Exactly what difference do you think using end to end crypto would have made to the facts on the ground here?
We are talking about a database that has just been dumped in the wild by a celebrity hacker group. The thing is public.
Meanwhile, off to the side, a tiny investigative journalist association, wishing to investigate the material to see if it contains newsworthy information, shares a link to the (already massively public) material on a private IRC chatroom.
You now say you feel this was unethical because Brown didn’t use end to end crypto.
Your threat model here is what exactly? Let’s presume SSL was not in use on this IRC server, which is not a foregone conclusion. So your threat model is… that identity thefts subvening on the hacked data might eventuate from an adversary performing a MITM attack on Barrett Brown’s connection to the IRC server in order to intercept… an already publicly available link to a database that has been posted somewhere else in the clear? Really?
At a more general level, I agree with the principle that journalists should use best security practice in their online communications. All of their communications, whether “sensitive” or not.
But information security involves relative judgments of risk where you evaluate the cost of security measures against the risk and severity of threats. Journalists with limited time and resources should probably allocate those resources to high-risk situations, where failure to employ information security potentiates serious consequences. Actual situations where they are handling actually sensitive information. Leaving aside that there is no actual harm alleged arising from BB sharing this link, what is the potential harm arising from Brown’s alleged neglect here; what is its scope, its severity and its likelihood?
There is a minuscule risk of harm, because he was sharing a link in a private IRC populated only by investigative journalists with whom he was familiar, for the purposes of researching the new information. The data was already public, the link was already public. Anyone who wanted to obtain the link or the data could do it without the exorbitant cost in time and effort involved in intercepting packets between Barrett Brown’s IRC client and the ProjectPM server. And lest we forget, we are not talking about BB sending people’s CC information; he was sending a link to a file hosted on someone else’s server, published by someone else, of which some tiny proportion was sensitive information. So our hypothetical attacker would, upon intercepting the link, have to go and dig through the data like everyone else in order to sate his malice. The risks here are exceedingly negligible. Employing a form of end to end crypto, whether it’s OTR, PGP or some hyperobscure doodad using the BTC blockchain and working over geological epochs, makes a negligible difference to those already infinitesimal likelihoods.
As I say, journalists in general should ideally use crypto for everything. But failing that, infosec is about dealing with what is probable and mitigating risks, not about creating work environments hermetically sealed against the most outlandish risks our imaginations can come up with, and I see more of an ethical problem with journalists failing to use crypto when there is a reason to use it, than with journalists failing to use crypto when there is no real reason at all to use it short of pedantry.