There are not always special provisions that protect journalistic communications from being collected or assessed.
As more content and metadata (information generated as one uses technology) is collected and stored, the picture of a journalist and his or her sources becomes clearer.
By analyzing the metadata of time, place and frequency of communication, it is possible to identify the individuals involved in a particular journalistic exposé.
According to a recent statement by several international Organizations, to the Office of the High Commissioner for Human Rights:
“The historical distinction between data about an individual’s communications
and the content of his or her communications has become insignificant. As
data becomes more and more revelatory, either in isolation or when paired
with other data, it is no longer appropriate to subject communication data
to lower thresholds or consider its collection and processing a less invasive
practice than interception of content. Communications data can now reveal
equally sensitive information as communications content, and must enjoy equal
protections under human rights law.”
Software and Hardware
The market for surveillance technologies and network intrusion capabilities is booming. Technologies that detect encrypted and obfuscated Internet usage are hot ticket items, as are technologies that enable users to analyze web and mobile interceptions in real-time.
Software and hardware technologies developed by commercial entities have been found on networks in many countries.
software has also reportedly been used to target individual journalists and activists.
Some journalists assume they are being monitored depending on what type of story or information they are working on.
Sometimes, journalists and human rights defenders sometimes only have proof that their accounts have been compromised or that they have been monitored after they are arrested and charged.
Other times, journalists may be targeted via their location data. Geo-tagging is accurate within 2 to 5 meters if a phone is on (even in cases where privacy settings are on and location settings are off) and within 50 meters if a phone is turned off.
A 2013 study by researchers at the Massachusetts Institute of Technology (MIT) in the USA and the Catholic University of Louvain in Belgium, shows that location data reveals a significant amount of information about a person, resulting in little anonymity.
Zero Day Attack
Journalists might also be targeted with a ‘zero day attack’ – when an adversary exploits a vulnerability in software or hardware when there is no prior knowledge of the flaw in the general information security community, and therefore no fix or software patch available yet.
This is done to gain access to a target’s device in order to deliver malware. Once an adversary has access to someone’s computer, he or she can then install software to monitor the communications on that computer, such as keystroke logging, remote webcam/microphone access, email monitoring, file extraction, etc. It also allows the attacker to bypass encryption.
Entities can also target journalists for surveillance by installing a physical ‘bug’ (or hardware tweak in an Internet router) or a hidden microphone on a journalist’s communications devices or person.
This might occur in the journalist’s home, or from long distances through windows using high-powered microphones. A journalist could be the subject of
wiretapping, where the content of his or her phone calls and Internet communications could be secretly monitored by those wishing to exert control.
A common variant of a MitM attack involves an attacker who uses a WiFi router to
intercept user communications.
A MitM (man in the middle) attack occurs when attackers insert themselves, or their technology, in between a user and a target site.
During a MitM attack, the man in the middle can silently obtain information from both sides and even change the content without either the user or the target knowing. Their exchange continues while the man in the middle watches.
One illustration of this is when an attacker configures a wireless device to act as a WiFi hotspot and then gives it a common name in a public place to trick individuals into believing it is a legitimate connection. As individuals connect
to it and access sites such as online banking or email, their credentials are captured and stored for later use by the attacker.66
Journalists should also be concerned about the ownership and independence of their ISP, because they could still be targeted by a MitM attack even if they are not using WiFi.
As yet, there is no international comprehensive picture of the digital issues and attacks affecting the safety of journalists such as communication blackouts, online copyright issues, content filtering or blocking. Below are four of the most common types of attacks or issues faced by journalists.
Information control is influenced by a countries government, communications
infrastructure, such as the number of Internet Service Providers (ISPs), telecommunication companies, market competition and the overall level of Internet penetration and growth.
Sometimes journalists are intimidated into giving up their digital account information. For example, authorities might detain or threaten a journalist, forcing him or her to divulge passwords and/or email accounts.
To try to circumvent some of these restrictions, individuals sometimes share passwords with colleagues. If they are arrested, colleagues can log in and remove information that might be enough to detain someone under strict freedom of expression laws.
Sometimes, organizations are able to shut down the account of a journalist as soon as it is reported that he or she has been abducted or arrested.
Disinformation and Smear Campaigns
Disinformation campaigns can also be waged against online news sites.
For Example in September 2013, the online investigative news site, Ukrainska Pravda (Ukrainian Truth) suddenly noticed the appearance of an imitation site called Ukrainska Kryvda (Ukrainian Lies) that mimicked Ukrainska in design.
Disinformation and smear campaigns are significant to the safety of online media organizations and individuals because they damage the credibility, integrity and confidence of journalists.
Compromised User Accounts
The goal of most attackers is to steal information they do not already have. User accounts, such as for email, social media or Skype, can be compromised in a variety of ways.
A phishing attack may install malware on a journalist’s device that uses software which can capture passwords and other sensitive information, as a journalist types their login information.
An attacker can also use a fake website, and after the user puts in his or her login information, the attacker can then use it to access the real website, without alerting the user.
There are many ways a website might be defaced. A common tactic involves using MitM attacks to compromise legitimate user accounts.
Alternatively, an attacker might exploit vulnerabilities in the website’s web server software. Defacement of a web page is a frequently used attack against media organizations.
Collection of Information
Mass surveillance reduces the ability of a free press to function because it facilitates the indiscriminate collection of information on the communications of all possible sources.
In addition, mass surveillance is often governed by many secret and ambiguous laws,which can sow confusion among journalists and their sources about how closely they might be monitored.
This lack of information makes it difficult for journalists and their sources to try to shield themselves from mass surveillance and protect their sources. Journalism depends on a sources’ willingness to talk on and off the record; if communications between journalists and sources cannot be kept confidential, then it is possible sources will stop talking.
The assumption that they are under surveillance is harming freedom of expression by prompting journalists to self-censor their work in multiple ways, including reluctance to:
• Write or speak about certain subjects
• Pursue research about certain subjects
• Communicate with sources, or with friends abroad
Digital Safety Challenges
The ultimate goal of addressing online challenges is to improve the safety and protection of all those who contribute to journalism.
The issue of digital security is complex because it extends across the entire value chain of digital communications.
From devices to infrastructure used to transmit and store data, it also includes the acts of electronic interviews and research and communication of data, as well as publishing and interaction.
Journalists and others who contribute to journalism face a variety of technological challenges when carrying out their work.
These can range from the practical – such as the limited usability of digital security tools or the lack of a sustainable funding model to support regular buying or updating of digital security tools – to the more complex, such as weathering actual digital attacks and threats.
It is not a purely digital realm, devices can be physically stolen or destroyed, not merely subject to electronic theft or disruption. Location and social media data can also be used for targeting and timing of physical attacks.
The dimensions of safety are many, and cover aspects as diverse as the technological, institutional and economic, as well as political, legal, and psychosocial.
Open Source Development
Most individual journalists often cannot afford commercial software that provides digital security.
Therefore they need to rely on open-source technologies that are free, however, this can be a problem.
Open-source digital security technologies are often conceptualized and developed without sustainable funding, making them sometimes problematic to use, as it is hard for them to remain updated against vulnerabilities.
Funding and Resources
There are donors who provide funding or other resources to help facilitate the maintenance and update of open-source digital security tools for journalists and human rights defenders, which help to ensure open-source technologies remain available and updated.
Although developers who work on open-source technologies generally do so for the intrinsic love of developing, resources aimed at helping the project become sustainable would help to ensure that journalists and human rights defenders are able to use up-to-date, verifiable open sourced tools.
Political and Legal Challenges
Laws and Policies
Any legitimate limit on freedom of expression or privacy should be narrowly defined.
It should be proportionate and justifiable to ensure that those doing journalism can still carry out their role providing and disseminating independent information that helps to inform society and government.
However, many stringent laws and policies exist with overly broad interpretations that can serve to unduly restrict freedom of expression and privacy.
Laws and Policies
In addition, laws and policies are not keeping up with the rapid pace of technological change, leading to gaps in the protection of journalists and others doing journalism.
Political and legal challenges facing journalists include ambiguous and opaque laws around data retention and surveillance, few export controls on technologies that have been used to repress human rights, and a lack of political will to address crimes against journalists.
Digital Security Principles
Journalists may improperly apply or avoid implementing digital security
tools because they are unaware in general of digital security threats.
Sometimes they are unaware of the connection between digital security hygiene and physical safety and psychological well-being.
Journalists and media organizations need to increase information sharing of digital security risks and training to make journalists aware of what digital security resources are relevant and available.
In general, all journalists interfacing with digital technology should implement the following five points:
1. Develop a risk assessment plan or threat model
3. Prioritize security needs based on individualized risk assessment
5. Understand that digital and physical security are linked
7. Treat digital hygiene as a habit and practice
9. Consider implementing open source technologies