The Guardian published a shocking story a few weeks ago showing that in 2008 Britain’s spy agency GCHQ collected and stored the e-mails of some of the world’s biggest news organizations, including the New York Times, Washington Post, and BBC. We wanted to find out which news organizations are still vulnerable to this mass spying technique, so we conducted a survey of 65 major news organizations to see if they have implemented a common security protocol known as STARTTLS that can protect their e-mails from being intercepted as they travel across the Internet.

We found that news organizations like the Associated Press, Le Monde, LA Times, CBS News, Forbes, Baltimore Sun, and Der Spiegel are still not protecting journalists and their sources from this type of surveillance, and are putting all of the people who communicate with them at risk of being spied on. You can see the full results of our survey below.

STARTTLS is an extension to SMTP, the protocol mail servers use to hand messages to one another, that lets the two servers upgrade their connection to TLS so that an e-mail is encrypted while it travels between them. If implemented correctly at every newsroom, it would largely prevent the type of passive surveillance by GCHQ described in the Guardian article. Without it, an e-mail can be read at any point on the network between the sender's mail provider and the recipient's, and an eavesdropper obtains the entire contents of the message, assuming PGP isn't being used.

Even when PGP is used, STARTTLS is still worthwhile: PGP encrypts only the body, so the subject line and other headers are protected in transit only by TLS. One caveat: STARTTLS is opportunistic by default. The sending server encrypts only if the receiving server advertises the capability, and that advertisement itself travels in the clear, so a receiving server that lacks it, or an attacker on the path who strips the advertisement, leaves the message in plaintext unless the sender has been configured to require TLS for that destination.

Imagine that a source inside the government wants to set up a meeting with a reporter at the Baltimore Sun. So [email protected] sends an e-mail to [email protected], but the server handling mail for baltimoresun.com doesn't support STARTTLS. It makes no difference that the source's own mail server does: the sending server can only encrypt if the receiving server offers to, so the message is transmitted and received in the clear, exposing both the contents and the metadata of the source's communications, and the same goes for everyone else who writes to that newsroom.
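
The exchange described above, as an added example that is not part of the original post: a minimal model of what a sending server does with the receiving server's EHLO reply, plus a live probe of a single MX host using only Python's standard library. It also shows the downgrade that makes opportunistic STARTTLS insufficient on its own: an attacker between the servers who rewrites the STARTTLS keyword in the (still unencrypted) EHLO reply causes a sender with an opportunistic policy to fall back to plaintext, while a sender that requires TLS for that destination defers the mail instead. The host names and EHLO transcripts are constructed; `probe_starttls` is the only part that touches the network, and it runs only when you pass a host name on the command line.

```python
"""STARTTLS from the sending server's point of view.

Added example, not code from the original post. The EHLO transcripts and
host names below are constructed; nothing here contacts a real newsroom.
"""
import smtplib
import ssl
import sys

# Constructed EHLO replies. A real server answers EHLO with one "250-" line
# per extension and a final "250 " line; STARTTLS is advertised like any
# other extension, and the whole reply travels unencrypted.
EHLO_WITH_STARTTLS = [
    "250-mx.example-newsroom.test",
    "250-PIPELINING",
    "250-SIZE 52428800",
    "250-STARTTLS",
    "250 8BITMIME",
]
EHLO_WITHOUT_STARTTLS = [
    "250-mx.example-newsroom.test",
    "250-PIPELINING",
    "250-SIZE 52428800",
    "250 8BITMIME",
]


def parse_ehlo(lines):
    """Return the set of extension keywords in an EHLO reply."""
    exts = set()
    for line in lines[1:]:          # line 0 is the server's own name
        if not line.startswith("250"):
            raise ValueError("unexpected EHLO reply line: %r" % line)
        words = line[4:].split()    # skip the "250-" / "250 " prefix
        if words:
            exts.add(words[0].upper())
    return exts


def strip_starttls(lines):
    """Model an attacker between the two servers.

    Because the EHLO reply is plaintext, a device on the path can rewrite it.
    Overwriting the keyword (rather than deleting the line) keeps the reply
    well-formed, which is how some network equipment has been seen doing it.
    """
    return [l.replace("STARTTLS", "XXXXXXXX") for l in lines]


def deliver(ehlo_lines, policy="may"):
    """Decide how a sending server proceeds after reading the EHLO reply.

    policy names follow Postfix's security levels:
      "may"     = opportunistic: encrypt if offered, otherwise send plaintext
      "encrypt" = TLS required for this destination
    Returns "tls" or "plaintext"; raises if the policy cannot be met.
    """
    if "STARTTLS" in parse_ehlo(ehlo_lines):
        return "tls"
    if policy == "encrypt":
        raise RuntimeError("STARTTLS required but not offered; mail deferred")
    return "plaintext"


def probe_starttls(mx_host, timeout=10):
    """Live check of one MX host (needs network): is STARTTLS advertised, and
    does the upgrade succeed with certificate verification on? A failed
    verification is itself a finding; many MX certificates do not validate."""
    ctx = ssl.create_default_context()
    result = {"host": mx_host, "advertised": False, "tls": None, "error": None}
    try:
        with smtplib.SMTP(mx_host, 25, timeout=timeout) as s:
            s.ehlo()
            result["advertised"] = s.has_extn("starttls")
            if result["advertised"]:
                s.starttls(context=ctx)
                result["tls"] = s.sock.version()   # e.g. "TLSv1.2"
    except (OSError, smtplib.SMTPException) as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe_starttls(sys.argv[1]))
    else:
        cases = [("supports STARTTLS", EHLO_WITH_STARTTLS),
                 ("no STARTTLS", EHLO_WITHOUT_STARTTLS),
                 ("STARTTLS stripped on path", strip_starttls(EHLO_WITH_STARTTLS))]
        for name, reply in cases:
            for policy in ("may", "encrypt"):
                try:
                    outcome = deliver(reply, policy)
                except RuntimeError as exc:
                    outcome = "deferred (%s)" % exc
                print("%-28s policy=%-8s -> %s" % (name, policy, outcome))
```

Run it without arguments to see the six outcomes; run it with an MX host name (look the host up with `dig MX yourdomain` first) to check one server the way the survey did. Note that the "encrypt" policy trades availability for confidentiality: mail to a destination that stops offering STARTTLS queues up instead of leaking, which is why it is normally set per destination rather than globally.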

If news organizations are serious about protecting sources and the communications of journalists, they should make sure that their e-mail servers support STARTTLS, and that it is configured securely: a valid certificate, obsolete SSL versions disabled, and TLS required rather than merely offered for the correspondents that matter most. For the popular Postfix mail server, the project's TLS documentation (TLS_README) explains how.
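
To make "configured securely" concrete, here is an added example, not from the original post and not part of Postfix, that audits the TLS-relevant lines of a Postfix main.cf, with a constructed weak configuration beside a constructed corrected one. The `smtpd_*` parameters govern incoming mail, which is what the survey measured; the `smtp_*` parameters govern what the newsroom sends back to its sources. Host names and file paths are placeholders.

```python
"""Audit the TLS settings of a Postfix server from its main.cf.

Added example, not part of the original post or of Postfix itself. It
reads `name = value` lines as printed by `postconf -n`; the two
configurations, host names and file paths below are constructed.
"""

# Constructed: a server whose TLS settings were never touched. Postfix's
# default security level is "none" for both directions, so STARTTLS is
# neither offered to senders nor used when delivering outbound.
WEAK_MAIN_CF = """\
myhostname = mail.example-newsroom.test
mydomain = example-newsroom.test
mynetworks = 127.0.0.0/8
smtpd_tls_security_level = none
"""

# Constructed: the corrected configuration. smtpd_* parameters govern mail
# arriving at this server, smtp_* govern mail it sends out.
GOOD_MAIN_CF = """\
myhostname = mail.example-newsroom.test
mydomain = example-newsroom.test
mynetworks = 127.0.0.0/8
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/certs/mail.example-newsroom.test.pem
smtpd_tls_key_file = /etc/postfix/certs/mail.example-newsroom.test.key
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 1
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
"""


def parse_main_cf(text):
    """Parse `name = value` lines into a dict; comments and blanks are skipped.
    Multi-line continuations (indented lines) are out of scope here."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def audit_postfix_tls(text):
    """Return a list of (severity, message) findings; [] means no concerns."""
    p = parse_main_cf(text)
    findings = []

    # Incoming mail: this is what the survey measured.
    if p.get("smtpd_tls_security_level", "none") == "none":
        findings.append(("error", "smtpd_tls_security_level is none: STARTTLS is not "
                                  "offered, so every incoming message arrives in the clear"))
    else:
        for key in ("smtpd_tls_cert_file", "smtpd_tls_key_file"):
            if key not in p:
                findings.append(("error", "%s is unset: Postfix will not enable STARTTLS "
                                          "without a server certificate" % key))

    # Outgoing mail: protects what the newsroom sends back to its sources.
    outbound = p.get("smtp_tls_security_level", "none")
    if outbound == "none":
        findings.append(("error", "smtp_tls_security_level is none: outgoing mail is sent "
                                  "in the clear even to servers that offer STARTTLS"))
    elif outbound == "may" and "smtp_tls_policy_maps" not in p:
        findings.append(("info", "smtp_tls_security_level is may with no smtp_tls_policy_maps: "
                                 "TLS is opportunistic everywhere and can be stripped by an "
                                 "attacker on the path; enforce it per destination"))

    # Obsolete protocol versions. Recent Postfix releases exclude them by
    # default; stating it explicitly costs nothing and documents the intent.
    for key in ("smtpd_tls_protocols", "smtp_tls_protocols"):
        protos = p.get(key, "")
        if "!SSLv2" not in protos or "!SSLv3" not in protos:
            findings.append(("warn", "%s does not exclude SSLv2 and SSLv3" % key))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_MAIN_CF), ("corrected", GOOD_MAIN_CF)):
        print("%s configuration: %d finding(s)" % (label, len(audit_postfix_tls(cfg))))
        for severity, message in audit_postfix_tls(cfg):
            print("  [%s] %s" % (severity, message))
```

On a real server, pass the output of `postconf -n` to `audit_postfix_tls`. The table named by `smtp_tls_policy_maps` is a plain text file mapping destination domains to a security level, one per line (for instance a constructed entry `example-source-agency.test secure`), compiled with `postmap`; `secure` additionally verifies the receiving server's certificate, which is what stops an attacker on the path from simply stripping the STARTTLS offer.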

Survey Results

Using the website STARTTLS.info¹, we surveyed the domains of 65 major news organizations. About 25% of them didn’t have STARTTLS at all. Another 25% had STARTTLS, but their configuration could use improvement.²

STARTTLS is not difficult to implement, and has been around for 15 years.³ The largest tech companies have all implemented it for their e-mail services, according to EFF’s Encrypt the Web report. Google has been openly shaming companies who have not adopted STARTTLS in their Safer e-mail transparency report, while Facebook has also surveyed the state of STARTTLS deployment and encouraged its adoption. If most major service providers on the Internet support it, why hasn’t every news organization followed suit?

Our survey found that regional, local and city newspapers tend to be less protected than large national outlets, which was expected, as they operate with fewer resources and lower stakes. But many of these city papers also cover national and international news, such as those owned by The Tribune Company. Some organizations route their mail through commercial security/filtering systems (such as Websense or Symantec MessageLabs), but remarkably, even these services, which news organizations are presumably paying for in order to enhance security, typically don't support STARTTLS!

Many news organizations host their e-mail with third parties like Google or Microsoft. This comes with the risk of making it easier for governments to secretly obtain information through various legal processes without the news organization’s knowledge. However, these providers always scored the highest grade possible on STARTTLS.info. If your organization uses Google Apps you can enable a secure transport (TLS) compliance setting or Postini’s Policy Enforced TLS to enforce encryption for specific domains or even all incoming and outgoing mail.

A recent study by the Pew Research Center showed that fully half of the journalists polled feel that their organizations are not doing enough to protect them and their sources from surveillance and hacking. If systems administrators and technical support people at news organizations want to do more, they can start by making sure that their incoming e-mail is encrypted in transit—since e-mail is a primary tool of virtually every reporter these days.