2016 was a year when technology use, abuse, and failures all owned political news. It was a year of massive corporate and government hacking scandals, mainstream adoption of encryption, connected appliances taking down major websites, algorithmically supported misinformation, protest votes, and protests against the vote. For me, it was also the year of Pokemon GO, non-stop writing and research, jet lag, and meeting friends at global human rights and hacker conferences. As part of the Knight-Mozilla OpenNews fellowship, which places technologists in newsrooms around the world, 2016 was the year I moved to New York to work with the Coral Project based at the New York Times.
The Coral Project is a collaboration between the New York Times, the Washington Post, and Mozilla, building open source software and resources to improve how journalists and their readers communicate on news sites. While I had some experience working with journalists, until 2016 I had never worked in a newsroom.
I’m a data analyst and user researcher interested in security for at-risk groups. As part of a Ph.D. at the University of California at Irvine, I studied how investigative journalists manage their digital security, particularly in light of the Snowden disclosures. I learned from journalists, press advocates, and security specialists about their work. In effect, I became a sort of professional “security botherer” when doing my dissertation research.
Guides and assistance on digital security
Occasionally the journalists I’d talk to for my dissertation study would ask about strengthening their security posture, and the research was helpful for answering these questions. If I couldn’t point them to a convenient resource, I occasionally wrote “how to” guides. It almost happened by accident.
In writing security guides, I found that one of the most useful ways to use this research was not sharing my observations with other academics, but rather sharing them with the people I wanted to learn from and hearing their thoughts.
I wrote a couple of articles on getting started with digital security posture for journalists and first-timers learning about digital security. Then I wrote a couple more. Then a couple more.
- Securing Your Digital Life Like a Normal Person
- Digital Self-Defense for Journalists: An Introduction (via Source)
- Password Managers for Beginners
- Signal for Beginners
- Security Compromises in Journalism
- Defending Accounts Against Common Attacks (via Source)
- Current Digital Security Resources
- Secure Journalism at Protests (with @geoffwking)
… And then a couple more related posts on methods.
- Research Methods With Media Activists Under Surveillance
- How 10 News Orgs Adopted PGP Email Encryption (Or Not)
The fellowship was crucial for finding the time and mental space to write. Throughout the year I also worked with several nonprofits on improving their digital security materials.
Slowly, I found myself helping out at New York cryptoparties — beginner-friendly events for teaching and learning about digital security. I also occasionally lead or assist on digital security training with journalists.
Research with the Coral Project
At the Coral Project, I found more time for digging into user research, as well as questions around digital security practices for our reader-facing tools.
- Conducted a study on defending against user-submitted malware when accepting media files from readers.
- Examined research on creepy data collection practices, and how newsrooms can avoid them.
- Conducted a study with engagement editors on analytics dashboards for a user-submission tool we’re building, which we call Ask.
- Moderated usability studies for Ask.
- Worked with the Coral Project design team on crafting studies and digging up relevant research.
Finding time to fail
The truth is, the fellowship allowed experimentation because it gave me the room to fail, and fail often.
I started a handful of projects that fell apart, such as a study into alternative designs for human-readable privacy policies that we could use for newsrooms. (It turns out this is a very Hard Problem.) I also attempted to conduct a study that examined how media activists in politically volatile regions deal with their digital security habits. After conducting half a dozen interviews, and after discussions with my team, I learned that the research fell outside the scope of our near-term work.
Dropping projects was partly about being honest about the likely uses for the research. But projects also compete with one another for time, and I wanted to prioritize those with more immediate impact.
Experiments in bridging communities
In April 2016, I started a forum for discussing digital security and journalism called Tinfoil (https://tinfoil.press). Back then it was a small experiment. I’m surprised how fast it grew, enabling smart conversations among journalists, activists, security trainers and engineers, policy wonks, and human rights defenders, as well as ordinary folks curious about security.
There’s a lot of room for growth to make the forum more useful, especially for people who are new to digital security. I’m pushing to make that happen. Right now I’m building “onboarding” resources for new users and encouraging a more inclusive culture, asking underrepresented groups in journalism and security to bring their questions and perspectives.
Slowly, Tinfoil appears to be turning into a fixture within journalism and security circles. I started to meet Tinfoil friends at cryptoparties and hacker conferences, some of whom have helped with my research.
Travel, travel, travel
The OpenNews fellowship encourages travel to conferences where fellows have accepted talks and workshops. Over this past year I visited a small handful of places:
- Miami for an OpenNews orientation.
- Denver, Colorado for NICAR.
- Portland, Oregon for SRCCON.
- Washington D.C. to meet the distributed team at the Coral Project.
- The San Francisco Bay Area for RightsCon and the Computation and Journalism Symposium.
- Las Vegas, Nevada for DEFCON.
- New York City for Hackers on Planet Earth (HOPE).
- Buenos Aires, Argentina for Hacks/Hackers Media Party.
- Hamburg, Germany for the Chaos Communication Congress.
- London, England for MozFest 2015 and 2016. (We made a short handout for a MozFest 2016 security training!)
Journalism and hacker conferences allowed me to put usernames and Twitter icons to faces. The six other OpenNews fellows are like family, and going to conferences where they were all present often felt like a reunion. The OpenNews staff is also made up of some of the sharpest and hardest working people I’ve had the pleasure to work with. No matter how jet lagged I am, I always look forward to seeing this crew at conferences.
The coming year
After the fellowship comes to a close this month, I’ll head back home to the Bay Area to begin a new role. With help from friends in journalism, civil society, and security, I hope to use what I’ve learned over this past year to work with at-risk groups in my local community, particularly in populations with the most to lose in the coming years. We’ll keep busy — there’s a lot of work to do.
If you’re interested in similar questions around understanding security for at-risk groups, I’m always interested in learning more. Email, reach out on Twitter (@mshelton), or reach out on a few different encrypted channels. ❤