the tracking of metadata trails are needed.

3.

Security technologies that are accessible to populations with low technical skills or limited access to technology should be developed.

4.

Improved access to computer security technologies for low-income and vulnerable populations is needed.

5.

Professionals need a secure and systematic knowledge management system to support the storing, organizing, searching, and indexing story-related data.

The organization is able to play a crucial role in the understanding and competent implementation of communications security and related behaviours of professionals. However this is only part of the problem Professionals make decisions on how to communicate on the level of comfort their client has with securing technologies. Ensuring the confidentiality of these forms of communication requires that the awareness and competence of the greater public is required. Further, professionals are missing secure tools for the collection processing and storage of data. The computer security community could seize these opportunities and fill the voids.

Practical communications security is limited to the level of the least capable. Ensuring that the public can confidently confide in their professionals requires work at many levels.