While governments around the world have very different perspectives on freedom of expression online and the nature of Internet governance, they are in fundamental agreement on the use of online surveillance for domestic law enforcement and international espionage. The indignation expressed by countries like Germany and Brazil in the aftermath of the NSA-spying revelations stem from the magnitude of the surveillance, not its existence. China, meanwhile, expressed no particular qualms. Its criticism is all about the U.S. double standard and the fact that it has used its control of Internet infrastructure to secure an unfair advantage in the online surveillance arms race.
The irony is that China may be the country least affected by the NSA spying program, at least based on what had been revealed by late 2013. U.S. Internet companies have a limited presence in China. The most popular search engine in the country is not Google but Baidu, a Chinese company partially owned by the government. While documents released by Edward Snowden have made clear that the NSA had access to the data stored by U.S. companies like Facebook and Google, presumably they had less reach into Baidu, which is not subject to U.S. jurisdiction or oversight.
The fact is that governments on all continents have found the Inter net to be an incredibly valuable tool for monitoring the activities of their citizens and for carrying out global information-gathering operations. That is not going to change. Journalists are ideal targets for state surveillance. Their job is to communicate with politicians, critics, dissidents—and even terrorists. They rely heavily on their mobile devices, which are extremely easy to monitor and intercept, and in general they are not particularly tech savvy or security conscious. Many journalists I speak with about information security tell me they just assume their communications are monitored and behave accordingly. Their sources, however, may not be operating with the same assumption.
It’s obviously difficult to discern the level of surveillance of journalistic communication, but recent examples suggest that snooping is extremely widespread. A clandestine Chinese cyber security operation widely linked to the government hacked the personal e-mail accounts of individual journalists and also infiltrated international media organizations like the New York Times, Bloomberg, and the Washington Post. At CPJ we’ve had e-mails with journalists in Ethiopia and Colombia intercepted by government intelligence agencies in those countries.1 The NSA hacked into the internal communications of al-Jazeera in 2006, according to documents leaked by Edward Snowden and cited in Der Spiegel.2
In a report issued in April 2013, UN Special Rapporteur for Freedom of Expression Frank La Rue described growing government surveillance efforts as a fundamental threat to global freedom of expression. La Rue noted,
States cannot ensure that individuals are able to freely seek and receive information or express themselves without respecting, protecting, and promoting their right to privacy. Privacy and freedom of expression are interlinked and mutually dependent; an infringement upon one can be both the cause and consequence of an infringement upon the other. Without adequate legislation and legal standards to ensure the privacy, security, and anonymity of communications, journalists, human rights defenders, and whistle-blowers, for example, cannot be assured that their communications will not be subject to States’ scrutiny.3
The NSA spying program, though, did real damage to La Rue’s proposition by making it more difficult to argue that massive state surveillance—including the hacking operations carried out by China—violates international norms. While there is of course a real difference between the hacking of the accounts of international journalists carried out by Chinese authorities and the use of metadata by the NSA to analyze patterns of communication, the Chinese operation looks less aberrant today and more like an effort to level the playing field.4
Obviously journalists can—and should—make a greater effort to ensure that communication is secure. But there is a broader and unresolved question as to whether online surveillance has become so pervasive and effective that it is having a chilling effect on the global media. In other words, is surveillance a new form of censorship? Already, some of the more sophisticated media organizations have changed the way they do business. Many reporters now limit electronic communication with sensitive sources and even with their editors. Even more fundamentally, “You can no longer guarantee anonymity to a source,” said Janine Gibson, the U.S. editor of the Guardian who oversaw Glenn Greenwald’s coverage of the Snowden leaks. “That’s a terrifying thing for the journalists we work with.”
I first began to appreciate how online surveillance and monitoring can be used not only to undermine the work of the press but also to dismantle information networks when I met the Iranian journalist Maziar Bahari, who was imprisoned for three months following the disputed 2009 presidential elections in Iran. While the common perception is that online information is gleaned through hacking, spyware, or government surveillance, these are not the only methods. In Bahari’s case the sensitive online information was extracted through torture.
I had become deeply involved in Bahari’s case after he was arrested at his mother’s home in Tehran in June 2009. Agents from the Revolutionary Guards turned the apartment upside down, confiscated his video collection, and hauled him off to Evin prison, where for three months he was interrogated about his reporting for Newsweek and his documentary work for British Channel 4. Soon after his arrest, I got a call from Bahari’s editor at Newsweek, Nisid Hajari, who was seeking advice on how to garner international attention and put pressure on Iran to release him. Those efforts, eventually successful, included an online petition campaign, a media strategy, and direct interventions with Iranian officials.
After Bahari was released, he came to New York, and we spoke about his interrogation. We discussed the kinds of questions he had been asked. Bahari’s interrogator, whom he nicknamed Rosewater in reference to his powerful cologne, berated, manipulated, and at times brutalized him. Rosewater immediately demanded access to the password for Bahari’s e-mails and Facebook page and began poring over all of the information they contained—his friends, his posts, his likes. Bahari, who had been educated in Montreal and lived in London, had sophisticated and sometimes ironic cultural interests. He “liked” the Russian playwright Anton Chekhov and the American comedian and B-movie actor Pauly Shore. This made Rosewater suspicious—he assumed Chekhov was a Zionist and Shore a spy. He also went through Bahari’s Facebook friends one by one, aggressively accusing Bahari of having sexual relationships with all the women he had friended, including the Nobel Prize–winner Shirin Ebadi. He even tried to use Facebook to establish that Bahari was having an extramarital affair in an apparent effort to blackmail him into cooperating. Bahari’s British wife Paola was in London at the time of the incarceration, pregnant with their first child.
Later, Rosewater discovered an incriminating video online. It featured Bahari being interviewed by the Daily Show correspondent Jason Jones, who was pretending to be a spy. The skit, which was intended to highlight U.S. ignorance about Iran, was hilarious, but Rosewater was not amused and could not be convinced that the segment was intended as a joke. After his release, Bahari developed a close relationship with Jones and with the Daily Show’s host, Jon Stewart, who in the summer of 2013 took a hiatus from his television show to direct a movie based on Bahari’s experience. The film is tentatively titled Rosewater.
While Bahari’s interrogation was at times bizarre—even comical—it highlights what a treasure trove of information can be obtained through a Facebook page and how that can be used to dismantle networks. In the first giddy weeks following the June 2009 elections, as protesters took to the streets of Tehran and other cities to express their outrage at the manipulated results that extended the term of President Mahmoud Ahmadinejad for four more years, new technologies were widely seen as helping fuel Iran’s Green Movement. Social media and new information technologies facilitated communication between the protesters, allowing them to stay informed and coordinate action. After international reporters were expelled or confined to their offices in Tehran, their most crucial source of information became tweets, blogs, images, and videos provided by the protesters themselves. The most iconic image of the uprising was the death of the protester Neda Agha-Soltan, captured not by a professional photographer but by fellow demonstrators.
But subsequent reports made clear that the Iranian twitterati were a tiny portion of population, concentrated in the affluent sections of Tehran. Social media helped shape elite opinion and action inside Iran and had a profound effect on the international media trying to cover the protests from outside the country. But its importance as a tool of mass organization was greatly overstated.
Moreover, the Iranian government was able to launch an effective counterattack combining old-fashioned brutality and new technologies to reassert control over the information sphere and stamp out the protest movement. During the 2009 postelection crackdown in Iran, the security services routinely tortured journalists and activists like Bahari to obtain their social media and e-mail passwords and then used the information to reverse engineer the protests’ networks, hauling in friends and torturing them and so on. Iranian security officials populated Facebook, surreptitiously friending journalists, activists, and others and then accessing their networks. Iranians exiles returning home were made to log into their Facebook accounts when they arrived at the airport. Security forces used social media to crowd-source photos of protesters, posting pictures and asking for help identifying individuals. At times, the government slowed the Internet to a crawl, blocked critical sites, and used a technique known as deep packet inspection to monitor Web traffic. Dozens of reporters were rounded up. Some were released after undergoing interrogations, but many were jailed for extended periods.5
Iran’s Green Movement was supposed to be the first Twitter revolution. In fact, it should be viewed as a cautionary tale about the limitations of new technologies as a tool to confront autocratic regimes and the competing power of surveillance. Two years after Iran’s 2009 elections, the revolutions in Tunisia and Egypt prompted a similarly optimistic response about the power of social media. But on closer examination Twitter and Facebook played a comparable role during the Arab revolts. Initially, they mobilized the elite, made it more difficult for the authorities to contain news and information, and fueled global awareness about the abuses. These are not insignificant contributions. But it is also important to recognize that most of the people who participated in uprisings in Tunisia and Egypt were not even online, and satellite networks, notably al-Jazeera, were a more important source of independent information than Facebook. More importantly, the use of Facebook and other social media platforms by governments to dismantle political networks has become a standard practice. The Syrian government used Trojan horse viruses—attachments and links that appear legitimate—to install spyware on the computers of activists and journalists.6 As in Iran, those arrested by Syrian state security forces were immediately compelled to surrender their passwords under the threat of torture. Clearly, while activists took one lesson from the Arab Spring, Iranian authorities and other repressive leaders took another. They determined to put more resources into ensuring control of online information. Online and real-world repression has accelerated as a result.
Under President Ahmadinejad, the Iranian government sought to develop what could be termed a permanent solution to its Internet problem: Building a national Web featuring only approved content. In announcing in April 2011 that Iran planned to use filtering and monitoring to create a “Halal Internet,” Iranian officials praised China’s efforts, describing the country as a global model for online censorship. Evidence suggests that China may have offered more than just inspiration. Two Chinese companies, Huawei and ZTE, provided surveillance and censorship technology to Iran. In many ways the Iranian project is even more ambitious and draconian than the Chinese model. Iranian officials have described a project whereby the “approved” Iranian Internet would exist alongside a filtered version of the global Internet for a period, but at some point Iran would opt out of the global system, limiting access to the “halal” version. The hope of officials is that the new system would replace the Web not only in Iran but in other Muslim countries.7
During the 2009 elections, Iran thought it could gain legitimacy by having a more open media, but by 2013 it had given up on that approach. While authorities arrested dozens of journalists during the postelection crackdown in 2009, in 2013 they arrested them before the vote took place. By March 2013, as Iranians prepared to go to the polls to elect a new president, forty-five journalists were in jail, and dozens more were under threat of reincarceration after having been released on furlough.8 For a brief period following the 2009 election, the Internet was seen as a safe space where activists could associate and share information. By 2013 that perception had changed. While there was considerable online activity, it was more circumspect and more cautious. The concern was understandable, as the Iranian government repeatedly demonstrated new ways of exploiting technology for repression. In one incident in January 2013, Iranian security officials picked up in Tehran the sister of a BBC reporter based in London, forced her to give up her Facebook password, and took over her account. The interrogators used the Facebook chat feature to menace and threaten the reporter in London, essentially using her sister as hostage. It may have been the first-ever state security interrogation carried out via Facebook.
Standing up Against Secrecy
What can we do to counter the threat of online surveillance? While it’s important to keep the pressure on governments, authoritarian and democratic alike, it’s unrealistic to expect them to change their behavior, at least in the short term. So journalists and information activists must first work to improve their own online security while simultaneously putting pressure on technology companies to provide support to vulnerable users.
One challenge is that journalists have become so utterly dependent on insecure communications technologies to do their work. Cell phones, BlackBerrys, and iPhones have become essential reporting tools for both professional journalists and amateurs. But these devices are also repositories of vast amounts of personal information that governments crave as keenly as any advertiser. Internet communication via e-mail, Skype, or chat is never totally secure, and using SMS is “like sending a postcard through the mail,” according to Katrin Verclas, a cofounder of MobileActive, an organization that supports activists using mobile technology to create social change. In an October 2011 New York Times op-ed, the technologist and privacy activist Christopher Soghoian took journalists to task for their general cluelessness about digital security. “Government officials often attempt to get journalists to reveal their sources by obtaining subpoenas and compelling testimony and the required telecommunications records,” he wrote. “But sometimes that’s not even necessary, because sources have already been exposed by their own lax communications.”9
The risks, varied and evolving, have been brought into high relief by the Snowden revelations. E-mail, for example, is never secure. Using encryption technology can make e-mail safer, but reports by Pro-Publica based on the Snowden leaks indicate that the NSA cracked many of the codes “using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age.”10
Meanwhile, smart phones can be converted to tracking and monitoring devices that record movements and conversations. The only way to make sure you are not being tracked from a GPS-enabled phone is to remove the battery completely at sensitive times, something that is not even possible with an iPhone. BlackBerrys are generally considered more secure, which is why the company has come under tremendous pressure from countries like the United Arab Emirates, Saudi Arabia, and India to provide security forces and law enforcement with backdoors to monitor communication.
Much of the technology used to carry out this kind of cyberspying is developed by U.S. and other international companies. For example, FinFisher software, which allows a remote user to take control of a smart phone or computer, is marketed to law enforcement but sometimes used by repressive governments to monitor the political activities of their own people. Bahraini activists received an e-mail that seemed to come from an international journalist but when clicked open installed FinFisher on their devices. “Everything a regime would need to build an incredibly intimidating digital police state is commercially available now, and export restrictions are currently insufficiently monitored and enforced,” note Google’s Eric Schmidt and Jared Cohen in The New Digital Age.11 The ability of governments to track their citizens will likely increase as voice and facial recognition software come online.
One strategy that activists and journalists use to mitigate risk is to disable e-mail and Facebook accounts when their colleagues are detained. They have at times enlisted support from technology providers. When a wave of journalists was detained in Iran prior to the 2013 elections, Google was contacted by an Iranian journalist outside the country and agreed to disable the Gmail accounts of those in custody.
But activists and journalists believe the companies can do more. At a meeting organized by CPJ in Silicon Valley, Rami Nakhle, an activist and blogger who helped provide video footage to international journalists covering the Syrian conflict, explained the risk to a group of engineers and technologists who helped build and maintain the modern Internet. “People I know lost their lives or were tortured for months as a result of security bugs. I am not saying this to blame you, because they know the risks they are taking, and they’re brave enough to take risks. If you really can help them here with just a small investment in their security, you may save many people’s lives.”12
On occasion, companies have been called to task. The son of an Iranian journalist imprisoned in Iran filed a lawsuit in the United States against Nokia Siemens, alleging that the company had provided technology used by the Iranian government to intercept cell phone communication and round up dissidents. The Finnish company said it had provided off-the-shelf software, but it did eventually announce it would not do business with Iran.13
In 2007, Yahoo! chief executive Jerry Yang was raked over the coals at a congressional hearing for providing to Chinese authorities access to the personal e-mail account of the Chinese journalist Shi Tao. One e-mail, which Shi had forwarded to sources outside of China, contained the propaganda directives sent to Chinese journalists for their coverage of the fifteenth anniversary of the Tiananmen uprising. Shi was convicted and sentenced to ten years in jail for “leaking state secrets abroad.” A chastened Yang offered a personal apology to the journalist’s mother, who attended and sat in the first row.14
Facing the threat of legislation that would have regulated information and technology companies operating in repressive countries, Google, Yahoo!, and Microsoft began discussions with human rights groups and socially responsible investors to develop a set of principles and standards around freedom of expression. Those discussions eventually led to the formation of a nonprofit organization called the Global Network Initiative, or GNI. Working together, the GNI developed a set of principles around freedom of expression and privacy grounded in international human rights standards. The adoption of these principles gave the companies additional leverage to push back against intrusive demands from governments. The GNI has succeeded in creating greater accountability and transparency within the participating companies, although the enforcement mechanism remains weak. More importantly, it has created dialogue and trust that have made it easier for human rights groups to engage with the tech companies around their concerns.
While participation in the GNI has not grown as rapidly as once hoped, the organization got a big boost in early 2013 when Facebook became an official member. Another significant development, while not a formal GNI initiative, took place in October 2013 when GNI members Google, Facebook, Yahoo!, and Microsoft, along with Apple and AOL, sent a joint letter to members of the U.S. Senate registering their objections to the scope of the NSA spying program. The letter noted, “Our companies believe that government practices should be reformed to include substantial enhancements to privacy protections and appropriate accountability mechanisms for those programs.”15
Generally, the way that tech companies respond to public pressure to improve the security of vulnerable users is based on their corporate culture and business model. Suppliers of software and hardware used for monitoring and surveillance have been the least responsive. Their position is that they are selling a legal product that has a legitimate purpose and that they can’t be responsible if it is misused. Google’s business model, on the other hand, depends on maintaining the confidence of individual users. Their unspoken commitment is, “We might know everything about you, but you can totally trust us.” When events occur that cause people to lose trust—such as the state-sponsored attack on Chinese dissidents’ e-mail accounts—the company takes action to protect its brand. Google’s decision to pull out of China and its aggressive response to the NSA surveillance revelations are highly rational from a business perspective. Google was also one of the first e-mail providers to implement across-the-board encryption, and activists believe that e-mailing between Gmail accounts is still one of the more secure ways of communicating, although the assumption at this point is that the NSA can gain access to such communication.
Facebook takes a very different approach. The company believes that since the platform is all about sharing information, users should understand that posting on Facebook is essentially a public activity. Facebook has taken some steps in response to user demands for greater privacy and control over information, but the company ethos—and the default setting—is to encourage users to be as public as possible. In the view of Rebecca MacKinnon, Facebook has become a quasi-public space with its own rules about privacy and free expression. These rules change constantly and are enforced by a company with limited accountability and oversight. In acknowledgment of the arbitrary and capricious standards, MacKinnon has dubbed this space “Facebookistan.”16 Like other Silicon Valley–based social media companies, Facebook relies on a team of “deciders” to screen content and remove postings that violate its terms of service. For example, Facebook removes posts that attack individuals based on “race, ethnicity, national origin, religion, sex, gender, sexual orientation, disability, or medical condition.”
One of the key battles with activists is centered on Facebook’s real-name policy. Facebook does not permit pseudonyms, anonymous users, or multiple profiles. It actively enforces this policy and deletes accounts that are in violation. The company argues that the real-names policy ensures more civil discourse—since you can’t hide behind a pseudonym—and protects activists by making it more difficult for government supporters or even state security agents to use the network to harass and monitor their opponents. This makes a certain amount of sense until you realize it’s exactly the same argument made by the Chinese government to justify its real-names policy. It’s also unenforceable since already more than one billion people are on Facebook, and the company can’t possibly check every name. The policy is actually prejudicial to political activists, since they are likely to come to the attention of authorities who can turn to Facebook and request that their accounts be removed. Finally, these policies are unlikely to stop a security agency with the resources to create a fake online identity.
Activists using social media to disseminate news and information find Facebook’s position deeply frustrating. In fact, Facebook’s real-names policy nearly killed off Wael Ghonim’s We Are All Khaled Said page, which would eventually grow to a million followers and serve as a hugely important source of information during the Tahrir Square protests in Egypt. Because Ghonim—who feared detection and arrest in Egypt—was administering the page anonymously, Facebook shut down the page for violation of its terms of service. A colleague of Ghonim’s in the United States got in touch directly with Facebook and informed them she would serve as the administrator for the group under her real name. The group was restored in less than twenty-four hours.17
Esraa Abdel Fattah, one of the founders of the April 6 movement in Egypt that also played a critical role mobilizing online support for the Tahrir Square uprising, told me during a visit to Cairo in March 2013 that she was scandalized by Facebook’s indifference. She described a visit to Facebook’s Washington, D.C., office earlier that year during which she made the case that the company should adapt its product to better meet the security needs of activists working in dangerous environments. “I said, ‘don’t you realize that people are using your tools to spread democracy and human rights?’ You have to take responsibility. You have developed a very important tool that is changing the whole world. You have to find ways to help people use it safely. You can’t just stand by and let people be killed for their beliefs.” Abdel Fattah said she got sympathy from the company representatives but no commitment.
While continuing to rally against government policies that undermine the free circulation of information online, journalists and activists need to improve the security of their own communications, recognizing that they are likely targets of surveillance. They also need to apply systematic pressure on companies like Google, Yahoo!, Twitter, and Facebook, whose services provide the backbone of the social aspect of the Internet. In the current environment, these companies have become convinced that pervasive government surveillance under mines their business interests, as customers around the world want to be able to communicate securely. Making them explicit allies in the struggle for press freedom is the most immediate challenge.