Sunday, August 1

Burning Phones, Bogus Fonts, and “Evil Twin” Attacks: Journalism in the Age of Surveillance | Bradley Hope

WWhat does the new era of surveillance mean for the work of investigative journalists? Last year, I was preparing to fly from London to a Middle Eastern country for a delicate reporting trip. I was not concerned about my own security, but now I have to take extraordinary measures to protect the security of my data.

Bringing my own personal laptop or phone was out of the question. Instead, I bought a brand new phone. I made sure not to log into any of my accounts from the phone and did not save any numbers in the blank address book. Before I left, I created a temporary email address specifically for this trip, where sources could contact me.

Counterintelligence in journalism used to be the domain of reporters investigating national security matters or engaging with sensitive government whistleblowers; but increasingly these tactics are needed across the board.

With the rise of hacking services and the availability of government-grade penetration software to anyone willing to pay a high price, journalists have never been more vulnerable to having their sources exposed or their projects subverted by those who hope to remain nefarious. secrets safe. Anyone who believes in the value of investigative reporting that holds the powerful accountable should be concerned about this global journalistic emergency.

When the Guardian contacted me to explain that my phone number was on a list of leaked data, supposedly selected by the UAE, I was not surprised. Together with a colleague from the Wall Street Journal, where he used to work, we reported in our book Blood and Oil: Mohammed bin Salman’s Ruthless Quest for Global Power that Saudi Arabia’s smaller neighbor, the United Arab Emirates, had purchased up to three simultaneous licenses, from an Israeli company called NSO, to use powerful intrusion software for their government agencies.

I have reported for years on sensitive matters relating to the UAE, especially related to the global 1MBD scandal that involved a member of the Abu Dhabi royal family, the UAE ambassador to the United States, and two of his sovereign wealth funds. I no longer have the phone I was using at the time my number appeared in the leaked data, so I cannot offer a device for forensics, the only way to know if there was a hacking attempt or success on my phone using NSO’s Pegasus spyware. .

While the government that was supposedly interested in me was not a surprise, the name of the company was. Senior NSO executives have been providing background reports for years to my former colleagues and others on how their powerful tools were designed to stop terrorists and cannot be used against people like me. NSO has explained how its “internal processes” protect against misuse of its software as recently as May, in anticipation of a possible public offering of its shares.

A particularly irritating phrase in the NSO’s lexicon of excuses is “contractually obligated.” By dismissing the allegations, the company has argued that countries that license the technology have agreed on paper not to abuse it.

In my career at the Wall Street Journal and as a freelance journalist at the company I co-founded this year, Project Brazen, I’ve found that journalists covering everything from business to weather, war zones to government, need to raise their standards. alert. and take steps to prevent cyberattacks. Every heartbeat is susceptible to this threat as long as there are well-funded adversaries willing to do whatever it takes to defuse the spotlight of journalism.

Reporters in places like Mexico, Afghanistan and the Philippines face the gravest threats, including murder and prison sentences, for boldly speaking the truth. But around the world, with the United States and the United Kingdom without exception, cybersecurity is a pervasive risk due to the privatization of computer and phone intrusion.

I was lucky that the WSJ took cybersecurity risk seriously and allowed me to replace my phone every six months during sensitive reporting. However, even that is not enough.

In just the last four years, someone I thought was a fellow reporter secretly videotaped me at a lunch meeting (I later saw the full transcript); physically supervised by former law enforcement employees working for private clients; dealt with bogus whistleblowers who contacted me with malware-laden documents; and I got alerts from Google that a nation state was trying to access my personal Gmail account.

To protect myself, I update all my software as soon as it becomes available and use encrypted chat programs like Signal. I also bought a stack of burner phones, which I give to sensitive sources who need to contact me.

I even hired a former government surveillance expert on my own to train me to evade surveillance. We toured London discussing possible scenarios, but my lasting impression was this: Every day, in major cities around the world, there are teams of four or five following businessmen, political figures and journalists to determine who they are meeting with and what they are meeting with. they are saying to each other.

When I asked this expert’s colleague how I could access my phone if he was hired for work, he explained that one way would be to follow me to a subway station with a backpack that transmits a strong Wi-Fi signal with the same name as my mobile phone. . wifi from the service provider in the metro. When my phone was connected to it, without realizing it was fake, it was instantly compromised with malware.

I heard from a political dissident about a suspicious motorcycle parked outside his London home. When the police checked it, they found a Wi-Fi router connected to the bike’s battery with the same name as the Wi-Fi in his house. There is a name for this attack: “evil twin”.

The inevitable conclusion to all these troubling events is simple: go old school. Journalists should do their best to divide the places they make and store their reports, keeping in mind that their smartphone is one of their biggest weaknesses. It will make journalism much slower and annoying, but taking those precautions can sometimes be the only way to responsibly report on a sensitive story where people’s lives are at risk.

  • Bradley Hope, a former Wall Street Journal reporter, is the co-founder of Project Brazen. He is also a co-author of Mohammed bin Salman’s Blood and Oil: Ruthless Quest for Global Power.

Leave a Reply

Your email address will not be published. Required fields are marked *