Burner phones, spurious sources and ‘evil twin’ attacks: journalism in the age of surveillance | Bradley Hope
What does the new era of surveillance mean for the work of investigative journalists? Last year I was preparing to fly from London to a country in the Middle East on a sensitive reporting trip. I wasn’t worried about my own security, but now I have to take extraordinary measures to protect the security of my data.
It was out of the question to bring my own laptop or personal phone. Instead, I bought a brand new phone. I made sure I didn’t log into any of my accounts from the phone and didn’t save any numbers in the blank address book. Before leaving, I created a temporary email address specifically for this trip, where sources could reach me.
Counterintelligence in journalism used to be the domain of journalists dealing with national security issues or liaising with sensitive government whistleblowers; but increasingly these tactics are needed at all levels.
With the rise of hacking services and the availability of government-grade computer penetration software for anyone willing to pay a hefty price, journalists have never been more vulnerable to disclosure of their sources or subversion of their plans by those who hoped to keep nefarious secrets safe. Anyone who believes in the value of investigative journalism that holds powerful people accountable should be concerned about this global journalistic emergency.
When the Guardian contacted me to explain that my phone number was on a leaked data list allegedly selected by the UAE, I was not surprised. With a colleague from the Wall Street Journal, where I worked, we reported in our book Blood and Oil: Mohammed bin Salman’s Ruthless Quest for Global Power that Saudi Arabia’s smaller neighbor, the United Arab Emirates, had bought up to three concurrent licenses, from an Israeli company called NSO, to use powerful intrusion software for its government agencies.
I have reported for years on sensitive issues related to the UAE, particularly in relation to the global 1MDB scandal involving a member of the Abu Dhabi royal family, the UAE ambassador to the United States and two of its sovereign wealth funds. I no longer have the phone I was using when my number appeared in the leaked data, so I cannot submit a device for forensic analysis – the only way to find out if there had been an attempted or successful hack on my phone using NSO’s Pegasus spyware.
While the government that allegedly took an interest in me was not surprising, the name of the company was. Senior NSO executives have been giving background information for years to my former colleagues and others about how their powerful tools were designed to stop terrorists and could not be used against people like me. NSO explained how its “internal processes” protect against misuse of its software as late as May, in anticipation of a possible public offering of its shares.
A particularly infuriating phrase in the NSO lexicon of apologies is “contractually bound.” In dismissing the claims, the company argued that the countries licensing the technology have agreed on paper not to abuse it.
During my career at the Wall Street Journal and as a freelance journalist at the company I co-founded this year, Project Brazen, I discovered that journalists covering everything from business to climate, from war zones to government, should increase their alert level and take measures to prevent cyber attacks. Every beat is susceptible to this threat as long as there are well-funded opponents willing to do whatever it takes to turn off the spotlight on journalism.
Journalists in places like Mexico, Afghanistan and the Philippines face the most serious threats, including assassination and prison terms, for courageously speaking the truth. But all over the world, the US and UK included, cybersecurity is a pervasive risk due to the privatization of computer and phone intrusions.
I have been fortunate that the WSJ takes cybersecurity risk seriously and allows me to replace my phone every six months when reporting on sensitive topics. Yet even that is not enough.
In the last four years alone, I have been smuggled into a lunch meeting by someone I thought was a fellow reporter (I saw the full transcript later); physically monitored by former law enforcement employees working for private clients; dealt with bogus whistleblowers contacting me with documents containing malware; and I received alerts from Google that a nation state was trying to access my personal Gmail account.
To protect myself, I update all of my software as it becomes available and use encrypted chat programs like Signal. I also bought a stack of burner phones, which I give to sensitive sources who need to contact me.
I even hired, at my expense, a former government surveillance expert to train me in evading surveillance. We traveled around London discussing possible scenarios, but my impression is this: Every day in major cities around the world, teams of four or five follow businessmen, politicians and journalists to find out who they meet and what they say to each other.
When I asked this expert’s colleague how he could access my phone if he was hired for the job, he explained to me that one way would be to follow me into a subway station with a backpack broadcasting a strong wifi signal with the same name as my mobile service provider’s wifi on the underground. When my phone connected to it, not realizing that it was a fake, it would instantly be compromised with malware.
I heard from a political dissident about a suspicious motorcycle parked outside his house in London. When the police checked it, they found a wifi router, connected to the bike’s battery, with the same name as his home wifi. There is a name for this attack: “evil twin”.
The inevitable conclusion to all of these disturbing developments is simple: go old school. Journalists should do everything in their power to keep separate the places where they work on and store their stories, bearing in mind that their smartphone is one of their greatest weaknesses. It will make journalism much more time consuming and boring, but sometimes taking these precautions can be the only way to responsibly report on a sensitive story where people’s lives are in danger.
Bradley Hope, a former Wall Street Journal reporter, is the co-founder of Project Brazen. He is also co-author of Blood and Oil: Mohammed bin Salman’s Ruthless Quest for Global Power.