CPJ - committee to protect journalists
By Danny O'BrienIn the days after Marie Colvin and Rémi Ochlik died in the Syrian city of Homs in 2012, fellow conflict reporters speculated on the role that satellite phones might have played. Colvin and Ochlik were working from a makeshift media center that was precisely targeted by rockets. Had the killers hunted them down using signals from the very phones with which the journalists reported their stories?
The risks of working in a war zone were familiar, but the apparent dangers of using a telecommunications device common among foreign correspondents represented a new uncertainty.
Experienced journalists struggled to understand what the technology could reveal about their locations, and to grasp the possibility--raised by Libération journalist Jean-Pierre Perrin, who had been with Colvin in Homs--that Colvin and Ochlik were singled out by the Syrian army precisely for their ability to transmit news from a city deliberately denied communication links. Journalists' phones were being used to broadcast the atrocities taking place in the city, and for that reason, the authorities might have sought to trace and eliminate those transmissions at the source.
While not every journalist is an international war correspondent, every journalist's cellphone is untrustworthy. Mobile phones, and in particular Internet-enabled smartphones, are used by reporters around the world to gather and transmit news. But mobile phones also make journalists easier to locate and intimidate, and confidential sources easier to uncover. Cellular systems can pinpoint individual users within a few meters, and cellphone providers record months, even years, of individual movements and calls. Western cellphone companies like TeliaSonera and France Telecom have been accused by investigative journalists in their home countries of complicity in tracking reporters, while mobile spying tools built for law enforcement in Western countries have, according to computer security researchers working with human rights activists, been exported for use against journalists working under repressive regimes in Ethiopia, Bahrain, and elsewhere.
"Reporters need to understand that mobile communications are inherently insecure and expose you to risks that are not easy to detect or overcome," says Katrin Verclas of the National Democratic Institute. Activists such as Verclas have been working on sites like SaferMobile, which give basic advice for journalists to protect themselves. CPJ recently published a security guide that addresses the use of satellite phones and digital mobile technologies. But repressive governments don't need to keep up with all the tricks of mobile computing; they can merely set aside budget and strip away privacy laws to get all the power they need. Unless regulators, technology companies, and media personnel step up their own defenses of press freedom, the cellphone will become journalists' most treacherous tool.
To examine the center of the mobile phone revolution, one must go not to the labs of Silicon Valley or the iPhone factories of China, but to the Kenyan capital, Nairobi. Kenya's economic and political stability has grown hand in hand with its cellphone infrastructure. The World Bank reported in 2011 that the country's information and communications sector was contributing nearly a full percentage point to economic growth, driven by cellphone ownership that went from a fraction of 1 percent of the population in 1999 to more than 64 percent in 2011. The number using cellphones quickly leapfrogged those using traditional wired telephone and Internet connections, and the country is now held as a model and testing ground for the future of mobile worldwide. Kenya is the home of M-PESA, the first ubiquitous mobile-based payment and banking system, which lets Kenyan citizens use their cellphones to carry the equivalent of a cash balance and make safe, instant purchases of a wide spectrum of items such as electricity and roadside goods. It's also home to Ushahidi, a disaster mapping system first created to let mobile users record instances of election violence in 2007.
Nairobi, with a population of almost 3.4 million, is also home to East Africa's large community of exiled journalists. Having fled oppression in Rwanda, Eritrea, Somalia, or Ethiopia, these reporters depend on Nairobi's cheap mobile phones to stay in contact with family and friends in the diaspora and at home.
The phones also deliver death threats. As I sat in a Nairobi restaurant discussing digital security with an exiled Ethiopian journalist--one of more than 50 exiled for their work in the past decade--he told me how he receives texts telling him that the sender knows where he is and is going to catch him. If they can find my phone number, he asked, can they find me?
The answer for reporters in dangerous situations is not reassuring. Every mobile phone is a tracking device, as Peter Maass and Megha Rajagopalan, reporters on digital privacy at ProPublica, have noted. Phones report their approximate location to the local cellphone company as part of the process of establishing which cell tower to use. The precision of the location mapping depends on how closely those cell towers are placed; in a crowded city like Nairobi, that can resolve to just a few feet. Many exiled journalists in this city scrape a living in the slums of Kibera and Mathare. While these shanty towns have little in the way of sewers, street lighting, or domestic electricity, cellphone towers rise above the shacks.
Location data is retained by cellphone providers; just because someone has your phone number does not mean that person can also obtain your location. But as in most countries, cellphone companies in Kenya have an intimate relationship with the government. They depend on nationally negotiated contracts for radio spectrum, and are frequently the descendants of state-owned monopolies. (The Kenyan government held a majority stake in Safaricom, the country's largest phone provider, until its initial public offering in 2008; now the government stake is 35 percent.)
Governments in other countries, especially those unfriendly to Kenya, are unlikely to get their hands on that tracking data. But within a country, be it Kenya or the United States, use of such data is remarkably unregulated. A person in Nairobi's police force, who spoke on condition of anonymity, told CPJ that cellphone data is regularly used to detect and catch street criminals. U.S. Rep. Edward Markey released data in July 2012 showing that domestic cellphone carriers in the U.S. responded to more than 1.3 million requests for subscriber information from law enforcement in 2011, many without subpoenas or warrants.
In Ethiopia, the entire telecommunications network, including mobile and Internet, is controlled directly by the government through the monopoly Ethio Telecom. Ethio Telecom is managed by France Telecom, but is required to comply with Ethiopian government orders, including the blocking of dozens of news sites (including CPJ's website). In May 2012, the country's mobile broadband system introduced deep packet inspection to identify and block users of the anti-censorship tool Tor. Ethio Telecom's chief executive at the time, Jean-Michel Latute, told La Croix that the decision had been made by the communications ministry, but the deep packet inspection was nonetheless "a very useful tool" for the company.
France Telecom is not the only Western mobile phone company implicated in censorship and control of journalists. In April 2012, the Swedish investigative TV program "Uppdrag Granskning" detailed how the calls, texts, and location information of Agil Khalil, a reporter for the Azerbaijani newspaper Azadlyg, were handed over by Azercell, a subsidiary of the Swedish company TeliaSonera, to local security services in 2008. Khalil was assaulted several times during the period of surveillance. In response to the documentary, TeliaSonera said it would overhaul its compliance process, "start a dialogue" with the authorities in Azerbaijan, and provide employees with human rights training.
The Finnish company Nokia Siemens Networks faced a lawsuit in 2010 by the family of Iranian journalist Issa Saharkhiz, alleging the company supplied equipment used to locate the journalist via his mobile phone after he went into hiding. While on the run, Saharkhiz told Der Spiegel, "I turn on my mobile phone only one hour each day, because they can trace me and arrest me." Just hours after that conversation, Saharkhiz was captured, his ribs and wrists were broken, and he was taken to Evin Prison, where he remained in late 2012. In public statements, Nokia said, "This capability [to locate and monitor cellphones] became a standard feature at the insistence of the United States and European nations. ... It is unrealistic to demand, as the Saharkhiz lawsuit does, that wireless communications systems based on global technology standards be sold without that capability." The lawsuit was voluntarily withdrawn by the family after a U.S. court held that a corporation cannot be subject to liability under the Alien Tort Act, upon which the case depended. Nonetheless, Nokia Siemens Networks has divested itself of its monitoring center business, and says that "with the exception of some technical contractual links," it no longer has "any involvement with it."
Though mobile phones have the built-in capacity to track a journalist's whereabouts, they can be even more lethal in undermining the privacy of reporters and their sources when coupled with malicious software.
In the first few months of 2012, Bahraini activists reported receiving unsolicited email attachments, purportedly from the Al-Jazeera reporter Melissa Chan. The fake messages contained malware aimed at taking over the activists' desktop computers, and reporting back to a central command server in Bahrain. This sort of attack on journalists is increasingly common; Chan herself was a regular target of such malware when reporting in China. Computer security researchers Bill Marczak and Morgan Marquis-Boire discovered that this spyware was a product of a program called FinFisher--commercially produced software, made by the U.K.-based company Gamma Group, supposedly for law enforcement and government agencies. This was notable because spyware targeted at journalists and their sources is usually crafted from software built by criminal fraudsters, rather than code custom-built for government.
Subsequent samples obtained by the same researchers showed variants of FinFisher, such as FinSpy, were aimed not at desktop computers, but at iPhone, Android, BlackBerry, and Nokia mobile phones.
The malware was variously capable of retransmitting text messages, recording phone calls, extracting details from address books, GPS tracking, and even silently calling a mobile phone and having it pick up and transmit conversations in its vicinity. Marczak and Marquis-Boire also discovered servers designed to receive reports from FinFisher products not only in Bahrain, but in Brunei, Ethiopia, Turkmenistan, and the United Arab Emirates. Gamma denied selling to these states, and suggested the software might be pirated copies.
If governments have access to their own telecommunications infrastructure, why would they stoop to putting spyware on reporters' phones? One possibility, Marczak suggests, is to beat what protections activists and sources might already be using. "When a journalist sends emails, messages, etc., from his phone, they are encrypted over the network between his phone and the servers. If you as a government want to read these communications, you have to access them somewhere they are not encrypted. So the practical options are get a warrant or subpoena for the email provider (e.g., Gmail, Yahoo Mail), or read them ... on the journalist's phone. FinSpy allows you to do the latter." Other advantages include being able to spy on communications taking place outside the country. Exiled journalists or dissidents, for instance, could be tracked as easily as local reporters.
Journalists facing digital threats online have become accustomed to defending themselves with anti-virus tools and encrypting their hard drives and other communications. But mobile smartphones are not designed to permit the same degree of configurability--compared with a PC or Mac, their design is sealed against tinkering by the user, and open to control by the manufacturer and network provider. The creators of the technology argue, with some justification, that this locking down increases security for the average cellphone user. But for a reporter with security risks, such lack of control can make matters much worse. Governments can install malware like FinSpy, while the users cannot detect or remove it.
Even protective measures taken by companies can be abused by hackers. Mat Honan, a journalist with Wired magazine, was targeted in August 2012 by a hacker who obtained access to his online accounts, including his Apple iCloud login. The online logins permitted the hacker to take over a news site's Twitter feed; the Apple account allowed the hacker to power down his iPhone and remotely wipe it.
The reason Honan's phone was vulnerable was Apple's intimate connection with every iPhone--a capability that allows the company to find lost phones, shut down stolen devices, and update the iPhone's operating system. Phone service providers wield similar power, generally for good, but with no veto power by the end user. Honan told CPJ last fall: "I'm completely freaked out by mobile security now in all sorts of ways that I wasn't two months ago. As reporters, our data is our most valuable asset. And while I can encrypt folders on my computer and transfer them to USB sticks, which I can then keep locked up in a safe, I can't begin to secure my phone in a similar fashion."
Companies and governments may claim that cooperation to exchange intimate information on mobile subscribers is necessary for law enforcement. But the confidential and sensitive public service performed by reporters has, until now, been protected by the processes of court order and warrants, at least in countries operating under rule of law.
Unfortunately, the laws controlling the release of phone company data have yet to be updated to take into account the far wider repositories of information now collected on users. The law that governs the handing over of this data to third parties in the United States is the Electronic Communications Privacy Act. It was written in 1996, a time when phone companies could offer either records of who called whom or audio wiretaps.
"It simply wasn't written for the mobile age," says Kevin Bankston, senior counsel at the Center for Democracy & Technology, a Washington-based Internet advocacy group. He says the authorities take advantage of the law's ambiguity to push for easier access to data. The standards for protection in the law are in great dispute, Bankston said, "and law enforcement consistently argues that the lowest standards be used." That means that location data can be obtained without a warrant in the United States because law enforcement claims it should be treated the same as billing data. Mobile phone providers in the U.S. are frequently asked to give cell tower "dumps"--mass data on subscribers who were near a certain tower during a certain period of time. That would scoop up reporters' contacts at a riot or disaster as effectively as it would scoop up data on the suspect in a crime, but the security services claim that such data is not protected by statute, and telecom companies do not, on the whole, contest such requests. Other countries largely follow the U.S. lead on such criteria.
Mobile experts say cellphones do not have to be built to act as pervasive spying devices, even when used under repressive regimes. Eric King is head of research at Privacy International, a U.K.-based advocacy organization. His group successfully lobbied the U.K. government to limit the export of FinFisher's tools to Middle Eastern countries where they might be used against journalists and dissidents.
He says that the same Western technical standards--such as those developed by the European Telecommunications Standards Institute (ETSI)--that already include surveillance features could also include safeguards and limits against misuse of those features.
"Why can't ETSI standards put in explicit limits on the number of simultaneous interceptions? Vendors would only be ETSI-compliant if [their networking equipment] cannot intercept more than a certain percentage of calls," King suggested. Another possibility would be for devices to create tamper-proof records whenever the surveillance features of a cellphone network are used. That would make faking telephone-related evidence against journalists harder, and leave permanent evidence of such surveillance (and who conducted it) available for future investigation by journalists or an independent judiciary.
End-user software could help, too. Mozilla, the nonprofit creator of the Firefox browser, says it is building a privacy-protective mobile phone to compete with existing Android and Apple operating systems. Phil Zimmermann, the author of the definitive encryption program for desktop computers, Pretty Good Privacy, has recently launched a new service that, he says, protects mobile phone calls from interception. Other tools, like TextSecure from Whisper Systems, offer the same protections for text messaging, provided both sides of the conversation use the same tool.
For now, while journalists can take some steps to protect themselves and their sources, they are limited by the nature of their cellphones. At a panel in May, investigative journalist Matthew Cole, who works on U.S. national security and intelligence issues, demonstrated how he conducts his work using an elaborate protocol taught to him by digital security expert Chris Soghoian. Cole uses two cellphones; they are bought anonymously; they are never used together; and one always has its battery removed, to prevent it from accidentally being activated and to ensure the two numbers are never linked.
When I mentioned this protocol to another journalist covering similar topics, Amber Lyon, she showed me her new iPhone and pointed out the flaw: Its battery couldn't be removed. We need to make sure that in the future, when all journalism will be mobile journalism, that we can find an off switch for the worst flaws of mobile security.
Danny O'Brien, the San Francisco-based CPJ Internet advocacy coordinator, has worked globally as a journalist and activist covering technology and digital rights.