“I think that the journalism community in the US, and to some degree elsewhere, is just beginning to grasp the fact that they need to protect their information and, by extension, their sources,” said Frank Smyth, who is the senior adviser for journalist security at the Committee to Protect Journalists and also runs a private company, Global Journalist Security. “It’s just too easy to get in and lift their information or monitor their communications without them ever knowing they were compromised.”
For correspondents who report from conflict zones or on underground activism in repressive regimes, the risks are extremely high. Recently, two excellent investigative series—by The Wall Street Journal and Bloomberg News—and the release by WikiLeaks of a large trove of surveillance-industry documents dubbed “The Spy Files” provided a glimpse of just how sophisticated off-the-shelf monitoring technologies have become. Western companies have sold mass Web and e-mail surveillance technology to Libya and Syria, for instance, and in Egypt, activists found specialized software that allowed the government to listen in on Skype conversations. In Bahrain, meanwhile, technology sold by Nokia Siemens allowed the government to monitor cell-phone conversations and text messages.
Journalists are tempting targets for spies armed with these technologies. During a reporting trip to Libya after the revolution, I spoke with former members of Qaddafi’s regime who told me that there had been an extensive program of surveillance targeting journalists both online and at the Rixos Hotel, where foreign correspondents visiting Tripoli were required to stay.
One of the sources, Marwan Arebi, was in charge of information technology at the Ministry of Foreign Affairs and had access to Libyan intelligence correspondence. He says hackers working for the regime had been able to access the accounts of foreign journalists using simple techniques, such as embedding a so-called Trojan-horse virus in a video ostensibly about human-rights violations in Tripoli, and then sending it to reporters. When the reporters opened the video file, spyware would be installed, allowing Qaddafi’s spies to access their computers remotely. Arebi said he was given access to the e-mail accounts of journalists working at CNN and other media organizations. “The problem wasn’t the sophistication of the tools, but rather the lack of knowledge of the reporters,” he said. “I think many sources who were speaking to these correspondents have been captured or killed.”
Arebi, no fan of Qaddafi, was secretly in contact with the Libyan opposition. In an attempt to warn the people named in the e-mails, he contacted Ahmed Ali, a Libyan activist in the US at the time, and passed him a list of the journalists who’d been hacked, as well as a spreadsheet which showed the names, phone numbers, and e-mail addresses of underground sources in Tripoli that he said he’d obtained from a CNN account. As proof, he provided the journalist’s username and password to Ali, and Ali was able to log into the journalist’s CNN account with Outlook. Ali then passed along the information to CNN. A CNN spokeswoman told me the network had been informed of “a possible breach,” and had taken steps to remedy it. She declined to go into further detail.
Ali later showed me the spreadsheet, which included detailed information about sources in Tripoli who were in contact with the regime. One entry, titled “Hasan,” included a phone number and read: “Eyewitness who did not want to be named even with first name. Has a land line to prove he is in Tripoli but does not want to talk on it.” The spreadsheet’s authors also seemed to recognize the sensitivity of the information: “Please keep these contacts internal for just the int’l desk—and our team in Cairo. Do not pass these around to shows, etc.” Chillingly, Ahmed Ali recognized his fiancee’s phone number, though her name was not mentioned—she was still in Tripoli at the time. “I told her she needed to ditch that SIM card,” he said.
Despite the fact that the technology is complex and always changing, there are some basic practices that reporters can learn about online—such as how to encrypt your hard drive—that will only take an evening or two to implement. These precautions should extend to your smartphone as well. Look for a model that offers hardware encryption, and lock it with a longer password that includes random numbers and letters. It’s not rocket science (though it would have helped the NASA engineers who, it was reported in March, lost an unencrypted laptop with codes for the International Space Station).