Photojournalists are now taking new measures to protect their data and their sources in the event of hacking, surveillance or seizure of their digital devices by border patrols, intelligence agencies or other, non-state actors. In PDN’s June issue we asked photojournalists how they secure their laptops, phones and cameras.
The Freedom of the Press Foundation (FPF) was one resource recommended by Ed Ou, a Canadian photojournalist who was denied entry into the U.S. last year and had his devices seized by U.S. Customs and Border Patrol agents.
FPF is a non-profit whose mission is “to support and defend journalism in the 21st century,” says Trevor Timm, the organization’s executive director and a co-founder. FPF does this in several ways. They have built tools such as SecureDrop, a free, secure submission system that enables whistleblowers to send information to news organizations. FPF also provides in-person digital security training to journalists, and writes and publishes guides that journalists can use to learn how to protect their email communications, what to do if their phone is seized by police, and other measures. PDN recently spoke with Timm to learn more about the digital security threats journalists face, how they can better protect themselves, their sources and their colleagues, and why it’s important that all journalists protect their data, even if they don’t think they’re working on sensitive topics.
PDN: Are the biggest threats to journalists from governments or other, non-state entities?
Trevor Timm: It really depends on the situation and oftentimes it’s both. Just to give you an example: if you are making a film that is focused on exposing wrongdoing within the U.S. government, your big worry might be receiving subpoenas for film footage or having a secret court order target your email account or your phone records. If you are making a film about the criminal underworld in Russia, you may be worried about having your email account hacked, your computer hacked, or somebody getting access to the private information on your phone. In today’s world there are a variety of threats, which is part of the reason learning about digital security can sometimes be challenging—a lot of the solutions for one type of threat may not work for the other type of threat, and vice versa.
PDN: How does Freedom of the Press Foundation work with journalists to come up with digital security solutions?
TT: We have a small team of digital security trainers who are based in New York City. We work with journalists, photographers and filmmakers in small groups or one-on-one to really understand the specific threats that they’re facing and then tailor digital security around the threats that they face. In addition to that, we have a lot of documentation on our website. We write guides for people who are looking for specific advice on topics such as how to protect your email account against hackers or what secure messaging service should you use for text messaging and phone calls on your phone. But really we want to provide hands-on training that gets into the specifics of the subjects that people are photographing or filming so that we can best help their specific needs.
PDN: It sounds like journalists should be in touch with you before they begin working on a project that might expose them to digital security threats.
TT: Absolutely. Ideally we would be able to talk with journalists before they start doing the major reporting or filming or photographing on a specific story that they’re working on, but oftentimes people in the middle of doing an investigation realize that they need some help and so we’ll step in at that point as well.
PDN: What is the biggest challenge to getting journalists to take digital security seriously?
TT: I think the problem has shifted in the past few years. In 2013 and 2014—this is a generalization and didn’t apply to everybody—there were a lot of journalists that didn’t think that they necessarily needed to care about learning about digital security because it didn’t affect them [or] they weren’t covering national security issues or nothing bad had ever happened to them. Over the past few years, there’s definitely been a huge increase in awareness from journalists that it’s incredibly important for them to protect themselves and their sources online, not just because there’s been a whole host of prosecutions of sources in the U.S., but also we’ve seen all sorts of situations where people’s emails are hacked by a variety of actors. There was a huge increase in demand for these trainings ever since the election of Donald Trump, who is attacking the media on a daily basis and said that he wants to make it easier for them to be sued, that he wants more leak prosecutions, that he even wants more journalists in jail. It has rightly scared a whole host of journalists into realizing that they have to better protect themselves with encryption and other digital security techniques.
Now the problem is not necessarily awareness, it’s the learning curve. When you think about how much there is to learn and how many different things you have to think about, it can sometimes be daunting for people. You need to know how to protect your computer itself via encrypting your hard drive; you have to know which apps to use for phone calls and text messages; you need to know what information you’re giving off when you’re just browsing the web; what type of web browser do you use; what type of additional add-ons do you install to make sure that it’s the most secure; how do you protect your email from all sorts of malicious actors. There is a ton of stuff to think about, and it requires a different mindset than people are used to. That’s really the challenge now: how can we help the tens of thousands of journalists who really need to learn about this stuff while making sure that this information sticks for the long-term.
PDN: Realistically, how difficult is it for journalists to secure their data?
TT: You have to look at security on a sliding scale. You can never say that anybody is 100 percent secure. What you’re trying to do is raise the bar for your security to make it more and more difficult for attackers to be able to break into your devices or your accounts. When you’re talking about criminal hackers or government hackers or anyone in-between, often they take the path of least resistance and if you can make it more difficult for them, to make them spend more money to try to attack you, then oftentimes it’s possible that they may give up. And so really what we’re trying to do is just raise the bar for people. When we’re talking about intelligence agencies that have hundreds of billions of dollars at their disposal, it’s very hard to protect everybody all the time against those types of actors. But there are many basic steps that anybody can take that can make them more secure than 90 or 95 percent of internet users, and that really goes a long way.
PDN: We recently spoke with photojournalist Ed Ou, who was stopped and had his devices searched at the U.S. border last year, and he made an interesting point, which is that if the majority of journalists used encrypted messaging apps such as Signal, or other tools, the journalists who need protection wouldn’t stand out because they are the only ones using those tools. Why is it important for every journalist to take digital security seriously?
TT: There are always going to be situations where you may not think that you’re working on a sensitive investigation, but if your emails get hacked and leaked or the wrong person gets ahold of them then that may cause you or your sources trouble no matter what you’re reporting on. But broader than that, say we’re talking about a big news organization and you are not a star national security reporter but you’re an HR representative, or an executive assistant, like I was saying before, attackers will often go for the point of least resistance, so if that person at that news organization doesn’t have a strong password or doesn’t have two-factor [authentication] turned on, somebody trying to get into the emails of a news organization can attack that person first. If they can get into that person’s email, they can then impersonate that person and make it much easier to then go after the reporters that they are trying to target. So I think if you’re talking about large news organizations, it’s very important that everyone has a baseline of security. But then to Ed’s point, it’s certainly useful for more and more people to be using these tools in general. For example, if there are only five people in Egypt for example using Signal, the government may not be able to see what the people using Signal are saying, but they may be able to identify Signal users themselves. However, if you have 20 million people using Signal, then it becomes much, much harder for them to target individual users because there’s a much bigger user base. So for multiple reasons it’s very important for any journalist or photographer or filmmaker to use these types of tools both to protect themselves and to protect other people.
PDN: Last year, FPF drafted a letter, signed by professional filmmakers and photographers who work in journalism, urging camera manufacturers to offer encryption on their cameras. What’s the status of that request?
TT: We sent this letter out in December of last year and there was a bunch of news stories written about it and recently the Financial Times did a follow-up with these camera companies and unfortunately they’re still dragging their feet. They claim that they don’t think there is a market for this even though some of their most prominent customers told them point black that there was a market for it. We’ve been really disappointed with the camera manufacturers’ response to this. I think the good news is there have also been some camera startups that have seen our letter and see it as a call to action and an opportunity in the market. We’ve heard from several small camera manufacturers that they are planning on implementing some form of encryption into their products so they can differentiate themselves from the big players and hopefully provide a safer way for people to film and photograph.
PDN: Why is in-camera encryption important when external hard drives already offer this?
TT: When things are moving fast, it’s very hard to get information off of your camera and onto a hard drive and then encrypt that hard drive. If you’re in a situation where you have your camera confiscated, even if you have transferred information to a hard drive, you may not have deleted the material from the SD card in your camera and there’s countless situations of people having their equipment seized and searched when they’re in a whole host of countries. The filmmakers and photographers should not have to jump through hoops to get their material in a secure place, they should really be able to do it instantly. It’s definitely within the realm of possibility and this is certainly a cause for which they should be spending a bit of research and development money instead of just dismissing the concerns of so many filmmakers out of hand.
PDN: Border searches haven’t been in the news recently. Is there any reason to believe things have improved?
TT: Certainly things have not improved, if anything they’ve gotten worse since the election. It’s too early to tell how many journalists are effected, but those stories may be coming out soon and these types of border searches are exactly the reason why we need better protection on our devices themselves so that they can’t just be confiscated and searched.
The joke is over in the monkey selfie case. Photographer David Slater, who is defending himself against PETA’s copyright infringement claim on behalf of a monkey, has told the Telegraph newspaper that the lawsuit has left him penniless. He is considering giving up his career as a wildlife photographer to become a tennis coach or... More ›
Judges fired tough questions yesterday at a PETA lawyer arguing a copyright appeal on behalf of a monkey in the case of Naruto v. David Slater. The now famous “monkey selfie” case pits an Indonesian macaque monkey named Naruto against photographer David Slater. In 2011, Naruto picked up Slater’s unattended camera and shot a selfie.... More ›
Danny Clinch filed suit in federal court in New York June 2, alleging multiple copyright infringements of two of his photographs of late rap artist Tupac Shakur. The photographs were allegedly reprinted and distributed on T-shirts without permission. Clinch, a noted music photographer, names five defendants, including an agent for Shakur’s estate, two merchandise manufacturers,... More ›