Burner phones, fake sources and ‘evil twin’ attacks: journalism in the surveillance age

By Bradley Hope* – The Guardian

When I heard my number was on a leaked data list, I wasn’t surprised. Reporters have never been more vulnerable

What does the new age of surveillance mean for the work of investigative journalists? Last year, I was preparing to fly from London to a country in the Middle East for a sensitive reporting trip. I wasn’t worried about my own safety – but now I have to take extraordinary measures to protect the security of my data.

Bringing my own laptop or personal phone was out of the question. Instead I bought a completely new phone. I made sure not to sign into any of my accounts from the phone, and I did not save any numbers in the blank address book. Before I left, I created a temporary email address specifically for this trip, where sources could reach me.

Counterintelligence in journalism used to be the domain of reporters digging into matters of national security or liaising with sensitive government whistleblowers; but increasingly those tactics are necessary across the board.

With the rise of hacker-for-hire services and the availability of government-grade computer penetration software to anyone willing to pay a high price, reporters have never been more vulnerable to having their sources exposed or their projects subverted by those hoping to keep nefarious secrets safe. Anyone who believes in the value of investigative reporting that holds the powerful accountable should be worried about this global journalistic emergency.

When the Guardian contacted me to explain that my phone number was on a leaked data list, allegedly selected by the United Arab Emirates, I wasn’t surprised. Together with a colleague from the Wall Street Journal, where I used to work, we reported in our book Blood and Oil: Mohammed bin Salman’s Ruthless Quest for Global Power that Saudi’s smaller neighbour, the UAE, had purchased as many as three simultaneous licences, from an Israeli company called NSO, to use powerful intrusion software for its government agencies.

I’ve reported for years on sensitive matters connected to the UAE, especially related to the globe-spanning 1MDB scandal that involved a member of the Abu Dhabi royal family, the UAE’s ambassador to the United States and two of its sovereign wealth funds. I no longer have the phone I was using at the time my number appeared in the leaked data, so I cannot offer a device for forensic analysis – the only way to know whether there was an attempted or successful hack on my phone using NSO’s Pegasus spyware.

While the government that was allegedly interested in me wasn’t surprising, the name of the company was. Senior executives of NSO have been giving background briefings for years to my former colleagues and others about how their powerful tools were designed to stop terrorists and couldn’t be used against people like me. NSO has explained how its “internal processes” protect against the misuse of its software as recently as May, in anticipation of a possible public offering of its stock.

One particularly galling phrase in the NSO lexicon of excuses is “contractually bound”. In dismissing the allegations, the company has argued that countries licensing the technology agreed on paper not to abuse it.

In my career at the Wall Street Journal and as an independent journalist at the company I co-founded this year, Project Brazen, I’ve discovered that journalists covering everything from business to the climate, war zones to government, should raise their alert levels and take steps to prevent cyberattacks. Every beat is susceptible to this threat so long as there are well-funded adversaries willing to do whatever it takes to disable the spotlights of journalism.

Reporters in places such as Mexico, Afghanistan and the Philippines face the gravest threats, including assassination and prison sentences, for courageous truth-telling. But around the world – with the US and UK no exception – cybersecurity is an omnipresent risk because of the privatisation of computer and phone intrusion.

I was lucky that the WSJ took seriously the risk of cybersecurity and allowed me to replace my phone every six months during reporting on sensitive topics. Yet even that is not nearly enough.

In the last four years alone, I’ve been clandestinely recorded at a lunch meeting by someone I thought was a fellow reporter (I later saw the full transcript); physically surveilled by former law enforcement employees working for private clients; dealt with fake whistleblowers reaching out to me with documents laced with malware; and had alerts from Google that a nation state was trying to access my personal Gmail account.

To protect myself, I update all my software the moment it becomes available, and use encrypted chat programs like Signal. I have also bought a stack of burner phones, which I give to sensitive sources who need to contact me.

I even hired, at my own expense, a former government surveillance expert to train me in evading surveillance. We traipsed across London discussing possible scenarios, but my lasting impression was this: every day across the major cities of the world, there are teams of four or five who are following businesspeople, political figures and journalists to ascertain whom they’re meeting with and what they’re saying to each other.

When I asked this expert’s colleague about how he might gain access to my phone if hired for the job, he explained that one way would be to follow me into a tube station with a backpack broadcasting a powerful wifi signal with the same name as my mobile service provider’s wifi in the underground. When my phone connected to it, not realising it was a fake, it would instantly become compromised with malware.

I heard from one political dissident about a suspicious motorcycle parked in front of his London house. When the police checked it out, they found a wifi router connected to the bike’s battery with the same name as his home’s wifi. There’s a name for this attack: “evil twin”.

The inevitable conclusion from all these worrying developments is simple: go old-school. Journalists should do whatever they can to break up the places they do and store their reporting, keeping in mind that their smartphone is among their greatest weaknesses. It will make journalism much more time-consuming and annoying, but taking those precautions may sometimes be the only way to responsibly report on a sensitive story where people’s lives are at risk.


*Bradley Hope, a former reporter for the Wall Street Journal, is the co-founder of Project Brazen. He is also the co-author of Blood and Oil: Mohammed bin Salman’s Ruthless Quest for Global Power