After researching the subject of digital security, I realized that there have been occasions in my own work as a freelancer covering the conflicts in Libya and Afghanistan when I’ve exposed myself and my sources by carrying unencrypted data or e-mailing sensitive information over insecure channels. It’s unclear what, if anything, major news organizations are doing about it. When CJR’s Alysia Santo recently tried asking outlets like The New York Times, she got a firm “no comment.” Curious, I e-mailed an informal survey to journalist friends and colleagues, and several who’ve worked as senior correspondents in Afghanistan for major US news outlets said they’d had little-to-no formal training or assistance from their organizations in digital security.
“I think that the journalism community in the US, and to some degree elsewhere, is just beginning to grasp the fact that they need to protect their information and, by extension, their sources,” said Frank Smyth, who is the senior adviser for journalist security at the Committee to Protect Journalists and also runs a private company, Global Journalist Security. “It’s just too easy to get in and lift their information or monitor their communications without them ever knowing they were compromised.”
For correspondents who report from conflict zones or on underground activism in repressive regimes, the risks are extremely high. Recently, two excellent investigative series—by The Wall Street Journal and Bloomberg News—and the release of a large trove of surveillance industry documents by Wikileaks dubbed “The Spy files,” provided a glimpse of just how sophisticated off-the-shelf monitoring technologies have become. Western companies have sold mass Web and e-mail surveillance technology to Libya and Syria, for instance, and in Egypt, activists found specialized software that allowed the government to listen in to Skype conversations. In Bahrain, meanwhile, technology sold by Nokia Siemens allowed the government to monitor cell-phone conversations and text messages.
Journalists are tempting targets for spies armed with these technologies. During a reporting trip to Libya after the revolution, I spoke with former members of Qaddafi’s regime who told me that there had been an extensive program of surveillance targeting journalists both online and at the Rixos Hotel, where foreign correspondents visiting Tripoli were required to stay.
One of the sources, Marwan Arebi, was in charge of information technology at the Ministry of Foreign Affairs and had access to Libyan intelligence correspondence. He says hackers working for the regime had been able to access the accounts of foreign journalists using simple techniques, such as embedding a so-called Trojan-horse virus in a video ostensibly about human-rights violations in Tripoli, and then sending it to reporters. When the reporters opened the video file, spyware would be installed, allowing Qaddafi’s spies to access their computers remotely. Arebi said he was given access to the e-mail accounts of journalists working at CNN and other media organizations. “The problem wasn’t the sophistication of the tools, but rather the lack of knowledge of the reporters,” he said. “I think many sources who were speaking to these correspondents have been captured or killed.”
Arebi, no fan of Qaddafi, was secretly in contact with the Libyan opposition. In an attempt to warn the people named in the e-mails, he contacted Ahmed Ali, a Libyan activist in the US at the time, and passed him a list of the journalists who’d been hacked, as well as a spreadsheet which showed the names, phone numbers, and e-mail addresses of underground sources in Tripoli that he said he’d obtained from a CNN account. As proof, he provided the journalist’s username and password to Ali, and Ali was able to log into the journalist’s CNN account with Outlook. Ali then passed along the information to CNN. A CNN spokeswoman told me the network had been informed of “a possible breach,” and had taken steps to remedy it. She declined to go into further detail.