Digital security experts say that journalists are not doing enough to protect themselves and their sources online. After all, reporters are expected to share, not hide, information. But understanding encryption and cybersecurity is becoming as crucial for foreign correspondents as interviewing and writing stories.
The first thing to understand is that it’s not just the U.S., China or other major military powers that are capable of spying on reporters. Countries including Vietnam, Ethiopia and Belarus also use government surveillance of communications to target journalists, dissidents and human rights activists, according to a report this year from Reporters Without Borders. The three are part of 32 government-run communications agencies the group named “enemies of the Internet” in 2014 that “have gone far beyond their core duties by censoring and spying on journalists and other information providers.”
Private companies are aiding in the spread of surveillance. In Central Asia, home to some of the world’s most restrictive media environments, U.S.- and Israel-based companies are selling surveillance programs to governments that use the technology to intercept journalists’ online communications and that later use the information to threaten and prosecute them, according to a report this month from U.K.-based Privacy International.
Israel-based NICE Systems and U.S.-based Verint both maintain mass surveillance centers for the Kazakh government. The Kazakh, Uzbek and possibly the Kyrgyz and Tajik governments have built mass-surveillance centers with the aid of foreign companies, the report said.
Pro-democracy activists, from left, Moosa Abd-Ali Ali, Saeed Al-Shehabi and Jaafar Al Hasabi said they were hacked by Bahrain's government while living in Britain, one of a growing number of cases in which refugees say malicious software has been used to keep tabs on their activities abroad. Pictured in October 2014, the three are at the heart of a criminal complaint alleging that Bahrain's government infected their computers with FinFisher, a powerful piece of espionage software. (AP Photo/Matt Dunham)
Next, journalists should stop assuming that certain modes of communication are safe from prying eyes and ears. The online video phone system Skype, for instance, is widely perceived as secure. That perception may come from a 2008 claim the company made saying its calls could not be wiretapped by police. That is no longer the case: off-the-shelf software is now available to agencies seeking to tap Skype calls.
A more secure option is Jitsi Meet, says Sarah Lange, a digital security consultant who collaborates with Community RED, a group that works to improve the security of journalists and activists. The program, built by an international team of developers, is more secure than Skype because its video chat system is fully encrypted.
“There is a hunger for safe technologies, but they have to be easy substitutes; they have to be as easy as the preferred network,” says Lange.
Another important step is to make sure the network connection is safe. Browsers such as Firefox, Chrome and Opera automatically connect to a safe network, and it’s easy to know whether a network is safe by checking the URL. The start of the address should read “https,” not “http,” and a lock should appear to the left of the URL. The “s” and the lock signify that the address is secure.
The choice of web browser also has security ramifications. Jillian York, director of international freedom of expression for the Electronic Frontier Foundation, a privacy rights group, recommends using a browser called the Tor Project. The browser relies on a system known as “onion routing,” originally developed by the U.S. Naval Research Laboratory, that uses multiple layers of encryption to hide the content of a message as well as the sender and receiver.
One drawback to the browser is that it loads slower than others, says York. But the browser gets faster as more people use it. “It shouldn’t be just limited to those people that need to circumvent censorship,” she says. “If we all use it then we’re helping each other stay safe.”
Jillian York of the Electronic Frontier Foundation recommends journalists use the Tor Project browser, which encrypts their activity online. (Courtesy photo)
Another tool is Hotspot Shield, a virtual private network tool that offers anonymous surfing and provides security for those using unsecured public networks, such as those in coffee shops or libraries. There’s also Lantern, a software program that people in countries with open Internet can install on their personal computers, letting those computers act as servers that provide unfettered access to others in countries where sites such as YouTube, Facebook and Twitter are blocked.
The tools listed above aid journalists and activists in evading “choke-points” in the Internet where governments can spy on their data. But in addition they need to be wary of malware that can infect their own device, security experts say.
One of the most powerful tools is a surveillance program called FinFisher or Finfly, says Lange, the digital security consultant. Made by a Germany-based company and developed for use by law enforcement, it installs spy software on computers by prompting users to install fake updates to programs such as iTunes.
It has been used to intercept the files, online conversations and passwords of journalists, rights activists and dissidents in countries such as Turkmenistan, Bahrain and Ethiopia, according to Privacy International. Other customers include Qatar, Bahrain, Pakistan, Vietnam and Nigeria, according to WikiLeaks. In some cases, the governments may not even need to purchase the program. Christopher Soghoian, the principal technologist at the American Civil Liberties Union, told a group at Harvard Law School in 2012 that Egypt had launched cyberattacks on activists using a demo version of the program.
As privacy researchers develop tools to thwart cyber-spying, the spies come up with new ways to snoop. Given that some government security services have budgets running into the billions of dollars, it’s always going to be a cat-and-mouse game, says Lange.
In general, the threat of surveillance to any journalist will depend on the type of online tools they use, their location and the nature of their work.
Even those who take security precautions online shouldn’t assume they are completely safe, says York, of EFF. “Nothing is foolproof and I don’t think that anyone should assume 100 percent security with whatever they use,” she says.
Additional resources for journalists seeking to evade government surveillance of their communications: