CNTI’s Summary

The digital security of publishers, journalists and their sources is under threat in many parts of the world. At the governmental level, policymakers must acknowledge the very real threats facing journalists specifically and ensure that digital policy initiatives both protect them and, in doing so, do not threaten free expression, basic privacy rights, or encryption and VPN protections. At the platform level, technology companies can establish and protect human rights and privacy safeguards, but they also must at times navigate challenging state demands (at times via legislation) to provide private data and information on their users, potentially permitting governments’ abuses of power. At the publisher level, proactive efforts around cyber education, safety and support, as well as sharing experiences within the industry, are equally critical. Finally, researchers and civil society need to do their part to collaboratively shed light and provide data on the trends, risks and potential avenues forward.

The Issue

The physical and digital security of journalists and their sources are under threat in many parts of the world. Digital security and cybersecurity threats, in particular, have become more important than ever for the global news media as journalists and publishers are becoming high-profile targets for malware, spyware and digital surveillance, compromising their and their sources’ personal information and safety. More broadly, digital security and cybersecurity have gained the attention of policymakers globally, with 156 countries having enacted cybercrime legislation as of 2021.

Cybersecurity threats come in many forms, including increasingly sophisticated domestic and transnational spyware, denial-of-service (DDoS) and malware (malicious software used to gain unauthorized access to IT systems and spread across a network), ransomware (malware where attackers demand a payment or ransom in exchange for restoring access), and phishing attacks. A range of actors can be behind these tactics, including nation-states and politicians, powerful individuals, corporations, criminal networks and extremist organizations. 

Digital security challenges facing the global news media also involve broader threats to data privacy and security which include growing concerns about software vulnerabilities as well as the use of digital platform surveillance. For example, some governments attempt to chip away at encryption protections offered by secure apps like Signal, WhatsApp, ProtonMail or SecureDrop. Additionally, there are digital safety and privacy concerns about legacy social media platforms like X (formerly known as Twitter) — a staple of global journalism practice and sourcing — where data and communications are rapidly becoming far less secure for journalists and civil society organizations in the wake of ownership and infrastructure changes.

Digital and physical threats to journalists are connected. For instance, the use of spyware has been linked to hundreds of acts of physical violence around the world. In particular, human rights organizations and cybersecurity experts have expressed concerns about the use of spyware largely developed by companies in Europe, the Middle East and the U.S. — including NSO Group’s ‘Pegasus’ and QuaDream’s ‘Reign’ — being used in dozens of countries around the world, especially in Latin America. There is also an increasingly important link between governments’ use of spyware and their use of lawfare (i.e., the weaponization of legal systems or institutions) against journalists. Together, these threats have critical detrimental effects on journalists’ mental health (discussed in more detail in CNTI’s upcoming issue primer on journalist safety), leading to calls for a holistic approach to security efforts.

In addition to raising safety and psychosocial concerns, digital security threats also damage trust in the news media. In an attention economy, cyberattacks can eliminate entire business models and push audiences away by slowing or crashing websites. A lack of digital security training in newsrooms — particularly newsrooms outside of large national (and largely Western) publishers with the means to provide such training — can create chilling effects for sources and whistleblowers who increasingly fear being unintentionally exposed by journalists. These patterns are representative of the public’s broader lack of trust in the safety of personal data, including in the hands of news publishers. In cases where sources are less aware of digital security concerns, research finds journalists are often hesitant to request protective measures for fear of scaring off sources. 

These threats are expensive and difficult for newsrooms to address on their own. They are even more difficult for independent journalists or publishers operating in (or in exile from) countries with hostile governments or authoritarian regimes. Thus, collaboration among policymakers, platforms, researchers and domestic and international civil society organizations is critical to ensure digital security of the global press.

What Makes It Complex

State of Research

In parallel with the rise of other threats to press freedom and journalists’ security – particularly in the wake of the Snowden revelations – a burgeoning academic field has turned its attention to questions around the digital and information security of the global press. Academic and public attention to cybercrime, ransomware, and spyware have also grown, both in the wake of prominent attacks and amid growing concerns about the adoption of generative AI technologies in cyberattacks – for instance, leveraging these systems to manipulate journalists’ likeness – and AI’s broader threats to digital privacy and security (see CNTI’s issue primer on AI in journalism).

It is clear from this body of work that journalists and their sources in many countries are increasingly concerned about or actively experiencing a range of digital threats (whether from domestic, foreign or unknown actors), but for several cultural, institutional and individual-level reasons, this does not often result in changes to practices or policies to counter such threats. 

Further, work by organizations including Forbidden Stories, the University of Toronto’s Citizen Lab and the Committee to Protect Journalists have tracked at least 180 cases of spyware targeting journalists, particularly by clients of NSO Group. Other research has depicted the unique threats of digital surveillance to (1) investigative journalists and (2) marginalized people and communities including women, queer and gender-nonconforming people and people of color. This work, as noted earlier, has revealed the relationship between journalists’ digital presence and offline abuse, including but not limited to physical violence. These risks are often amplified in non-Western regions as well as in areas of conflict. (We will discuss the related issue of online harassment in detail in a separate issue primer.)

Research on the targeting of journalists (and the public more broadly) using digital surveillance or “dataveillance,” hacking and spyware often focuses specifically on:

• How journalists perceive and adapt to information security challenges, including their protection of and secure communication with sources and whistleblowers.
• How digital intimidation tactics threaten press freedom and journalists’ ability to deliver stories in the public interest.
• The influence of new technologies and the rise of “dataveillance” by state and corporate actors.

While this research speaks to the global nature of digital security threats to an independent press, future research should continue to examine how journalists, technology companies, researchers and policymakers can collaborate to defend against these threats, including tracking trends and sharing practices. Currently, many conversations about how to address these threats also lack global evidence. For instance, it is unclear how, or to what extent, digital security technologies such as encryption software have been implemented by journalists outside of Western countries. It is also important to understand how communication between journalists and their sources has evolved in an increasingly digital but often less safe environment.

Further, a lack of resources continues to play a critical role in news publishers’ and journalists’ ability to protect against and respond to digital security threats. Digital forensics efforts by organizations such as Citizen Lab and Amnesty Tech illustrate the critical role intermediaries play in creating networks, developing resources and establishing support mechanisms to protect the digital security of the global press. What other areas within this ecosystem must be strengthened to account for these growing threats, and what could those resources or collaborations look like?

State of Legislation

Cybercrime has become a growing concern among policymakers in many parts of the world. As of 2021, the UN Conference on Trade and Development found that 156 countries (80%) had enacted cybercrime legislation, though adoption rates vary by region. 

However, cybercrime policy (including but not limited to “cyber libel,” “cyberterrorism” and “online hate speech” laws) does not always account for — and at times directly threatens — the digital safety of journalists. Often, cybercrime policy efforts are led by countries’ security or banking sectors, leading to policymaking that may not take into account — or be at odds with — international standards for press freedom and privacy. Research has found that a majority of cybercrime laws include few safeguards to protect against investigatory overreach and incorporate provisions with vague or broad wording that can be used to target journalists, thus threatening an independent press and free expression.

Over the past two decades, legal frameworks established to protect an independent press and the confidentiality of journalistic sources and information have been under threat in many parts of the world. New legislation and policies, including national security or anti-terrorism legislation, override and/or contradict existing protections. Other policies pressure or force digital intermediaries to provide private user data. When legislation does not adequately account for new uses of, or technological tools for, digital data by journalists and sources, it will not provide them with necessary legal protections, thus making forward-thinking policymaking critical.

Broader debates around who qualifies as a ‘journalist’ and what qualifies as ‘journalism’ also play an important role in cyber policy, as they affect who receives which legal protections. Do the same data or source protections, for instance, extend to freelancers or citizen journalists, or to international journalists doing cross-border or conflict reporting? A lack of definitional clarity in policymaking can lead to inconsistent or unequal entitlement to protections.

Global experts have called for collaborative approaches to global cybersecurity regulations through private and public sector coordination as well as strengthened international data protection frameworks. Such frameworks loosely exist, to some extent, within agreements to advance citizens’ privacy rights by the Council of Europe and the Organisation for Economic Cooperation and Development (OECD) and as a part of efforts to establish a global cybercrime treaty by the United Nations’ Office on Drugs and Crime’s Global Programme on Cybercrime. However, these protections are not currently codified and do not account for the unique digital security threats posed to journalists and other sectors of civil society. Harmonizing these standards cross-nationally could also promote the development of more resilient digital infrastructures – though, as illustrated in recent UN efforts, consensus on definitional considerations and cross-border oversight are difficult to achieve, particularly between democratic societies and authoritarian regimes.

Finally, it is critical at both the supranational and national levels to have open legislative processes around cybercrime or cybersecurity so that the voices of the news media and journalists, as well as civil society more broadly, are taken into account from the start.

Notable Legislation

Australia

Australia’s controversial 2018 anti-encryption laws (the TOLA Act), aimed at requiring technology companies to grant national security and law enforcement agencies access to encrypted messages, have been widely criticized by cybersecurity experts. Key concerns about the act include both its lack of independent judicial oversight and its broad scope. Oversight agencies and civil society organizations have recommended changes but they have not been implemented.

Bangladesh

In August 2023, the Bangladesh government approved the final draft of its Cyber Security Act (CSA), developed to “tone down” the country’s Digital Security Act (DSA) amid global criticism and allegedly remove vaguely worded provisions that can easily be abused to restrict press freedom (e.g., replacing imprisonment with monetary fines for journalists in defamation cases). Human rights organizations have argued the CSA retains most provisions used to curtail free expression and privacy.

Council of Europe

In September 2023, the Parliamentary Assembly of the Council of Europe’s Committee on Legal Affairs and Human Rights released a spyware report, citing “mounting evidence” that member-states have used spyware for illegitimate purposes and asking five countries to investigate abuses. The committee also requested information from Israel on how it ensures Pegasus spyware is not acquired to violate human rights. The Council has called on member-states to establish spyware oversight structures.

European Union

Announced in September 2022, the E.U.’s proposed Cyber Resilience Act aimed to bolster European protections against cyberattacks. In June 2023, European Parliament members voted to urge the E.U. to tighten regulations around commercial spyware, noting their threats to human rights and adopting a resolution outlining reforms needed to curb abuse. The resolution includes calls for rules on spyware uses by law enforcement and for five countries to comply with investigations into abuses. This is expected to take effect in early 2024.

Jordan

In September 2023, a cybercrime bill (Law No. 17) took effect after approval by King Abdullah II. Among other provisions, the law restricts certain online speech designated as “cybercrimes,” including content “undermining national unity,” as punishable by prison time and/or fines, with penalties determined by judges. There are concerns that the law threatens digital rights and free expression.

Kenya

In August 2022, Kenya’s government launched its National Cybersecurity Strategy as a framework to address new challenges and emerging cyber threats, emphasizing a commitment to global collaboration. In July 2023, Kenya faced a series of DDoS cyberattacks. In response, the Ministry of Information, Communications & Digital Economy announced a multistakeholder cybersecurity roundtable, though civil society, academia and local technology voices were notably absent.

Poland

In September 2023, Poland’s Senate published the findings of a special commission’s 18-month investigation into the governmental use of Pegasus spyware in a 2019 hacking scandal, noting “gross violations of constitutional standards” and recommending potential criminal charges against the politicians implicated in the scandal. The report concluded that spyware such as Pegasus cannot be used under Polish law.

United Kingdom

The U.K.’s proposed Online Safety Bill, a complicated and sweeping set of measures, is intended to counter a broad range of digital harms. Related to cybersecurity is the bill’s potential threat to the security of encrypted services. One clause would allow U.K. regulator Ofcom to scan end-to-end encrypted messages for child abuse content. There are concerns that it could be exploited to spy on users’ private conversations, eroding encryption protections and threatening human rights.

United Nations

In September 2023, negotiations concluded for the UN’s proposed global treaty on cybercrime. While intended to help countries share information on such crimes, autocratic governments have sought to broaden the scope of cybercrime, which could curtail an independent press and free expression. Consensus was not reached on fundamental issues, including the scope and definition of cybercrimes or human rights safeguards. Experts have noted concerns that a flawed treaty may empower human rights abuses and authorize broad cross-border surveillance.

United States

In early 2023, the Biden administration released a wide-ranging cybersecurity strategy aiming to bolster protections against cyberattacks. Separately, the administration has taken action to counter spyware abuses, including announcing a multi-country collaboration to control the proliferation of these technologies and signing an executive order to prohibit U.S. governmental use of commercial spyware.

Read more here.

Resources & Events