Simple steps to protect journalists and sources from eavesdroppers

Journalists are among those most likely to face technical attempts at attack and interception. Reporting is based on discussions with sources who may want to remain out of the limelight, and news sites attract extensive readership, making them a desirable target for potential attackers. But there are simple steps to protect against the most common form of eavesdropping, and journalists should be aware of the types of technical adversaries they may face.

Several countries use sophisticated network interception and attack appliances to monitor, filter, and attack the entire country’s Internet connection. Such tools are available for anywhere from $15.5 million to $380,000, a price point described as “dictator pocket change” by Morgan Marquis-Boire, a security researcher who specializes in these sorts of tools at The Citizen Lab, the technology and human rights research institute.

Before we get into the details of the risks journalists and news organizations face, and how they can protect themselves, let’s get some terminology straight. When technologists talk about spies and snoops reading messages we often break those potential interlopers into passive listeners, active “man-in-the-middle” (MiM) interceptors, and advanced persistent threats (APTs).

A passive adversary just listens to communications sent over the network, they don’t interrupt or make changes. In technical discussions we sometimes call a passive adversary “Eve” for “eavesdropper.” An eavesdropper can read a postcard, but if a source puts their letter in an opaque envelope, a passive eavesdropper could only read the destination and return address, or perhaps try to remember the handwriting.

An adversary who engages in active interception is more trouble than a passive eavesdropper. An active interceptor is sometimes called “Mallory” in reference to a “malicious” interloper. Continuing the mail metaphor, an active interceptor is willing not just to read postcards but also to steam open an envelope, read the message, then seal it up and send it on its way. They may even impersonate one of the parties to intercept the message, and there are many encryption systems that rely on being sure that you’re talking to the right person. The SecureDrop secure submission system relies on sources knowing whether a convoluted hidden service address is genuine, which is why the Freedom of the Press Foundation maintains a directory of genuine SecureDrop addresses.

An APT is the most sophisticated and concerning sort of attacker. An APT doesn’t just confine themselves to the postal system. They are the digital version of an attacker willing to wait until the newspaper office is closed for the night before breaking in, reading everyone’s mail, looking through documents, copying hard drives, and maybe hiding a bug or a small camera. This type of threat is sometimes called “Trudy” for an “intruder.” If the attack is against computer systems, it’s called a “breach.”

In practice, all three types of attacker are worth journalists protecting themselves against, but some are more common than others. Even the National Security Agency, with its sophisticated interdiction unit and elite Tailored Access Operations team can afford to play Mallory and Trudy only some of the time. Active attacks run the very real risk of being detected, and APT-style operations depend on exploiting bugs, which are in limited supply. Most of the time even the NSA, as Edward Snowden’s revelations showed, just acts as a passive eavesdropper, able only to look at metadata and read the content of unencrypted communications.

The NSA program XKeyscore passively captures nearly everything a typical user does on the Internet, and stores it for later analysis. When a journalist or source becomes a surveillance target (in NSA parlance, they get “tasked” for XKeyscore), all those passively collected messages go straight to an analyst’s desk. That includes every message sent or received. Recent news reports show that the NSA specifically targets journalists who are critical of the U.S. government, including documentary filmmaker Laura Poitras.

Defending against advanced and persistent threats is complex and requires a lot of ongoing security work. Even defending against an active interceptor requires that encrypted communications be authenticated, which takes a fair bit of logistical effort. Protecting against a passive listener is much easier: it just requires the sort of basic encryption used by every HTTPs website. Advanced threats are exciting to talk about. In practice though, passive interception is ubiquitous–at least by the NSA and potentially by many others.

It’s not really worth planning to deal with complex but rare threats before taking easier steps to mitigate simple everyday eavesdropping.

The protocol for reading websites, HTTP, is not encrypted, and this exposes journalists and their readers to a host of risks. At the very least, a passive adversary can see every page a reader visits, including which articles they’re reading, potentially how long they’re taking, and plenty of other details about a user’s behavior on a site.

This insight and control could make it easy for an oppressive government to graduate from passive adversary to active censor. Such tools even create a perfect avenue to attack readers. Every insecure connection a reader makes is an opportunity to attack that reader with malware and take over their computer. The equipment needed for these attacks is inexpensive, and using unencrypted Web browsing as a route for attack is more efficient and harder to detect than methods such as phishing. This sort of technology appears to be currently deployed in Turkmenistan, according to research by Citizen Lab, which found that a prototype for targeted surveillance network injection appliances had been sold to the government. However, the upgraded Web protocol HTTPs (the “s” stands for “secure”) applies encryption to the whole connection. Many websites support HTTPs, but it’s hard to keep track of which ones do. The technology civil rights group Electronic Frontier Foundation developed a browser add-on called HTTPs-Everywhere, which comes with a list of popular sites that support HTTPs. Once HTTPs-Everywhere is installed, any connection made to one of these sites is automatically upgraded even if https:// hasn’t been typed in the address bar.

HTTPs-Everywhere can only upgrade connections when the site supports it. It can’t force sites to support HTTPs. Although lots of popular research destinations support HTTPs and use it by default, many news sites do not. CPJ’s site is available over HTTPs, and we are working on making that the default for all our users. Journalists working for news sites that aren’t available over HTTPs should ask their colleagues why.

Another important tool to encrypt is email. Sophisticated encryption software like PGP offers end-to-end encryption: the message is encrypted on the sender’s computer and can only be decrypted by the recipient. This level of security is particular appropriate for investigative journalists handling sensitive information. Tools such as PGP add another layer of complexity to sending and receiving email, but they work only when both parties know how to use them. Journalists are safest when all their communications are encrypted by default–and that default is also the norm everywhere. That way there’s no additional inconvenience or suspicion associated with using secure tools, and they work no matter who a journalist needs to talk to.

Email is a juicy target for eavesdroppers. It not only tells them who a journalist is talking to, but what they are talking about, what stories they are considering, and which sources they rely on most. Micah Lee, security specialist for The Intercept, told CPJ: “The life of an email is fraught with peril. At any point during its journey–from your computer to your mail server to the recipient’s mail server and finally to the recipient’s computer–attackers are trying to eavesdrop on it.”

Against a purely passive eavesdropper, sophisticated tools such as PGP are overkill. An email is at its most vulnerable to passive interception when it is being transmitted from the sender’s provider to the recipient’s provider. And there is a simpler way to protect the message during this stage.

Like the Web, email’s protocol–SMTP–does not use encryption by default. Messages are sent between providers without any encryption, and even a passive eavesdropper can read everything about a message–who it’s from and to, and the content. Just like the Web, an upgraded version of email which supports encryption is available, but it works only if both the sender’s and recipient’s provider are configured to use it. If enabled, all a passive eavesdropper can tell is that a message has been sent–they may not even be able to guess the recipient or who sent it.

Journalists can check if their email provider supports this upgraded version of SMTP at starttls.info (StartTLS is the name of the encryption protocol). When the domain name of the email provider (the part after the @ symbol) has been entered, starttls.info will reveal whether incoming messages support email encryption and state how good that support is in the form of a letter grade. Higher grades are better, but any encryption will stymie a passive eavesdropper. If a media organization doesn’t support email encryption, everything a source sends via email can be read by the laziest of eavesdroppers.

Every news organization should be in the stages of planning or implementing these sorts of protections to both their website and their email. Lee said: “[It’s] important that you configure your mail server to encrypt as much as possible, which means setting up StartTLS, and only letting clients connect to it using SSL/TLS.” The New York Times is in the process of switching its site to HTTPs to improve security and performance for readers, and boost the paper’s ranking in search engines. Rajiv Pant, the paper’s chief technology officer, recently called on all news sites to move to HTTPs by default before the end of 2015.

Of course email and the Web aren’t the only things a journalist should think about encrypting, but they are some of the easiest and most useful. Text messages and phonecalls can be encrypted with TextSecure and RedPhone for Android, or Signal for iOS. There are many instant-messaging services that use some basic level of encryption. Taking these sorts of steps won’t protect the press from every possible adversary, only the most basic. But passive eavesdropping is so pervasive that there’s every reason for journalists to protect themselves and their sources.