We know email is a central part of the reporting toolkit — central enough that the Department of Justice recently targeted the email records of journalists at The Washington Post, The New York Times and CNN in its search for sources of leaked information. Likewise, email often sits in inboxes indefinitely, making it a high-value target in digital attacks. That’s why it’s crucial for newsrooms conducting investigation-worthy work to know when to switch channels away from email, in ongoing and future communications.
Research with journalists on their security practices found in 2015 that email was one of the most common channels used to communicate, along with the phone. In their interviews with 15 journalists, researchers Susan McGregor, Polina Charters, Tobin Holliday and Franziska Roesner reported that choices in communication channels are “typically determined by what is most convenient for the source, including the platform on which [the] source is most likely to respond.”
The truth is, most emails that journalists exchange beyond their newsroom are not terribly sensitive. However, it’s also tough to tell when a conversation is about to become sensitive.
This brings us to the “first contact problem.” When a reporter exchanges an email with a source, even once, email providers have a log of those conversations — who emailed whom, when, and subject lines. At least in the United States, email providers like Google may be compelled to hand over these logs to investigators with a simple court order. Since the U.S. Press Freedom Tracker began keeping records in 2017, the Department of Justice has sought the email records of at least eight journalists.
Even if the reporter and source decide to move to a more secure channel, it’s too late; some records are already there.
Newsrooms should advertise their tip pages aggressively and encourage sources to use metadata-resistant channels when possible, to prevent communication service providers from keeping logs of their conversations in the first place. For example, Signal does not retain conversation metadata on their servers, and demonstrated this in courts. Likewise, SecureDrop is built from the ground up to maintain the confidentiality of sources.
When using email within a newsroom, metadata about who is speaking to whom might be somewhat less sensitive; after all, it’s a matter of public record what journalists are employed at an organization. But other communication channels can also be subject to legal requests. Perhaps your Slack is not a great place to have conversations about your Department of Justice source. It's important for newsrooms to have easy access to secure communication channels, such as Wire, and to develop a culture that normalizes switching to safer channels to speak about sensitive topics. Some conversations are OK over relatively unsecured channels. But you want the secure alternative readily available to pivot to when discussing confidential, or otherwise sensitive details.
Newsrooms are probably not going to swear off email any time soon, because in spite of its many risks, email offers us a known lifeline to the people to whom we want to speak. But journalists must become more comfortable knowing when and how to switch to a different channel, both for internal and external conversations. Newsrooms must also become more proactive about advertising — and normalizing — safer tip channels by default.