From the Pegasus spyware investigation to mass surveillance: a dialogue with researcher Philip Di Salvo to understand the impact of new technologies for all those involved in journalism and beyond.
Philip, we’ve heard about the investigation into Pegasus, an intrusive software that targeted many journalists all over the world. Can you explain how these tools can endanger journalists and their sources, and how widespread the issue of surveillance in journalism is?
The answer is something that has been echoing for years: most about surveillance in journalism is still to be found out, and that's the main concern. That’s why it was so important to see the publication of the Pegasus Project investigation last summer. It was one of those moments of reckoning, where we got evidence about how dangerous and widespread the use of spyware technology is. That's a rare thing, as having access to details and evidence about how surveillance companies work is very difficult. These companies are very secretive and difficult to approach; they tend to work very much under the radar. This investigation was fundamental in raising even more questions about how states and private actors are using spyware technologies to target dissidents and journalists. At least 180 prominent journalists have been targeted through Pegasus around the world and my fear is that this is just the tip of the iceberg. For instance, we still don't know much about the users of this spyware. The scariest thing is that once someone becomes a target, there is little that this person can do. There is no way of having any evidence that this spyware has been installed on a device without running a professional, technical forensic analysis. So, in the constellation of today’s surveillance, and digital surveillance in particular, spywares are one of the most dangerous devices. They are capable of providing remote, full access to everything that is stored on a smartphone, including all the communications that are passing through that device. This is a nightmare scenario when it comes to source protection, protecting the advancement of an investigation, and the safety of journalists themselves.
How about the awareness around this issue within newsrooms?
The Snowden revelations in 2013 were a turning point for information security in journalism. Before, even the awareness of the existence of the problem was limited to the most advanced investigative journalists. It translated into the adoption of anti-surveillance strategies and tools within some newsrooms but, overall, I'm afraid that the awareness is still very low, and most journalists have little or no idea about what is going on in the field and what the risks involved are. When it comes to Pegasus, we should underline how the use of such a sophisticated spyware is something demanding very high rank technical knowledge. So, a spyware is definitely the scariest scenario, but at least so far it belongs to very narrow scenarios. On the other hand, surveillance beyond spyware, and mass surveillance in particular, are issues of the utmost urgency for everyone involved in journalism.
Philip Di Salvo is a postdoctoral researcher at Università della Svizzera Italiana in the field of media and journalism. Currently he is a visiting fellow at the London School of Economics and Political Science, Department of Media and Communication, and he does research about whistle-blowing, investigative journalism, internet surveillance and the relationship between journalism and hacking.
Fear is an emotional condition that affects journalistic capabilities to carry out meaningful work. Can we say that the psychological damage is not strictly related to the certainty of having a spyware on a mobile phone, but instead about the possibility of such a threat?
Yeah, definitely. Spywares are not meant just to gain information access, but to have control over journalists’ lives, to silence them. Installing fear is not strictly related to installing a spyware. Think about Jamal Khashoggi: we must be aware that surveillance against journalists sometimes leads to having journalists killed. Also, surveillance is becoming increasingly commodified, so access to tools like spyware or other surveillance software is becoming easier and cheaper. Of course, it's not something that you buy for €20, but it is becoming more accessible. Recently the Swedish public broadcaster published a story about how banks in Sweden were using spyware to monitor journalists who were investigating offshore economies. When the Snowden revelations were published, we heard this dismissive take on surveillance, saying that you have to fear it only if you are covering national security or the intelligence apparatus: that's no longer the case. This rising sense of fear and paranoia around journalists has long term consequences on the practice of journalism; it may lead to censorship and self-censorship, and definitely it has an impact on the quality of information that the public is served with. We need more evidence, we need to open more of these black boxes where surveillance thrives in order to produce more accountability. This is the only way to fight this sense of fear which is impacting on the work of journalists all over the world.
I guess there is a difference between freelancers and employees working for big media companies in how they perceive this level of paranoia. Is the freelance condition part of the issue?
It ultimately comes to a threat assessment: every journalist should be aware of who are the potential players trying to put them under surveillance and take consequent actions. Definitely freelancers are left alone when it comes to an investment of time and money to have the tools and the strategies you need to feel safe. I think more should be done by the state: there should be programs of assistance for freelancers. For instance, the only strategy to feel safe against spyware is to change smartphones on a regular basis. This is very expensive for freelancers. Also, what we learned from the Pegasus Project investigation is that sometimes those who get targeted with spyware are not the journalists themselves, but the people around them. In Khashoggi’s case, for instance, there is evidence that people in his closest circle of friends and family were targeted with spyware. So maybe journalists have some information security background and that can make targeting them directly more difficult. But people around them may be even more exposed.
You mentioned the necessity of addressing the surveillance industry, which can be done in two ways, through regulation and through oversight. What kind of regulations at national and international level, and what kind of bodies, capable of actual oversight on the market and the use of surveillance technology, are we in need of?
The issue of regulation is crucial and there are some rules around, for instance, to discipline the export of surveillance technologies by the EU to prevent surveillance technologies from being sold to non-democratic countries.
Unfortunately we learned from investigations that this is easy to bypass. A very powerful investigation by Al Jazeera called Spy Merchants showed how European companies were capable of selling digital surveillance to Iran, Saudi Arabia and other blacklisted countries by using intermediaries, hiding their transactions this way. The problem is that spyware and other surveillance techs are so-called dual-use technologies, and this is the issue here, because it is easy to say let's put a ban on nuclear weapons, as there is no use of nuclear weapons except killing thousands of people. But it is trickier when it comes to spywares, because law enforcement agencies may still use them to investigate crimes.
My view is that, with the exclusion of very limited cases like investigations into terrorism, organized crime and other serious felonies, there shouldn't be any use of spyware, period. Spywares’ use and circulation are almost impossible to monitor, so I think there should be very strict regulations around who is capable of using these tools, who can purchase them and so on. Limitations should be put on companies as they shouldn't be selling these products to other than a list of approved clients.
Then to enforce this is still problematic, because companies in this industry are usually very well connected to states, to the point that sometimes it is difficult to separate the two entities. To answer your question briefly, I think there should be an international regulation, maybe at the United Nations level, deciding what are the acceptable uses of spyware and that should be the red line for everyone.
Talking about journalism, can surveillance technologies represent an opportunity other than a threat?
Trust is definitely the core issue when it comes to the impact of surveillance and we don't have enough transparency, especially from state actors. We have little to no idea about what are the surveillance capacities of most democracies around the world, starting from the EU. Unfortunately, in the wake of the Snowden revelations, some European countries have even given themselves more surveillance powers when it comes to mass surveillance and there is very limited transparency about how this works. Plus, there is the big question mark about private actors having access to surveillance technologies, which is even shadier.
This said, it is absolutely true that there are forms of surveillance which are beneficial. I mean, we take care of people with surveillance in order not to have them get hurt, so that's the starting point of what surveillance is. But surveillance is easy to abuse, in particular surveillance related to times of crisis. We saw this twenty years ago with all the surveillance programmes introduced in the EU and US following the 9/11 attacks. We are seeing this with facial recognition technologies for instance, introduced all over the country by exploiting fears. Even when surveillance techs are beneficial, they should be put under strict oversight because the abuse is always around the corner and it's way too easy to exit from the acceptable beneficial area and enter something else.
How can researchers, journalists and the wider civil society contribute to shedding light on the opaque world of surveillance?
We need alliances between academia, geeks and journalists. The Pegasus Project in this sense is very interesting for how it was conducted. It started with journalistic investigations coordinated among 16 media partners around the world. They asked Amnesty International for assistance, which has a very important technical department that corroborated the initial findings with technical analysis on the phones of the victims. They also worked with the Citizen Lab, a research centre hosted by the University of Toronto, which is also doing extremely important research work and awareness raising on the spyware world. We need this type of alliance because it's a combination of skills and capacities that we can see fully operational only when journalists, activists and researchers work together.
There is still little work coming out from academia in this area. What we have is great, and it's becoming even more visible, but we need more of it. The level of in-depth analysis that academia can provide is needed in order to have an understanding of how journalists can address and narrate the problem.
We need all these forces to come together in order to have the needed push from all these areas for a positive change. Otherwise, without oversight or accountability, I'm afraid this is a battle that we are going to lose.
This article has been produced within the Panelfit project, supported by the Horizon 2020 program of the European Commission (grant agreement n. 788039). The Commission did not take part in the production of the article and is not responsible for its content. The article is part of the independent journalistic production of EDJNet.