“R2D2, you know better than to trust a strange computer!” – C3PO in “The Empire Strikes Back”
In its 2021 World Press Freedom Index, which ranks countries and regions according to the level of freedom afforded to journalists, Reporters Without Borders noted that independent journalism is partially or totally stymied in 73% of the 180 countries ranked. While the press has a tendency to shy away from self-reflective coverage, there has been recent acknowledgement of the many journalists targeted by threats such as surveillance, censorship and harassment: Maria Ressa (a current Shorenstein fellow and co-founder of the Philippine news site Rappler) and Dmitry Andreyevich Muratov (editor-in-chief of the Russian newspaper Novaya Gazeta) won the Nobel Peace Prize “for their efforts to safeguard freedom of expression, which is a precondition for democracy and lasting peace.” The Norwegian Nobel Committee noted that both winners “are representatives of all journalists who stand up for this ideal in a world in which democracy and freedom of the press face increasingly adverse conditions.”
Some of the dangers faced by journalists are overt — the physical attacks on press when covering protests in 2020, for example — while others, like national security laws encroaching on source protections, are more insidious. Both kinds of threats can be facilitated by the so-called “consumer Internet of Things” (the IoT): networked devices that are growing in prevalence and ability, ranging from smart cars to fitness trackers. The general risks associated with such systems have been reported on by technology and security journalists (for example, here, here, and here). Similarly, more specific examples of journalists targeted through their smartphones are scattered throughout the media and raised as issues in journalist-focused materials.
One prominent example of a high-profile smartphone-related threat is that of the NSO Group’s Pegasus spyware. Clients of the Israeli technology firm, including various national government officials, reportedly identified many journalists as surveillance targets, in countries including Canada and Mexico.
In comparison, there is limited awareness of the implications of other devices, specifically for journalists and their sources, with mentions of the dangers of the IoT notably absent from safety guides for journalists. That this makes the IoT effectively an “unknown unknown” is particularly concerning, given the ubiquity of such technologies, which can be found in homes, offices, shops — even on the street. Furthermore, they are often designed to blend into their environments, subtly replacing older versions with less intrusive functionalities — an example being the rise of the smart doorbell. Like spyware, these devices can be coopted to monitor messages, location information and daily actions. Unlike spyware, the IoT can also facilitate cyber-physical threats.
This article outlines how journalists can begin to think about the various environments they pass through, which IoT devices they might encounter on their travels in each place, and how these devices may pose a risk to their work and wellbeing. It draws on my PhD research, which began with a pilot study assessing the extent to which journalists recognize and understand IoT threats (spoiler: not well). My work then involved mapping IoT threats to journalists by environment (information that will be shared here, as an awareness aid). So far, my research has involved interviewing over 70 cybersecurity experts and journalists in the U.S., U.K., Australia and Taiwan, and the initial findings have been presented to both computer science and public policy audiences.
The pilot study results indicated abstract concerns regarding technological threats are causing some journalists to move back to analog methods of information gathering, communication and storage — like using pen and paper rather than voice recorders, and choosing physical dead drops over online ones. Cybersecurity expert recommendations spanned both immediate and long-term mitigation methods, including practical individual actions that are technical and socio-political in nature. However, all proposed individual mitigation methods are likely to be short-term solutions, as 76.5% of the 34 cybersecurity experts who participated in the study answered that within the next five years it will not be possible for the public to opt-out of interaction with the IoT.
Four categories of IoT threats
Bearing in mind the most likely journalistic workflow, my research has divided the common environments in which to consider IoT threats into four categories: (1) private homes, (2) public spaces, (3) workplace and (4) wearable devices. There is overlap between the categories — for example, many journalists’ homes are also their workplaces — especially amid the pandemic and budgetary cutbacks that are closing physical newsrooms. Still, this method of categorization should enable journalists to get an initial idea of the scale of the issue, and to cross-reference relevant categories, as needed. Each of the four sections has been further subdivided by function of device, to make it easier for journalists to spot these likely poorly secured devices as they hide in plain sight. (The links in each section highlight real-life examples of IoT device hacks.)
In Private Homes, there are three kinds of IoT devices: those used primarily for leisure, for security, and for household management/utilities. Here, journalists should consider threats such as:
- Leisure: Internet-connected children’s toys are easy tools for espionage, as demonstrated by the ‘My Friend Cayla’ doll, the spiritual descendent of the Furby. Cayla was banned from Germany because of the ease with which hackers could access her microphone to listen in on private conversations, which could be a goldmine for discovering potential passwords (for example, children’s and pet’s names).
- Security: A smart doorbell that someone uses to check on home deliveries from the office can be an easy way for an attacker to livestream footage of the surrounding area, including neighboring properties, providing useful pattern-of-life information for residents in and around the owner’s home – even those who do not themselves own a smart doorbell.
- Household management/utilities: Voice assistants, popular for their ability to order shopping and cue mood-setting music without users needing to lift a finger, have been known to “wake” and start listening even without “hearing” their name, as well as to send out snippets of recordings to people on their owners’ contacts lists, which could compromise confidential calls with sources or editors regarding unpublished stories.
In Public Spaces, there are three sub-environments where networked devices of different kinds may be found: transportation, indoor public areas, and outdoor public areas. In each, journalists should consider threats such as:
- Transportation: Smart cars’ GPS systems could be hacked to track the vehicle and the brakes could be hijacked to cause a crash.
- Indoor public areas: Smart alarms, which are controlled remotely through smartphones and other wireless devices, can be subject to flaws and hacks that could trap people in buildings or keep people out, which could inhibit journalistic work.
- Outdoor public areas: Drones can be hijacked to surveil those below, and are now commercially available in forms small and quiet enough to fly by surreptitiously — threatening even clandestine outdoor meetings with sources in areas otherwise devoid of closed-circuit TV.
In Workplaces, there are three kinds of IoT devices: those used primarily for meeting/waiting room entertainment, for security, and for utilities. Here, journalists should consider threats such as:
- Meeting/waiting room entertainment: Smart televisions can come with cameras, microphones, and access to online accounts that link to credit cards. These devices could easily be hacked to show the array of people meeting with newsroom executives, even before partnerships have been publicly announced, perhaps endangering the already-limited sources of funding afforded to the media.
- Security: Remote-access closed-circuit TV systems could be hacked to allow continuous video-monitoring of employees at a news organization.
- Utilities: Internet-connected printers could be an entry point to a network, or they could even log both the content and metadata associated with a document, enabling it to be reprinted by unauthorized users.
In all environments, journalists should consider threats stemming from Wearable devices, such as:
- Smartwatches and fitness trackers can perform many of the functions of a smartphone, and have other intimate purposes. If hacked, they can divulge a journalist’s vital signs and tracking information, leading to the publicization of confidential locations through apps — akin to recent military debacles relating to drinking (UnTappd) and running (Strava).
Building on my pilot study, I am developing a risk assessment framework of strategic and tactical countermeasures that journalists and news organizations can use to protect themselves from these emerging technological threats. If you’re interested in the framework, please follow me on Twitter and keep an eye out for more of my work in The Journalist’s Resource. If you’d like to be involved in the process of commenting on iterations of the framework, please feel free to get in touch directly!