One day last summer, I noticed that one of our Middle East correspondents was visiting the Financial Times newsroom. I’m head of cyber security at the paper, and I have found that foreign correspondents are often at the tip of the spear for strange and interesting threats. So I stopped to chat.
The correspondent, who I will not name for reasons that will soon become clear, mentioned that in recent weeks they had been receiving mysterious WhatsApp calls. The numbers were unrecognized. Afterward, their phone battery had drained quickly. And they were sometimes unable to end other calls, because the screen seemed to freeze.
They had been working on an investigation into surveillance on journalists and human rights activists in a particular Middle Eastern nation, and had been in contact with sources the government was hostile to. We decided the reporter was safer with a separate device for this story.
The next morning, as I took a similar turn around the newsroom, four other correspondents reported that they, too, had had the same issue. All were either on the same desk or helping out on the same story. It is vastly unlikely that five phones would face such a specific issue at the same time by chance. This was no ordinary bug.
The draining battery indicated that something or someone was using the phone’s resources. We did a forensic analysis, and could not easily identify this software or person. So we began to suspect a sophisticated effort, one that not many people, or even companies, could manage. It was almost certainly an attack by a nation state—most likely the one we were investigating. There’s no real way to defend against such attacks. So we decided to use disposable phones and SIM cards.
It was the first incident in a summer of relentless and sophisticated attacks on our journalists, most of which bore the hallmarks of state actors. About one a week was reported (and I don’t want to think about how many were unreported or unknown).
It has long been the case that state actors and big companies have sought to intimidate and attack journalists. But in my experience the incidence has spiked since the 2016 elections in Britain and America, when such efforts came off without consequence. State actors seem to feel they can now act with impunity.
One group of foreign correspondents, working on sensitive stories, were finding that their phone calls to some sources were automatically redirected. That is not an easy thing to do—it suggested to me that those numbers, or people, were being watched at all times. Nobody but a nation state would have access to such capabilities.
Others in the newsroom had fake SMS authentication codes——which would ordinarily act as a one-time password for logging into Instagram or Telegram or WhatsApp—sent to them unprompted. Some were tricked into downloading questionable software. Others had their phones taken from them physically — at checkpoints or conferences– only to find they were behaving strangely when they returned.
Late last year, I visited several Financial Times bureaus around the world. I found that each region or nation has its own signature style of attack on reporters. In parts of Eastern Europe, the flavor seems to be plausible deniability: threats commonly manifest in the form of creative phishing attacks, such as imposters trying to connect on LinkedIn or impersonating emails from known contacts. Someone pretending to be a source might send attachments or link you to material containing malware. The Moscow office router turned out to have the default username and password combination. That might not have been such a big deal, but the office is overlooked by the offices of the FSB, the Russian intelligence agency.
In Asia, journalists are more often targeted by people on the ground. State agents often inexplicably show up where correspondents and their sources are scheduled to meet. Some countries have a centralized database of residents’ IDs, including facial recognition, so the federal police and regional police are largely in sync. In some areas, messaging apps can be disabled based on where you’re located.
One FT bureau, in an Asian nation, felt that security was robust. But then the state bureaucracy started calling to question precise wording in stories that they had never been sent.
Private companies, who have fallen behind recently in their efforts to surveil and intimidate reporters, seem to be catching up. Several months ago, the FT was pursuing an investigation into a bank. One lunchtime, staff members crossing the bridge over the Thames from the office into the City of London caught on video a shadowy figure rather unashamedly pointing what appeared to be a laser microphone straight into the editorial floor from across the river.
In some ways, big corporations like banks and tech companies now have greater resources than state actors; including targeted data about individuals, and the finances to deploy their tactics of intimidation with relative impunity.
What journalists can do to help themselves is determined by individual paranoia. But at the least, it’s essential to ensure that two-factor authentication is turned on everywhere, especially personal social media and any messaging apps. Phishing is the easiest way to compromise, and is now widespread not just on email, but on texting apps. It is imminently sensible to assume surveillance and eschew digital communication for very sensitive topics, if your sources are available in person. If not, it is perhaps worth the extra five minutes to encrypt the contents of an email. Whilst traveling to a high-risk location, you might carry your devices in a Faraday bag — which blocks their signals.
The truth is that something like WhatsApp is probably fine for most communications. The sensitive stuff, though, should go on something more trustworthy, such as Signal. The app is open source, which means its code is available to anyone. Any breach, then, will be immediately known—not be hidden for months while a company tries to navigate the PR consequences, leaving its users exposed in the meantime. It may also be worth separating your work into two devices: business-as-usual and more critical material, with the latter device a disposable one.
As newsrooms shrink, and as publishers invest less in secure technology, there’s a danger that journalists will develop a sense of complacency born of hopelessness: They’re listening to me anyway, so why bother. It has never been more important that we not give in to that feeling.
FROM THE ARCHIVES: Tech journalism’s ‘on background’ scourge
Proceeds from this article were donated by the author to the charity Privacy International.Ahana Datta is the head of IT risk and cyber security at the Financial Times, prior to which she served in the UK government for a number of years. She can be reached at email@example.com.