Jump to ContentJump to Main Navigation
Show Summary Details
More options …

Proceedings on Privacy Enhancing Technologies

4 Issues per year

Open Access
See all formats and pricing
More options …

Individual versus Organizational Computer Security and Privacy Concerns in Journalism

Susan E. McGregor / Franziska Roesner / Kelly Caine
Published Online: 2016-07-14 | DOI: https://doi.org/10.1515/popets-2016-0048


A free and open press is a critical piece of the civil-society infrastructure that supports both established and emerging democracies. However, as the professional activities of reporting and publishing are increasingly conducted by digital means, computer security and privacy risks threaten free and independent journalism around the globe. Through interviews with 15 practicing journalists and 14 organizational stakeholders (supervising editors and technologists), we reveal the distinct - and sometimes conflicting-computer security concerns and priorities of different stakeholder groups within journalistic institutions, as well as unique issues in journalism compared to other types of organizations. As these concerns have not been deeply studied by those designing computer security practices or technologies that may benefit journalism, this research offers insight into some of the practical and cultural constraints that can limit the computer security and privacy practices of the journalism community as a whole. Based on these findings, we suggest paths for future research and development that can bridge these gaps through new tools and practices.

Keywords: Journalism; Usable Security; Usable Privacy; Organizational Practices


  • [1] A. T. Garbett, R. Comber, P. Egglestone, M. Glancy, and P. Olivier, “Finding real people: trust and diversity in the interface between professional and citizen journalists,” in 32nd Annual ACM Conference on Human Factors in Computing Systems. ACM, 2014, pp. 3015-3024.Google Scholar

  • [2] U.S. Supreme Court, “Risen v. United States,” SCOTUSblog, Retrieved: June 5, 2014.Google Scholar

  • [3] A. E. Marimow, “Justice Department’s scrutiny of Fox News reporter James Rosen in leak case draws fire,” The Washington Post, May 2013. [Online]. Available: http://www.washingtonpost.com/local/justicedepartments-scrutiny-of-fox-news-reporter-james-rosenin-leak-case-draws-fire/2013/05/20/c6289eba-c162-11e2-8bd8-2788030e6b44_story.htmlGoogle Scholar

  • [4] N. Perlroth, “Hackers in China Attacked The Times for Last 4 Months,” The New York Times, January 2013. [Online]. Available: http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-timescomputers.html?pagewanted=2&_r=0Google Scholar

  • [5] N. Perloth, “Washington Post Joins List of News Media Hacked by the Chinese,” The New York Times, February 2013. [Online]. Available: http://www.nytimes.com/2013/02/02/technology/washington-posts-joins-list-ofmedia-hacked-by-the-chinese.html?_r=0Google Scholar

  • [6] -, “Wall Street Journal Announces That It, Too, Was Hacked by the Chinese,” The New York Times, January 2013. [Online]. Available: http://www.nytimes.com/2013/02/01/technology/wall-street-journal-reports-attackby-china-hackers.html?ref=technologyGoogle Scholar

  • [7] Human Rights Watch, “With Liberty to Monitor All: How Large-Scale US Surveillance is Harming Journalism, Law, and American Democracy,” Jul. 2014, http://www.hrw.org/node/127364.Google Scholar

  • [8] K. A. Ruane, “Journalists’ Privilege: Overview of the Law and Legislation in Recent Congresses,” 2011. [Online]. Available: http://www.fas.org/sgp/crs/secrecy/RL34193.pdfGoogle Scholar

  • [9] S. Hardy, M. Crete-Nishihata, K. Kleemola, A. Senft, B. Sonne, G. Wiseman, P. Gill, and R. J. Deibert, “Targeted threat index: Characterizing and quantifying politicallymotivated targeted malware,” in Proceedings of the 23rd USENIX Security Symposium, 2014.Google Scholar

  • [10] W. R. Marczak, J. Scott-Railton, M. Marquis-Boire, and V. Paxson, “When governments hack opponents: A look at actors and technology,” in 23rd USENIX Security Symposium, 2014.Google Scholar

  • [11] S. E. McGregor, P. Charters, T. Holliday, and F. Roesner, “Investigating the computer security practices and needs of journalists,” in 24th USENIX Security Symposium (USENIX Security 15). USENIX Association, 2015.Google Scholar

  • [12] G. Greenwald, No Place To Hide: Edward Snowden, the NSA, and the U.S. Surveillance State. Metropolitan Books, 2014.Google Scholar

  • [13] C. Savage and L. Kaufman, “Phone Records of Journalists Seized by U.S.” The New York Times, May 2013. [Online]. Available: http://www.nytimes.com/2013/05/14/us/phonerecords-of-journalists-of-the-associated-press-seized-byus.htmlGoogle Scholar

  • [14] S. Huntley and M. Marquis-Boire, “Tomorrow’s News is Today’s Intel: Journalists as Targets and Compromise Vectors,” BlackHat Asia, Mar. 2014, https://www.blackhat.com/docs/asia-14/materials/Huntley/BH_Asia_2014_Boire_Huntley.pdf.Google Scholar

  • [15] Freedom of the Press Foundation, “SecureDrop (formerly known as DeadDrop, originally developed by Aaron Swartz),” 2013. [Online]. Available: https://pressfreedomfoundation.org/securedropGoogle Scholar

  • [16] K. Biscuitwala, W. Bult, T. J. P. Mathias Lecuyer, M. K. B. Ross, A. Chaintreau, C. Haseman, M. S. Lam, and S. E. Mc- Gregor, “Secure, Resilient Mobile Reporting,” in Proceedings of ACM SIGCOMM, 2013.Web of ScienceGoogle Scholar

  • [17] S. Carlo and A. Kamphuis, “Information Security for Journalists,” The Centre for Investigative Journalism, Jul. 2014. [Online]. Available: http://www.tcij.org/resources/handbooks/infosecGoogle Scholar

  • [18] S. E. McGregor, “Digital Security and Source Protection for Journalists,” Tow Center for Digital Journalism, Jul. 2014. [Online]. Available: http://towcenter.org/blog/digitalsecurity-and-source-protection-for-journalists/Google Scholar

  • [19] M. Keys, “Google experts reveal how top organizations are in danger,” The Blot, 2014, https://www.theblot.com/googleexperts-reveal-top-organizations-danger-7717511.Google Scholar

  • [20] A. Soltani, “12 of the top 25 news sites (incl. @washingtonpost) rely on Microsoft or Google for hosted email services,” Twitter, 2014, https://twitter.com/ashk4n/status/448105177439285248.Google Scholar

  • [21] P. Thornton, “Outlook/Exchange vs. GMAIL,” The Journalism Iconoclast, May 2008. [Online]. Available: http://patthorntonfiles.com/blog/2008/05/26/outlookexchangevs-gmail/Google Scholar

  • [22] N. Borisov, I. Goldberg, and E. Brewer, “Off-the-record communication, or, why not to use PGP,” in ACM Workshop on Privacy in the Electronic Society, 2004.Google Scholar

  • [23] P. R. Zimmermann, The Official PGP User’s Guide. Cambridge, MA, USA: MIT Press, 1995.Google Scholar

  • [24] R. Dingledine, N. Mathewson, and P. Syverson, “Tor: The second-generation onion router,” in Proceedings of the 13th USENIX Security Symposium, 2004.Google Scholar

  • [25] N. Unger, S. Dechand, J. Bonneau, S. Fahl, H. Perl, I. Goldberg, and M. Smith, “SoK: Secure Messaging,” in Proceedings of the IEEE Symposium on Security and Privacy, 2015.Google Scholar

  • [26] M. Brennan, K. Metzroth, and R. Stafford, “Building Effective Internet Freedom Tools: Needfinding with the Tibetan Exile Community,” in 7th Workshop on Hot Topics in Privacy Enhancing Technologies (HotPETs), 2014.Google Scholar

  • [27] Internews Center for Innovation & Learning, “Digital Security and Journalists: A SnapShot of Awareness and Practices in Pakistan,” 2012, https://www.fes.de/themen/menschenrechtspreis/pdf/mrp2012/Internews.pdf.Google Scholar

  • [28] J. L. Sierra, “Digital and Mobile Security for Mexican Journalists and Bloggers,” Freedom House, 2013. [Online]. Available: http://www.freedomhouse.org/report/specialreports/digital-and-mobile-security-mexican-journalists-andbloggersGoogle Scholar

  • [29] S. Gaw, E. W. Felten, and P. Fernandez-Kelly, “Secrecy, flagging, and paranoia: adoption criteria in encrypted email,” in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM, 2006, pp. 591-600.Google Scholar

  • [30] G. Norcie, J. Blythe, K. Caine, and L. J. Camp, “Why Johnny Can’t Blow the Whistle: Identifying and Reducing Usability Issues in Anonymity Systems,” in Workshop on Usable Security (USEC), 2014.Google Scholar

  • [31] A. Whitten and J. D. Tygar, “Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0,” in Proceedings of the 8th USENIX Security Symposium, 1999.Google Scholar

  • [32] N. Diakopoulos, M. De Choudhury, and M. Naaman, “Finding and assessing social media information sources in the context of journalism,” in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM, 2012, pp. 2451-2460.Google Scholar

  • [33] N. Taylor, D. M. Frohlich, P. Egglestone, J. Marshall, J. Rogers, A. Blum-Ross, J. Mills, M. Shorter, and P. Olivier, “Utilising insight journalism for community technology design,” in Proceedings of the 32nd ACM Conference on Human Factors in Computing Systems. ACM, 2014, pp. 2995-3004.Google Scholar

  • [34] A. Adams and M. A. Sasse, “Users are not the enemy,” Communications of the ACM, vol. 42, no. 12, pp. 40-46, 1999.Google Scholar

  • [35] Y.-Y. Choong and M. Theofanos, What 4,500+ People Can Tell You - Employees’ Attitudes Toward Organizational Password Policy Do Matter, ser. Lecture Notes in Computer Science. Springer International Publishing, 2015, vol. 9190, ch. 27, pp. 299-310.Google Scholar

  • [36] K. Renaud, M. Volkamer, and A. Renkema-Padmos, “Why Doesn’t Jane Protect Her Privacy?” in Proceedings of the 2014 Privacy Enhancing Technology Symposium, 2014.Google Scholar

  • [37] J. Corbin and A. Strauss, Basics of qualitative research: Techniques and procedures for developing grounded theory. Sage publications, 2014.Google Scholar

  • [38] V. Venkatesh and H. Bala, “Technology Acceptance Model 3 and a Research Agenda on Interventions,” Decision Sciences, vol. 39, no. 2, pp. 273-315, 2008.Google Scholar

  • [39] A. Greenberg, “How the Syrian electronic army hacked us: A detailed timeline,” Forbes, February 2014. [Online]. Available: http://www.forbes.com/sites/andygreenberg/2014/02/20/how-the-syrian-electronic-army-hacked-us-adetailed-timeline/Google Scholar

  • [40] Symantec, “Internet security threat report 2014,” 2014. [Online]. Available: http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdfGoogle Scholar

  • [41] D. D. Caputo, S. L. Pfleeger, J. D. Freeman, and M. E. Johnson, “Going spear phishing: Exploring embedded training and awareness,” Security & Privacy, IEEE, vol. 12, no. 1, pp. 28-38, 2014.Google Scholar

  • [42] A. Das, J. Bonneau, M. Caesar, N. Borisov, and X. Wang, “The tangled web of password reuse,” in Symposium on Network and Distributed System Security (NDSS), 2014. Google Scholar

  • [43] K. E. Caine, “Supporting privacy by preventing misclosure,” in CHI’09 Extended Abstracts on Human Factors in Computing Systems. ACM, 2009, pp. 3145-3148.Google Scholar

  • [44] P. Kumaraguru, S. Sheng, A. Acquisti, L. F. Cranor, and J. Hong, “Teaching Johnny Not to Fall for Phish,” ACM Transactions on Internet Technology, vol. 10, no. 2, pp. 7:1-7:31, Jun. 2010.Google Scholar

  • [45] PhishMe, http://phishme.com/.Web of ScienceGoogle Scholar

  • [46] K. Niknejad, A. Kaphle, A. A. Omran, B. Baykurt, and J. Graham, “The New Global Journalism: Foreign Correspondence in Transition,” Tow Center for Digital Journalism, Sep. 2014. [Online]. Available: http://towcenter.org/wp-content/uploads/2014/09/The-New-Global-Journalism-1.pdfGoogle Scholar

About the article

Received: 2016-02-29

Revised: 2016-06-02

Accepted: 2016-06-02

Published Online: 2016-07-14

Published in Print: 2016-10-01

Citation Information: Proceedings on Privacy Enhancing Technologies, Volume 2016, Issue 4, Pages 418–435, ISSN (Online) 2299-0984, DOI: https://doi.org/10.1515/popets-2016-0048.

Export Citation

© 2016. This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. BY-NC-ND 4.0

Comments (0)

Please log in or register to comment.
Log in