Spies, newshounds and watchdogs

Rhodes>Perspective>2013 Archive

Journalists are increasing falling prey to hacking attacks and there is little to protect them.  As media watchdog organisations flag a growing trend towards state internet censorship and surveillance, journalists around the globe are urged to heighten their information security.

In its 2012 Freedom on the Net report, Freedom House, the US-based oganisation that monitors press freedom, said that more than a quarter of the 47 countries rated for internet freedom and access had “disproportionately enhanced surveillance or restricted user anonymity”. It warned that while much of this communication interception may be necessary for fighting crime and terrorism, surveillance powers were being abused for political reasons in many countries. Freedom House wrote: “The proliferation of surveillance without appropriate safeguards almost inevitably leads to abuse or inadvertent violations of user privacy.”

Freedom House ranked South Africa and Kenya as the only ‘free’ African countries in terms of online freedom. South Africa topped the rankings, but the watchdog organisation drew attention to two bills currently before parliament that could jeopardise the country’s standing at number one in Africa: the infamous Protection of State Information Bill (also known as the ‘secrecy bill’) and the lesser-known General Intelligence Laws Amendment Bill (or ‘spy bill’). The former would affect netizens’ access to information, while the latter could legalise large-scale surveillance of digital data and circumnavigate judicial oversight of this surveillance.

So far, the spy bill, introduced in late 2011, has resulted in relatively little public engagement or media coverage when compared with the much publicised secrecy bill. In the public submission on the spy bill in March, the South African History Archive highlighted concerns about the transparency of South African intelligence services, as well as the bill’s failure to protect an individual’s right to privacy.

The Right2Know Campaign, which launched as a coalition of groups responding to the secrecy bill, but has broadened its scope to tackle related issues, also flagged the lack of judicial oversight for the interception of “foreign signals”, as described in the bill.

“Foreign signals” are defined in the spy bill as “intelligence derived from the interception of electromagnetic, acoustic and other signals, including the equipment that produces such signals, and includes any communication that emanates from outside the borders of the Republic, or passes through, or ends in the Republic”.

This could mean that emails sent using a foreign company – as in all major web-based email companies including the likes of Gmail, Yahoo, and Hotmail – or through social media such as Twitter or Facebook, could count as “interceptable communication”, according to Freedom House.

Meetings of the Ad Hoc Committee of the National Assembly considering the spy bill were suspended in May 2012, raising concerns that the bill would be pushed through Parliament while the South African public and media were distracted with the secrecy bill. There has been little news on the status of the spy bill since then, but the global trend towards heightened surveillance does not bode well for journalists and rights advocates, who are increasingly vulnerable to political abuse of communication interception.

“The volume and sophistication of attacks on journalists’ digital data is increasing at an alarming rate,” according to the Committee for the Protection of Journalists (CPJ). The CPJ cites recent examples in China where foreign correspondents have reported that their personal computers have been infected by surveillance software. In Ethiopia, the only African country to be ranked ‘not free’ by Freedom House, activists and journalists have reported their telephone, email and text conversations hacked.

Freedom House noted a growing concern that, given Ethiopia’s close relationship with Chinese authorities, the latter will assist the government in developing more sophisticated internet censorship and surveillance mechanisms. This concern seems warranted as Ethiopian activists report that state surveillance of their emails, text messages and other digital communication has been increasingly presented as evidence in politicised trials.

As new forms of communication develop, so do forms of communications interception and surveillance. “Information security poses unique challenges,” according to CPJ. It’s hard for one to detect an attack on your data. The committee adds that the damage caused by leaked information is virtually impossible to repair and, because of the constant evolution of complex information technologies, it is often difficult to keep up. The CPJ stresses the importance of security awareness among journalists.

In August, the CPJ reported that Venezuelan freedom of expression group Espacio Público documented at least 44 cases of hacking against journalists, writers, human rights activists and opposition politicians. These attacks have been largely attributed to a group of pro-government hackers known as N33, which in September 2011 said it was formed to wage cyber attacks against “irresponsible and ignorant” critics of President Hugo Chávez.

The Chávez-supporting vigilantes are known to hack into dissidents’ Twitter accounts where they tweet pro-government messages or insult other dissidents. According to the CPJ, N33 took credit for hacking the Twitter accounts of Ibéyise Pacheco, a prominent opposition journalist, and writer Leonardo Padrón.

“The hacking goes beyond fake messages and insults,” warns the CPJ. As the hackers gain access to dissidents’ Twitter accounts, they can also access account profiles and therefore the owners’ email address and the content of private direct messages. Using this information, hackers can then gain access to dissidents’ email accounts and other personal details.

“Because they also get into your email, they can get your contacts, learn your home address and telephone numbers, learn the number of children you have, or the numbers of your bank accounts,” Erika Rosales, who tracks hacking cases for Espacio Público, told the CPJ. She said that after having their Twitter accounts hacked in September 2011, Berenice Gómez, a Caracas journalist, received threatening phone calls from people identifying themselves as members of N33.

Gómez had to abandon her Twitter account and open a new one, like most of the other victims. Her hacked account was given a new name and pro-Chavez messages began being posted on it. The hackers recorded the conversation with Gomez and then posted it on the internet. “They were trying to force a change in my reporting,” Gomez told the International Press Institute. “They said the information I had in my accounts would cause me problems, but what scares me now is that they know who gives me information.

They could take advantage of that and intimidate, prosecute or even kill my sources. After being a journalist for 30 years, for me it is sacred to protect my sources.”

Even where your accounts are not maliciously hacked by groups like N33, just sharing an open wi-fi network can be extremely risky. For example, anyone sharing the wireless network at a café could hack your Facebook account, as Bobby Soriano of the Tactical Tech Collective demonstrated during a workshop at Highway Africa at Rhodes University in September. Using the campus internet network and a simple free application on his smart phone, Soriano was able to hack into any one of the 400 delegates’ webmail, Facebook and Twitter accounts.

The Tactical Tech Collective is an initiative geared towards empowering rights advocates to utilise information and communications in order to help their communities and “affect progressive social, environmental and political change”, the group explains on their website. As rights advocates increasingly use digital tech for their work, so too do they increase their vulnerability to exposure.

In response, Tactical Tech has developed a ‘toolkit’ of information and methods that advocates – and, by extension, journalists – can use to protect their data from unauthorised access and surveillance: securityinabox.org.

While journalists and activists should be concerned that if the ‘spy bill’ is passed in its current form by the South African Parliament, state surveillance will be legalised and without judicial oversight. Journalists must take the necessary precautions to protect their digital data from snoops, government and otherwise, now rather than after the ‘spy bill’ is passed.

This story was first published in the December 2012 issue of The Media magazine.

By Michelle Solomon