It’s a credo that most journalists strive to live by: Don’t share your notes and don’t give out advance copies of your story. But what many American journalists often lose sight of is that while traveling through cyberspace one might unwittingly put his work at risk. Stories that might still be in the tweaking stage could be intercepted while being transmitted. Anonymous sources, which may only be in a story version sent to the editor, might become public knowledge. That’s where the need for encryption comes in. Encryption — the method of encoding data to keep it secure — is one good way to frustrate computer hackers or other snoops. Currently, the only encryption standard the United States permits for development and export is what’s known as 56-bit Data Encryption (DES), a level that’s easily cracked, according to the Electronic Frontier Foundation.
While public encryption is limited, the U.S. military faces no such restrictions, which created a degree of skepticism when military-grade encryption was used to keep President Clinton’s Aug. 17 televised grand jury testimony secure. The U.S. policy seems to be that insecure encryption is OK for the public but not for politicians involved in scandals.
The top-secret nature of the presidential testimony drew attention to an issue that’s bigger than the complex algorithms and the prodigies striving to create “unbreakable” codes. As we hurtle toward a totally wired future, encryption means much more than a measure of protection.
There’s a lot of naiveté on the part of businesses and individuals regarding the security of their information. But for journalists and news-gathering organizations, encryption may be the only safeguard against increasingly sophisticated and hostile agents who use the ubiquity of networks to target the media. Despite this, end-to-end encryption has yet to figure into the communication plans of most journalists.
“There’s too little recognition of this issue, I’m sorry to say,” says Dan Gillmor, technology columnist for the San Jose (Calif.) Mercury News. “It’s a major cause of concern. If any business should recognize the need for this technology, it’s ours.”
Adam Clayton Powell III, vice president of Technology and Programs for The Freedom Forum, says: “The reason for encryption is the same reason for sealing an envelope. As far as I know, journalists seal envelopes when they mail stories and even innocuous letters to colleagues. Aside from obvious privacy concerns, journalists are not especially eager to see their work pirated or their scoops grabbed by competitors.”
Trouble on the frontier
For overseas journalists in particular, many of whom are increasingly dependent upon networks like the Internet for communicating with both sources and editors, security must become a priority. Reporters posted in countries with whom the United States has an adversarial relationship already find themselves in dangerous physical circumstances.
Advances in listening devices and network interceptors compromise their ability to gather news, at the very least. At worst, covert surveillance of network data may endanger lives.
Michael Stoll, now a reporter for the Press & Sun-Bulletin in Binghamton, N.Y., wasn’t in much danger when he attended an International Youth Conference in Cuba. But after he transmitted articles to two U.S. newspapers via a government-provided Internet link, he was chagrined to have Cuban officials quote his copy back to him verbatim.
Maud S. Beelman, director of the International Consortium of Investigative Journalists at The Center for Public Integrity, says: “Most reporters who work in the United States don’t see the immediate need for encryption. They assume they are safe.” She says encrypting information should carry the same weight as protecting one’s Rolodex.
Protecting your privacy
Philip Zimmermann, a world-renowned cryptographer, says the issue is nothing less than a battle for the control of free speech in a digital society. He is the creator of a free public-key encryption program known as Pretty Good Privacy (PGP), a robust 128-bit format that remains subject to U.S. export restrictions.
So if privacy and protection are prerequisites for free speech, what are newspaper organizations doing to protect themselves? Some whose Web sites involve some type of transactional feature use what’s called Secure Socket-Layer (SSL) encryption to protect monetary interactions.
But outside the financial realm, some observers say media organizations have placed themselves at great risk by not being proactive about encryption. A casual poll of reporters and executives at organizations like The New York Times and Hearst Newspapers generates little more than shrugs.
Beelman, however, cites the long-standing efforts of her former wire service employer, The Associated Press (AP), which maintains a private, internal network for all its communications.
Tim Gallivan, the AP director of news technology and a 19-year veteran in this field, points to the company’s proprietary system in use by both foreign and domestic correspondents.
“AP maintains a private, distributed computer network that doesn’t use any Internet protocols,” Gallivan says. “Our network is its own best defense. A hacker would have a very hard time accessing it, because it is so highly compartmentalized.”
The system uses dial-up modem locations around the country and protects its members through log-ins and passwords. Asked whether the system uses some form of end-to-end encryption, Gallivan says it does not but emphasizes, “The highly customized nature of a system like this leaves it impervious to tampering.”
To cryptographers like Zimmermann, such claims are cause for concern. He says, “If I were a reporter working for the AP, I would seriously question the integrity and safety of my information and myself.” He adds, “We’re not talking about pimply faced teen-age hackers here. We’re talking about very resourceful and determined governments, corporations and agents who have highly sophisticated means to intercept data. Private networks, no matter how customized, are susceptible without end-to-end encryption.”
Gallivan’s response: “He’s all wet. If intruders ever succeeded in getting into this system, they would be faced with an extremely daunting task of having to breach every layer of process that protects our information.”
From Gallivan’s perspective as a journalist, the desire to break into such a system would be limited anyway. “Most of us are not too concerned about leakage because news is such a perishable commodity,” he says. “We have dealt with protecting our sources and information for 150 years, and since we adopted this network, we have never had a breach.”
Still, Gallivan is quick to underscore AP’s active research and testing of system extensions to deal with the vagaries of Internet communications on the rise. “We can never be complacent about these things,” he says.
Ann Harrison, a senior writer for Software magazine who covers security and business intelligence, supports the side of cryptographers on this issue. “Large organizations with private networks are vulnerable, and reporters in the field are vulnerable,” she says. “I think there is much more network monitoring than they think there is.”
How the code was cracked
Journalists used to lock up and hide papers they didn’t want anyone to see, but there is nowhere to hide in cyberspace, since the technology which spawned it also provided the building blocks for electronic surveillance.
“There’s a parallel between encryption’s fate and what happened with electronics in the ’50s and ’60s,” says Zimmermann, now an independent consultant and Senior Fellow at Network Associates, a technology conglomerate devoted to building commercial security software. “In the ’50s, the government created integrated circuits specifically for guided missile technology, which inadvertently crossed over and gave rise to the consumer electronics industry of the ’60s.”
Cryptology was a public occupation until the U.S. military completely co-opted the field during World War I to protect national security interests. Realizing the value well beyond wartime, the government held the science and art of making and breaking codes under its classified purview.
Computer technology arose from the need for machines that could execute split-second mathematical calculations in order to make or break ciphers. So long as computers were expensive machines that only governments or research institutions could afford, cryptography remained beyond both the need and reach of the general population.
The personal computer revolution of the 1980s and 1990s irrevocably altered communication, and federal officials felt pressure from cryptographers, as well as commercial industries, to yield the use of encryption.
The military relies on symmetric, or secret-key, codes, using the same code for both encryption and decryption of messages. In 1976, a paper written by Whitfield Diffie and Martin Hellman, called New Directions in Cryptography, introduced the concept of public-key, or asymmetric, cryptography.
Essentially, it uses two unrelated keys, one for encryption and one for decryption. It meant anyone could encrypt information using a universally available public key and decode it by using a privately held personal key, giving the privacy of citizens the same strength as the symmetric codes still held secret by the military.
Federal officials, however, balked at the notion. The FBI and Department of Defense remain so concerned about encryption circumventing their ability to carry out surveillance of potential lawbreakers or terrorists that levels of encryption were given munitions status. Distributing an “unbreakable” cipher could be considered a prosecutable offense.
Zimmermann knows. After the publication and release of his PGP freeware in 1991 (software that is now considered the de facto worldwide standard for public-key encryption of e-mail), he found himself the target of a three-year investigation by the U.S. Customs Service. The investigation was closed without indictment in 1996 but not before exposing the cryptographer’s plight and the political intricacies of granting people the means to keep speech private.
A better stage coach
Today, Zimmermann attempts to raise the awareness of both government officials and the public. “Without encryption, there is no other way to send from point to point securely. When you consider the capacity and availability of new surveillance technologies, you realize just how much we have to hang onto our privacy right now.”
In an ironic twist, even federal officials are urging U.S. businesses not to rely on the government to protect their information privacy. According to the President’s Commission on Critical Infrastructure Protection estimates, hacking into corporate and government computer networks will cost the U.S. $10 billion a year.
Last year, 250,000 hacks were attempted on the Pentagon’s network alone. CIA director George Tenet has urged U.S. industry to “get off its butt.”
As for news organizations, Gillmor of the San Jose Mercury News says common sense is what’s necessary. “Paranoia is no more helpful than lazily assuming no unauthorized person could ever read what you send or store.”