What Journalists Can Learn From Police Seizing a BBC Reporter's Laptop

On Wednesday, it was revealed that UK police used powers under the controversial Terrorism Act to seize the laptop of a BBC journalist. The Independent reported that the order was served onto the media group and Secunder Kermani, a journalist working on BBC Newsnight who has interviewed Western-born jihadis.

This move—of a Western government legally compelling a journalist to hand over their laptop—is pretty uncommon, although there have been other cases of UK authorities using surveillance legislation to target reporters. In 2006, a police force bugged a journalist's car to track down a leaker, and more recently police accessed journalists' phone records. Notably, the BBC did not contest this current order, according to Press Gazette.

Back in September, I wrote about the need for journalists using encryption to protect themselves from "thuggish threats": that is, adversaries for whom the mere presence of encryption is enough to antagonise them. This was in response to several VICE News journalists being arrested, reportedly because one of them had an encryption program installed on his computer.

This latest case with the BBC bluntly demonstrates the need for journalists to take extra steps to protect their data, ones that go beyond simply using encryption to communicate with sources or lockdown their computer.

Some may ask why a law-abiding journalist wouldn't want to fully cooperate with a government request for data. Investigative journalists might have a confidential source that they want to keep anonymous, and which, in turn, authorities are trying to identify. In short, revealing sources compromises a journalist's ability to get information and therefore report the news faithfully.

Perhaps the reporter is communicating with a criminal, and law enforcement feel they can use these conversations to pursue the fugitive. Again, some may claim that step is okay: using a journalist's communications with a bad guy, perhaps to track them down. But this totally runs counter to the responsibility of journalists to protect their sources. It does not matter whether they are a terrorist, a pedophile, a drug dealer, or a government official: journalists must preserve the confidence of their sources, even when they are criminals. A source, is a source, is a source.

A story can never be covered properly, a narrative scrutinised and examined, if journalists don't take measures to talk to the people who are truly involved in events, be those controversial topics such as terrorism or anything else. If journalists, and equally sources, feel they won't be able to do that, public interest journalism will suffer.

"Yet again we have a situation where the police are riding roughshod over press freedom and using anti-terror legislation to get their hands on journalistic information," said Michelle Stanistreet, general secretary of the UK's National Union of Journalists in a statement.

"There are serious questions to be answered about why the order obtained by the police warranted the seizing of a journalists' laptop—which may well have contained confidential information on other sources and other stories too." (According to a BBC spokesperson quoted in The Independent, "The man had featured in Newsnight reports and was not a confidential source").

Newsnight editor Ian Katz told Motherboard in a forwarded statement that "While we would not seek to obstruct any police investigation we are concerned that the use of the Terrorism Act to obtain communication between journalists and sources will make it very difficult for reporters to cover this issue of critical public interest."

It's not clear whether Kermani's laptop was encrypted. Newsnight said it could not answer a set of questions from Motherboard. But, even if full-disk encryption is used by a journalist, some adversaries can still access data stored on the device: for example, governments can legally force the reporter to decrypt the computer's contents. (There are some technical solutions to the problem of being forced to reveal a password, but they are not guaranteed to succeed.)

So, instead of simply hoping that the authorities won't come across anything that harms a source once they have obtained the journalist's computer, why not make sure that there is no information for them to uncover?

Some journalists might consider just deleting information stored on a laptop once it has been used for a story and is no longer necessary. But it's not that easy: recoverable remnants of a file still exist on a computer's hard-drive after it has been churned through the Recycling Bin or dragged into the Trash.

There are programs designed to make deleted data totally unrecoverable, but then that process has to be applied to every instance of the data such as USBs or external hard-disks, and the approach isn't going to work at all if the data is stored on a cloud service or on someone else's computer. If a media organization receives an order and it starts deleting reams of chat logs or evidence, it's likely going to get into even more legal hot water.

But no law or police force can compel a journalist to produce data that never existed in the first place. Generally, if a piece of information is so absolutely confidential that it must not fall into the hands of a third party, and there is a genuine risk of an adversary using extraordinary means to obtain that information, just don't record it.

A source's real name; a sensitive address; or anything else that would result in the compromise of a source: if possible, don't save it to a computer hard drive.

Of course, that is easier said than done when it comes to working on large stories with lots of moving parts, but journalists can still be very selective in the small pieces of data that they decide not to store: if a chat log really does have to be saved, maybe redact the source's username before saving the text. It's not necessarily all or nothing—recording or keeping everything quiet—but journalists should seriously consider if archiving certain pieces of information will backfire at a later date.

In an age of mass government surveillance, and the cracking down on journalism all over the world, it's time for journalists to up their data security.