Individual versus Organizational Computer Security and Privacy Concerns in Journalism

Susan E. McGregor 1, Franziska Roesner 2 and Kelly Caine 3
  • 1 Columbia Journalism School
  • 2 University of Washington
  • 3 Clemson University


A free and open press is a critical piece of the civil-society infrastructure that supports both established and emerging democracies. However, as the professional activities of reporting and publishing are increasingly conducted by digital means, computer security and privacy risks threaten free and independent journalism around the globe. Through interviews with 15 practicing journalists and 14 organizational stakeholders (supervising editors and technologists), we reveal the distinct, and sometimes conflicting, computer security concerns and priorities of different stakeholder groups within journalistic institutions, as well as unique issues in journalism compared to other types of organizations. As these concerns have not been deeply studied by those designing computer security practices or technologies that may benefit journalism, this research offers insight into some of the practical and cultural constraints that can limit the computer security and privacy practices of the journalism community as a whole. Based on these findings, we suggest paths for future research and development that can bridge these gaps through new tools and practices.
