AP Photo / iStock / Illustration by Katie Kosma

Spyware Is Spreading—And It’s Cheaper Than Ever

Here’s how to fight it. 

December 18, 2024

In his new HBO film, Surveilled, investigative journalist Ronan Farrow travels from Israel and Spain to Canada and Washington, DC, investigating the power of spyware. The technology can turn your phone into a highly sophisticated eavesdropping device, able to track your every move, record your every word, and read your most intimate messages. In a companion piece for The New Yorker, Farrow explored how commercial spyware technology could be deployed in the United States. 

Farrow and I have collaborated on a number of projects related to press freedom. He’s had the experience of being surveilled himself, and he’s thoughtful about digital security. So I called him to ask him what advice he might have for journalists worried about spyware attacks. Below are five tips we came up with together, with input from Trevor Timm from the Freedom of the Press Foundation and Ela Stapley, the digital security adviser at the Committee to Protect Journalists.

Start with a risk assessment. If you’re worried about your own security and that of your sources, it’s critical to understand your potential adversaries and their capabilities. You should consider the likelihood of an attack, and also the consequences of failure. Clearly, not every story or beat requires a journalist to declare code red, especially in the United States. Sometimes the purpose of a risk assessment is to give you peace of mind.

That said, when it comes to spyware, “the categories of people who are vulnerable are growing and growing,” Farrow told me. “At this point, any journalist in countries where there are known cases of spyware having been deployed are potential targets.” This is a pretty large group that includes Spain, Poland, Mexico, El Salvador, and many others. 

In the United States, law enforcement needs a warrant in order to access a phone. There is no indication to date that the US government has deployed spyware inside the country, although there is growing concern that it could. 

But around the world, non-US journalists pursuing sensitive stories in their own countries have no legal protection against US spying. In 2014, in my role as the head of the Committee to Protect Journalists, I had a (contentious) discussion with Robert Dietz, a former NSA general counsel and CIA adviser, in which I tried to make the case that surveilling journalists reporting on Al Qaeda in Pakistan was a violation of press freedom. Dietz scoffed, saying that the CIA was going to do what it needed to protect national security. I assume this to be the operative guidance today.

Reboot your phone (and keep your operating system up to date). Okay, so now you may be worried. What can you do? The most essential defense is actually simple. “The head of a major spyware company did tell me, ‘Look, reboot every day,’” Farrow said. This is excellent advice according to Timm, the executive director of the Freedom of the Press Foundation. Shutting down your phone initiates what’s called a secure boot, which may mitigate or disable some types of malware. Likewise, keeping your operating system up to date makes it harder for spyware to exploit vulnerabilities. 

While rebooting your phone may eliminate spyware applications already present, and keeping your operating system up to date could make reinfection more difficult, neither is a perfect defense against a determined adversary. “If the spyware uses a zero-click exploit [in which a phone can be taken over without the user clicking a malicious link] for infection and that exploit is reliable, an attacker can just reinfect the device after a reboot,” Farrow said. There’s also the challenge of making the daily reboot a habit, like brushing your teeth. Even Farrow said he’s not always as conscientious as he would like to be. 

If you have an iPhone, use lockdown mode. If you believe you are a likely target, there is an additional defense available to those using Apple devices: lockdown mode. It’s a relatively new feature designed “to protect devices against extremely rare and highly sophisticated cyber attacks,” according to Apple. 

“Lockdown mode blocks complicated interactions via Apple services from unknown accounts,” Farrow explained. “So that has the effect of making zero-click attacks a lot harder.”

Because many iPhone features are disabled when lockdown mode is employed, using the feature on a permanent basis would be inconvenient for some users. But if you reboot your phone and then deploy lockdown mode immediately, this will give you strong protection against reinfection during periods of heightened vigilance. 

Keep your phone securely with you at all times. Commercial spyware like Pegasus and Paragon was marketed to governments willing to pay handsomely—around $1 million for ten targets, according to a 2016 report in the New York Times.

But there’s a much cheaper option: surveillance apps that can be surreptitiously installed on your phone by anyone who can gain physical access. For the incredibly low price of just $48.99 for the premium plan, you too can have many of the capabilities of Pegasus! 

In order to stay on the right side of the law, these apps are marketed as a form of parental control. One example, mSpy, developed by a Ukrainian company, gives users the ability to read emails and texts and track location. It can be downloaded in about ten minutes and hidden behind an innocuous icon, making it almost undetectable. 

I first heard about mSpy from a security specialist employed by a global media company who was investigating a data breach. He came to the conclusion that the former spouse of an employee had deployed the spyware, though he was not able to prove this conclusively. 

If it seems unlikely that an adversary could somehow get into your phone, consider the case of Basque journalist Pablo González, whom The Guardian accused of being a Russian asset. He ingratiated himself among the community of international journalists and activists covering conflict, including Ukraine, and actually dated a Polish freelancer.

Leave your phone at home. In some instances it’s best to go low-tech and meet in person. This is in fact the only failsafe means of thwarting spyware. Farrow says that he has used this strategy in a handful of cases related to highly sensitive stories. “We’re going to have to be meeting sources in garages more, and we’re going to have to be more conscientious about distance from devices that could easily become listening devices unbeknownst to us,” Farrow noted. Obviously, if you are leaving your phone at home, power it down and keep it in a secure location for the reason described above. You don’t want someone messing with it.

The upshot is that there is no perfect defense against spyware, in part because it’s unregulated and in part because we don’t understand the ways in which it’s proliferating and evolving. Farrow believes that, given the risks, journalists need new routines. “Updating and rebooting your devices should be like flossing, and keeping your phone on you should be like the way you watch your drink at a bar,” he said. The best advice: trust no one.

Joel Simon is the founding director of the Journalism Protection Initiative at the Craig Newmark Graduate School of Journalism.