In the months since Donald Trump took office, Washington has been leaking like a sieve. The new administration has become such a consistent source of revelation and gossip that the president frequently tweets about the “illegal leaks coming out of Washington” or reporters using anonymous sources as producing “#fakenews.” The deluge of disclosures also comes as the growth of secure messaging and file transfer tools like Signal, Confide, and SecureDrop have made it simpler for sources to spill secrets to journalists. In an attempt to plug the West Wing’s leaks, press secretary Sean Spicer reportedly seized his employee’s cellphones, in February, “to prove they had nothing to hide.”
But is secure leaking really more simple and widespread than ever before? As researchers, we wanted to find out. So we conducted a census of Washington journalists to find out whether these tech tools were really taking off. Turns out, many political reporters seem to be better equipped to play a part in All the President’s Men than they do in Citizenfour.
Journalists need to protect themselves and their sources from threats like government surveillance, corporate hacking, metadata collection, and even casual snooping. So much journalism today takes place digitally—from composing stories to sending emails to messaging and texting to saving notes. If journalists don’t take proper precautions, all of this material could fall into the wrong hands, putting journalists and sources at risk. That’s where rigorous security comes into play. There are no official best practices, but there are lots of options. If journalists need to make sure there isn’t a record of text logs, call end or start times, or contact information on their phones, an app like Signal or Confide comes in handy. Since emails might be intercepted, reporters could use end-to-end encryption made possible by technologies like Pretty Good Privacy or secure email like ProtonMail to make it impossible for anyone other than the sender and receiver to see messages. Of course, all of this is only useful if journalists make these resources known to potential sources, such as by putting the info in their Twitter bios.
Alas, our findings suggest that secure communications haven’t yet attracted mass adoption among journalists. We looked at 2,515 Washington journalists with permanent credentials to cover Congress, and we found only 2.5 percent of them solicit end-to-end encrypted communication via their Twitter bios. That’s just 62 out of all the broadcast, newspaper, wire service, and digital reporters. Just 28 list a way to reach them via Signal or another secure messaging app. Only 22 provide a PGP public key, a method that allows sources to send encrypted messages. A paltry seven advertise a secure email address. In an era when anything that can be hacked will be and when the president has declared outright war on the media, this should serve as a frightening wake-up call.
The good news is that newsrooms are more likely to offer secure communication tools than they were just a few years ago. A report from the Columbia’s Tow Center for Digital Journalism, for example, shows that the number of employees at major news organizations with registered encryption keys spiked after Edward Snowden’s leaks about the National Security Agency’s surveillance programs began in 2013. There was also a post-Trump bump. The secure messaging app Signal, for example, saw its downloads peak on Inauguration Day. The Gizmodo Media Group took out targeted Facebook and Washington bus shelter ads encouraging government employees to “tell on Trump” via various anonymous transmission platforms. Our research showed that journalists within certain beats, such as national security and technology, and organizations, such as digital native outlets, were slightly more likely to advertise their encrypted communications.
We also found that many major news organizations didn’t publicize secure and anonymous ways to submit sensitive information either. The Official SecureDrop Directory, a listing of secure file transfer web addresses managed by the Freedom of the Press Foundation, lists only 15 American news organizations (if you include the Guardian) and two individual journalists, Barton Gellman of the Washington Post and Wired’s Kevin Poulsen. It mostly includes the organizations you would expect: big names like the New York Times, Associated Press, the Washington Post, and USA Today; some digital native sites like BuzzFeed and Vice; and investigative outlets like ProPublica, the Intercept, and the Center for Public Integrity. The New Yorker offers SecureDrop on its website, though it isn’t listed on the directory. NBC News advertises a mix of contact information, which includes numbers for encrypted apps like Signal and Telegram.
Notably missing, however, are CNN, CBS, ABC, NPR, and the Wall Street Journal, plus scores of locally focused news organizations (though some do have individual reporters who advertise secure contact information). Doing a bit of searching, none of these big players have strong, easily accessed alternatives for their institutions either. CNN’s website, for example, encourages users to use a basic form or go to its social media platforms to share tips.
Sure, end-to-end encrypted information isn’t the only tool to help conceal a source’s identity. And while it provides considerable protection, it’s not fail-proof. But it’s troubling, particularly because, according to a 2015 Pew Research Center survey, many in the media are also neglecting other information security practices such as turning off electronic devices when meeting with a source or using dummy email accounts.
When journalists don’t step up, sources with sensitive information face the burden of using riskier modes of communication to initiate contact—and possibly conduct all of their exchanges—with reporters. It increases their chances of getting caught, putting them in danger of losing their job or facing prosecution. It’s burden enough to make them think twice about whistleblowing.
White Houses have historically been sensitive to disclosures that they worry could damage American security interests. Former President Barack Obama, for one, used the Espionage Act to prosecute more leakers than any administration in history. He also used it to go after journalists, including the Times’ James Risen, who almost went to jail for refusing to reveal confidential sources. But journalists we spoke to said that this administration feels even more worrisome to them. Trump has shown a penchant for villainizing all leaks, equating sensitive national intelligence revelations with innocuous depictions of warring White House factions. He’s also demonstrated fundamental misunderstandings about the important role independent media and whistleblowers play in a democracy. Even the tough-on-leaks Obama administration didn’t use “consistent rhetoric that it was a moral failing or an act of cowardice,” said Politico cybersecurity journalist Eric Geller.
National security reporters we spoke to said that sources in their beat generally know how to communicate securely and can find journalists that do as well. But with the expanded war on leaks, it’s becoming increasingly important for their colleagues covering other Washington beats, too. The Daily Beast’s Betsy Woodruff said she doesn’t use these technologies for most communication with sources, but she finds them helpful for covering both national security and immigration. “There are a lot of people that are just more comfortable talking, more candid, [and] will spend more time talking to you if it’s through an encrypted app,” she said.
Our sample certainly has some limitations. It looks only at reporters with permanent credentials for the 114th Congress (2015–16), and it’s possible that these journalists have been slower to adopt secure communications because congressional sources aren’t facing the direct wrath of the administration. Others doing related coverage may, for various reasons, not have this particular credential. But the 2,515 on the roster do represent a wide spectrum of Washington journalists, most of whom also cover politics beyond the Hill.
It’s also true that reporters who solicit tips via secure communications aren’t necessarily getting dumps of earth-shattering classified information. Sources may not know the advantages of using them. Or, as in the recent case of defense contractor Reality Winner, they may make other security missteps along the way. Or as Dan Vergano, a science reporter for BuzzFeed who links to both his PGP key and his publication’s secure tips guide on his Twitter account, put it: “It’s not a magic piggy bank—[where] you turn it on, you put it on your Twitter bio, and all of a sudden the tips come rolling in.”
The New York Times, however, has claimed the secure communication channels it launched late last year have been fruitful, especially those via mobile platforms Signal and WhatsApp. In March, the Times said it was getting 50 to 100 tips a day from them, of which only one-third were immediately discarded.
Nonetheless, even if sources haven’t used secure communications, there are journalists ready and waiting. “I set one up because you never know,” said Washingtonian’s Ben Freed, who advertises Signal and PGP in his Twitter bio. “It’s one more tool to have. In the event that somebody wants to send me some secure documents, some classified documents, or tapes, and they want to do it over a secure channel.”
All of the journalists we spoke to stressed that leaking sensitive information shouldn’t be viewed as a casual act. Leaks may pose real dangers to national security if published. Tips may be false, misleading, or power plays by a political operative. But countless sources disclose information Americans deserve to know—some at great personal risk.
“There are people who are going to great depths to do something for public service and they are trying to help us out,” said the New York Times’ Matthew Rosenberg, “and the least we can do is to try to keep them safe.”