From AJR, August/September 2012

Playing Defense   

With digital information so vulnerable to theft, it’s imperative for journalists to be proactive in protecting confidential sources and data. But too few people are taking the threat seriously.

Thurs., August 30, 2012.

By Sherry Ricchiardi
Sherry Ricchiardi (sricchia@iupui.edu) is an AJR senior contributing writer.     


Spying on journalists has never been easier.

A reporter covering the Syrian conflict is chatting on Skype with her editor back home about a story she just filed. Suddenly a message pops up offering access to a video of atrocities committed by government forces. All she has to do is click on the link.

The moment she does, a malicious Trojan is downloaded, turning her computer into an espionage tool, logging all keystrokes, passwords and screenshots, and transmitting information back to whatever power controls it. In the hands of a tyrant like Syria's President Bashar al-Assad, this surveillance device could track dissidents, rebel fighters and reporters who slip across the border into forbidden terrain.

In the cyber world, it is known as malicious software, or malware. Masquerading as a legitimate file or link, it enables intelligence agencies, terrorist groups and criminal cartels to monitor journalists' activities and their sources. Cyber thieves use it to steal or destroy information. Governments use it to punish critics.

All computer users can be targeted by malware, but for the media, the stakes are especially high. Digital stalkers can intercept electronic tools journalists routinely use – mobile phone conversations, e-mails, text messages and satellite communications are prime targets. They can track information and pinpoint locations. The Committee to Protect Journalists sees the threat increasing "at an alarming rate."

Danny O'Brien, co-author of CPJ's updated Journalist Security Guide published in April, calls losing control of data "one of the gravest dangers facing journalists today." Yet, the notion of cyber safety training has been slow to take hold, he says.

"The hardest thing for us to get across is that besides publishing information, journalists are keepers of secrets that people have confided in them. The danger can be everywhere and anywhere," says O'Brien, CPJ's Internet advocacy coordinator. "Everybody in the organization has the potential to be the weakest link" for compromising confidential electronic information.

In an October 2011 op-ed piece in the New York Times, "When Secrets Aren't Safe With Journalists," privacy expert Christopher Soghoian wrote that from "hundreds" of conversations with media professionals, he found that few journalists "use secure-communication tools, even ones that are widely available and easy to use."

Government spying and journalists being stalked are nothing new. It's the methods that have changed. The Washington Post's Bob Woodward and Carl Bernstein didn't have to worry about Trojans stealing the identities of their Watergate sources.

Just as technology has been a boon to journalism, it helps the government keep tabs on news organizations, says Lucy Dalglish, who for 12 years was executive director of the Reporters Committee for Freedom of the Press. The threat has escalated from "Hey, I'm going to subpoena you. Come in here and tell me who your sources are" to a new level. Dalglish related an encounter she had with a national security official at a conference last year.

"I had one of these guys tell me point-blank, 'we don't need to subpoena you anymore. We know who you're talking to.' Maybe he was blustering, but there was a certain Stephen Colbert 'truthiness' to it. I believed him," says Dalglish, who in August became dean of the Philip Merrill College of Journalism at the University of Maryland. She doesn't see journalists "taking it seriously enough yet."

The issue is particularly critical at a time when the Obama administration has shown unprecedented enthusiasm for investigating leaks of classified information.

The killing of three journalists over the past year – one in Mexico and two in Syria – has raised questions about the role electronic surveillance might have played in their deaths and what precautions could have reduced their risks.

Prior to her demise in September 2011, Maria Elizabeth Macías Castro had been posting information about drug traffickers on the Internet under a pseudonym. Police found her head on top of a stone pillar. Her battered body lay nearby with her computer keyboard, cables, disks and a handwritten note left by her executioners.

According to a number of accounts, Castro, 39, worked for Primera Hora in Nuevo Laredo and posted comments on her Web site and on Twitter under the name "La Nena de Laredo" – The Girl from Laredo. How the killers tracked her remains a mystery. Was it traditional shoe-leather stalking or did they use electronic surveillance to find her?

"It's possible they could have gotten an electronic footprint that led them to her," says Frank Smyth, CPJ's senior adviser for journalist security. "It's also possible they pegged her due to her behavior in a small town in Northern Mexico. Without evidence, there's no way to know." Castro's murder was the first CPJ has documented in direct retaliation for journalism posted on social media.

If she was being tracked electronically, what could Castro have done to reduce the danger? "She could have used Tor," says Smyth, main author of the CPJ guide. Tor is described on its Web site as free software that "prevents anyone from learning your location or browsing habits." It also is known as a censorship circumvention tool.

Similar questions surfaced when a rocket-propelled grenade made a direct hit on a makeshift press center in the war-torn town of Homs, Syria, on February 22, killing American-born war correspondent Marie Colvin, 56, and French photographer Rémi Ochlik, 28.

After the attack, the Telegraph in London reported that journalists in Homs had worried "that Syrian forces had 'locked on' to their satellite phone signals and attacked the buildings from which they were coming."

Colvin filed stories via a satellite uplink and had been vocal about the Syrian government's human rights violations during interviews on CNN and other news outlets just before the attack. Without precautions, the journalists could have been easy targets, Smyth says. CPJ advises against multiple parties transmitting from the same location in a hot zone like Homs.

"Basically, the paranoia game is what we need to play," says Steve Doig, Knight Chair in Journalism at Arizona State University. Doig has given presentations on "Spycraft: Keeping Your Sources Private" at Investigative Reporters and Editors' conferences and elsewhere.

The veteran journalist – he spent 19 years at the Miami Herald – talks about keeping Internet searches private, making and receiving untraceable calls and encryption/decryption programs. Reporters who cover national security and have sources in the intelligence community are aware of these tactics, Doig says, but many journalists still "have their head in the sand."

"My goal in doing these talks has been to wave the flag and get people thinking about it," Doig says. "Someday, when a young reporter has a 'Deep Throat' source for the first time in his or her career, they won't start out by leaving a trail of bread crumbs."

Some journalists are leading the way.

To illustrate how the Associated Press addresses cyber safety issues, Media Relations Director Paul Colford sent a link to an article about the AP's 2012 Pulitzer Prize-winning investigation of the New York Police Department's surveillance of minority and Muslim populations. The story described the security measures the journalists took while reporting the pieces.

The AP kept drafts of the series off of its internal content management system "until the 11th hour each time, to ensure security," wrote reporter Joe Pompeo for the online publication Capital New York. Pompeo reported that when one of the journalists on the story, Adam Goldman, was in the Middle East on a separate assignment, he communicated with other team members "via encrypted e-mails on a GPG-enabled loaner laptop." Ted Bridis, who oversees the AP's investigative news team, issued special instructions when reporter Matt Apuzzo attended a meeting with a confidential source in New York.

"Bridis instructed Apuzzo to remove the battery from his cell phone so it would be harder for anyone to trace either his location or the identity of his informant," Pompeo wrote in his October 2011 story. Encryption is similar to coding a message. GPG, or GNU Privacy Guard, allows users to encrypt data to make it undecipherable. Only those with the password can read it.

The AP declined requests for an interview on how reporters secured information during the NYPD investigation. "AP is working across departments to solidify guidelines in this area," Colford wrote in an e-mail.

Across the board, news organizations are reluctant to talk about safety protocols. Fox News Channel spokeswoman Dana Klinghoffer says executives there don't feel comfortable discussing security that "could compromise us."

Eileen Murphy, vice president for corporate communications at the New York Times, wrote in an e-mail that the paper does "not have written guidelines on this issue but it is something we encourage our journalists to be mindful of." The Washington Post and TV networks did not respond to requests for information about their policies.

Some media outlets have posted guidelines on their Web sites. In the Thomson Reuters Code of Conduct, for example, employees are encouraged to "use encryption for electronic files during storage and transmission" and, when traveling with highly sensitive information, to "consider using a removable hard drive and packing it separately."

McClatchy Newspapers advises that "Confidential information ... must not be transmitted via an unsecured cell phone, e-mail or electronic data transmission, and must never be posted on the Internet or an electronic bulletin board."

One of the most detailed postings, "Be paranoid – protecting sources in the digital age," appeared on the BBC's College of Journalism Web site. The author, BBC world affairs producer Stuart Hughes, posed the question, "with so much potentially sensitive information sitting on laptops and smartphones, and being shared through phone calls, emails and text messages, how can a journalist ensure the safety of their sources without acting like an amateur James Bond?"

Hughes sought guidance from an expert in the international cyber security industry who told him, "There's no silver bullet – you can't go out and buy one thing that will give you 100% security."

Following is a sample of Hughes' guidelines for creating what he calls a "layered defence system":

∙ "Keep any device that holds sensitive information with you at all times. Don't let it out of your sight. If it's impractical to carry your laptop with you 24 hours a day, consider using an encrypted memory stick, or create an encrypted hidden partition on your hard drive using commercially available software."

∙ "Lock your laptop and smartphone with a strong password made up of a long string of letters and numbers... Don't use any word appearing in a dictionary. A determined hacker will be able to bypass a password but it may deter an opportunist intruder." [Another source interviewed for this story suggested creating a tougher password by using the first letters of each word of a favorite line from a poem, song or familiar saying – something the user would never forget.]

∙ "'Chunk' sensitive information and send it in small blocks using different methods of communication – email, SMS, instant messenger. Anyone monitoring your digital traffic may be able to intercept part of the message but they're less likely to be able to see the full picture if it's divided up and sent over various platforms."

Journalists can find help on the Internet. Some of the tips and tricks listed in guidelines and manuals are basic and can be used immediately; others have a higher learning curve and may require technical assistance.

For the first time, CPJ has added a chapter on digital safety to its Journalist Security Guide posted on cpj.org. CPJ provides an overview of cyber threats and suggestions about where to turn for help, but it does not offer "magic incantations" or explicit, concrete advice, says Danny O'Brien, who wrote the new section.

"Security is a process. It involves being aware of the threats and coming up with your own best practices for combating them," says O'Brien, who has covered technology for the Irish Times and the Sunday Times of London.

The CPJ guide, published in French, Spanish and Arabic as well as English, offers reminders: "Do not use public computers in cybercafés or hotels for confidential conversations or to access your USB drive. And don't enter passwords into public computers." There are links to more detailed information. Online training materials cover a wide range of topics, from protecting computers from malware and "hacktivists" to using encryption tools and constantly updating and using antivirus software. Some were written for political activists, dissidents and human rights workers but apply to journalists as well.

In its "Guide to Safely Using Satphones," Portland, Oregon-based Small World News, whose mission is to help "citizens to engage with the international community in crisis areas and conflict zones," provides tips for avoiding detection and observation, especially when operating in countries with repressive regimes. During a Skype interview from the Libyan capital of Tripoli where he was working, the group's cofounder and director, Brian Conley, made a pitch for cyber safety awareness.

"The guidelines we publish are aimed at helping us do a better job of covering our backs. We know it is possible to be safer. Maybe not 100 percent safe or secure, but we can do better," Conley says. Some parts of the guide are for the more technically astute. There also is practical advice:

1. "Do not save communications information on the satphone. Although security services may obtain calling records through other means, do not make it easy for them."

2. "Voice calls are a very risky method for communicating via satellite." Keep calls as short as possible to avoid interception of the phone's radio signals or GPS location.

3. "Deceive by speaking in code." Use a term "to indicate authorities such as 'uncle.' When checking with a contact to first determine whether the contact is safe from authorities, one might ask, 'Has your uncle come to town?' 'Yes' may indicate it is not a good time to talk."

The Electronic Frontier Foundation, headquartered in San Francisco, is a watchdog for digital civil liberties. Its Surveillance Self-Defense site focuses on raising consciousness about government snooping: "What can the government legally do to spy on your computer data and communications? And what can you legally do to protect yourself against such spying?" Its online guide deals with risk management and has links to articles about specific defensive technologies.

"Journalists must understand their threat model, what information they are trying to protect and who they are protecting it from," says Eva Galperin, EFF's international freedom of expression coordinator. "They cannot make intelligent, informed decisions about privacy and security until those decisions have been made."

Warnings from Galperin, CPJ and other experts come at a time when the vast network of spies, criminals and terrorists is expanding in cyberspace.

Surfacing in Iran and parts of the Middle East earlier this year, a malware called Flame was labeled in a BBC report as "one of the most complex threats ever discovered." The Telegraph in London reported that Flame "can gather data files, remotely change settings on computers, turn on computer microphones to record conversations, take screen shots and copy instant messaging chats."

The Syrian government and its supporters continue to use state-of-the-art electronic surveillance and hacking. From March to mid-August, EFF posted warnings concerning more than 20 separate malware attacks, Galperin says. In one example, she co-authored a blog post describing how a fake YouTube site targeted Syrian activists through links sent via chats and e-mails.

EFF posted a screenshot of the bogus page with an explanation of how users were attacked: It "requires you to enter your YouTube login credentials in order to leave comments, and it installs malware disguised as an Adobe Flash Player update." The site was taken down, but the post warned, "If you encounter a similar page do not click 'install' to update Flash."

The tentacles of cyber espionage are digging deeper into America's psyche.

In April, Wired magazine ran a cover story about the National Security Agency's new mega spy center in Bluffdale, Utah, slated to become operational in September 2013. Investigative journalist James Bamford reported that "for the first time since Watergate and the other scandals of the Nixon administration [the] NSA has turned its surveillance apparatus on the US and its citizens.

"It has established listening posts throughout the nation to collect and sift through billions of email messages and phone calls... It has created a supercomputer of almost unimaginable speed to look for patterns and unscramble codes."

Bamford described how the NSA is poised "to intercept, decipher, analyze, and store vast swaths of the world's communications as they zap down from satellites and zip through the underground and undersea cables of international, foreign, and domestic networks."

None of that bodes well for the Fourth Estate.

"The biggest risk for the journalists is the government discovering who they're getting information from, then taking action against those people who could lose jobs or go to prison," says Bamford, author of "The Shadow Factory: The Ultra-Secret NSA from 9/11 to the Eavesdropping on America." "That would have a very chilling effect on reporters in the future getting sources to cooperate with them."

He believes that to many journalists, electronic invasion remains an esoteric, invisible threat. "They don't have the slightest idea what capacity the NSA has," Bamford says.

He points out the challenges of finding what security tools work best, figuring out how to use them and staying up to date on changes.

The evidence that journalists need to pay attention to securing information in the digital age, to safeguard their sources and media institutions, is overwhelming. Where do news managers start?

Some lessons might be learned from Kenneth G. Lieberthal, a China expert at the Brookings Institution. A February New York Times article outlined the precautions he takes when he travels to the People's Republic, a nation saturated with government espionage.

Lieberthal leaves his cellphones and laptops home in favor of "loaner" devices that have been wiped clean. In meetings, he turns off mobile phones and removes batteries, so the microphone cannot be turned on remotely. "He connects to the Internet only through an encrypted, password-protected channel," the Times reported.

Instead of typing in a password, he copies it from a USB thumb drive, because, "the Chinese are very good at installing key-logging software on your laptop," he told the Times. Any of Lieberthal's practices could be adapted to a newsroom.

CPJ's O'Brien would like to see media bosses inventory all electronic tools their journalists regularly use and come up with protective measures as part of newsroom policy. He hasn't noticed that happening yet.

Neither has Brian Krebs, who from 2005 to 2009 wrote more than 1,300 blog posts on washingtonpost.com's Security Fix. He believes a lack of awareness gets journalists in trouble. "It's not necessarily the technology that's bad; it's our approach," says Krebs, pointing to the heavy use of instant messaging as an example.

"Reporters can expose confidential sources to incriminating themselves if the sources' communications are being monitored by authorities unless the reporter and source agree ahead of time to ensure end-to-end encryption of the [IM] conversation," says Krebs, a cyber crime expert who blogs about security news and investigations.

For example, Krebs says users of Pidgin – the free instant messaging software for AOL's IM service – can use a free third-party plug-in called Off-The-Record Messaging, which allows users to authenticate the other party in the conversation and encrypt all communications so that no one else can read them.

While it might not be practical for every newsroom staffer to become a cyber safety guru, advocates like Krebs and O'Brien argue that basic knowledge is a hedge against hazards that lurk in the online world.

"If you don't figure this stuff out and you don't plan for it, it's going to come back and bite you in the ass, and it may have consequences that go way beyond the reporters," Krebs says. "Information has a way of striking back in multiple forms these days. It's our responsibility to keep up."
