Award Abstract # 1513875
TWC: Medium: Collaborative: Studying Journalists to Identify Requirements for Usable, Secure, and Trustworthy Communication

NSF Org: CNS
Division Of Computer and Network Systems
Recipient: CLEMSON UNIVERSITY
Initial Amendment Date: September 16, 2015
Latest Amendment Date: September 16, 2015
Award Number: 1513875
Award Instrument: Standard Grant
Program Manager: Dan Cosley
dcosley@nsf.gov
 (703)292-8832
CNS
 Division Of Computer and Network Systems
CSE
 Directorate for Computer and Information Science and Engineering
Start Date: October 1, 2015
End Date: September 30, 2018 (Estimated)
Total Intended Award Amount: $304,924.00
Total Awarded Amount to Date: $304,924.00
Funds Obligated to Date: FY 2015 = $304,924.00
History of Investigator:
  • Kelly Caine (Principal Investigator)
    caine@clemson.edu
Recipient Sponsored Research Office: Clemson University
201 SIKES HALL
CLEMSON
SC  US  29634-0001
(864)656-2424
Sponsor Congressional District: 03
Primary Place of Performance: Clemson University
300 Brackett Hall
Clemson
SC  US  29634-0001
Primary Place of Performance
Congressional District:
03
Unique Entity Identifier (UEI): H2BMNX7DSKU8
Parent UEI:
NSF Program(s): Secure &Trustworthy Cyberspace
Primary Program Source: 01001516DB NSF RESEARCH & RELATED ACTIVIT
Program Reference Code(s): 7434, 7924, 9102, 9150
Program Element Code(s): 806000
Award Agency Code: 4900
Fund Agency Code: 4900
Assistance Listing Number(s): 47.070

ABSTRACT

This research focuses on understanding the digital security and privacy needs of journalists and their sources to evaluate and design communication technologies that better support the fundamental operations of a globally free and unfettered press. Journalists -- along with their organizations and sources -- are known to be high-risk targets for cyberattack. This community can serve as a privacy and security bellwether, motivated to use new technologies, but requiring flexibility and ease-of-use. Many existing secure tools are too cumbersome for journalists to use on a regular basis. Moreover, these tools may lack important security and privacy-protecting features that are needed not only by the large and diverse community that is part of journalistic activity, but by other individuals and groups that may have a harder time recognizing and articulating their needs. By learning about the needs and constraints of the journalism community, this project will identify both technical and training interventions that can improve the daily security and privacy of journalists, the many communities with which they interact.

The researchers will perform in-depth interviews and usability tests with journalists and their sources. The insights gained will illuminate both the conceptual and technical issues they encounter with respect to cybersecurity. Using the specific risk- and resource-models relevant to these populations, the researchers will propose, prototype, and begin evaluating novel technical solutions to issues like communications metadata, as well as data management, syncing, search and permission controls, and the possibilities of trusted distributed key servers and "disappearing data." The results of this work will lay the groundwork for future technical advances, not only for journalists but also for use by researchers and organizations interested in implementing and testing these tools and processes for other communities.

PUBLICATIONS PRODUCED AS A RESULT OF THIS RESEARCH

Note:  When clicking on a Digital Object Identifier (DOI) number, you will be taken to an external site maintained by the publisher. Some full text articles may not yet be available without a charge during the embargo (administrative interval).

Some links on this page may take you to non-federal websites. Their policies may differ from this site.

Caine, K. "Local Standards for Sample Size at CHI" Proceedings of the SIGCHI conference on Human factors in computing systems , 2016 , p.981
Lerner, A., Zeng, E., Roesner, F. "?Confidante: Usable Encrypted Email -- A Case Study With Lawyers and Journalists.?" IEEE European Symposium on Security and Privacy , 2017
McGregor, S.E., Watkins, E. "Security by Obscurity": Journalists' Mental Models of Information Security" #ISOJ , v.6 , 2016 , p.33
McGregor, S., Watkins, E. & Caine, K. "Would You Slack That? The Impact of Security and Privacy on Cooperative Newsroom Work." Proceedings of the ACM: Human-Computer Interaction. , v.1 , 2017 https://doi.org/10.1145/3134710
SE McGregor, F Roesner, K Caine. "Individual versus Organizational Computer Security and Privacy Concerns in Journalism" Proceedings on Privacy Enhancing Technologies , v.4 , 2016 , p.418
Watkins, E. A., Roesner, F., McGregor, S., Lowens, B., Caine, K. & Al-Ameen, M. N. "Sensemaking and Storytelling: Network Security Strategies for Collaborative Groups" Proceedings of the 2016 IEEE International Conference on Collaboration Technologies and Systems (IEEE CTS) , 2016 , p.622

PROJECT OUTCOMES REPORT

Disclaimer

This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.

A growing number of communities are required to regularly exchange, analyze and store sensitive information. For example, journalists -- along with educators, lawyers, and healthcare professionals -- are among those who must carefully safeguard their digital communications and data. However, there are few within these communities who are computer privacy or security experts, and many lack knowledge about issues of information security.

 

This project used the journalism community as a bellwether for understanding the challenges faced by non-experts in identifying and adopting secure communication practices. Through both quantitative and qualitative research with key stakeholder groups involved in the production of journalism -- including reporters, newsroom leaders, their organizational security personnel and even the many regular people who act as journalistic sources -- this project has offered insight into the many competing factors that influence why and how these groups make the security decisions they do.

 

One key set of findings from this work revealed both how journalists reason about their information security risks, and how they adapt their behaviors to cope with these risks. For example, we found that many professional journalists did not report taking special precautions to protect their communications or data, unless they covered highly sensitive topics like national security. At the same time, however, further research revealed that these self-reports may obscure behavioral adaptations journalists have already made to working with largely insecure communications technologies. In follow-up work we found that many journalists simply declined to communicate or store certain information digitally, because they already recognized the privacy and security limitations of their existing tools. These adaptations, while reasonable and even necessary given current technologies, severely limit the potential benefits of an information technology-enabled workforce; improved usable security technologies are needed to allow journalists and others to reap these benefits.

 

This project also revealed some of the cultural and institutional concerns that may influence communities' information security practices. For example, in-depth interviews with individual journalists revealed that they often deferred to their sources' communication preferences, even if they had concerns about its security. This deference may also influence professionals' behavior in other sectors -- such as health and assistance organizations -- where the less-expert partner in an exchange often has final say over how it is conducted. At the institutional level, moreover, we found that journalistic organizations -- like many others -- can suffer from an  "us-vs-them" mentality between technology teams and journalists. These tendencies were compounded by failures to actively cultivate a sense of shared priorities across teams, reducing incentives for journalists to take on the added work of better security practices, especially against general threats like phishing attacks.

 

These findings in turn led us to examine a rare case where security went "right": the International Consortium of Investigative Journalists' (ICIJ) "Panama Papers" project, which succeeded in coordinating hundreds of journalists globally to produce dozens of stories without an pre-publication leaks or compromise of their source. In this work, we found that even in a highly-diverse, globally-distributed team, meeting the group's defined security goals was possible through both careful, iterative testing and engineering of protocols, and through clear, consistent communications around security priorities.

 

Our project has also had significant broader educational impacts, and impacts on the interdisciplinary computer science workforce. Our project supported three women principal investigators, two PhD students from backgrounds underrepresented in computing and one post-doctoral researcher who is now a new tenure-track assistant professor in computer science. One PhD student?s dissertation grew out of this work and will continue beyond the project period, and the other PhD student described work conducted as part of this project in his successful application for this year?s Heidelberg Laureate Forum in Heidelberg, Germany. He was among only 200 young researchers from around the world to receive this honor.

 

Looking ahead, our results studying journalistic sources suggest opportunities for future research with this population, who -- like legal clients, students, and healthcare recipients -- are members of the general population who need both a better understanding of, and greater agency within, information security systems. Through the production of rigorous, peer-reviewed research, this project succeeded in identifying key individual and organizational issues that secure technologies must address to improve both usability and adoption. These methods also led to a detailed understanding of how journalists and others may cope with the security shortcomings of the tools available to them, and identified factors that contribute to successful security practices, even in very diverse, highly-distributed organizations. In addition to broadening understandings of these issues across related academic disciplines, the insights from this work have supported the creation of new tools, protocols, and practices within journalistic organizations and NGOs. More broadly, this work has laid the foundation for a robust collaboration between the technical computer security, human-computer interaction, and journalism communities, as well as a model for similar collaborations with other sectors.


Last Modified: 12/03/2018
Modified by: Kelly Caine

Please report errors in award information by writing to: awardsearch@nsf.gov.

Print this page

Back to Top of page