Editor’s Note: This post is from GIJN’s Reporter’s Guide to Investigating Digital Threats. Part one, on disinformation, and part two, on digital infrastructure, have already been published. The guide will be released in full this September at the Global Investigative Journalism Conference (GIJC23).
Digital surveillance is now everywhere: from the moment you open your phone in the morning, your activity is generating data through the apps you use, the antennas to which your phone connects, and the calls you make. Most of this data is recorded, stored, and processed either by companies to generate profits, or by state entities to investigate crime and other illegal activities. In this chapter I focus on common forms of digital surveillance you may encounter as a journalist, and briefly talk about how to investigate and counter it.
What Is Digital Surveillance and Who Is Behind It?
To better understand digital surveillance, it is important to differentiate between two forms: mass surveillance and targeted surveillance.
Mass surveillance is the process of indiscriminately surveilling a large part of the population regardless of whether they are suspected of wrongdoing. It can, for instance, be done by capturing all phone communications within a country, or by using facial recognition on video cameras positioned across a city.
Targeted surveillance is the surveillance of specific individuals, often using techniques that are significantly more intrusive, such as spyware or microphones in a person’s home.
Most surveillance affecting civil society is done by government agencies (typically either law enforcement or intelligence services) but is often supported by a surveillance industry working with very little regulation or ethical boundaries. State surveillance has an evil twin: corporate surveillance used to generate profits in what many people now call surveillance capitalism. The purpose of surveillance capitalism is to generate revenue through mass collection of private data. Its primary purpose is not to surveil journalists and civil society, so it won’t be a core focus for us. However, it’s certainly the case that corporations can be involved in targeted digital surveillance of journalists, and that corporate surveillance can be used for threat intelligence.
State surveillance is often discreet and clandestine. Intelligence services prefer not to reveal their capacities and seek to avoid oversight and scrutiny. Yet, it is possible to gather information about the surveillance industry in different places.
- They want to hide but they need to exist. While they sell surveillance, these companies also need to operate like normal corporate firms in some respects. This means they have a legal entity registered somewhere, recruit employees, and post job offers on LinkedIn or elsewhere, and in some cases need to attract investors. All the traditional journalistic tools used to track companies can be applied.
- They want to hide but they need to market themselves. Surveillance vendors and law enforcement agencies gather annually for a dozen surveillance conventions around the world, such as ISS World or Milipol. While most of these events are quite restricted for journalists, the lists of companies, sponsors, and talks, which are sometimes publicly available, provide interesting insight into products and companies. As an example, NSO Group is the lead sponsor of ISS World Europe in June 2023 in Prague. It is often possible to find brochures for surveillance products, or catalogs of the defense industry maintained by some countries such as the Israel Ministry of Defense’s Defense and HLS Directory. In many cases, the form of surveillance is not clearly explained, with euphemisms like “remote data extraction” used instead of “spyware.”
- They want to hide but they need to run. Any form of digital surveillance requires a digital infrastructure that often leaves traces online. (See our separate installment on tracking through digital infrastructure.)
Different Forms of State Surveillance
The evolving and complex digital surveillance landscape can make it hard to paint a full and precise picture of the industry. But it is important to understand the major forms of digital surveillance that states use to monitor civil society.
Phone Network Monitoring
Phone network monitoring is probably one of the oldest and most legitimized forms of digital surveillance. Almost all countries have a system in place to wiretap standard phone calls and SMS for police investigations. Such systems are also widely used by intelligence services, with various degrees of oversight.
The development of mobile phones has extended these capabilities, since, by design, mobile phones need to interact with nearby cell towers in order to communicate. This allows outsiders to geolocate the position of a mobile phone at any given time. This geolocation is available with different degrees of precision. Key factors include whether the system is only checking the latest cell tower the phone was connected to (which gives a location with a precision of between a few hundred meters and a few hundred kilometers, depending on the density of cell towers); or if it’s doing active geolocation by triangulating the signal using multiple cell towers (in which case a location can be pinpointed down to a few meters).
Mobile phones are designed to connect to the closest cell tower in order to maximize the signal. Thus, it’s possible to create portable cell towers able to hijack communications of nearby devices. These tools are called IMSI Catchers (or sometimes, colloquially, Stingrays, using as a synonym one of the best-known IMSI Catcher products) and are available to law enforcement in many countries. More recent mobile protocols have made these attacks harder. Today, the level of intrusion depends on the hardware and the configuration. Simple systems can only identify cell phones in an area, while more complex systems are able to wiretap and modify data communications from these phones.
The international phone network relies on an old protocol called Signalling System No. 7 (SS7), which has been known to have serious security issues, in part because there is little incentive for telephone companies to invest in the security of their network. This security vulnerability has allowed some surveillance companies (like Circles) to register as SS7 operators (or pay existing operators to use their network access) and use this access to remotely track cell phones around the world. This type of surveillance was used to track Princess Latifa al-Maktoum as she tried to escape from her father, Sheikh Mohammed, the ruler of Dubai, in 2018.
It’s worth noting that metadata (such as the caller number, receiver number, and time of the call) can be more interesting and easier to analyze than data itself. This data is often available with less oversight to the police, and can allow them to identify networks of people working together.
Monitoring of Internet Networks
In 2011, during the Libyan civil war that saw the end of Muammar Gaddafi’s reign, a small group of activists discovered a hidden government surveillance center equipped with systems installed by the French company Amesys (later renamed Nexa Technologies). These systems were able to monitor and record all the data going through Libya’s internet, extracting emails, chat, voice-over-IP (VoIP) calls, and browsing history. In many cases, data extracted from these surveillance systems was used to arrest, question, and sometimes torture activists.
Internet-wide surveillance has become a regular tool used by countries to monitor the activity of citizens. The Snowden revelations provided the first look into the internet monitoring capabilities of the United States, with secret programs like XKEYSCORE allowing the state to search for details in this data. These types of tools have become more widely available for countries with smaller budgets, largely thanks to technologies developed in North America, Europe, and Israel. For instance, in 2021, Amnesty International showed that the Israeli company Verint sold network monitoring equipment to South Sudan, and documented the chilling effect this permanent surveillance has on activists.
Phishing and Spyware Attacks
With the increasing usage of encryption, many states are turning to attacks on end devices or accounts through phishing or spyware. Phishing is a form of social engineering in which attackers send messages or emails in order to trick the targeted person into opening a malicious file (most of the time containing spyware) or to trick them into entering their login and password into a malicious website. Spyware is malicious software that covertly monitors device activity and gathers data.
The tools and skills for these attacks are in some cases developed by states that invest time and resources to hire spyware developers. But many countries find it easier to rely on the commercial spyware industry. Historically, this industry emerged in Europe with companies like FinFisher and Hacking Team, and then in Israel with companies like NSO Group and Paragon. The surveillance enabled by this industry has been documented over the past 15 years, and has included the targeting of hundreds of journalists and activists. The spyware industry often provides advanced tools like NSO Group’s Pegasus, which can compromise a smartphone by exploiting vulnerabilities in software that are unknown to the developer (usually called zero-day vulnerabilities). In its early years, Pegasus infected a device via links sent by SMS to victims that, once clicked, would silently compromise the phone.
Around 2018-19, NSO Group reportedly moved to what are known as zero-click exploits — attacks done without any interaction with the user. In other words, a user’s phone can be silently infected even if they do not click on a malicious link. Such attacks either exploit vulnerabilities in applications (like WhatsApp in 2019) or use network injection, which redirects a target’s browsers and apps to malicious websites.
While these attacks are technically advanced and elicit headlines, most spyware and phishing attacks targeting journalists and activists are less complex. The vast majority of attacks I have seen in my career take simpler forms, such as variations of phishing. One classic attack is sending emails impersonating online platforms (such as Google or Yahoo) in order to trick the user into providing their login and passwords. Another one is to send files or even applications on chat applications, trying to make the victim open or install the malicious files.
Many of the attacks targeting civil society rely on social engineering, a tactic that involves manipulation of a target in order to convince them to take an action such as handing over their password or other valuable information. This can be done by impersonating existing trusted organizations, or even by creating fake NGOs. One technique, called spoofing, disguises bad links as familiar email addresses. All these attacks, even if far less technically complicated than Pegasus, are much cheaper to carry out and often still largely effective against civil society.
When journalists or activists are arrested, the authorities often confiscate devices in order to extract data using digital forensics tools. Even if these tools can sometimes be developed in-house by the authorities, they are typically acquired from digital forensics companies such as Cellebrite or Magnet Forensics.
Forensics companies like Cellebrite have been criticized for selling their products to authoritarian governments in Bangladesh, Belarus and Myanmar.
The efficiency of these tools depends on many factors, such as the age and security of the phone, and the price and complexity of the tools used by the police. In 2015-16, for instance, there was an important debate around a legal case where the US government, led by the FBI, attempted to compel Apple to weaken the encryption of its iPhones. This came after the FBI was unable to extract data from a phone that belonged to the suspect of a mass shooting. After a long legal battle, the FBI withdrew its request because it found a third-party company that was able to extract the data using a security issue in the device. Cases like this provide an interesting peek into the capabilities available to law enforcement. But it should be noted that, in many cases, the authorities will try to force a user to give access to a device using legal or physical threats. It is, for instance, a criminal offense to refuse to provide a mobile passcode to the police in France.
Open Source Platforms
Finally, a more recent type of surveillance comes from open source intelligence and web intelligence platforms. These platforms collect online data from publicly available websites and social networks. They organize everything in centralized databases in order to map the activity of a person. While this may seem relatively benign given that the data was public to begin with, the data is often enriched with private information such as phone calls from telecommunication providers or geolocation data obtained by trackers hidden in smartphone applications. This allows users to precisely track the activity of an individual.
Meta’s December 2022 surveillance industry report and recent reporting by the Forbidden Stories consortium suggest that this industry is growing. Recent revelations from Colombia, for instance, clearly show that these tools can be abused to target journalists and civil society.
Digital Security Tips and Tools
After reading this guide to the frightening digital surveillance landscape, you may be left with a feeling of insecurity and think that digital security is a lost battle. It isn’t.
Even if it’s a challenge to stay secure over a long period of time against a dedicated and well resourced adversary, there are many tools you can use and steps you can take to significantly improve your digital security. And you don’t always need to be perfectly secure — you just need to be secure enough to counter the surveillance of people wanting to monitor you.
A comprehensive guide to digital security is beyond the scope of this chapter, but let me use this last section to highlight important methods and tools you should be aware of as a professional journalist.
Use end-to-end encrypted chat applications. End-to-end encryption means that the server managing data between users is unable to see the content of the data exchanged. This is critical because it means that you do not have to trust the company or people behind the application, as long as the encryption is done correctly. The most famous and most respected end-to-end encrypted chat application is Signal. But more and more applications are being developed with end-to-end encryption, including for file transfer (like Tresorit) or even shared documents (like CryptPad). On chat applications like Signal, make sure to enable disappearing messages to avoid keeping history of sensitive conversations on your phone.
Secure your phone as much as possible. Even if there is still a lot of work to be done, the security of smartphones continues to improve. You can follow some simple steps to keep your devices secure. If you’re using Android, make sure that you are using a phone that routinely gets security upgrades from your manufacturer, and that you update the system and apps you use. (If you are technically oriented, think about migrating to GrapheneOS.) For iPhone users, make sure to upgrade your phone to the latest software. If you’re at risk of advanced spyware, be sure to enable Apple’s Lockdown Mode, which Citizen Lab recently found can help block a zero-day exploit attack from the NSO Group. In both cases, try to limit the number of apps you have installed, and try to have separate personal and work phones.
Use two-factor authentication. Two-factor authentication (2FA) requires you to enter additional information along with your password to log into an account. It can be a code sent by SMS (which isn’t perfect, but better than nothing), a code generated by an app on your phone such as FreeOTP (which is solid), or even a number automatically generated by a hardware key like Yubikey (which is quite secure). 2FA is one of the strongest tools against phishing attacks, and I strongly recommend having it enabled on any sensitive account. If you’ve already been targeted by phishing attacks, I recommend investing a bit of time and money to use hardware keys. Also known as security keys or U2F keys, these are small bits of hardware that typically fit into a USB port, and they can make your accounts almost unbreakable.
Assess the threats you are facing. You don’t need to be protected against everything, just against threats that may affect you. Think about the work you do and the kind of digital surveillance you may face. Think about what you have already faced, consult people doing the same kind of work, and write down a list of scenarios. Then, for each case, think about how you can improve your security. (Frontline Defenders Workbook on Security can help you understand this process.) If you are working in a newsroom or as part of a network of journalists, encourage everyone to go through this process. Digital security is a team effort.
If you can’t be secure all the time, compartmentalize. In some cases, you may not be able to make your devices or accounts secure enough for the work you do. In that case, think about compartmentalizing. For instance, use a different work and personal phone, or different email accounts for different projects. If you are working on a very sensitive investigation, consider having devices and accounts dedicated to it. You could also use a separate operating system, such as Tails, which is designed to protect against censorship and surveillance. If you’re working with extremely sensitive data or files, you could use an air-gapped computer. This is a device that can’t connect to digital networks such as Wi-Fi or Bluetooth, and is therefore incredibly difficult to crack into.
Understand digital security and know when to get support. As a journalist, your objective isn’t to become a digital security expert, but you should have basic knowledge, such as what’s outlined in this chapter, and you should know when you need to seek expert advice. If you can, develop a network of tech people you trust and who can help when you face an issue or a new threat. If you are heading into research and reporting that is higher profile than the work you usually do, make sure to anticipate as much as possible. It is always better to be proactive rather than reactive.
You can find great digital security resources on Surveillance Self-Defense, a portal by the Electronic Frontier Foundation, or on Frontline Defenders’ Security in a Box website. GIJN also has some useful resources on this topic. If you need digital security support as a journalist, you can also get in touch with Access Now’s Digital Security Helpline.
The Snowden Revelations. It is hard to speak about digital surveillance without mentioning the Snowden revelations, which totally changed the surveillance landscape by bringing global attention to the widespread spying by the US National Security Agency (NSA). The revelations are extraordinarily wide and the reporting went on for more than a year. I recommend reading the Lawfare summary of Snowden’s revelations and The Intercept’s Snowden archives. For context, the award-winning Citizenfour documentary by Laura Poitras is also worthwhile.
Project Raven. In January 2019, Reuters revealed that the United Arab Emirates hired former NSA employees to develop the country’s offensive digital spying capabilities. These tools were then used to target heads of state and human rights activists.
The Pegasus Project. In July 2021, a consortium of journalists coordinated by Forbidden Stories with Amnesty International’s Security Lab as technical partner, revealed the abuses enabled by the NSO Group’s Pegasus spyware. The reporting originated with a list of 50,000 phone numbers selected for surveillance by NSO customers in 11 countries, including Saudi Arabia, Morocco, Hungary, India, and Mexico.
Inside the Global Hack-for-Hire Industry. In 2022, the UK-based Bureau of Investigative Journalism and the Sunday Times went undercover to meet people at the core of the growing hacker-for-hire industry in India. This story provides insight into how hacking tools that were once available only to governments are becoming accessible to private actors.
Story Killers. Earlier this year, the Forbidden Stories consortium published Story Killers, a series that investigated the disinformation-for-hire industry. Even if it doesn’t directly constitute digital surveillance, there is often overlap between the shady disinformation industry and digital surveillance techniques.
Etienne “Tek” Maynier is a security researcher at Amnesty International’s Security Lab. He has been investigating digital attacks against civil society since 2016, and has published many investigations on phishing, spyware, and disinformation campaigns. He can be found on his website or on Mastodon.