Editor’s note: In March, Columbia University Press released Journalism After Snowden: The Future of the Free Press in the Surveillance State. The contributors — including Alan Rusbridger, Jill Abramson and Edward Snowden himself — analyze the implications of the Snowden affair for journalism and the future role of the profession as a watchdog for the public good.
The excerpt below is taken from Chapter 17, “Digital Threats Against Journalists,” written by Ron Deibert, director of the Citizen Lab at the University of Toronto. It deals with targeted surveillance and off-the-shelf interception tools, and offers a clarion warning to journalists worldwide that now is the time to take better precautions to protect their sources and themselves.
Mass surveillance is an omnipresent risk, but there are other types of surveillance that are more concentrated and focused. Targeted digital attacks are defined by Citizen Lab “as persistent attempts to compromise and infiltrate the networked devices and infrastructure of specific individuals, groups, organizations and communities.” These types of attacks are becoming a more common threat across the civil society landscape, especially for journalists. It is important for every journalist to be aware of the character of targeted digital threats and how to equip him or herself for safe and secure digital communications.
We know that targeted digital attacks are undertaken by all major state powers, but public reports on those originating in China date back at least ten years and are the most notorious. In the past five years, the number of reports on these activities has exploded with documentation of high-profile compromises against government and industry around the world, including major media corporations such as The Washington Post and The New York Times.
Journalists working on China-related issues are also routinely targeted for surveillance. In 2009, Citizen Lab uncovered a major China-based cyberespionage campaign called Ghostnet, which affected numerous high-profile targets including the email servers of the Associated Press. Later that year, Citizen Lab documented a digital attack that compromised the computers of the Foreign Correspondents’ Club of China.
In 2014, Citizen Lab published the results of a four-year study involving ten participating NGOs — including several independent media groups — that were persistently targeted by digital attacks during the course of the study. Attacks like these typically involve malicious software embedded in email attachments. For example, the email messages are drafted as “lures” to entice the recipient to click on the link.
Other types of malware are delivered via hyperlinks that are clicked on or through compromised websites that are visited using web browsers that are not updated with security patches. Once a target is compromised, attackers typically install remote-access trojans (RATs) that exfiltrate data from target machines; some RATs even give the attackers the ability to turn on webcams, microphones, and record keystrokes.
Products such as Hacking Team’s Remote Control System and Gamma Group’s FinFisher allow governmental purchasers the ability to remotely and secretly access and monitor the computers and phones of their targets. Research published by Citizen Lab as well as other investigative groups has demonstrated that some governments and security services abuse these tools by hacking political opponents, human rights groups and journalists both within their own jurisdictions and abroad.
For example, in the United States, journalists working at an independent Ethiopian news organization were compromised with Hacking Team’s Remote Control System spyware. At the time of writing, the government of Ethiopia is facing a lawsuit brought by the Electronic Frontier Foundation on behalf of the Maryland-based victim. Meanwhile, Privacy International has asked the U.K. National Cyber Crime Unit (NCCU) to investigate the Bahrain government’s targeting of victims on UK soil, with the knowledge of Gamma Group, the manufacturer of the lawful intercept product FinFisher. Despite the potential for abuse, the market for these tools is very difficult to regulate, which has helped the governmental customer base grow and has likely led to substantial profits for developers.
Even in zones of conflict, where basic internet connectivity is sparse, targeted digital threats are becoming a major concern. Since at least January 2012, Syrian opposition groups and independent media have experienced a growing volume of suspicious messages and social media postings directed at them to download documents and programs purporting to contain useful information for the opposition.
While physical risks to journalists working in war zones may be the most immediate and palpable concern, digital risks are an increasing threat. Markets for digital-attack techniques, and even more homegrown solutions to digital attacks, are becoming larger and more widely available. This suggests that the risks around this area are going to expand in the near future. For journalists working in sensitive topic areas or zones of conflict, this is likely to be a growing risk area. Unfortunately, many journalists are not equipped to understand the risks and can easily be putting themselves, their colleagues, and/or their sources at risk.
Laws, Policies and Practices
Laws, policies and practices set the context within which digital media can be employed and how journalism can be undertaken. These can include rulings or conventions that restrict access to information and freedom of speech. Over the past decade, research by Citizen Lab and others has documented a growing range of these types of information controls, many of which are directed at or impact journalism and journalists.
In general, legal and regulatory information controls are becoming more stringent, creating more risks for journalists and journalism while stifling critical voices. Another type of information control seeks to restrict what defines a “journalist.” With the widespread availability of social media and blogs, many individuals and groups are undertaking journalistic reporting that in ways would be considered legitimate journalism. However, these individuals and groups lack institutional affiliation and hence the protections that are typically afforded by those connections.
Independent journalists present a challenge for authorities because they are less contained, therefore less controllable, than institutionalized media. For example, the latter may require licensing to operate or have other connections to the government that can be leveraged by government to apply pressures. To rectify this problem, governments are now implementing laws and regulations that pertain to social media, blogs and bloggers, in addition to conventional media.
Although a comprehensive review of cases is out of the scope for this chapter, a cursory glance at particular cases indicates a troubling trend worldwide:
In 2014, the Hungarian government introduced new laws that require media agencies to release in-depth data about their employees and contracts to the government; the government has also been helping “friendly” media companies with advertising purchases at the same time they are withdrawing support from other critical media outlets. Observers note that the government is intending to extend such restrictions to internet publications.
In September 2015, the OSCE representative on Freedom of the Media Dunja Mijatović called out Hungary’s authorities for harassment of journalists covering refugees, saying that “Hungarian police beat reporters with batons, forced journalists to delete heir footage, broke their equipment, and threw teargas.”
The Vietnamese government has introduced a decree that restricts online anonymity, prevents the use of pseudonyms, and requires journalists to reveal their sources. According to Reporters Without Borders, “This decree is trying to apply the censorship already in force for traditional media to blogs.”
In a speech at Malaysian Journalists Night on June 12, 2013, Malaysian Prime Minister Najib Razak pronounced that freedom of speech “must be suited and match Malaysian norms which are synonymous with good manners and noble values.” To that end, he called for the public to submit proposals for a new “form of monitoring and control to ensure what is written in the social media do not breach the laws.”
The Malaysian communications and multimedia ministry then announced that it “will review all aspects of the law, control and education, pertaining to the abuse of social media.” As an indication of a growing trend, the Malaysian communications minister also mentioned that his department will work closely with the Malaysian cybersecurity offices to monitor posts to Twitter, Facebook and other social media to ensure they are “accurate.”
In April 2015, Malaysia’s parliament approved sweeping new powers to censor online media in what some observers see as pressure to control journalists’ and independent bloggers’ coverage of a growing financial scandal sweeping the government.
In 2013, the Singaporean government proposed a news-licensing plan that would require certain news websites to obtain licenses to operate, and may oblige them to remove content. The new rules affect websites that attract more than 50,000 visitors a month. Owners of these websites are required to obtain a license and to remove posts, within 24 hours, that are deemed by the government to be infringements of its policies. Singaporean activists denounced the regulations as a justification of state censorship of online media in a rare public protest (organized through social media) against the government.
In 2016, an Australia-based editor of a popular (but subsequently shuttered) website, The Real Singapore, was sentenced to 10 months in prison for “sedition” related to posts made on the website.
In Russia, internet access was previously more or less unrestricted. However, in 2012, anti-Putin demonstrations prompted the government to become more aggressive. An internet-control agency, Roskomnadzor, quickly took action on information controls, including developing a blacklist of websites to be censored by ISPs, and eventually requiring foreign web-service companies to host their data in Russia, where the companies and their data can be more easily controlled.
At the same time that standard regulations around journalist practices are being tightened and extended to independent web-based media, governments are also applying pressures around content. There are an increasing number of cases of journalists being arrested for content they post online, or website editors being arrested for what they allow to be posted. The latter is particularly noxious for the liabilities that are passed on to website editors or blog-platform hosts.
In 2014, a Thailand magazine editor, Thanapol Eawsakul, was arrested for posting comments critical of the Thai military on his Facebook website. He was released on July 9 on the basis that he sign a written agreement to cease all political activities. Also in 2014, a web editor named Nut Rungwong was sentenced to four and a half years in jail for allowing an article to be published on his website in 2009 that was judged to be defamatory to the king of Thailand.
Vietnamese authorities have arrested an increasing number of bloggers for posts critical of the regime. On May 26, 2013, Truong Duy Nhat was detained in Da Nang and taken to Hanoi for “abusing democratic freedoms in order to infringe upon the interests of the state, the legitimate rights and interests of organizations and/or citizens.” His blog was disabled for a short time following his arrest. Upon reactivation, the blog was booby-trapped to download malware onto the PCs of its visitors.
On June 13, 2013, Pham Viet Dao was arrested in Hanoi under similar accusations. Dao used his blog to criticize Vietnam’s single-party government. Dinh Nhat Uy was arrested on June 15, 2013, for using his blog to “distort the truth and defame state organizations.” These concerted attempts to stifle online expression by the Vietnamese government have continued into the time of writing.
Numerous journalists and bloggers have subsequently been jailed in Vietnam, including, in 2016, Nguyen Quang Lap and Hong Le Tho under article 258 of Vietnam’s penal code for “abusing democratic freedoms” for writings posted on their blogs.
In India, a computer engineer who police claimed ran a Twitter account glorifying the Islamic State terrorist organization was arrested in December 2014, and charged with violating internet regulations and attempting to “wage war against Asiatic powers.” In Sudan, the government has voiced intentions to enact legal measures to restrict content regarded as “a threat to national and social security” and employs a “Cyber Jihadist Unit” that actively monitors social media and infiltrates online forums, even going so far as reportedly hacking into dissident journalist websites and email accounts.
Iran is one of the world’s most prolific jailers of writers and female journalists, according to Reporters Without Borders, including many web-based and social media writers. As of July, at least 65 journalists, bloggers and social-media activists were in prison on various charges related to their speech or writings. In August 2014, Soheil Arabi, a blogger, was sentenced to death by hanging for Facebook posts he allegedly made “insulting the Prophet.” In 2015, the Iranian tech reporter and blogger Arash Zad was arrested, even though he did not routinely comment on political issues, in what one observer saw as “a strong signal from the Revolutionary Guards,” of a growing threat to online freedom.
In Kenya, a new national security law proposes heavy criminal penalties for journalists who publish information that authorities deem undermining to “investigations or security operations relating to terrorism” and for internet users who “post updates that praise, advocate or incite acts of terrorism.”
Growing information controls on content include internet censorship at the ISP and national levels, and government requests to websites to remove content. Dozens of countries now routinely filter access to websites online. Some do so in a limited sense and on the basis of access to content, content related to child abuse, pornography or that which is considered “hate speech.” Many other countries, however, take a broad view of content targeted for censorship — including that which criticizes the regime in power — and block social and political content, including media.
Restricting the type of content that appears online extends to government requests to the private social media companies themselves. Numerous countries have requested that social media remove information or turn over information about users, which are reflected in transparency reports of the companies. For example, in the period from January to June 2014 (the most recent data available), Google reports that Brazil requested to remove content from 342 requests for 1,244 items. In the same period, Turkey made 487 requests for the removal of 2,284 items.
Digital media have empowered journalists and journalism in unprecedented ways, and have contributed to a remarkable transformation in the journalism profession. These changes have not gone unnoticed by those for which they present the most risk: autocratic and authoritarian regimes and others caught in the crosshairs of independent reporting are taking stock and developing sophisticated countermeasures.
While the Snowden disclosures have opened a window into the phenomenal extent to which all digital communications are at risk of surveillance to governments, and journalists and others are developing safeguards, there are unintended impacts of the disclosures that muddy the waters. The disclosures have alleviated pressures on governments such as those of China and Russia, and have provided a model of how to undertake advanced computer espionage for countries just starting to develop such programs, and thus created a convenient excuse to put in place more expansive domestic-level information controls. Therefore, the risks around digital media for journalists are likely to expand in the short term.
Addressing these challenges is daunting, but there are steps that should be taken immediately:
- Media outlets can implement HTTPS encryption on their websites by default. While the costs are significant, such a basic step will do much to alleviate a certain class of risks and establish a norm for the industry.
- Journalism programs can include digital-security modules as foundational. There is a pressing need to educate entire communities as to best practices and instill a culture of security in the journalism profession from the schools to the newsrooms and beyond.
- Journalists and editors should evaluate the digital-security practices of their organizations in a comprehensive fashion. More independent and systematic research is required to evaluate existing practices and the risks to journalists around digital media in specific cases.
- Secure communications tools are necessary but not sufficient. Changes in communication practices are essential. No amount of sophisticated encryption will immunize a journalist from the full range of growing risks. Some of the growing information controls around digital media, such as laws, regulations and practices, cannot be counteracted with tools and software. Even while some technological proficiency can help guard against targeted digital threats, behavioral changes are equally as important.
This excerpt was taken from Chapter 17, “Digital Threats Against Journalists,” of the book Journalism After Snowden, edited by Emily Bell and Taylor Owen, with Smitha Khorana and Jennifer R Henrichsen. It is republished here with permission from Columbia University Press.
Ron Deibert is a professor of political science and the director of the Citizen Lab at the Munk School of Global Affairs, University of Toronto. He is a founder and former principal investigator of the OpenNet Initiative (2003-2014) and a founder of Psiphon, a world leader in providing open internet access. Along with numerous books and articles on internet censorship, surveillance and cyber security, he is author of Black Code: Surveillance, Privacy and the Dark Side of the Internet (Random House, 2013).