Below is a letter I’ve sent to Royal Media today regarding a journalist who has gone far beyond his ethical and professional boundaries to harass and attack me. Why you ask? Because I didn’t think a particular subject I was researching was credible enough yet to warrant a story. I wanted to bring this to the attention of the tech community as a lesson to be very careful about which journalists you choose to speak with. When you have new findings to share, the choice of which journalists you discuss them with can be harmful if you choose unethical or unprofessional reporters, who are not willing or able to come to an understanding of the details surrounding your work.

Unfortunately, this is not the first time I have had to deal with less than ethical journalists. If you recall, I’ve recently had to deal with a smear campaign from a ZDNet writer, who seemingly used her position in journalism to launch a libelous attack against me, motivated by my religious beliefs (or what she thinks they are), with the full support of the ZDNet staff, who never took any action. Sadly, today, any hack can become a “reporter”, in today’s sense of the word, regardless of what kind of journalism training, or even ethical training, they’ve had. News agencies rarely hold their own writers accountable, especially in tech, where misogyny / misandry thrive, and where personal attacks generate headlines.

I have a very few select number of journalists that I have built a respect for over time. Some of them are the ones that rarely ever cite me, but get a lot of their information from me, and I respect that – I’m not a media whore by any stretch. Because of the rampant lack of ethics and professionalism in journalism, I have – on many occasions – turned down both print and media interviews (many even on national news shows) simply because I do not know the journalists reaching out to me. How a journalist chooses to portray you and your research is often a matter of their perspective, rather than the facts. Their perspective, of course, is driven by their professional dedication to ethics and the truth. Qualities like that are hard to determine until you’ve seen a few stories go through a reporter’s mind.

My point is, be careful about who you trust.

Mr. Hornblass, Ms. Thomas,

I’d like to bring to your attention some recent abuse, harassment, and public slander I have received this morning from one of your reporters (Ian Kar). Here is a brief summary of events:

I am a (well-respected) forensics researcher and author who had previously reverse engineered Facebook Messenger (a week or two back), and had cited some references to a mobile payment system in a single tweet I made on Twitter. Mr. Kar emailed me asking for the scoop to write a story about it. I informed Mr. Kar that I did not think my findings were credible enough to warrant a story, and that it was not worthy of his time (I also told a few other reporters the same thing). Apparently, yesterday, TechCrunch posted a story on this same topic. They had not approached me about it personally, but had apparently sought another source who did some deeper research in addition to mine; they posted what I thought was a highly speculative story on Facebook payments.

This morning, Mr. Kar emailed me and proceeded to chew me out about how wrong I was, and proceeded to lecture me on his 22 years of experience, and essentially accuse me of ruining his story. I responded by email, informing him that nobody was going to want to talk to him if he was going to attack his sources. I also blocked Mr. Kar on Twitter. I then posted a tweet explaining that I had just been bitched out via email for not thinking an FB pay story was worthwhile, and chose not to talk to the reporter about it. As I have a number of other security researchers who follow me, it seemed relevant to inform them that some reporters were in fact being abusive to members of our community.

Mr. Kar then let loose on Twitter, with everything from attempting to justify attacking me to eventually calling me a racist, and ending his rant with a “Fuck Him”. I have included screenshots of some of his tweets below for your review. I am completely appalled at such abusive and immature behavior of someone who claims to be a journalist. I do not know if Royal Media has an ethics policy regarding reporters, but if you do, I would think that Mr. Kar’s behavior has certainly violated it.

I work very hard in my field to provide very accurate and worthwhile research. When I have findings to share, I typically publish them on my blog, or in a white paper, and speak openly to reporters. I have given many reporters hours upon hours of my time to thoroughly explain a complex topic. If you speak to reporters at the NY Times, Washington Post, Mashable, WIRED, Ars Technica, and others, they will confirm that I have taken significant time to discuss important topics with them, such as my recent “Identifying Backdoors, Attack Points, and Surveillance Mechanisms in iOS Devices” paper, published in the International Journal of Digital Forensics and Incident Response.

I have always been very careful not to lend to speculation or half-truths that journalists could (ab)use to puff up their headlines, and am very quick to shut down any malformed ideas about technology that could lead to poor journalism. It was within my best judgment (and still is) that the few details we know about FB’s payment system are too speculative to be credible for a story.

I do not appreciate having a member of your staff attacking me for giving my honest opinion, or declining to discuss a topic I do not feel comfortable discussing. I am thoroughly disgusted that a member of your staff would publicly accuse me of being a racist. This accusation is so absurd, considering that I have never met Mr. Kar, and do not even know what nationality he is! Not that it would matter anyway – as I am not a racist, and never have been, but it does go to show just how asinine and judgmental a statement that is. If Mr. Kar is willing to make such ignorant and poor judgments of his own sources, with zero facts, just how poor is his judgment and ethical regard for journalism?

I have asked Mr. Kar to please cease all communication with me. I have since received three more emails from him, and seen numerous tweets go by his Tweet stream. This is now bordering on harassment.

I would appreciate your swift response to this situation. I do not think it is in Royal Media’s best interest to have reporters on your payroll who attack their sources so viciously when things don’t go their way.

Please feel free to contact me to discuss this.

[ contact info and letter closure ]

NOTE: Since the original tweets were deleted by @iankar_, I have uploaded some screenshots, including the apology he did eventually give, which came shortly after contacting his editor, here.

A Code of Ethics

In the future, if news agencies want to earn their sources’ trust, they should post a public code of ethics, which should also have a commitment to and a process for dealing with ethics violations. At the very least, this would show researchers who’s serious about ethics and who’s not. A public, written code of ethics and commitment to journalistic integrity is virtually nonexistent for many news agencies. To put the burden of vetting and policing journalists on the sources is extremely unreasonable, and news agencies really need to step up on controlling this kind of behavior.

Other things news agencies can do would be to better vet their journalists with personality profiles, and to ensure that they use only agency email and social accounts to correspond with sources. I get more journalist email from gmail right now, meaning that there is no accountability (in the form of an email archive) when issues arise. Using agency accounts might at least help restrain this kind of behavior.

Tips for Evaluating Journalists

How a journalist approaches you is also a great indicator about what kind of journalist they’re going to be. If they approach you asking for a better understanding of what you’re talking about, for a “possible” story, then that’s a good sign that they are interested in the factual content of your research. If they approach you asking for a quote for their story, or tell you that they’re writing a story about your research and would like to “interview” you, then this suggests they may have already jumped the gun and be looking for nothing more than headlines to make. After all, a good journalist wants to make sure that they actually have a good story before proceeding. If your research is the story, then it should send up red flags if they’ve already made up their mind to write about it without talking to you first.

Another way to tell a good journalist is to tell them you’d like a chance to review the story, to double check it for factual errors, prior to publishing it. If they decline, or claim that their news agency has rules against this, then you’re possibly dealing with a journalist who doesn’t care about the facts, and possibly is even trying to blame his/her news agency for it. If you were to email the senior editor of any reputable news agency and ask if they want their reporters to double check facts before publishing, you’d be hard pressed to find one that wouldn’t be OK with this practice.

When discussing details with a journalist, the good ones tend to echo what you told them back to you, in their own words, to ensure that they understand what you’re talking about. The less credible journalists tend to echo your own words back to you, to make sure they got the quote right. This can be a good litmus test to find out if a journalist is interested in understanding what you are saying, or only interested in publishing it in his/her story.

There are a couple of really good reporters who call me back frequently (sometimes annoyingly) to clarify a few points. This is a good sign. It means they care about their story enough to want to get it right. If they call you hounding you for quotes, or asking you, “what do you think of this” or that, then that’s different; that, on the other hand, is a sign that they’re ambulance chasing.

If it turns out that a journalist publishes an online article that has some inaccurate content – call or email them and bring it to their attention. I’ve found some great reporters who will go back in and edit the article before it’s reached critical mass on the website. If they tell you that they can’t go back and edit it (and it’s still early on), then they either don’t care enough about their article, or their news agency doesn’t care enough about post to give their journalists the right tools. Everybody makes mistakes, but to be unable or unwilling to fix them is suspicious.

Lastly, of course, if someone publishes a story that quotes you, such as a tweet or a website quote, but never actually approaches you about it prior to publishing – cross them off your list. Anyone who isn’t interested enough in putting your words in context isn’t worth their salt as a journalist. Anyone who is already writing an entire story based on a tweet is not a journalist. The good ones may reach out to you and ask if there’s something worth looking deeper into. The “where there’s smoke, there’s fire” schtick doesn’t hold water, especially in tech. One minor subroutine, or one little detail can derail months of security research. It happens to even the best.

A good journalist seeks knowledge. A poor one seeks a story. Seek out the good ones, and you’ll avoid a lot of headache down the road. Until society starts holding journalism to a higher standard again, unfortunately you’re going to have to pick and choose who is going to screw a story up, and try to avoid being in the middle of it.