Countering electronic surveillance
Posted: May 4, 2012
In a chilling account in this month’s issue of the Columbia Journalism Review, freelance journalist Matthieu Aikins recounts how hackers in the employ of the Libyan government were able to access the email accounts of foreign journalists. It wasn’t that difficult – nothing that a hacker of average skills in, say, Manila or Bucharest, couldn’t do. Among other things, Libyan authorities got a spreadsheet from a CNN email account; it had a list of names, phone numbers, and e-mail addresses of the network’s underground sources in Tripoli.
In the past few years, the surveillance capacities of intelligence bodies around the world have multiplied beyond imagination, thanks in part to surveillance technologies developed in the U.S. and Western Europe. But even without those technologies, governments in many countries have been able to count on the cooperation of telecoms companies that willingly release data on subscribers in exchange for leniency on their licensing and other requirements.
Last month, Swedish Television aired an hour-long documentary on the Swedish state-owned telecoms firm, TeliaSonera, which has co-invested in phone companies in the “dictatorship belt” of former Soviet Republics. These companies, the documentary showed, routinely provided intelligence agencies with mobile-phone data on journalists, human rights activists, opposition politicians, unionists, and even ordinary citizens. A TV viewer in Azerbaijan, for example, was questioned by state security after he had sent an SMS vote for the Armenian, instead of the Azerbaijani, candidate in the hotly contested Eurovision Song Contest.
Earlier this week, the Columbia Journalism School hosted a panel on information security to mark the launch of the Committee to Protect Journalists’ revised Security Manual for Journalists. The consensus: Unlike activists, journalists are painfully unaware of how their many devices – computers, tablets, mobile phones – expose them and their sources to great risks. And despite the ubiquity of electronic surveillance, most news organizations, even the biggest ones, do not train their reporters on data security.
As Danny O’Brien, CPJ’s Internet Advocacy Coordinator, said, we have seen in recent years the “democratization” of surveillance. The capacities to monitor phone calls, email and other electronic traffic are now available not just to governments, but also to organized crime and to hackers for hire. Yet journalistic security practices still hark back to the pre-digital era.
There is no foolproof way to secure electronic data. And many journalists covering regular news beats probably don’t need to resort to high-level counter-surveillance measures. But everyone, particularly investigative journalists, has to be careful. The first step is to assess risks and map out the individuals or groups – government agencies, criminal gangs, companies – that may be interested in a journalist’s data and sources. Journalists should also remember that even if they are not being surveilled, their sources might be, and so the email correspondence and voice communications they have with those sources may be compromised. (Read more on Information Security in CPJ’s safety manual.)
Some tips from the panel:
- As a general rule, says Chris Soghoian, an Internet privacy expert, free services for the mass market are not secure because they are built so providers can collect data on users. Facebook, Yahoo Mail and Hotmail don’t encrypt their traffic; Gmail does, but Google servers have access to users’ email so they can place ads. Google also has a track record of surrendering data on its users at the request of governments.
- Katrin Verclas of SaferMobile says “mobile devices are a dictator’s wet dream” because they are phenomenally insecure. SaferMobile recently released a Mobile Security Survival Guide for Journalists. The group’s website also has tips for safer voice calls, securing mobile e-mail and doing secure chatting. But while there are tools and applications that allow users to encrypt their mobile phone data, says Verclas, encrypted data leaves a footprint in the network, and might raise a red flag.
- Encrypt sensitive documents and data. A simple way to do this is through TrueCrypt, a free, downloadable open-source encryption program that allows users to encrypt files or an entire disk or flash drive.
- Cloud services – Dropbox, Google Docs, iCloud, etc. – are not secure, says Soghoian. It’s better to use the word processor on your computer and then back up to secure services like SpiderOak, which is relatively simple to use (SpiderOak also gives free accounts of up to two gigabytes of data).
- Don’t bring laptops or smartphones when traveling to sensitive areas. Use a netbook instead, and a cheap, disposable phone that has minimal information.
- Skype encrypts calls but is not totally secure and it keeps contact lists on its server (more on Skype vulnerabilities here). SaferMobile also says that Skype has a history of providing user data to governments.
- Simpler is better, says O’Brien: In some cases, it might be easier to just use a notebook. You know where it is and you can hold on to it.