Our correspondent, Noah Aderoju writes on the need for journalists and media organisations to ensure the security of audience data in their care.
Virtually all news publishing websites of media houses now have an Opt-In tab for email newsletter subscriptions where interested readers who would like to get content subsequently in their emails exchange their details for a free daily or weekly subscription. They enter Personally Identifiable Information(PII) like email, first name, last name, phone number and some others.
Little do they know that the simple transaction of exchanging personal data for a service has initiated a contract where the person, a data subject, is vulnerable to the actions of the media house, a data controller who is responsible under data protection regulation to protect the PII submitted.
Journalism as a practice revolves around the collection, processing, and publication of information by both individual and organizational entities. Journalism, at its core. also puts a premium on protecting sensitive information, interests, and especially the safety and privacy of sources. There is an abstract and open-to-personal-definition sense of privacy that the subjects of reportages are entitled to, which guides each journalist and media outfit – depending on their degree of volition –- in the adjudication of their roles and functions.
The ideals of Data protection laws and regulations globally, and especially in Nigeria, has never been of much concern to journalists. The concept of getting the consent of data subjects, who are individuals whose personal information will be used before the processing is not new to journalists, and the understanding of the specificity of the use of provided information, and so is the sacred nature of information provided. However, there is a need for optimum security for the information and the need to keep journalists up to date on what actually protects people’s data. Journalists, more than ever, need an objective benchmark for how people’s data is stored, processed, and shared.
With the evolving digital media space and a need to satisfy the niched content needs of media consumers with tailored distribution methods like newsletters, paid subscriptions and UGC platforms, media platforms now collect and process huge amounts of personal information of their audience through signup information and email lists and subscriber details. This is aside from the information collected, stored, and processed for investigation purposes as many digital investigative projects are being embarked on by journalists.
Where there is data, there has to be privacy.
NiemanLab, a leading international journalism think-tank, has an over 60,000 subscription base of journalists, reporters, and editors across many countries who subscribe to get content only about journalism. PremiumTimes, an online investigative newspaper in Nigeria recently boasted of 40 thousand newsletter subscribers on their platform and launched a voluntary profile update where subscribers were asked to add more personal details for better content recommendation. TechCabal’s TC Daily senior editor Timi Odueso, last month, said TC sends 5.5 million emails per month, with its four different newsletters, that is roughly about 5000 subscribers whose email and maybe more personal information is kept in a database. Stears and The Republic are some publication in Nigeria that runs paid subscriptions.
While a lot of news websites now have a newsletter subscription bar on their websites offering email content delivery to their readers, many of these media outfits do not have correlating data infrastructures to the level of sensitive data they process. These datasets are subjected to the same infrastructures that vaguely anonymize them to allow the runners to be able to make business decisions — including ads — off them.
But what is anonymized data in this age is rapidly changing.
Anonymized data is data that has gone through the process of either erasing or encrypting personally identifiable information (PII) preventing identifiers that can connect individuals to the stored, shared or published data thereby compromising their privacy. Popular techniques of doing this are pseudonymization and masking of data. Other techniques include generalization, data perturbation, data swapping and synthetic data creation.
However, industry realities have shown that requirements for data anonymization keep going higher. An anonymized data in an investigation of corruption and match-fixing by tennis players published by BuzzFeed News and BBC was later deanonymized and published by some undergraduate students a few days after, stressing the need for more sophistication by journalists in data protection.
Netflix’s 2006 competition where an anonymized dataset of 10 million movie rankings by customers was published as part of a challenge to improve the streamer’s recommendation system proved that simple anonymization isn’t enough for data protection. The data which was anonymized by removing personal details and replacing them with random numbers was deanonymized by two researchers sixteen days later simply by comparing rankings and timestamps with publicly available information in the Internet Movie Database (IMDb).
In the age of data engineering and OSINT complexity, more than simple anonymization is needed. Journalists need to take a more active approach to protecting identities.
When processing information gathered for reporting purposes, usually obtained from interviewing witnesses, researching reference documents, and conducting polls and surveys which may contain varying kinds of sensitive information, a trained journalist knows the importance of data and information protection and the consequences of negligence in the task.
Now, more than ever journalists need to get the needed skills and infrastructure to assume the role and responsibilities of data controllers and processors which is chiefly to protect the personal information of data subjects from bad actors.
How capable are journalists in upholding data privacy laws?
According to a recent research published in 2023 that looked into how Nigerian journalists understood, applied, and struggled with privacy laws, 95% of journalists have a thorough understanding of privacy law and apply it to their work as journalists. The researchers randomly interviewed 30 working journalists and surveyed the thoughts of 195 more in Abuja, the capital city of Nigeria where many multi-cultural national and international journalists reporting issues in the country are concentrated.
Despite affirming the knowledge and application in their works, these journalists agreed that implementing privacy laws will be extremely challenging and that the age of rapidly advancing high technology will only exacerbate the issue.
This is not surprising as journalists and media outfits now process more personal information of individuals even outside their reporting scope. The sheer amount of personal data obtained from subscriptions to media products like newsletters, pay-walled content, UGC platforms and other services offered by media houses and independent publishers is huge and if carelessly handed can be a lethal weapon in the hands of bad actors.
In Nigeria especially where many citizens still fall victim to social engineering attacks. Scammers now leverage the knowledge of WhatsApp groups that unsuspecting victims are in to construct social engineering scam tactics which many have fallen for.
Many publications are now so niched that when their subscribers’ personal information is leaked, it can amount to bad actors having enough sensitive personal information or even confidential personal information to do great harm.
Information and Cybersecurity expert, Emmanuel Bassey described the Nigeria news publishing and media sector as one that showcases a spectrum of commitment to data privacy protection standards. “While some organizations demonstrate robust measures to safeguard personal data, others encounter challenges due to factors such as resource constraints or a lack of awareness regarding regulatory requirements,” he said.
He noted that there’s a notable opportunity for improvement in ensuring a comprehensive embrace of data privacy protection practices across the sector.
By virtue of being custodians of this information, media houses, independent publishers and journalists may assume the identity of data controllers and or processors.
According to the principal data protection legislation in Nigeria, the “Nigeria Data Protection Act 2023” (NDPA) signed into law by President Bola Ahmed Tinubu on 14 June 2023, a “Data Controller” is an individual, private entity, public Commission or agency or any other body who or which, alone or jointly with others, determines the purposes and means of the processing of personal data. While, a “Data Processor”, is an individual, private entity, public authority, or any other body, who processes Personal Data on behalf of or at the direction of a Data Controller or another Data Processor.
Taking a case study of media houses that have newsletters, paid subscriptions, and registered accounts, as data controllers, they wield the authority to determine the purposes and methods of processing personal data, and as data processors, they handle data on behalf of the controller.
A clear example is when users sign up for newsletters or create accounts, media outfits not only collect and store personal data like name, address, email, phone number, etc provided by the subscribers but also assume the responsibilities aligned with data processing activities under pertinent data protection regulations. In the instance of a paid subscription, the financial information of the subscriber may also be involved.
What needs to be done to promote data privacy
Although most media outlets’ publications are for the public interest, the responsibility that comes with controlling and processing the personal data of data subjects cannot be shirked. They need to handle personal data responsibly and in ways that align with the stipulations of applicable data protection laws.
To achieve this, media houses need to put in place the human, structural, and cyber infrastructure to ensure information security across their platforms. Starting with employee training on data security best practices, media platforms need to invest in creating secure communication channels, Access control to ensure only authorised people can have the privilege to necessary data, encryption of sensitive data being shared and stored, regular audit and monitoring and the creation of an incidence response plan for when the unfortunate event of data breach happens.
Bassey specifically advised that enhancing information security for news publishing and media outfits is imperative and stakeholders should implement standard and international best practices to safeguard their platforms.
Some of his recommended practices include:
Conducting regular audits and assessments of data handling processes to pinpoint vulnerabilities and compliance gaps. Looking through the typical journey of data in the media outfits’s workflow and spot where data privacy can easily be compromised.
Implementing robust access controls and encryption mechanisms to fortify sensitive data against unauthorised access or disclosure making access to sensitive data need-based and only to priviledged persons.
Prioritizing comprehensive staff training on data protection best practices and regulatory requirements and establishing definitive policies and procedures for data collection, processing, retention and disposal to ensure a pervasive culture of awareness and compliance adhering to principles of transparency, purpose limitation, and data minimization throughout the organization.
Since journalists have limited capacity to ensure optimum data protection, engaging with legal and data privacy experts to stay abreast of evolving regulatory frameworks and industry standards, adapting policies and practices accordingly is an effective strategy to employ.
Finally, fostering a culture of accountability and responsibility concerning data protection, and promoting clear channels for reporting and addressing privacy-related concerns or incidents among other strategies will go a long way to ensure more guaranteed data protection in the media space.