Abstract
Encrypted apps are vital for journalists operating in difficult-to-cover countries, where saying the wrong thing can lead to imprisonment, or death, argues
But WhatsApp has proved useful for more than running a country. Free-to-use cross-platform end-to-end encryption messaging services such as Telegram, WhatsApp (which rolled out encryption last year), Threema, Wickr, Viber (blocked by Saudi Arabia in 2013), ChatSecure and the more secure, but less widely used, Signal are also crucial tools for journalists and their sources, political activists and human rights workers.
In the Gulf region, where WhatsApp remains the most popular messaging service, failing to keep your conversations hidden from the state can lead to disappearance and indefinite incarceration, as Omani political activist Nabhan al-Hanashi discovered. In 2011, security forces abducted al-Hanashi off the street and held him in solitary confinement for 30 days, after which he was jailed for 18 months on terrorism charges. He and other activists had, via social media posts, called for the Sultan of Oman’s power to be curbed. Following his prison sentence, al-Hanashi sought asylum in the UK but continued communicating privately and, he thought, secretly with activists back home. Yet despite keeping their communications hidden, all those he was chatting with were picked up by the authorities one by one, jailed and allegedly tortured.
These encrypted chat services have therefore become important for journalists in the region wanting to communicate away from the prying eyes of state intelligence services. When speaking to victims of torture at the hands of a state or planning how to reach remote locations of US covert actions, using end-to-end encryption is essential to protect sources. In January, I travelled hundreds of miles across Yemen to get to Yakla, a village targeted in a US Navy Seal raid. Getting to somewhere such as Yakla involves finding the best and safest route. A group of Yemeni human rights workers had been arrested on their way back from the village. Before I set off, they contacted me via encrypted channels to warn me where and when this had happened. Without that tip-off, which would have been picked up if not done with encryption, I would never have made it to do the research and then tell the world that story.
My current primary use of encryption is in my volunteer role as spokesperson for the Yemen Data Project. Since March 2015, the YDP has been collecting data on the Saudi Arabian-led coalition’s air war in Yemen. The project’s data collectors have to remain anonymous for their own safety. The only way to have conversations with them while protecting their security is via end-to-end-encryption providers.
WhatsApp was the most restricted globally, according to a report by Freedom House from 2016. Its calling facility is already blocked in Gulf countries such as Oman and the United Arab Emirates, because of “local regulations”. This call barring also appears to have taken effect in southern Yemen since Emirati forces took control of large parts of the south in 2015 and 2016. My activist contacts in the cities of Aden and Mukalla have been forced to switch to Viber for voice calls, sticking to WhatsApp for text messaging.
Western governments have also recently rounded on the end-to-end-encryption providers after it was reported that the perpetrators of terrorist attacks in Paris, London and Stockholm used WhatsApp to communicate with Isis members. After the Westminster Bridge attack, UK Home Secretary Amber Rudd demanded WhatsApp and other technology companies provide the government with access to encrypted messages, calling it “completely unacceptable” that the authorities could not read them.
CREDIT: Mary Anne Smith/Ikon Images
But journalists operating in countries such as Syria, Yemen and Bahrain find encryption a vital tool, although even then they are giving away too much information while out in the field. For example, all these app services need a mobile phone, and that leaves a metadata trail – a trail that security forces and intelligence agencies can already acquire on demand from the technology companies involved. Consequently, digital rights group Electronic Frontier Foundation ranks Facebook-owned WhatsApp very poorly because it has a history in the USA of handing over metadata showing which numbers contacted each other, when they did so and for how long, as well as IP addresses and phone identifiers.
In places such as Yemen, where US drones are used for targeted killings, this metadata might help the US government. I have warned those I have exchanged messages with – as is my duty as a journalist with any source – to change the way they were communicating or risk being killed. Metadata can be a breadcrumb trail.
During the first six months of 2015, US drones killed more senior figures from Yemen’s al-Qaeda in the Arabian Peninsula (AQAP) branch than they had done during the previous 15 years. Despite my warnings, other AQAP militants continued to use the same methods to contact me. “We have no choice but to use these applications made by Western companies,” noted one AQAP official when I met him face-to-face in early 2016. “God will decide our time to die.”
Journalists and their sources also need to be aware that encryption is not foolproof. As illustrated in Weapons of Mass Surveillance, a recent BBC documentary, Britain’s largest arms manufacture, BAE Systems, has sold cryptanalysis, or decryption, tools to states including Qatar, Oman and the UAE. As noted in the film by Ross Anderson, professor of security engineering at Cambridge University, there is little to stop these nations from using these tools on British nationals from their embassies in the UK.
That a UK company is helping nefarious governments with poor human rights records to monitor political activists and civil society members under the guise of national security is no surprise. That this gives them the capabilities to do the same in the UK should be seen as a national security threat in itself.
As decryption tools become more widespread and our metadata trails more extensive, it is clear governments already have the necessary tools to track down “security threats”, whether these are defined as extremists wanting to carry out deadly attacks, political activists wanting to organise anti-government protests or journalists needing to communicate with both.
Rudd’s protestations serve as little more than a smokescreen for existing capabilities. As journalists, we have an obligation to make sure we keep ahead in the communications game, as well as making the politicians aware that opening back doors to encrypted apps will make news blackouts even harder to crack.