This Week in Technology + Press Freedom: Feb. 2, 2020
Here’s what the staff of the Technology and Press Freedom Project at the Reporters Committee for Freedom of the Press is tracking this week.
Hacks of Bezos, New York Times reporter serve as warning to journalists seeking to protect confidential sources
As we briefly noted last week, two U.N. human rights experts expressed concerns about reports that Jeff Bezos, Amazon CEO and Washington Post owner, may have been targeted for hacking by Saudi Arabia “in an effort to influence, if not silence, The Washington Post’s reporting on Saudi Arabia.”
The experts’ concerns are based on a forensic report, commissioned by Bezos, which concluded with “medium to high confidence” that a WhatsApp account associated with Crown Prince Mohammed bin Salman sent Bezos a video file laced with spyware. The Saudi embassy in Washington, D.C., denied the charge and called it “absurd.”
On Wednesday, Sen. Chris Murphy (D-Conn.) called on leaders at the Office of the Director of National Intelligence and the FBI to investigate the allegations, echoing calls by U.N. experts.
The timing of the WhatsApp message is interesting. According to the New York Times, the Bezos hack came at the beginning of a two-month period in 2018, during which at least four Saudi dissidents living abroad reported having been hacked. This was four months before the disappearance and murder of Jamal Khashoggi, Washington Post Global Opinions contributing columnist, which the CIA has concluded was ordered by the Crown Prince.
One week after the U.N. human rights experts’ statement on Bezos, researchers at the University of Toronto’s Citizen Lab concluded that Saudi hackers also attempted to infiltrate the phone of Ben Hubbard, the New York Times’ Beirut bureau chief, who covered the kingdom and Crown Prince for five years. The hackers reportedly used spyware from Israeli company NSO Group. Citizen Lab previously revealed how NSO’s spyware was used to target at least one of the other Saudi dissidents. Hubbard’s case is the first Citizen Lab has identified against an American journalist.
Last Tuesday, Hubbard explained how researchers concluded the domain used in the attempted hack (a texted link that would have deployed malware if clicked) was part of command-and-control infrastructure connected to NSO Group. Attributing the attempt to an actual user of the software is more difficult, as spyware is deliberately designed to permit the user to evade identification.
The mere possibility that both Hubbard and Bezos were subject to a direct hacking attempt as part of a concerted effort to stifle criticism of Saudi Arabia’s human rights record is chilling.
As the Bezos incident in particular shows (regardless of whether the hack came from the Crown Prince or even the Saudis), everyone is vulnerable to a dedicated adversary, particularly those with access to sophisticated hacking software.
Reporters, especially those dealing with confidential sources, should always be cognizant of their threat profile, and take appropriate steps to calibrate security measures to the level of risk. Newsrooms should also be constantly monitoring for cyber threats.
— Gabe Rottman & Linda Moon
PS: Make sure to subscribe to RCFP’s Special Analysis email list to be the first to get our special analysis on the Bezos hacking.
Quick Hits
Privacy and Surveillance
The New York Times reported that last month Google began charging law enforcement and government agencies fees for legal demands seeking data about users. The fees include $45 for a subpoena and $60 for a wiretap, as well as up to $245 for a search warrant. In 2008, the company reportedly sought reimbursement from the government for compliance with a legal request for user data, but the recent fee implementation is, per a Google spokesman, intended to help offset the costs of complying with the requests. Law enforcement officials can request email, location, and other data from tech companies pursuant to the Stored Communications Act, and companies such as Cox and Verizon charge fees for requests.
—
The fallout from the New York Times’ revelations about Clearview AI, a facial recognition software firm that claims to have collected billions of online photographs from social media and other sources, has continued this week with commentary and a lawsuit against the firm for violating Illinois’ consumer privacy legislation. As the Reporters Committee has previously noted, Clearview’s use of a data collection method called scraping — which allowed it to gather the pictures automatically online and can be a helpful tool for data journalists — can be used to collect large amounts of potentially sensitive information online. In this case, Clearview was using this data to build a for-profit facial recognition database.
—
In a friend-of-the-court brief filed last week, Reporters Committee attorneys argued that the public has a constitutional right of access to wiretap applications and other associated court records once the underlying investigation is closed. The brief was filed in the California Court of Appeal Fourth Appellate District in support of a retired California Highway Patrol Officer who was a wiretap target in 2015 in Riverside County, where county courts authorized a disproportionate number of wiretap orders — three times as many wiretaps as did courts in any other state or federal jurisdiction. The brief discussed the danger government surveillance without public oversight poses to the reporter-source relationship.
Legislation/Congressional Updates
Government sources say the U.S. Department of Justice plans to hold a conference sometime in February involving members of Congress, industry leaders, and federal officials to consider potential changes to Section 230 of the Communications Decency Act. Critics of the statute worry that online platforms use their protection under the statute to censor political content and allow misinformation to proliferate. Supporters, however, point out that the law actually empowers platforms to moderate content and to take down offensive, unlawful, or defamatory content without fear of being sued.
—
Sens. Ron Wyden (D-Or.) and Steve Daines (R-Mont.) introduced a bill, endorsed by organizations like Demand Progress and Free Press Action, that would, among other reforms, end the National Security Agency’s call metadata program, known as the call detail record or CDR program, and limit the types of information intelligence agencies can demand from third parties, like a business or internet service provider, about a target. The Reporters Committee has long raised concerns that mass surveillance like the call data collection program can undermine reporter-source confidentiality.
Leaks/National Security
The trial for accused “Vault 7” leaker Joshua Schulte is set to begin tomorrow in the U.S. Southern District of New York. Per a court filing released last week, a judge denied Schulte’s request to dismiss the Espionage Act charges. We will be monitoring the case closely.
—
Amazon recently filed a motion in court to stop the U.S. Department of Defense and Microsoft from continuing with plans for a $10 billion cloud computing contract, known as the Joint Enterprise Defense Infrastructure, or JEDI. We have previously detailed the concerns Amazon has raised about the project, linking it to Trump’s alleged bias against Amazon, its founder Jeff Bezos, and the Washington Post, which Bezos owns.
—
Politicians from the Parliamentary Assembly of the Council of Europe, which focuses on upholding human rights in Europe, said the U.K.’s detention of Julian Assange “sets a dangerous precedent for journalists.” The body voted last week to oppose Assange’s extradition to the U.S., and the statements will appear in a final published report produced for the Assembly by the Labour peer Lord Foulkes.
—
Gif of the Week: The quick hit on project JEDI, involving allegations of personal bias by the Trump administration, reminded us of this scene from “Star Wars Episode 2: Attack of the Clones.”
Like what you’ve read? Sign up to get This Week in Technology + Press Freedom delivered straight to your inbox!
The Technology and Press Freedom Project at the Reporters Committee for Freedom of the Press uses integrated advocacy — combining the law, policy analysis, and public education — to defend and promote press rights on issues at the intersection of technology and press freedom, such as reporter-source confidentiality protections, electronic surveillance law and policy, and content regulation online and in other media. TPFP is directed by Reporters Committee Attorney Gabe Rottman. He works with Stanton Foundation National Security/Free Press Fellow Linda Moon and Legal Fellows Jordan Murov-Goodman and Lyndsey Wajert.