In the digital world, almost everything you do to communicate leaves a trace. Often, emails are stored on servers even after they’re deleted. Phone calls create logs detailing which numbers connected, when and for how long. Your mobile phone can create a record of where you are.
If you’re a journalist trying to protect a confidential source, this is a very difficult world to work in.
“I have been running around in my newsroom, screaming about this … for years,” says Julia Angwin, who covers computer security and privacy at The Wall Street Journal. “There’s so much evidence now that journalists are being targeted, that our communications are vulnerable and, mostly, that our sources are being put in jail.”
It’s in this context that The New York Times decided to outsource its email to Google. This summer, the paper moved all of its reporters onto corporate Gmail accounts. Before the switch, Times emails were stored on servers it owned; now those messages are in Google’s digital filing cabinet.
‘A Sense Of Nervousness’
Unlike the free Gmail used by millions of consumers, corporate Gmail accounts cost money and offer greater privacy protections. But that protection is not complete, and the move could leave Times reporters and their sources with fewer legal protections if they are the subject of a government investigation.
Angwin says one of the reasons that so many journalists have been unable to protect their sources is that records about whom they are talking to are collected by third parties. Last year, when the Department of Justice was investigating a leak about a foiled terrorism plot in Yemen, it didn’t subpoena reporters at the Associated Press. Instead, it went to Verizon and asked for the records of calls going into and out of the AP’s bureaus.
Prosecutors also go after journalists’ private email accounts. And often investigative requests to companies like Google and Verizon come with gag orders.
“I find that all of this, including the AP revelations, contributed to a sense of nervousness among sources,” says Jennifer Valentino-DeVries, also of The Wall Street Journal. “Even people who are not discussing particularly sensitive information with me will comment about the possibility of my emails and phone calls being tapped. And I think that’s been disconcerting.”
“I worry a lot about the outsourcing of email at a news organization. We only have two layers of protection, right? One is technological and one is legal,” Angwin says. “So certainly our lawyers at a news organization are gonna fight to protect our emails. But, if they don’t fully control them technically, they can’t mount a very good argument.
“If Gmail is handling our emails, then we have to rely on them to mount our legal arguments,” she adds. “And that’s not a situation that news organizations have been in, in the past.”
Investigations And Gag Orders
The New York Times isn’t the only media organization to outsource its email. In a statement, it said it had discussed the legal issues involved in detail and the company is confident that its deal with Google, combined with precautions its journalists are now taking, has enhanced the protection of sensitive information. Right now, the Times believes hackers are a bigger security threat than government investigations or gag orders.
Fred Cate, the director of the Center for Applied Cybersecurity Research at Indiana University, says a large email service provider like Google may very well offer better security. Still, Cate says, when it comes to mounting a legal defense against a leak investigation, the Times is making itself vulnerable.
“There will be a gap. There is no question that there’s going to be a gap,” Cate says. “Because previously you would have had to serve that piece of paper on The New York Times.”
Now, an investigator would serve Google. And if the request comes with a gag order, the Times might never know.