In 2013, Edward Snowden sent classified NSA documents to reporters at The Washington Post and The Guardian, detailing the extensive surveillance perpetrated by the US government on American citizens. The outrage about the infringement on the human rights to privacy placed the NSA under scrutiny and successfully led to the passing of some basic data protection laws in the US.
Though the foundation was laid in 2013, conversation around cybersecurity has faded as public attention has turned to other issues. This is a mistake. Many Western governments have passed data protection laws, similar to those in the US. However, these laws tend to focus on the data content, but have little protection around metadata. This poses a threat, not only to a civilianâ€™s right to privacy, but also to press freedom; as Reporters Without Bordersâ€™ annual World Press Freedom Index states, press freedom is in stark decline.
In the US, the NSAâ€™s mass surveillance program has been scaled back to a â€œcall details records program,â€ which entails metadata collection of suspected terrorist activity. Metadata does not track the content of phone, email or instant messages, but rather the data surrounding these communications. This may include data regarding who the parties involved were, their locations, the duration of the conversation, and its timing. In theory, the call details records program limits the governmentâ€™s powers to investigate only existing threats to national security. In practice, however, the US government can access records of the individual they are investigating, every person with whom they have had contact, and every person those people have contacted. This potentially impacts hundreds of thousands of civilians. For investigative journalists, metadata information can reveal the identities of their sources or communications connected to research surrounding yet unpublished stories. This surveillance acts as a deterrent for potential whistleblowers, who fear retribution once identified; and for journalists, 14% of whom stated that they have avoided pursuing a story due to concern for their sourcesâ€™ anonymity or of being surveilled themselves.
It is not only the US that collects metadata on its citizens. Many other Western governments continue to have gaps in legislation that allows for the collection of metadata. In August 2019, Human Rights Watch released a press briefing on the Australian Security Intelligence Organisation Act (ASIO). The ASIO includes unprecedented access to journalistsâ€™ communications, allowing for misuse of data by law enforcement, who can legally â€œself-authorize access to the stored metadataâ€. In fact, it has been reported that the Australian Federal Police obtained warrants to access the metadata of journalists 58 times over the course of mid 2017 to mid 2018. Following the information obtained through metadata collection, Australian police raided the home of political journalist, Annika Smethurst, and the Australian Broadcasting Corporation offices. ABCâ€™s executive news editor, John Lyons, stated that the message to Australian journalists and whistleblowers is clear: â€œWatch out, because we will be able to find out who you are and we will come after you.â€
In 2000, the UK enacted the Regulation of Investigatory Powers (RIPA), which allowed police access to metadata in service of investigating â€œserious crimesâ€. However, this conflicted with the Police and Criminal Evidence Act of 1984 (PACE), which listed specific protections for journalistic privilege. So, in 2014, controversy erupted when it emerged that the Metropolitan Police and Kent Police had accessed journalistsâ€™ metadata. Without clarity in the law detailing how and when journalists and sources must be protected, law enforcement was able to take advantage of the loophole and accessed the metadata of 82 journalists over the course of three years, citing RIPA as the legal recourse. The controversy led to the Investigatory Powers Bill, which more specifically outlined and expanded the data collection powers of UK law enforcement. Due to its lack of specific protections for journalists and sources, it has been called â€œa potential death sentence for investigative journalism in the UKâ€. In the years since the IP Bill, English media outlets have been described as increasingly â€œrisk averseâ€. The Guardian, which had originally published the Snowden documents and smashed their computers in efforts to protect their source, has since lost many of their top investigative reporters due to the organizationâ€™s perceived fear of â€œupsetting the spooks.â€
In order to protect their sources and themselves, there is an increasing number of journalists who are going â€œanalogueâ€: attempting to minimize their technology use by meeting sources in person, using burner phones, note taking by hand, etc. However, these methods are not foolproof; as in order to whistleblow, a source must make initial contact with a journalist, leaving a metadata trail.
Infringing on journalistsâ€™ right to privacy and source protection is a threat to overall civil liberties and must be addressed as such both legislatively and in practice. First and foremost, national data protection legislation must be amended to exempt journalists from mass data collection programs. The beginnings of change has occurred in the US, primarily with the 2018 US Supreme Court case of Carpenter v. United States, in which Carpenter successfully argued that the governmentâ€™s access to his location data was a violation of his Fourth Amendment rights, setting precedent for future journalist protections. In order to see this change globally, civil liberties unions need to petition their nationsâ€™ governments to include specific, airtight journalistic protections within national security and data collection laws.
Amending legislation will create avenues for change in protecting freedom of expression; however, legal recourse cannot be relied upon as the only lever of change. Technologically, protection of metadata is difficult, as the base function of metadata is to get messages from A to B. However, there are opportunities for public-private collaboration between tech companies and media outlets. This includes the provision of security apps, such as Signal or Tor, that minimize the amount of metadata produced, or secure whistleblowing dropboxes, such as SecureDrop, which allows for individuals who wish to provide information to do so without leaving a trail of communications data between themselves and the journalist.
Metadata collection is a human rights issue, not only threatening our rights to privacy, but our right to a free press. Governmentsâ€™ use of data collection as a national security tool chips away at the protections for journalists and their sources. In order to protect a global free press in the digital age, we need a dual response: Human rights advocates need to lobby their governments for legislative change; and tech security companies have the opportunity to lead in practice by developing and making widely available metadata protection programs to media outlets. A free press is a cornerstone of a free society; and in todayâ€™s climate, in which press freedom is on the decline, prioritizing investigative journalistâ€™s metadata protection will be vital to ensuring those in power are kept accountable in the coming decades.
Liz Hensler is a third year NYU Wagner MPA candidate with an international development and policy specialization. She is the Managing Editor of Events & Engagement for The Wagner Review.