Data protection in a new DOJ era

June 18, 2018 11:00

In a precedent set under the previous administration, the Department of Justice has made clear its priority is to investigate leaks. Attorney General Jeff Sessions has declined, not once, but twice, to pledge he would not go after reporters for protecting confidential sources. Now, we’ve seen that forewarning realized in the “first known instance of the Justice Department going after a reporter’s data under President Trump,” according to The New York Times, an action RTDNA strongly protested.

RTDNA and a number of journalism groups have urged Sessions to meet with press freedom advocates to explain the action and address the concerts it raises.
Update: In January 2019, Attorney General nominee Wiliam Barr also refused to rule out jailing journalists.

In the meantime, journalists would do well to lean about what happened – and what to do to be prepared and protected.

Can they do that?
In short, yes.

There are legal mechanisms regulating how such records can be obtained, as well as more specific policy mechanisms further restricting when agencies will use those mechanisms.

Law enforcement can obtain warrants for records via a several different procedures. Depending on the mechanism used, the subscriber or customer may not be notified or may be notified only after the information is retrieved (as in this case).

Under the Code of Federal Regulations, Congress gives agencies the authority to make some rules or regulations by which they will operate. The Department of Justice’s regulations have ostensibly created additional barriers to accessing reporters’ records related to confidential sources. These include trying all other means to get the information, notifying the reporter and permitting the order to be challenged and requiring the signoff of top department officials.

These regulations should make it more difficult to access reporters’ data, but, as we’ve seen, it can still happen.

What can they get?
And how? We asked Electronic Frontier Foundation Senior Staff Attorney Sophia Cope.

Phone and email services are provided by companies. Those companies have records of customers’ use of their services. And – based on the legal and regulatory frameworks outlined above – they may be asked to turn records over to law enforcement.

Says Cope, “The government obtained the reporter's email and phone records, but not the content of those communications (probably via the Electronic Communications Privacy Act/Stored Communications Act). This means they obtained some sort of metadata such as to/from and date/time information for each email and call.”

What about the contents of communications?  

These are most easily obtained directly from the device used to send and receive them – yours, or your sources, as in the case of reporter Ali Watkins and her source, James Wolfe, who was the subject of an investigation. In this case, Cope says, “The government obtained the content of communications Wolfe had with reporters over encrypted messaging apps. Our guess is that the government got a warrant for Wolfe's phone and simply opened up the app and saw the messages in the inbox.”

What can you do about it?
Encryption is a good first step. It protects contents of communications from interception.

“It's important to note that while encryption protects the contents of communications, it doesn't mask metadata,” says Cope. In other words, encryption protects what is being said. If you’re concerned about law enforcement finding out who you’re talking to, you’ll need to protect your metadata as well with further anonymity from a service like Tor.

Encryption has another limitation. Cope says, “although encryption thwarts interception of communications content, if that content is sitting unencrypted in an app, then anyone who has access to the phone can see those messages,” as occurred with Mr. Wolfe’s phone.

Some device makers have taken steps to make it harder, for now, for law enforcement to access phones’ contents without assistance from phone owners.

Recently, Apple closed a security loophole that had allowed data to be pulled even from locked phones via third party software.

However, short of refusing to give up a phone password, data is most protected when it isn’t there. “Totally deleting received messages is an added precaution that some journalists might want to take. For example, Signal allows users to toggle on Disappearing Messages," Cope advises.
Find more resources to protect yourself and your information:


2019 Research

Corporate Members