Investigative reporters around the world are tightening their digital safety habits, out of concern that emergency pandemic laws, new spy technologies, and the lockdown itself have exposed journalists to even greater threats of surveillance and harassment.
In Hong Kong, the recent arrest of Apple Daily founder Jimmy Lai highlighted the threat posed by the city’s new national security law, which China imposed while the world was distracted by the pandemic. The law effectively criminalizes dissent toward Beijing and allows the seizure of “journalistic materials.”
Governments in places like Thailand, Brazil, and Hungary have used the pandemic crisis as a pretext to limit access to information. Even democracies like South Africa have created sanctions against the publication of information deemed to be false.
Smaller countries out of the global news spotlight have also introduced some particularly harsh measures. Cambodia has increased arrests and harassment of journalists and banned publication of “information that could generate public alarm or fear.” The Inter American Press Association stated in August that state intimidation and harassment of the press in Nicaragua has worsened during the pandemic, citing a record of 351 cases of online smears, censorship, and other attacks during the lockdown.
“You need basic security tools just to make sure you don’t get hacked — in life, period — but it really is now your responsibility as a journalist to have good digital hygiene,” says journalist Gisela Pérez de Acha, who also works as a cybersecurity expert at the Human Rights Center Investigation Lab at the University of California, Berkeley. “Surveillance was already pervasive before the pandemic, but the thing right now is that certain kinds of surveillance are being legitimized and legalized because of the pandemic.
“And we’re also spending a lot more time online, which means some of the reporting we used to do face to face, we’re doing it digitally whether through Zoom, which is not end-to-end encrypted, and even just phone calls with sources,” she said.
Online Work Adds to Threat
Journalists have reported instances of “doxing,” social media harassment in which the identity, address, or other personal details or someone is revealed, and spying in recent weeks. In August 2020, an investigative reporter with Ukraine’s Schemes TV program, Mykhailo Tkach, reported signs of audio surveillance at his home, following warnings from his sources that his reporting had “irritated” senior government officials. (Days later, a car used by Schemes staff was torched.) In July, another Ukrainian investigative reporter, Lyubov Velychko, received threats and abusive messages after she had exposed Russian state control behind Telegram propaganda channels.
But these incidents remain isolated, at least for now. Interviews with a dozen journalists working on the pandemic, combined with a search of news stories and reports from nongovernmental organizations, found no evidence of a general uptick in digital breaches or harassment during the current crisis.
What those interviews did uncover, however, was deep concern that reporters are now more vulnerable than ever to such attacks — and that several leading journalists are either adding extra digital security measures or offline reporting, or both, to their procedures.
The primary concern for these journalists centers on how the lockdown has forced reporters to migrate their working model from face-to-face to digital platforms: that the sheer volume of their work in the digital space has increased the threat that their communication with sources might be intercepted. In many cases, they might never know that breaches happened, according to digital safety specialists.
Experts agree that reporters should not allow the apparent ubiquity of online threats to have a chilling effect on their investigations, by using basic digital hygiene for most investigations, and by upgrading to advanced security and low-tech methods for stories that they pre-identify as high risk. Not every story requires burner phones and end-to-end encryption. But they say the heightened hacking threat posed by pandemic conditions means that — “like flossing your teeth” — certain hygiene principles are no longer optional, like using password managers, always updating apps, using two-factor authentication, and recognizing that phones represent the primary vulnerability.
“Zero-click” Spyware a New Stealth Weapon
The recent cyber attack against Moroccan investigative journalist Omar Radi offers perhaps the most chilling example of the use of new generation technology to hack reporters — and the threat that governments could use the purchase of legitimate COVID-19 contact tracing technology as cover for buying surveillance gear from the same companies.
Radi was given a four month suspended sentence in March for criticizing a judge who upheld a verdict against pro-democracy activists, and has since been detained several times by police.
A forensic investigation by the Amnesty Tech unit at Amnesty International revealed that Radi’s phone had been the focus of a sophisticated “network injection” attack, which redirected the device’s browser to a site that quietly uploaded Pegasus spyware. “NSO Group, the Israeli company marketing its technology in the fight against COVID-19, contributed to a sustained campaign by the government of Morocco to spy on Moroccan journalist Omar Radi,” the report states. “When Pegasus is installed, an attacker has complete access to a phone’s messages, emails, media, microphone, camera, calls, and contacts. Network injection attacks are notoriously difficult for a victim to spot as they leave few clues.” Both NSO and the Moroccan government have denied Amnesty’s findings.
Most troubling about the new threat is its “zero-click” attribute, says Danna Ingleton, deputy director of Amnesty Tech. “In the past, NSO technologies — particularly Pegasus — would have to send you some sort of socially engineered text message, saying something to get you to click on a link, and that website would then infect your system. But with this network injection, you don’t even have to click anything. You could just get a missed call. You can do everything to keep yourself safe, and still be at risk.”
Ingleton says there is an urgent need for a global moratorium on sales of this kind of software until effective regulations are created to prevent abuses.
“We need journalists to continue to be concerned about their privacy, expose violations of their privacy, and contact organizations like Amnesty to expose and get accountability,” she says.
Assessing Risk for Each Story and Beat
California-based investigative journalist Pérez de Acha suspects that sources in a terrorism story she is investigating could be under surveillance by federal authorities in the United States — and that as a result her own communications may be being monitored.
Having previously used “burner phones” only in developing countries like Mexico, she is now using disposable sim-card numbers, rather than a phone connected to her identity, in the US. “But that’s only because of the nature of the story,” she says. “So I adjust my behavior. To that, you add that because of the pandemic, I can’t see my sources in person. Everything is either digital or through the phone, even though I will push [sources to use] Signal [an encrypted message app]. But it doesn’t always happen.”
Pérez de Acha emphasizes that most investigative stories are not high risk for sophisticated hacks, and that reporters need to use basic threat modelling to assess how much digital protection they need, and not be constrained by paranoia.
“It’s also good to divide surveillance concern per beat — it’s not the same risk reporting on homelessness as on terrorist activities,” she says. “If you’re reporting on healthcare you’re probably fine, just have strong passwords, and don’t be dumb. I’m in Berkeley, so let’s say I’m investigating the Berkeley police. What are the chances they could have a tap on my phone? Well, they’d need a warrant from a judge, or maybe someone from T-Mobile could be a leaking source, or they have advanced tools to hack me. Honestly, for local police, that risk is not that high.”
Pérez de Acha says the pandemic has underlined the importance of preventing professional and personal worlds from merging online.
She says one reporter she knows in California recently filed a public information request for gun ownership data, using his personal details. She says he then received a series of threats to himself and his family — via those personal contact details he had listed on the application — from “alt right” activists that were so serious that he was forced to abandon the investigation.
Fahmida Rashid, a senior reporter at security news site Decipher, says many reporters — including herself — are now using old-school P.O. boxes for document drops, for sources who might not be willing to create encrypted email, like Protonmail.
“We definitely are going to see government overreach in this pandemic, and you have to worry that it’ll stick,” she said. “There is precedent in the US, after 9/11, with the Patriot Act used to force journalists to reveal their sources, all under the name of terrorism investigation.”
Rashid says most of her reporter colleagues in Hong Kong and Taiwan are using Telegram and Signal for messaging, rather than WeChat — despite that platform’s ubiquity in the region. China-based WeChat is a frequent target of Chinese government censors and trolls, while Telegram and Signal are encrypted and have records of independence.
Safety Challenge Grows for Freelancers
Perhaps most ominously, malicious actors are beginning to exploit a core journalism strength — curiosity — as a digital vulnerability.
Last year, The Great Saudi Podcast — an investigative series first hosted by exiled Saudi journalist Safa al-Ahmad — received a strange direct message to its Twitter account.
The first season of the podcast dealt with the murder of Jamal Khashoggi — the Saudi dissident and Washington Post columnist — and the Twitter message requested a secure email in which to send a video that was said to relate to the murder.
In addition to being an award-winning independent filmmaker — who revealed an uprising in eastern Saudi Arabia in 2015 — Al-Ahmad was a long-time friend of Khashoggi.
“So I was like, ‘OK…’ and then they started saying things like: We have smuggled a video out of the consulate, we have the entire murder on tape, we’ve taken a lot of risks,” Al-Ahmad recalls. “And then they sent screenshots of the alleged video. The person who was managing our account opened the screenshots. The pictures were strange and intriguing, from a journalistic perspective. It showed a dead body on the floor, quite graphic images. The first thing I had to think about was digital security, and I was thinking: ‘We’ve been breached … you need to throw away your phone now.’”
Al-Ahmad says she still doesn’t know the true intent behind the message, although she did find the original of that video, and concluded that it did not show the murder of her friend.
However, for Al-Ahmad, the incident echoed a recent pattern in which journalists have been targeted with messages that either piqued their professional curiosity or personal connections.
“This is how other reporters have been hacked with Pegasus. I remember how one reporter was sent a ‘Ministry of Justice alert’ to a court case they were covering,” she says. “It was such a reminder for me of how dangerous digital communications can be for a journalist. This is important, because I’m more cautious than most, and I still could have been [hacked]. As a journalist, I wanted to see that link, that picture. I’ve known Jamal for 20 years; this wasn’t just a story, it was personal for all of us.”
However, Al-Ahmad points out that, as a freelancer, it was only due to her relationship with the University of Toronto’s Citizen Lab digital threats research unit that she was able to evaluate the potential threat.
In general, she says the increased surveillance threat presented by pandemic-related regulations and practices presents a particular challenge for freelance journalists, who don’t have institutional support for their digital security.
“This is also part of what it means to be a Saudi journalist in exile now: This absolute paranoia about every digital interaction, constantly, and now, because of COVID-19, there is increased risk of monitoring,” she says. “I can’t just set up a meeting and say: ‘OK, I’ll just ask you what I need to know when I meet you’. Everything has to be digital, or over the phone — and Signal is my best friend during the pandemic. Digital security is paramount right now, and freelancers are extremely vulnerable as a group,” she says.
“We are on the backfoot to staffers, who often get clean laptops and cell phones on assignments. But, as a freelancer, I can’t afford to be constantly having burner phones. I can’t afford to lose the number [my contacts] know to reach me on. The cost of true digital hygiene is impossible for me, so the question is, how can I be as responsible as feasible?”
Al-Ahmad says she was dismayed by the recent revelation that Zoom was vulnerable to hacks for users with older versions of Microsoft Windows.
“I usually agree to do Zoom and then delete it afterwards, but after this news of the [hacking vulnerability on Windows], I don’t even want it on my computer,” she says. ”I mean, the person who is doing the Zoom call — I don’t even know what their computer is. I can’t be asking sources: what’s the spec on your computer? Have you updated it recently?”
Phones Remain the Prime Spying Target
A more common threat emerging under the various lockdowns implemented worldwide is the use of basic call data by authorities — rather than the content of conversations — as leverage to harass both reporters and their sources.
In Nigeria — prior to the pandemic — police were found to have used call records from reporters’ phone accounts to identify sources from frequently-called numbers.
“The reporters affected in Nigeria were shocked — this was not the type of surveillance they were expecting,” says Jonathan Rozen, senior Africa program researcher for the Committee to Protect Journalists (CPJ). “We’re talking about pretty rudimentary call data. Seemingly innocuous information was leveraged quite seriously in order to arrest journalists for their work. The police have access to the reporters call data, which includes most frequently called people, and based on that information, they would contact those people, and in some cases bring them into custody and compel them to summon the targeted journalists.”
Rozen says early signs of added surveillance under the pandemic mean that reporters in Africa, and elsewhere, need to be extra vigilant. In July, Rozen authored a CPJ report which revealed that Ghana’s law enforcement entities had acquired advanced phone hacking technology that has been used elsewhere to target journalists’ cell phone communications.
“There has been a broad concern from journalists since the beginning of the pandemic that states may expand surveillance powers in the context of the lockdown, and have the potential to be abused and leveraged against reporters,” says Rozen.
Extreme digital hygiene procedures could include steps such as unchecking boxes like “Check your spelling as you type,” “Provide search suggestions,” and “Block all cookies” in browser search preferences, to reduce the chances of your search engine reaching out to external nodes. Or avoiding data-hungry browsers like Chrome and Internet Explorer, instead using a privacy-focused search engine like DuckDuckGo. But experts like Pérez de Acha see the limitations of some of these settings as outweighing the low risk of exposure.
Several journalism support organizations have developed general digital security guides for reporters, including the CPJ. After interviews for this story, GIJN is updating its own guidelines. Here are 10 tools and techniques that experts say are particularly effective for the pandemic period, and beyond:
- Create a Virtual Burner Phone: Set up Google Voice as a “virtual burner phone.” One striking feature of the interviews we conducted was that the numbers GIJN dialed for several sources was not their personal phone, but a random number assigned by Google Voice. “I think probably only my boyfriend and my mom know my actual number,” notes Perez de Acha. But she warns that Google itself is still vulnerable to legal probes for data.
- Get a Protected Browser: Use a well-protected browser like Firefox, and delete unsupported browsers like Internet Explorer from your system.
- Use Encrypted Comms: For sensitive stories, ask sources to use end-to-end encrypted communication systems like Protonmail for email and Signal for texting. More familiar encrypted systems like WhatsApp can suffice — but keep in mind that WhatsApp does archive metadata. If that fails, offer sources a P.O. box address for sensitive documents.
- Upgrade Windows: If you’re using Windows 7 or an older Windows version on your PC, then avoid using Zoom until you’ve either upgraded to a newer Windows version, or installed a micropatch to fix a security hole in Zoom detected on July 9. Jitsi is a good open source virtual meetings alternative, although its participant numbers are limited.
- Separate Personal & Professional: If possible, prevent your professional and personal digital worlds from merging, by using methods including burner social media accounts and encrypted communications. Never use your own address when making access to information requests.
- Report Attacks: While there are no current safeguards against “zero-click” spyware attacks — beyond an entirely offline reporting approach — report these attacks to forensic units like the team at Amnesty Tech, and perhaps to your audience as well.
- Create “Burner” Accounts: Use “burner” social media accounts — not tied to your personal identity — when passively monitoring extremist or potentially threatening chat groups. But use your professional account, and your status as a journalist, when approaching a potential interviewee identified from those chat groups.
- Get a Password Manager: Use a free password manager trusted by journalists, like LastPass, that will generate secure passwords beneath a single master password that you choose.
- Use a VPN: Set up a virtual private network (VPN) that encrypts your internet connection — using a trusted system like Tunnel Bear — to help protect your digital privacy.
- Use Two-Factor Authentification: Using only a username and password for accounts today is like having only a simple Yale lock and a peephole on your front door during a crime wave. So experts recommend two-factor authentication, which — while briefly annoying — can be easy while following good step-by-step guides, like this one produced by The Verge.
If there is one good pandemic fallout for the press, it may be that security finally becomes a routine practice for journalists doing sensitive work. “I actually think it’s a myth that digital security requires a lot of tech resources, and a lot of money,” says Pérez de Acha. “It can be really easy, and even really fun — you just need to look it up.”
For more information on digital security see GIJN’s Resource Center Guide to Digital Security; this primer on increasing your digital defenses as an investigative journalist; and this GIJN story on how journalists in different regions need to assess their digital security in different ways.
Rowan Philp is a reporter for GIJN. Rowan was formerly chief reporter for South Africa’s Sunday Times. As a foreign correspondent, he has reported on news, politics, corruption, and conflict from more than two dozen countries around the world.