the news frontier

Spying on Journalists is Easy

Lax computer security creates easy targets
January 9, 2012

When promising anonymity, discreetly stashed notes and a tight lip are the precautions of journalism’s past. Reporters have gone to jail rather than share the information they’ve gathered for a court proceeding, but as reporters increasingly depend on technology to correspond and collect material, the fruits of that labor can be accessed without a summons, subpoena, or the journalist even realizing it.

Telephone, Skype, e-mail, texts, and instant messaging are easy to intercept with the right technology. The surveillance industry is big business, and governments are regular customers. The stealth and sophistication of this monitoring merchandise was revealed in December when WikiLeaks released The Spy Files, a leak containing hundreds of documents from surveillance companies, including contracts, pricelists, and marketing literature. There were even some eerie animated videos from a firm called Gamma International, creator of Finfisher spyware, showing how their product can access a computer via a fake iTunes update, along with options for bugging a person’s e-mail, cell phone, or Skype conversation.

Journalists Ben Elgin and Vernon Silver produced a series for Bloomberg News called “Wired for Repression,” reporting that western technology companies like Nokia, Ericsson, and Hewlett Packard, to name just a few, are selling surveillance technologies to countries with very poor human rights records, who then use these tools to spy on dissidents. There are chilling examples in the series, including the story of Saeid Pourheydar, an activist and opposition blogger in Iran who was arrested for protesting the Iranian government. Pourheydar was accused of speaking with foreign media and interrogated with transcripts from correspondence he’d had with Voice of America and BBC.

Elgin spoke with Dave Davies on NPR’s Fresh Air about the “Wired for Repression” series and how it’s changed the way he thinks about his own communications:

Elgin: …I began very carefully choosing the words I would use in communications to people, particularly if they’re inside these countries. I mean, I don’t know what triggers the filters there. Sometimes I would seek out people’s help, human rights activists and such who have worked in these countries, and just trying to get a sense for: How can I effectively communicate with somebody inside of these countries?

Communications with those outside the United States aren’t the only ones that require caution. The Obama White House has prosecuted more whistleblowers than all previous administrations combined, so there’s plenty of safeguarding needed domestically as well.

Sign up for CJR's daily email

The most common way of hiding the contents of a message is through encryption, which scrambles the text, requiring a key to unlock it. The following message, “you will not be able to read this,” looks like this after encryption:


But secure communication is not on the radar for most journalists and news organizations. Computer security expert Christopher Soghoian wrote an op-ed this past October for The New York Times, “When Secrets Aren’t Safe With Journalists,” about these dangerously negligent practices and journalists’ ignorance of the insecurity of their own communications:

As an expert on privacy and communication, I regularly speak with journalists at major news organizations, here and abroad. Of the hundreds of conversations I’ve had with journalists over the past few years, I can count on one hand the number who mentioned using some kind of intercept-resistant encrypted communication tools.

After the piece was published, Soghoian says he received thirty or forty e-mails from journalists around the world. “Basically everyone said the same thing, which is, ‘You’re right. We don’t know what we’re doing. Please tell us what to do.’” For the journalists at established news organizations, he recommended the same thing: “I told them, you need to hire security experts and have them in house.”

But for freelancers or those who work for smaller organizations with less to spend, there are a number of simple and free tools which can help protect both the journalist’s information and the people taking a risk to pass it along.

Laptops are lost, stolen, and confiscated everyday. Seth Schoen, a senior staff technologist for the Electronic Frontier Foundation, a digital rights advocacy organization, suggested full disk encryption as a New Year’s resolution for 2012. Schoen says encryption is a very important step for journalists, who often have a goldmine of confidential information on their laptops. While lots of people have a password prompt when they power up their computer, this doesn’t protect the actual hard drive. “People might think that’s safe, but it’s very straightforward to bypass that password,” says Schoen. The contents of the computer could be accessed by simply disconnecting the hard drive and plugging it into another computer.

It is not unusual for computers to be searched at border crossings. The Electronic Frontier Foundation (EFF) recently published some tips about this in regards to entering the United States. Most major operating systems have a built-in option for full disk encryption, but this tool is also available through third parties like TrueCrypt. Saved documents that contain notes, contacts, and sensitive reporting material would be scrambled with full disk encryption, so its contents are illegible to those without the key.

For communicating with sources through instant messaging, Off The Record Messaging (OTR) encrypts the text, and allows users to authenticate the identity of who they are communicating with. It works in conjunction with other chat services, so it can be configured to work with an existing IM account, while blocking that messaging service provider from having access to the communications. OTR should not be confused with AOL Instant Messenger or Google Chat’s off-the-record functions, which simply block the account from keeping a log of the chat. Using OTR on top of an IM system is powerful, Schoen says, “because it says regardless of what kinds of privacy protections the intermediate system or systems do or don’t provide, only the parties to the conversation will be able to decrypt its contents.”

Pretty Good Privacy (PGP) is a popular tool for encrypting and decrypting the contents of e-mail messages, also allowing users to digitally “sign” a message to authenticate its origins. PGP was built twenty years ago, making it one of the oldest digital privacy technologies. In the case of both OTR and PGP, both parties in the communication must be correctly using the tool. Schoen recommends OTR because it’s easier to use than PGP, and says it may be better for “journalists having sensitive conversations” because it provides something called “forward secrecy.” This means that if a private key was ever stolen for an OTR-encrypted machine, the person could only record future conversations; if it was stolen with PGP, the stolen key could also be used to decrypt previous conversations.

Tor (previously known as “the onion router”) makes it very difficult to track which computer an action came from by ping-ponging the data packet between many participating servers. Tor, combined with other encryption tools, is the most secure and private means of communicating over the Internet, since encryption can’t hide where a message originates, just its content. “Suppose you wanted to leak something to WikiLeaks and didn’t use Tor. In that scenario, your ISP, if it cared to, could see that you’re connecting to the site, while WikiLeaks, if it cared to, could log your real IP address, which could eventually be associated with your true physical location,” explains Schoen. “But if, instead, you decide to use Tor, your ISP sees that you’re using Tor, and WikiLeaks sees that you’re using Tor, but no single entity can easily see the whole picture.”

The vast majority of journalists care deeply about protecting their sources, and while no tool can completely guarantee anonymity, these small steps can help improve the chances that those who stick out their necks don’t do so in vain. While governments, banks, law firms, corporations, and other organizations that deal in sensitive information have embraced security, journalism has lagged behind, and CJR will have more on security operations and its relationship to journalism in the coming weeks.

Alysia Santo is a former assistant editor at CJR.