Thousands of people in Canada have access to top secret government documents, but if any of them are considering following in the footsteps of Edward Snowden and leaking records to journalists, they will find comparatively few reporters in this country who are capable of protecting them.
Snowden, an NSA contractor turned whistleblower, leaked a massive trove of documents that revealed potentially illegal surveillance programs throughout the “Five Eyes” intelligence alliance of Australia, Canada, New Zealand, the United Kingdom and the United States. Intelligence agencies in these countries not only monitor the communications of terrorists and foreign states, they also collect private and potentially compromising information from journalists and the public at large.
However, since the Snowden leaks were made public, only a handful of reporters in Canada have taken steps to secure themselves and their sources. Many investigative reporters and even some national security reporters in Canada are not equipped with e-mail encryption.
A CANADALAND investigation into over one hundred Canadian media organizations, including all major papers and broadcasters, found that only 37 journalists in the country have publicly begun using encrypted email with their work accounts since the first Snowden NSA stories in June 2013. This information was obtained using the MIT PGP Public Key Server, a sort of a phone book for PGP encrypted email contacts, to find journalists and other staff publicly using PGP encryption with their work email accounts. The number does not include freelance reporters, but it remains atrociously low when compared with journalism in the United States.
For example, in the same period from June 2013 to present, reporters at the New York Times alone registered 55 encrypted professional email accounts.
Only 12 media outlets in Canada have had reporters sign up for encryption since the Snowden leaks. The Toronto Star tops the list with 7 new PGP users, Sun Media has 6, and the Globe and Mail and La Presse tie the CBC with 5 new PGP users apiece.
Dozens of media organizations including Global, Macleans and the Canadian Press, didn’t have a single email address registered on a public key server.
However, looking up the emails of media organizations on the public key server does not reveal all the journalists using encryption. Three categories of journalist do not show up: freelance journalists, reporters who have only encrypted their personal email accounts and those who have not listed themselves on the server.
For example, VICE Canada politics reporter Justin Ling uses PGP but hasn’t uploaded his key to a public key server. His colleague, Matthew Braga, listed his personal account on the server in 2013, but only added his @vice.com email address this February.
To increase the scope of our investigation, CANADALAND set up an email account under a pseudonym, ‘Loqior’, and contacted several Canadian journalists while posing as a source hoping to leak them documents through encrypted means:
“Is there a way to send you an encrypted message? I was not able to find you on the Public Key Server. If you are using PGP encryption, please send me your public key.”
The email was sent to national security reporters, the winners of the most recent round of CAJ awards and to investigative news programs.
Reporters who were already using encryption were not contacted. These included the CAJ award winners Amber Hildebrandt and Michael Pereira of the CBC, who are currently collaborating with Dave Seglins to report on Snowden documents. National security reporters Michelle Sheppard of the Toronto Star and Colin Freeze of the Globe and Mail were also already using encryption.
Especially troubling is that the majority of CAJ award winning reporters did not respond to the email. Neither did the investigative news programs W5, The Fifth Estate and 16×9. Two national security reporters who were contacted, Jim Bronskill of the Canadian Press and Ian MacLeod of the Ottawa Citizen were not using encryption but are planning to do so in the future, both indicated that if the matter was urgent they would set it up right away.
On the other hand, some positive stories did emerge.
Glen McGregor, a reporter with the Ottawa Citizen, initially responded, “No, don’t have anything like that but I suppose I should probably get one.” Less than 30 minutes later he replied with a newly established public key.
Similarly, freelance journalist David Ball replied, “There is now” along with a link to his public key.
Most impressive was the response from the CBC’s Ian Johnson, who replied to the email with the key for a “trusted colleague”, and explained that “If necessary, we have access to an air-gap computer, use Tails and can also use other tools to help ensure privacy if the situation requires it.”
Robert Fife, a parliamentary reporter with CTV, responded by saying the he did not use PGP encryption, but provided his BlackBerry Pin to Pin, another means of sending an encrypted message that is widely used in government circles. While much more secure than sending unencrypted messages, Blackberry pin messages fall short of the security provided by other forms of encryption. The CSE states on their website that “any BlackBerry device can potentially decrypt all PIN-to-PIN messages sent by any other BlackBerry.”
“Encryption works,” declared Snowden, shortly after stories based on his leaks were first revealed. “Properly implemented strong crypto systems are one of the few things that you can rely on.”
Whether through legal or illicit means, unencrypted emails can be read by a variety of parties, including internet service providers, email providers, law enforcement, spy agencies, and criminal hackers. Without encryption, a journalist has shut the door to sources who need a secure method of communication in order to protect their identity.
“As a reporter, you are holding yourself out to the public as someone who sources can trust” says Lex Gill, a Montreal based activist and law student, who has organized training sessions, dubbed ‘crypto parties,’ aimed at helping the public learn to use encryption tools. “In this day and age it is irresponsible for anyone who is communicating with vulnerable sources, or has sensitive documents, to not be using encryption. This is a matter of journalistic ethics.”
If any CSE employees are disturbed by their agency’s current activities, they may not feel safe approaching many media organizations in Canada. That’s because the handful of journalists using PGP encryption on its own this is not enough to protect sources with highly sensitive records.
In 2013, the New Yorker began using SecureDrop, a system designed to allow sources to send journalists records with considerable protection.
The following year the Guardian, the Washington Post and many other media outlets began using SecureDrop. However, it wasn’t until earlier this month that the Globe and Mail became the first organization in Canada using the tool.
“SecureDrop is the 21st-century equivalent of the manila envelope,” said David Walmsley, the Globe and Mail’s Editor in Chief, when the newspaper announced earlier this month that it had adopted the technology.
Sources can upload encrypted data to SecureDrop, but the system is only accessible through Tor, a tool that allows users anonymity by routing their online traffic through multiple computers across the Internet.
Journalists then receive the encrypted data from SecureDrop and transfer it via a USB key to an air-gapped computer—a machine without an Internet connection—to prevent external access. The data is then decrypted on the air-gapped computer, which uses Tails, an operating system that runs off a USB key and leaves no trace on the computer running it.
The Globe and Mail, however, is not the only media organization in Canada that is capable of secure communication beyond PGP. Some reporters at CBC are capable of decrypting messages on an air-gapped computer running Tails. The problem is that the broadcaster doesn’t publicize this capability, and potential sources have no way of knowing.
The handful of CBC reporters using encryption are likely a product of the broadcaster’s current collaboration with Glenn Greenwald, one of the reporters first approached by Edward Snowden, and his publication The Intercept.
On October 21st 2014, Greenwald visited CBC’s Toronto headquarters to talk about his reporting on surveillance. On that same day Dave Seglins first registered an encrypted email account. Soon after Amber Hildebrandt and Michael Pereira would also encrypt their emails, and a few weeks later the CBC began publishing stories on Snowden documents related to CSE.
The dates that these reporters publicly began using encrypted email are known because they published their public keys and other information needed to contact them on a public key server – a sort of a phone book for PGP encrypted email contacts.
While any number of spy agencies around the world may be targeting journalists covering national security, reporters covering other beats are not immune from risk.
“The government isn’t the only party who has strong incentives to monitor your communications: everyone from the private sector to organized crime might pose a risk to journalists,” says Gill, the Montreal based law-student.
She is convinced that encryption is integral to the future of journalism, and encourages reporters to not only learn to use PGP encryption but to also use other tools that are designed to encrypt their phone calls, chats, text messages, and the data that is stored on their computers. She thinks it is particularly important that reporters are encrypting their notes, and other sensitive documents.
UPDATES (March 20th):
Since this article was published several journalists have added their keys to the Public Key Server. This list provides the names and keys of some of the Canadain reporters using PGP encryption, and info on how to be added.
If you want to learn encryption and other security tools a great resource is provided by the Electronic Frontier Foundation’s Surviellance Self-Defence guide.
Two reporters at the Globe and Mail registered encrypted email between research for this article was conducted on March 12th and when the article was publlished on March 19th.
UPDATES (March 19th):
Matt Braga joined VICE in January 2015, and added his key to the Public Key Sever that next month.
The New Yorker began using encryption in 2013, this article had previously said it was the New York Times.
While The Fifth Estate did not respond to an email to firstname.lastname@example.org, the email listed on their contact page, a seperate part of their website provides the email address email@example.com, and indicates that a PGP key can be provided.
Information about BlackBerry Pin to Pin from CSE’s website was added to the article.