Philip Di Salvo, a visiting researcher at the LSE, explains how journalists in Europe are responding to increasing and pervasive online surveillance of their work.
In the past few years my research has focused on anti-surveillance practices adopted by journalists to protect their work. In this context, I have recently focused on spyware technology and the threats it poses to journalistic freedom. Examples of this kind are multiplying: Mexico-based NGO Red en Defensa de los Derechos Digitales (R3D) published a new report this month denouncing the way that Mexican journalists have been put under surveillance through the use of spyware aiming at monitoring and silencing their work. This is just one of the many cases that demonstrate the increasing hostility of the contemporary online environment, and the growing list of potential digital attacks that can be launched against reporters.
While Mexico is without doubt one of the most hostile countries for journalists, similar instances of pervasive surveillance are now emerging from Europe where the use of spyware for the same purposes is becoming more and more common. The 2021 “Pegasus Project” focused on new revelations about the proliferation of spyware and its use to target news organizations, showing that journalists are exposed more than ever to a series of threats connected with an ongoing arms race for surveillance technology and its commodification.
It is almost a decade since the Snowden revelations, which shed light on the ubiquity of surveillance by Western countries and the US in particular. Whereas undoubtedly more awareness exists now about surveillance-related issues in the journalistic field, at the same time, most journalists still lack the necessary knowledge to effectively protect themselves, their work and their sources from surveillance and other online threats. Information security (“infosec”), which encompasses a set of practices and tools for securing sensitive information, is still a long way from being adopted on a large scale by most journalists. Yet, some interesting instances and examples of its use are visible, and journalism studies have also started to pay attention. A small but growing corpus of publications dedicated to these issues now exists: it deals with either the use of specific encryption tools and practices, or with the changes in journalistic culture and the organizational issues involved when it comes to professional roles and security cultures.
Journalists can adopt infosec in a variety of situations. My research has focused on whistleblowing platforms and their uses in different journalistic contexts, looking at how the phenomenon that started with the radical experience of WikiLeaks, is now also part of the toolbox of some of the major Western journalistic institutions, especially thanks to the SecureDrop software. During my visiting fellowship at the LSE’s Department of Media and Communications, funded by a Postdoc.Mobility grant of the Swiss National Science Foundation (SNSF), I have continued my work in this area, dealing with the relationship of European journalists with infosec and Internet surveillance at large. Here are some of my findings:
Fear of the “known unknown” of Internet surveillance
The view from Europe about how investigative journalists make sense of Internet surveillance – seen in light of a sample of ICIJ-affiliated reporters – has provided interesting results. Journalists tend to fear the “known unknown” of Internet surveillance and the unanswered questions about how and who may conduct monitoring operations against them. In this context, most of the concern is addressed towards the security and protection of sources and the potential availability of surveillance software to private malicious actors, such as corporations or criminal groups. When it comes to surveillance by the state, journalists are generally not concerned about activities of their own countries of residence, where democratic safeguards are expected to be in place, but those of the barely accountable intelligence sharing agreements among governments that may potentially expose their foreign sources to difficult-to-establish surveillance scenarios.
Underestimation of security risks
The concern about Internet surveillance is generally shared among European journalists, yet the urge for additional protection through infosec practices gets generally influenced by the beat, the nature of the sources, and the topic of reporting which are considered to make a direct difference in calibrating the danger that surveillance may pose to journos. Threat modeling for journalists certainly varies and while not all journalists need to protect themselves in the same way as those working with national security whistleblowers such as Snowden, this approach may also cause an overall underestimation of security risks or what Columbia University’s Susan McGregor has called “security by obscurity”, or “the belief one need not take particular security precautions unless one is involved in work that is sensitive enough to attract the attention of government actors.” Today’s digital threats are actually ubiquitous and all journalists are potentially exposed to some risks, most of which can be mitigated through day-by-day practices and accoutrements that fall under the “digital hygiene” hat.
For instance, European investigative journalists have expressed concern about phishing and other remotely-conducted attacks that may end up in hacking or infection through various malicious software, such as spyware. These scenarios are also an interesting point for discussing surveillance invisibility, as the inner mechanisms of spyware and their technical specifications are, in most cases, pure “black boxes”: overall, Internet surveillance is perceived as a “constant, taken-for-granted threat, but whose inner mechanisms, effectiveness, and effects on journalists’ practices and safety remain in some cases obscure” because of contemporary surveillance’s inner elusiveness and multiform nature, as I explain in this paper.
Advanced spyware, such as NSO’s Pegasus, is the ultimate nightmare scenario for journalists, as this kind of technology can be installed exploiting vulnerabilities in the code of apps and operating systems without the need for targeted individuals to do anything. These are called “Zero-Click” exploits. At the ECREA Journalism studies Section Conference that took place in Utrecht in June, I presented the preliminary results of my new project into how journalism is being threatened by spyware. Based on a series of interviews with European-related journalists and technologists with extensive experience in infosec and surveillance issues, the research aims at looking at how journalists make sense of spyware and what they are doing to protect themselves and their work.
Results of my research indicate a profound sense of uncertainty among journalists and technologists: uncertainty about the possibility of being a target; uncertainty about who could be responsible for such attacks and uncertainty about the effectiveness of the defence strategies available. All these results are connected with the features of spyware technology itself, which is designed to attack in “invisible” ways and to mask their presence on infected devices. Moreover, in those cases where spyware is installed exploiting unknown software vulnerabilities, even strong encryption strategies for protecting data in transit (like using end-to-end encryption messaging apps) can’t do little or nothing to prevent an attack from taking place. Consequently, journalists (and anybody else) are left with no active defence strategies to rely on and could only hope to mitigate the consequences of an attack.
When it comes to Internet surveillance, journalism seems to face a sisyphean and profoundly unbalanced task: respond to a growing, rich and shady business that is arming journalism’s enemies with sophisticated (digital) weapons. Given the current weak state of regulation when it comes to exploits, spyware and other forms of surveillance, unfortunately, the sky’s the limit for cyber-weapons. The good news is that help, support and technical advice is often coming from outside the journalistic field, as a growing number of technologists, activists and hackers are willing to help protect journalists and their work through providing tools, forensic analyses and, in some cases, access to source materials for conducting investigations into the shady surveillance market.
This article gives the views of the author and does not represent the position of the Media@LSE blog, nor of the London School of Economics and Political Science.