[Cryptography] Columbia Journalism Review: How NOT to report on encryption
hbaker1 at pipeline.com
Sun Dec 6 10:35:49 EST 2015
FYI -- It looks like Trevor Timm finally wrote the article that desperately needed to be written.
"rarely has the coverage of such a debate been so lacking in facts--especially considering that encryption is a tool reporters increasingly need to do their jobs"
How not to report on the encryption 'debate'
By Trevor Timm
December 4, 2015
Rarely has a public debate been ignited so fast as the one about whether to ban online encryption after the tragic Paris attacks two and a half weeks ago. And rarely has the coverage of such a debate been so lacking in facts--especially considering that encryption is a tool reporters increasingly need to do their jobs.
The deplorable terrorist attacks in Paris occurred on the evening of Friday, Nov. 13. By the end of that weekend, news organizations had published dozens of articles linking the Paris attackers with the use of encrypted messaging apps that prevent the companies that make them--and therefore governments--from easily accessing the messages their users send back and forth. By the following Monday, there were literally thousands of articles questioning whether such apps should be outlawed, spurred on by the Sunday talk shows that gave intelligence officials license to speculate on the "likely" use of encryption as a catchall excuse for why the attacks had not been detected, and to condemn the technology without a single skeptical follow-up.
Why were officials saying it was "likely"? Not because they had actual evidence, but because they assumed that if authorities didn't know about the plot in advance, the terrorists must have used encryption. (Yes, that was the actual explanation Senate Intelligence Committee Chairman Richard Burr later gave reporters when pressed.) Meanwhile, an early New York Times article on the attackers' supposed use of encryption--sourced to anonymous European officials, whose assertions became the launchpad for many of the weekend's think pieces--was quickly rewritten and the anonymous reference to encryption removed (without a note to readers about why).
"We think that's a likely communication tool because we didn't pick up any direct communication" (2/2)
-- Julian Hattem (@jmhattem) November 17, 2015
By Monday night, the Times made clear in its lead story about the still-raging encryption debate that there was "no definitive evidence" that encrypted communications had been used by any of the attackers, but by then the terms of the discussion were already set, and the CIA had no problem continuing its epic game of blame deflection throughout the week.
NYT: "There is still no definitive evidence to back up" the claims that the Paris terrorists used encryption https://t.co/P8t0q4BJYv
-- Trevor Timm (@trevortimm) November 17, 2015
First, there was CIA director John Brennan, last seen deceiving the public about the CIA spying on Senate staffers, lamenting that privacy laws were to blame. Former CIA director James Woosley was allowed to opine at length on CNN about his preferred method for killing Snowden, claiming he had "blood on his hands" for the supposed rise in use of encryption after his leaks. Then there was this Michael Hirsh "interview" with former acting CIA director Michael Morrell in Politico. Calling it a softball is an insult to softball players; it was more like T-ball.
To this day, there's hardly any publicly available evidence that the Paris attackers used encrypted communications to plan their attack. It's important to point out, as journalist Dan Gillmor astutely writes, that whether these particular terrorists did use such technology should not matter in the debate over whether to ban it. But it does prove how easily the CIA can still mislead and steer the media while diverting attention from its own potential failures.
What have we learned since the "ban encryption" movement gained full steam on the first weekday after the attack? It turns out that most of the attackers were already known to intelligence agencies. Within a week of the attack, we found out they had used Facebook to communicate, as well as normal SMS text messaging. The ringleader even bragged about infiltrating Europe and planning an attack in ISIS's English language glossy magazine, complete with a photo spread.
The Paris attackers used Facebook, not encryption
and in an ISIS dedicated group! https://t.co/QmcVcQWZ5S pic.twitter.com/VB1TmCF1Hp
-- the grugq (@thegrugq) November 20, 2015
By this week, The Wall Street Journal was reporting that the Paris attack had been "hatched in plain sight": The terrorists used their real names and identification cards for hotel and rental car reservations and did not noticeably try to cover their tracks.
To be fair, we know these facts because print media started to get the story right after a few days. The New York Times editorial board wrote in its scathing editorial on the subject of encryption and intelligence agencies: "It is hard to believe anything Mr. Brennan says." The Washington Post wrote a very informative article headlined "Why it's hard to draw a line between Snowden and the Paris Attacks." (Hint: Because there isn't one.)
But cable news, which sadly often reflects the national agenda more than print, had no interest in the truth, and as Glenn Greenwald wrote, "neither CNN nor MSNBC has put a single person on air to dispute the CIA's blatant falsehoods about Paris despite how many journalists have documented those falsehoods."
Part of the problem is that many reporters--television anchors in particular--apparently don't understand the basics of how encryption works and what it does and does not do.
First, even if terrorists do use encryption, that doesn't mean a giant black cape has been thrown over them so they can work in complete secrecy. Far from it: Authorities can still track the precise location of terrorists 24/7 if they carry a mobile device. Even if suspects encrypt their communications, intelligence agencies can get information about who they're talking to, when, and for how long. They can also hack into individual terrorists' computers or phones and read their messages, no matter what type of encrypted apps they are using. (For more, read Nathan Freitas's "6 Ways Law Enforcement Can Track Terrorists in an Encrypted World.")
Ask any national security reporter who has tried to completely switch to encrypted and anonymous communication with a source and you'll find that it is virtually impossible unless you have weeks or months of training. Even then, if the agency tracking you is the NSA, you don't stand much chance. "People must communicate," Director of National Intelligence James Clapper reportedly said in 2014, downplaying any damage the Snowden revelations may have caused. "They will make mistakes, and we will exploit them."
Then there's the question of why journalists always frame the encryption debate as a perilous balance between privacy and security. It's the government's favorite dichotomy to trot out right before it proposes to violate your privacy a little more. But more importantly, it's not accurate.
While end-to-end encryption certainly gives us an extra layer of privacy protection at a time when our rights are constantly being eroded, this is actually a security vs. security debate. Encryption's main purpose is to protect us from hackers of all sorts--the kind responsible for the disastrous data breaches at Target, JP Morgan Chase, or the US government itself. The government is complaining that companies cannot unlock certain communications because only the sender and the receiver hold the key--the company itself does not. When tech companies do not have a way to access all their customers' data at once, neither do hackers. As a commentator said last week in response to the new push to ban encryption in the name of "security": "Weakening security with the aim of advancing security simply does not make sense."
Only a month ago, politicians were saying that cyber-security was our number one priority. Ranking intelligence committee chair Sen. Dianne Feinstein said: "It's impossible to overstate [the cyber-security] threat." Now she and others are going on television brushing aside those concerns--or simply refusing to address them.
Umm, what? https://t.co/v80iqfihU8 pic.twitter.com/Y6qEXtDuZA
-- Trevor Timm (@trevortimm) November 22, 2015
There are, of course, many questions reporters can and should be asking intelligence officials: Don't you still have many other ways to track terrorists, even if they use encrypted messaging apps? If the terrorists planned so much of this out in the open, and they were known to intelligence agencies, why didn't you catch them with the resources you already had? Do you actually have too much information to be effective, as many have argued? Specifically, how would a ban on encryption have helped you in this instance?
Encryption is not an issue about which reporters should be "neutral"--it directly affects their wellbeing. Encryption is increasingly an important tool for journalists of all stripes, whether it's protecting your computer and phone if you go over a border or are arrested, or everyday conversations you have with sources via text message or email that could be swept up in a mass surveillance net.
As lawmakers continue to push for legislation around encrypted communications in the coming months, there will no doubt be many more stories written by journalists around the country. Let's hope that as the story continues to unfold, the debate--and those writing about it--will get a little more honest and a little more knowledgeable than they have been the past two weeks.
Trevor Timm is the executive director of Freedom of the Press Foundation, a non-profit organization that supports and defends journalism dedicated to transparency and accountability. He is also a twice-weekly columnist for the Guardian, where he writes about privacy, national security, and the media.
More information about the cryptography