The Scary Implications of Digital Espionage For Journalists
When the New York Times revealed in late January that Chinese hackers had infiltrated its digital network, including reporters’ email accounts, reaction exploded on Twitter and other social media sites. People speculated that this was yet another example of China’s rising power in the world. But then there was this tweet from writer and reporter Charlie Custer, who manages the translation website ChinaGeeks.com.
On the one hand, NYT hacking is a big story. On the other hand, is it? Isn’t this happening to most foreign correspondents constantly?
— Charlie Custer (@ChinaGeeks) February 1, 2013
That reminded Howard French, the former Shanghai bureau chief of the New York Times from 2003 to 2008, of an earlier era of surveillance.
“I caught people trying to bug my room on my very first reporting assignment,” French said recently at his office in Columbia Journalism School, where he now teaches a seminar on covering China.
The Twitter conversation is a reminder that for foreign correspondents who have worked in China, the former Soviet Union, or other authoritarian regimes, surveillance is nothing new.
In the pre-Internet 1980s, for example, when media professor James Schiffman reported in Beijing for the Asian Wall Street Journal, he assumed that virtually everyone he came in contact with was a government spy. Chinese authorities assigned him and other foreign journalists to live in segregated compounds, where officials could easily track their actions and monitor their phone calls. Translators, drivers and any other employees he hired had to come from China’s Ministry of Foreign Affairs. Formal interviews were closely monitored, often with “lots of people sitting in and taking notes,” Schiffman said.
But today’s electronic surveillance is far less visible and difficult to detect, because it doesn’t take place out in the open in any physical environment. The danger for journalists is that it puts both them and their sources — people who may be under threat already for talking to journalists — at risk.
Before email became a ubiquitous form of correspondence, reporters could notice when someone was following them, or connect the messy state of their apartment with a missing notebook and know that someone had broken in.
“The difference is that it’s now possible for professional teams of hackers to access your information without breaking into your house,” said Eva Galperin, the international freedom of expression coordinator for the Electronic Frontier Foundation, a digital rights group based in San Francisco.
The lack of obviousness means that digital surveillance can be far harder to detect. Most people can’t tell when a digital break-in has occurred. Programs that have become installed or uninstalled on a computer, such as a firewall that has become disabled, are signs of a break-in. So are unusual IP addresses, which suggest someone might be logging into a computer from a remote location. But people usually only notice these indicators upon careful examination of their network activity and internal files.
The result of this lack of understanding and inspection for journalists is that they may not take proper care to protect their sources and the information they provide.
Galperin said the issue is particularly acute for activists and journalists reporting on the conflict in Syria because of the government’s active involvement in trying to lock down information. In the fall of 2011, for example, British journalist and filmmaker Sean McCallister put the lives of several activists in danger when Syrian authorities arrested him and seized his laptop, mobile phone, camera and footage, according to “Kardokh,” a computer expert in Damascus whom McCallister interviewed. Kardokh had been in touch with McCallister for a documentary about underground Syrian activists. Kardokh said in a report in Columbia Journalism Review that McCallister had seemed careless when it came time to encrypting his footage so that others couldn’t access it.
“He was using his mobile and SMS, without any protections,” he said.
When news broke that McCallister had been arrested, activists who had been in touch with him fled the country, including Kardokh, who immediately turned off his mobile phone and escaped to Lebanon. Those who didn’t leave Syria were also arrested, and at least one disappeared, Kardokh said.
McCallister described his fears for the Syrians who assisted him in an interview with Channel 4 News after he was released. “I didn’t realize exactly what those guys are risking until I went into that experience and my God those guys are brave,” he said.
Galperin also found that pro-Syrian government hackers were using malware, or malicious software programs, to target Syrian activists. The malware would spread through email, chat and links left on social media accounts from what activists would presume would be trustworthy accounts. They would then spy on the activist’s webcam activity, steal passwords, record key strokes and disable the notification settings for certain antivirus software programs. And just as one can’t tell when a digital break-in has occurred without careful examination, detecting malware is also difficult.
“Usually they [Syrian activists] don’t know their accounts have been compromised,” Galperin said.
The same is true for reporters from mainstream news organizations.
“I certainly operated on the assumption that my emails were read, all of them, in China,” said Melissa Chan, the former China correspondent for Al Jazeera English who is now a fellow at the John S. Knight Foundation at Stanford University.
Chan covered China from 2007 to 2012 and knows firsthand the difficulties of reporting on the ground and maintaining digital security in the country. She’s received emails of purported “Jasmine Revolution” pictures in China, for example, meant to lure her into clicking on malware. Chan has also noticed suspicious-looking vehicles appearing suddenly during reporting trips, often after she’s checked into a hotel. By law, every foreigner in China must provide passport identification when checking into a hotel so staff can send the information to a local police station.
Chan’s experience is testimony that physical espionage still occurs. But Internet surveillance has reduced the investment perpetrators need to make when it comes to spying on journalists and others, said Milton Mueller, an information studies professor at Syracuse University. The goal may be the same, but the means to achieve it has changed dramatically.
“The technologies are very different, and that creates a different set of opportunities and methods,” he said. “The main thing the Internet does is change the scale. You used to need physical spies, now you don’t need to have people on the ground.”
Journalists are especially vulnerable to virtual attacks because they are highly connected individuals whose work relies on cultivating trust, said Stephan Koch, a digital security trainer for Reporters Without Borders, a non-profit group that defends freedom of the press and information. They are like walking libraries whose sources may be those whom others are trying to target — including government officials and underground activists.
“To target journalists, you can save a lot of time,” Koch said. “That information [about sources] is only in the head of the journalist.”
But in modern-day reporting, the “head” of a journalist also includes where he or she stores information — online and in devices.
For those worried about digital security, the problem isn’t that journalists aren’t aware of the necessity of protecting sources. It’s that the majority of journalists don’t understand the gravity of cyber threats, and that everything they do online can be traced to the real world.
“Security is not about tools,” said Frank Smyth, a security expert who works with the Committee to Protect Journalists, a press freedom advocacy group. “It’s a way of thinking, and it requires a certain level of preparation and then execution.”
That means journalists shouldn’t wait until after an account is compromised before utilizing Google’s two-step verification process when logging into a Gmail account, for example. They should also know how to use a VPN, or virtual proxy network, to change the location of an IP address. These preventive measures can greatly reduce one’s risk of being hacked or found physically — but the journalist first has to have an awareness of vulnerability.
Security experts agree it’s time people lock their digital information the way they would a house, and that the journalism industry must recognize how crucial training is in helping journalists to understand the threats against them — and their sources.
“People somehow operate and act differently [online] than they would in real life,” said Chan. “The reality is, digital life is our real life now.”
“There is no technological solution that can give you complete security,” Smyth added. “Because if people know who you are, then you’re at risk. It’s just harder to figure out what that means digitally.”
Charlie Custer, the reporter who wondered whether today’s digital surveillance is really that different from the past, said he suspected he’d been targeted by hackers when he noticed that emails relating to freelance reporting on China were disappearing from his account. “I thought something was wrong with the spam filter at first, but nothing was in the spam folder and it seemed to be only emails related to freelance employment that was getting affected,” he said in an email interview.
“So I checked and saw some logins on my account from an IP address that clearly wasn’t my own, although it was also located in Beijing,” he said. “I changed my password and added two-step authentication, and that seemed to stop it.”
No technological solution offers complete security. But the following resources contain more information on how you can protect yourself online:
– The Committee to Protect Journalists “Journalists Security Guide”
– “How to Secure Your Digital Parameter,” from the John S. Knight Foundation