How might a responsible journalist behave?

Let’s do a little thought experiment, starting with a few assumptions.

  • I’m an investigative journalist, and I have come into possession of some sensitive information.
  • Publication of either the information itself, or news articles based on it, would have a substantial public interest.
  • I need to transfer the information from A to B without, myself, travelling from A to B.

What are my options?

  1. Given that the information is in digital form, I could just attach it to an email and send it to B.
  2. I could encrypt it first, and then email it.
  3. I could encrypt it and have it hand-carried by a trusted courier, without giving the courier the decryption keys.

If I use strong, standardised encryption (for instance, of the kind approved by a recognised national standards body and implemented in mainstream commercial products), I am entitled to a reasonable belief that the information is protected against brute-force decryption. I could also use, say, asymmetric and/or out-of-band key exchange to ensure that B can decrypt the information once the courier has delivered it.

This is all hypothetical, but it seems to me that option 3, together with the precautions in the paragraph that follows it, would be good evidence of a “responsible” approach on the part of the journalist.

Equally hypothetically: if it subsequently emerges that the apparently strong, standardised cryptography has been intentionally weakened in the course of the standardisation process, that does not imply that I was irresponsible in my ‘reasonable belief’ in the strength of the encryption. There may be irresponsibility there, but it is not mine.