Tech journalist Lorenzo Franceschi-Bicchierai received an anonymous tip in 2017 through SecureDrop, a whistleblower submission system and project of Freedom of the Press Foundation (FPF).

The source revealed via the encrypted platform that they had hacked a software provider called “Retina-X” and proved the company was “storing very sensitive information in a very insecure way.” The findings helped Franceschi-Bicchierai, now a senior writer at TechCrunch, to break the tech reporting website Motherboard’s “first big investigation on stalkerware,” he said.

He credits SecureDrop’s encrypted anonymous file sharing, saying that without it, “perhaps we would have never gotten that story.”

He shared this anecdote at FPF’s Global Encryption Day discussion on social platform X, held on Oct. 22, 2024, to raise awareness about encryption and explain why it should be a part of every journalist’s toolkit.

Encryption, in a nutshell, is a method of protecting data like computer files or messages in such a way that they cannot be “modified or viewed unless someone has the key to open them,” Harlo Holmes, director of digital security at FPF, explained during the X Space. End-to-end encryption takes things a step further by ensuring that only the devices that are part of a conversation can decrypt and see the information.

While not every tip leads to a revelation, encryption makes the job of gathering information and protecting sources much easier for journalists. For those who haven’t adopted encrypted practices, the time to start is now, panelists agreed.

“Encryption used to be so hard,” said Julia Angwin, The Markup and Proof News founder and New York Times contributing opinion writer. “In 2012, you had to have your public key. And there were these key exchange places where you would look up other people’s keys.”

Now, with the advent of messaging apps like Signal and WhatsApp, she said, “It’s gotten so easy.”

But not all encrypted platforms are created equal, according to Holmes. Platforms like SecureDrop and OnionShare offer more protection, though they can be a heavier lift for smaller newsrooms or independent journalists to get and maintain.

Conversely, WhatsApp and Facebook Messenger — which both offer end-to-end encryption — are easier to use but log more metadata that can be leveraged through a subpoena or by law enforcement if a journalist’s device is seized.

“This is why it’s really important for potential sources to find a journalist that they trust not only to tell their story but also that they trust to be as mindful about their communication with them as possible,” Holmes said.

Communication, however, is only one way encryption can be used. It can also be a powerful tool for securing information on hard drives or phones to protect sensitive documents from unwanted intrusion.

One real-world example is at a border crossing, Angwin said, where the Fourth Amendment — which protects against unreasonable searches and seizures — doesn’t apply to the same degree as elsewhere.

“The best advice is to not bring your devices, but that is not really realistic,” she said. “A couple different things that I have tried is encrypting the hard drive and having it with a passcode. … Also, Signal has a little thing where you can delete (the app) off your phone really quickly if you need to. There’s kind of like an emergency button.”

“The best thing you can do is store as little as you can,” added Franceschi-Bicchierai. But nearly all journalism requires the storage of data somewhere, which is why compartmentalizing where your data is stored, and on what platforms, can be crucial to protecting yourself and your sources.

“It’s best to spread the risk,” Angwin said.

There will always be risks, however, as threats to encryption develop outside the control of journalists. Holmes warned in particular about “backdoors,” which are created within platforms to bypass their security protocols.

One of the worst backdoor examples surrounds the use of a pen register, a legally obtainable way to trace outgoing communications from phones or computers. The process that ensures compliance within these platforms, however, has been used by hackers to surveil people thanks to backdoors baked into the systems.

Governments can also establish backdoors legislatively, under the guise of “moderation,” to access information that should remain confidential — which Angwin likens to George Orwell’s “1984.”

“Nobody wants to live in a world where every single piece of content that you share with your family, just a text message, is scanned by some third party trying to determine if you’re doing something bad,” she said. “It is sort of shocking to me that it continues to gain interest across the world and that there are people fighting these proposals in every country right now.”

But for all the fearmongering from law enforcement and governments around the world, “The good news is that encryption is here to stay and it is normalized,” Franceschi-Bicchierai said. “Life has become easier for journalists and sources.”

If you are looking to learn more about encryption and how to implement it into your workflow, FPF offers a toolkit for media-makers. We also conduct digital security training and offer related resources to journalists around the world.