Why aren't more journalism schools teaching digital security?

Martin Shelton

Principal Researcher

Arizona State University students - Gage Skidmore

Gage Skidmore (CC BY SA 2.0)

Many journalism schools have a blind spot. In an environment where newsrooms increasingly defend against targeted hacking and surveillance that could endanger themselves and their sources, digital security knowledge is a key part of the job. Yet most university programs offer students little to no security education.

J-school programs are designed to cultivate many skills, and security is increasingly a key part of a well-rounded education. What, then, are the competing interests and barriers that are getting in the way of a fully developed security education?

Want to help with our research on digital security education at j-schools? Share your thoughts here.

In 2017, Citizen Lab examined coverage of information security education at 32 Canadian and U.S. j-schools, finding only half offer information security training of any kind. Less than a quarter require this training. Of those offering some security education, the majority devote no more than two hours to the topic. At Freedom of the Press Foundation, we have a team of digital security trainers that facilitates workshops in newsrooms and universities alike, but security education cannot scale to reach all practicing and future journalists without baking it into the education system journalists rely on most.

With a variety of threats, and so many devices and applications to secure, one-time workshops are not necessarily enough to instill introductory knowledge necessary to help journalists protect themselves and their sources. In 2014, as fellows at the Columbia Tow Center for Digital Journalism, Carol Waters and Chris Walker conducted a semester of security courses and quizzed students on the basics, finding only about half passed a quiz on the material, even after attending as many as six three-hour security workshops supplemented by office hours.

There is some good news. Since 2017, for example, the new Craig Newmark Center for Journalism Ethics and Security at Columbia and University of Southern California’s Annenberg school have started to create programs that focus on journalism security. But we know we have a long way to go.

Of course, journalists come from all walks of life and professional backgrounds, and many reporters do not have a j-school background. But the fact remains that j-schools are one of the few places where we can reliably find aspiring journalists today who have the time and ability to learn digital security techniques in a comprehensive manner.

So we asked some students and professors about their department’s security offerings.

The need for “top down” support from departments and faculty

“We are in an urgent arms race, and we need to continually develop tools and mental frameworks to deal with that,” says Marc Ambinder, an adjunct professor at the University of Southern California Annenberg School for Communication and Journalism. “The more we delay making information security a central premise of journalistic education, the worse off journalists of tomorrow will be tomorrow, regardless of what the legal or technological landscape is.”

As a longtime national security reporter, Ambinder knows firsthand what it’s like to have sources investigated or reprimanded. He wants his students to learn from past real-world risks.

Students at his program are assigned remote reporting assignments, learning the context-specific challenges of reporting. Along the way, they will inevitably encounter security issues, and Ambinder is there to coach them.

“A student’s going down to the border, and the student is in the United States on a visa. And wants to know whether her rights if she crosses the border are different, and what she might want to do in advance of crossing a border with the journalistic work product that she has, in order to prevent the chance that someone might see it, or that she may be detained, or that she may be harassed upon detention. So there’s a mentality that we have to train into students as well, as much as training them on any particular technique.”

He says his school recognizes this. Alongside the USC Annenberg school, Ambinder is helping to craft a broad security program that he hopes will include both dedicated coursework, as well as integrated security modules in existing courses. This is only possible because of buy-in from the department.

Ambinder believes these skills will make USC Annenberg students more competitive candidates for journalistic roles after graduation. “Having looked at the core curricula requirements for many journalism schools in just preparing my own work… There’s very little type of this education that’s out there. One assumption I think being that, well, you’ll learn it when you go out into the field, when you get employed. I also think that unfortunately represents a mentality that might have worked five or six years ago. Now, I think it’s a plus if you can go into a newsroom and tell your editor, I know how to make sure that my communication with my source is fairly sacrosanct.”

Having even one advocate in the department is also one of the first steps to making substantive change.

Charles Berret, assistant professor at the University of British Columbia Graduate School of Journalism joined the department to focus on issues of technology use in journalism, and advocates for security education to be built into coursework. One of the issues frustrating adoption of full security courses, he says, is that departments have several competing priorities for course offerings. “Even if people like the idea, even if there’s a strong argument for it, they still have to create a course code… Just the idea that they have a limited number of spaces in which new courses can be placed, I think is an odd source of bureaucratic anxiety, but a real one, and it can really put the brakes on something even if there is some measure of support.” Berret says one way to address this concern is to further embed security education in existing coursework.

J-school students are taking on a growing roster of skills, nearly all of which now rely on technical skills. On top of narrative writing, this could mean students are taking on courses in documentary, photo, video, and audio journalism. Students are increasingly involved in data analysis and software engineering courses as well.

When trying to develop a well-rounded courseload, department staff are thinking through their priorities. Berret says, “The question is not so much do they want to do it, or not want to do it. Do they have any way to know whether the course is going to be the most valuable addition to the curriculum in the long run?”

Each professor in a department has the power to influence the current body of course offerings, and if they don’t reach consensus about an area of study, they may simply choose to forego or spend less time on it. Few professors are well-placed to advocate for additional security coverage.

Departments that have not determined a strategy to integrate security education deeply into their program are unlikely to hire professors with deep knowledge or experience on this topic. At the same time, j-schools with faculty experienced in security are often the agitators for integrating security education into coursework.

Students and “bottom up” priorities

Yael Grauer worked as an investigative reporter for over a decade, and had worked on security reporting for five years before joining the Arizona State University Cronkite School of Journalism and Mass Communication. The department, like most journalism departments, offers minimal security training, partly because they feel pressure from existing coursework. Grauer suggests many of the students in her cohort won’t pursue reporting on sensitive areas, but security is an overlooked issue at a moment when everyone is talking to sources over electronic, and sometimes insecure, channels.

For students whose journalistic careers are just beginning, Grauer suggests they may not yet know why security knowledge is going to be important in their work. “I’ve been doxxed. I’ve gotten harassed online… So maybe other people haven’t had that experience.”

Grauer says she is concerned about how her journalism program’s lack of coverage affects how its fledgling reporters interact with sources, and how this could affect sources’ livelihoods, because she has written for publications where sources have allegedly leaked information that could put them in jail. For some sources, speaking about their workplace with reporters can introduce the risk of losing their job. In national security or foreign affairs reporting, they might also risk their freedom. “I do worry. What if people here have sources that go to jail?”

Though she’s skeptical that most journalism programs would do so, Grauer feels j-schools should offer introductory courses on foundational security practices.

“I think people are just kind of set in their ways. I do think there should be a one-credit digital security class to just teach people basic stuff. Like password managers, two-factor authentication, how to use a Yubikey, different messaging apps, how to threat model.”

Building demand for security education

Alongside the growing role of computing in how newsrooms work, we also see the growth of both passive and targeted security threats journalists face each day. Future reporters must be equipped with the knowledge to protect themselves and their sources. J-schools have a meaningful opportunity to influence a generation of journalists and their sources that is safer than the last.

Freedom of the Press Foundation’s digital training team regularly conducts digital security trainings in newsrooms around the country. But a one-day training is often just the beginning, and we want to push journalism programs to think hard about how to integrate security education into their curricula, so that journalists are equipped with the right knowledge before they enter the newsroom. We need both top-down acknowledgment of the issue from department faculty, and bottom-up demand from students to make it happen.

Are you a journalism student or faculty member? If so, we’d love your help conducting research to learn how we can improve security education in journalism programs. Help us learn about your j-school here. And if your program is looking for assistance or consulting to bring regular security education to your school, we’re here to help.

Read more about Security

First major study looks at how SecureDrop is used in newsrooms in North America

Today the Tow Center for Digital Journalism at Columbia Journalism School has published a first-of-its-kind study on how newsrooms are using SecureDrop, our open-source whistleblower submission system that is now ...

Publishing the unredacted SecureDrop 0.3.4 audit report

In July, we announced the release of SecureDrop 0.3.4 and published the accompanying security audit by iSEC partners (now NCC Group). The audit found 10 issues, one of which ...

US officials have no problem leaking classified information about surveillance—as long as it fits their narrative

In the past few days there have been a flurry of stories about the Russian plane that crashed in the Sinai peninsula, which investigators reportedly think may have been caused ...