The spy who came in from the code

How a filmmaker accidentally gave up his sources to Syrian spooks
May 3, 2012

Last fall, “Kardokh,” a 25-year-old dissident and computer expert in the Syrian capital of Damascus, met with British journalist and filmmaker Sean McAllister. (Kardokh is his online pseudonym, used at his request.) McAllister, who’s made award-winning films in conflict zones like Yemen and Iraq, explained that he was shooting a documentary for Britain’s Channel 4 about underground activists in Syria, and asked if Kardokh would help him.

At the time, the situation in Syria was deteriorating rapidly, as protests against President Bashar al-Assad’s repressive regime turned violent following a vicious crackdown by security forces. The Syrian government had drastically curtailed visits by foreign journalists, but McAllister had managed to get in undercover. Kardokh was grateful for a chance to tell his story. “Any journalist who was making the effort to show the world what was happening, that was a very important thing for us,” he told me in February.

At the time, Kardokh was providing computer expertise and secure communications to the resistance. He agreed to be interviewed about his work on camera by McAllister, who filmed his face, telling Kardokh that he would blur it out before publishing the footage. McAllister also asked Kardokh to put him in touch with other activists.

But some of McAllister’s practices made him uneasy, Kardokh said. He worried that the filmmaker didn’t realize how aggressive and pervasive the regime’s surveillance was. Kardokh and his fellow activists took elaborate measures with their digital security, encrypting their communications and using special software to hide their identities online. “I started to feel that Sean was careless,” Kardokh told me. He said he had urged McAllister to take more precautions in his communications and to encrypt his footage. “He was using his mobile and SMS, without any protections.”

Then, in October, McAllister was arrested by Syrian security agents. He wasn’t harmed, but was held for five days and said that he could hear the cries of prisoners being tortured in nearby rooms. Eventually, he was released and returned to the UK. “I didn’t realize exactly what they were risking until I went into that experience,” McAllister said in an interview on Channel 4 after his release.

The Syrians had interrogated McAllister about his activities, and seized his laptop, mobile phone, camera, and footage. All of McAllister’s research was now at the disposal of Syrian intelligence. When Kardokh heard that McAllister had been arrested, he didn’t hesitate—he turned off his mobile phone, packed his bag, and fled Damascus, staying with relatives in a nearby town before escaping to Lebanon. He said that other activists who had been in touch with McAllister fled the country as well, and several of those who didn’t were arrested. “I was happy that I hadn’t put him in contact with more people,” Kardokh said.

Rami Jarrah, a Syrian activist based in Cairo, said that he tried to help another activist, known as Omar al-Baroudi, get out of the country after McAllister’s arrest. “He was terrified,” Jarrah said. “His face was in those videos. He said that his number was on Sean’s phone.” The next day, Baroudi disappeared, and Jarrah said that he has not been heard from since.

Officials at Channel 4 say they took action to help McAllister’s sources after his arrest. “We have been in contact with everyone who felt at risk because they spoke to Sean,” said Amy Lawson, the channel’s head of communications. “He is an experienced filmmaker and took steps to protect his material. Syria is an extremely difficult environment to work in, so we continue to look for ways to minimize that risk whilst ensuring we tell this important story.”

It’s easy to argue that McAllister should have taken stronger precautions, but what, exactly? How many reporters are familiar enough with the technical aspects of digital security that they could protect their computers and phones from the Syrian intelligence service? The fact that McAllister, an experienced and committed journalist, jeopardized his sources with inadequate digital precautions is indicative of a broader problem in journalism today: We haven’t kept pace with technological advancements that have revolutionized both information-gathering and surveillance.

After researching the subject of digital security, I realized that there have been occasions in my own work as a freelancer covering the conflicts in Libya and Afghanistan when I’ve exposed myself and my sources by carrying unencrypted data or e-mailing sensitive information over insecure channels. It’s unclear what, if anything, major news organizations are doing about it. When CJR’s Alysia Santo recently tried asking outlets like The New York Times, she got a firm “no comment.” Curious, I e-mailed an informal survey to journalist friends and colleagues, and several who’ve worked as senior correspondents in Afghanistan for major US news outlets said they’d had little-to-no formal training or assistance from their organizations in digital security.

“I think that the journalism community in the US, and to some degree elsewhere, is just beginning to grasp the fact that they need to protect their information and, by extension, their sources,” said Frank Smyth, who is the senior adviser for journalist security at the Committee to Protect Journalists and also runs a private company, Global Journalist Security. “It’s just too easy to get in and lift their information or monitor their communications without them ever knowing they were compromised.”

For correspondents who report from conflict zones or on underground activism in repressive regimes, the risks are extremely high. Recently, two excellent investigative series—by The Wall Street Journal and Bloomberg News—and WikiLeaks’ release of a large trove of surveillance-industry documents dubbed “The Spy Files” provided a glimpse of just how sophisticated off-the-shelf monitoring technologies have become. Western companies have sold mass Web and e-mail surveillance technology to Libya and Syria, for instance, and in Egypt, activists found specialized software that allowed the government to listen in to Skype conversations. In Bahrain, meanwhile, technology sold by Nokia Siemens allowed the government to monitor cell-phone conversations and text messages.

Journalists are tempting targets for spies armed with these technologies. During a reporting trip to Libya after the revolution, I spoke with former members of Qaddafi’s regime who told me that there had been an extensive program of surveillance targeting journalists both online and at the Rixos Hotel, where foreign correspondents visiting Tripoli were required to stay.

One of the sources, Marwan Arebi, was in charge of information technology at the Ministry of Foreign Affairs and had access to Libyan intelligence correspondence. He says hackers working for the regime had been able to access the accounts of foreign journalists using simple techniques, such as embedding a so-called Trojan-horse virus in a video ostensibly about human-rights violations in Tripoli, and then sending it to reporters. When the reporters opened the video file, spyware would be installed, allowing Qaddafi’s spies to access their computers remotely. Arebi said he was given access to the e-mail accounts of journalists working at CNN and other media organizations. “The problem wasn’t the sophistication of the tools, but rather the lack of knowledge of the reporters,” he said. “I think many sources who were speaking to these correspondents have been captured or killed.”

Arebi, no fan of Qaddafi, was secretly in contact with the Libyan opposition. In an attempt to warn the people named in the e-mails, he contacted Ahmed Ali, a Libyan activist in the US at the time, and passed him a list of the journalists who’d been hacked, as well as a spreadsheet which showed the names, phone numbers, and e-mail addresses of underground sources in Tripoli that he said he’d obtained from a CNN account. As proof, he provided the journalist’s username and password to Ali, and Ali was able to log into the journalist’s CNN account with Outlook. Ali then passed along the information to CNN. A CNN spokeswoman told me the network had been informed of “a possible breach,” and had taken steps to remedy it. She declined to go into further detail.

Ali later showed me the spreadsheet, which included detailed information about sources in Tripoli who were in contact with the regime. One entry, titled “Hasan,” included a phone number and read: “Eyewitness who did not want to be named even with first name. Has a land line to prove he is in Tripoli but does not want to talk on it.” The spreadsheet’s authors also seemed to recognize the sensitivity of the information: “Please keep these contacts internal for just the int’l desk—and our team in Cairo. Do not pass these around to shows, etc.” Chillingly, Ahmed Ali recognized his fiancee’s phone number, though her name was not mentioned—she was still in Tripoli at the time. “I told her she needed to ditch that SIM card,” he said.

Despite the fact that the technology is complex and always changing, there are some basic practices that reporters can learn about online—such as how to encrypt your hard drive—that will only take an evening or two to implement. These precautions should extend to your smartphone as well. Look for a model that offers hardware encryption, and lock it with a longer password that includes random numbers and letters. It’s not rocket science (though it would have helped the NASA engineers who, it was reported in March, lost an unencrypted laptop with codes for the International Space Station).

If you’re reporting from a country with sophisticated electronic surveillance capabilities, like China or Iran, or trying to shield sources from Western intelligence agencies, then the techniques involved are more complicated and might require expert assistance. News organizations need to have in-house resources for their reporters, and they should offer assistance to the freelancers with whom they work.

Smyth, who helps train journalists in security practices, believes that part of the problem is one of mindset, as veteran reporters and editors find it frustrating and unnecessary to change longstanding practices. “You’re asking someone who’s already established and proven themselves to learn a new language,” he said.

Too many journalists I spoke to still regard digital security as an esoteric province of the technically inclined, and expressed fatalism that if “they” want to get it from you, they’ll get it. But as our research methods and communications are increasingly digitized, we need to accept that digital security is a fundamental aspect of the trade, as basic as maintaining accurate notes or paying attention to libel law.

The stakes can be incredibly high. Kardokh is still hiding. He’s now working on the Cyber Arabs Project, sponsored by the Institute for War and Peace Reporting, which aims to build an out-of-the-box laptop and mobile kit for activists that supports secure and anonymous communication.

Kardokh said that he is still grateful that McAllister helped draw attention to the situation in Syria, and noted that Channel 4 had been very active in providing assistance to their sources after the arrest. “For me, this was enough to say that Sean is still a friend,” he told me. He wished, though, that journalists would better inform themselves about the risks before visiting. “I think Western journalists can’t imagine the power of the regime here.”

Matthieu Aikins is a freelance journalist who writes for Harper’s, The Atlantic, GQ, and other magazines.