In 2013, Edward Snowden sent classified NSA documents to reporters at The Washington Post and The Guardian, detailing the extensive surveillance perpetrated by the US government on American citizens. The outrage about the infringement on the human rights to privacy placed the NSA under scrutiny and successfully led to the passing of some basic data protection laws in the US.
Though the foundation was laid in 2013, conversation around cybersecurity has faded as public attention has turned to other issues. This is a mistake. Many Western governments have passed data protection laws, similar to those in the US. However, these laws tend to focus on the data content, but have little protection around metadata. This poses a threat, not only to a civilian’s right to privacy, but also to press freedom; as Reporters Without Borders’ annual World Press Freedom Index states, press freedom is in stark decline.
In the US, the NSA’s mass surveillance program has been scaled back to a “call details records program,” which entails metadata collection of suspected terrorist activity. Metadata does not track the content of phone, email or instant messages, but rather the data surrounding these communications. This may include data regarding who the parties involved were, their locations, the duration of the conversation, and its timing. In theory, the call details records program limits the government’s powers to investigate only existing threats to national security. In practice, however, the US government can access records of the individual they are investigating, every person with whom they have had contact, and every person those people have contacted. This potentially impacts hundreds of thousands of civilians. For investigative journalists, metadata information can reveal the identities of their sources or communications connected to research surrounding yet unpublished stories. This surveillance acts as a deterrent for potential whistleblowers, who fear retribution once identified; and for journalists, 14% of whom stated that they have avoided pursuing a story due to concern for their sources’ anonymity or of being surveilled themselves.
It is not only the US that collects metadata on its citizens. Many other Western governments continue to have gaps in legislation that allows for the collection of metadata. In August 2019, Human Rights Watch released a press briefing on the Australian Security Intelligence Organisation Act (ASIO). The ASIO includes unprecedented access to journalists’ communications, allowing for misuse of data by law enforcement, who can legally “self-authorize access to the stored metadata”. In fact, it has been reported that the Australian Federal Police obtained warrants to access the metadata of journalists 58 times over the course of mid 2017 to mid 2018. Following the information obtained through metadata collection, Australian police raided the home of political journalist, Annika Smethurst, and the Australian Broadcasting Corporation offices. ABC’s executive news editor, John Lyons, stated that the message to Australian journalists and whistleblowers is clear: “Watch out, because we will be able to find out who you are and we will come after you.”
In 2000, the UK enacted the Regulation of Investigatory Powers (RIPA), which allowed police access to metadata in service of investigating “serious crimes”. However, this conflicted with the Police and Criminal Evidence Act of 1984 (PACE), which listed specific protections for journalistic privilege. So, in 2014, controversy erupted when it emerged that the Metropolitan Police and Kent Police had accessed journalists’ metadata. Without clarity in the law detailing how and when journalists and sources must be protected, law enforcement was able to take advantage of the loophole and accessed the metadata of 82 journalists over the course of three years, citing RIPA as the legal recourse. The controversy led to the Investigatory Powers Bill, which more specifically outlined and expanded the data collection powers of UK law enforcement. Due to its lack of specific protections for journalists and sources, it has been called “a potential death sentence for investigative journalism in the UK”. In the years since the IP Bill, English media outlets have been described as increasingly “risk averse”. The Guardian, which had originally published the Snowden documents and smashed their computers in efforts to protect their source, has since lost many of their top investigative reporters due to the organization’s perceived fear of “upsetting the spooks.”
In order to protect their sources and themselves, there is an increasing number of journalists who are going “analogue”: attempting to minimize their technology use by meeting sources in person, using burner phones, note taking by hand, etc. However, these methods are not foolproof; as in order to whistleblow, a source must make initial contact with a journalist, leaving a metadata trail.
Infringing on journalists’ right to privacy and source protection is a threat to overall civil liberties and must be addressed as such both legislatively and in practice. First and foremost, national data protection legislation must be amended to exempt journalists from mass data collection programs. The beginnings of change has occurred in the US, primarily with the 2018 US Supreme Court case of Carpenter v. United States, in which Carpenter successfully argued that the government’s access to his location data was a violation of his Fourth Amendment rights, setting precedent for future journalist protections. In order to see this change globally, civil liberties unions need to petition their nations’ governments to include specific, airtight journalistic protections within national security and data collection laws.
Amending legislation will create avenues for change in protecting freedom of expression; however, legal recourse cannot be relied upon as the only lever of change. Technologically, protection of metadata is difficult, as the base function of metadata is to get messages from A to B. However, there are opportunities for public-private collaboration between tech companies and media outlets. This includes the provision of security apps, such as Signal or Tor, that minimize the amount of metadata produced, or secure whistleblowing dropboxes, such as SecureDrop, which allows for individuals who wish to provide information to do so without leaving a trail of communications data between themselves and the journalist.
Metadata collection is a human rights issue, not only threatening our rights to privacy, but our right to a free press. Governments’ use of data collection as a national security tool chips away at the protections for journalists and their sources. In order to protect a global free press in the digital age, we need a dual response: Human rights advocates need to lobby their governments for legislative change; and tech security companies have the opportunity to lead in practice by developing and making widely available metadata protection programs to media outlets. A free press is a cornerstone of a free society; and in today’s climate, in which press freedom is on the decline, prioritizing investigative journalist’s metadata protection will be vital to ensuring those in power are kept accountable in the coming decades.
Liz Hensler is a third year NYU Wagner MPA candidate with an international development and policy specialization. She is the Managing Editor of Events & Engagement for The Wagner Review.