Satphones, Syria, and Surveillance
Yesterday morning, journalist Marie Colvin of the Sunday Times of London was killed, along with French photographer Rémi Ochlik, in the beseiged city of Homs, Syria, where more than 400 people have been reported dead in recent weeks.
Disturbingly, the Telegraph, the Toronto Globe and Mail, and the Associated Press all reported that Colvin and Ochlik were likely deliberately killed by the Syrian army and their location may have been tracked down through their satellite phones.
On Monday night, Colvin appeared on CNN, telling Anderson Cooper that “the Syrian army is shelling a city of cold, starving civilians.” Responding to Syrian president Bashar Al Assad’s statement that he was not targeting civilians in the barrage of rocketfire raining on Homs, Colvin accused the regime of “murder” and said: “There are no military targets here…It's a complete and utter lie that they are only going after terrorists.” A few hours later, she was dead.
The Telegraph quoted Jean-Pierre Perrin, a journalist for the Paris-based Liberation newspaper who was with Colvin in Homs last week, as saying: “The Syrian army issued orders to 'kill any journalist that set foot on Syrian soil'” and that the Syrian authorities were likely watching the CNN broadcast. The Telegraph then described how “[r]eporters working in Homs, which has been under siege since February 4, had become concerned in recent days that Syrian forces had ‘locked on’ to their satellite phone signals and attacked the buildings from which they were coming” (emphasis ours).
How could this happen?
At this point, we don’t know how Colvin and Ochlik were located, but based on the various reports, it is possible that they were located using surveillance technology that tracked their satellite phones.
There are a few different ways by which satellite phones can be tracked. The first—and easiest for a government actor—would be to simply ask or pressure a company to hand over user data. This is not beyond the realm of possibility (readers might recall an incident in which Yahoo handed over information about a Chinese dissident to his government, resulting in a ten year prison term), but is just one of several methods.
Satellite phones can also be tracked by technical means and there is ample technology already on the market for doing so. For example, this portable Thuraya monitoring system by Polish company TS2, which also counts several US government agencies as clients; these systems for monitoring Thuraya and Iridium phones, created by Singaporean company Toplink Pacific; or this satellite phone tracking technology from UK based Delma MMS.
Authorities can find the position of a satellite phone using manual triangulation, but in order to track a phone in this manner, the individual would need to be relatively close by. Nowadays, however, most satellite phones utilize GPS, making them even easier to track using products widely available on the market such as those mentioned above. Some of these products allow not only for GPS tracking, but also for interception of voice and text communications and other information.
Security researcher and Tor developer Jacob Appelbaum says that satellite communications systems do not respect user location privacy needs, and aside from surveillance without the cooperation of a satellite phone provider, “such a company may betray a user’s location on purpose or by accident.” Research published last year by the German Horst-Goertz Institute for IT Security, found that satellite phones use weak cryptographic ciphers that could easily be broken by sophisticated attacks. The research identified serious security flaws in the encrpytion systems used by the two competing satellite phone standards, GMR-1 and GMR-2.1
Appelbaum added via email:
Satellite phone systems and satellite networks are unsafe to use if location privacy or privacy for the content of communications is desired. These phone protocols are intentionally insecure and tracking people is sometimes considered a feature. Some high security users are given special access that merely send the spot beam ID, rather than the full GPS into space and thus to the satellite network. This privacy option should be available to everyone today without any action on their part - it would partially improve the location privacy needs of users. Sadly, direction finding would be entirely unaffected. Also sadly, it will not make the communications secure but it would probably save lives. It's too bad that journalists have had to die for this discussion to happen.
A Growing Problem
The news of this potentially deliberate attack on journalists, possibly using surveillance gear sold to them by Western companies, follows a report by CNN on Sunday which claimed that dozens of opposition activists in Syria have found their computers infected with malware that can spy on their every move. The virus, according to CNN, “passes information it robs from computers to a server at a government-owned telecommunications company.” And just today, the New Scientist quoted several Syrian activists fearful of the regime's technological capabilities.
Earlier this week, EFF profiled Italian mass surveillance company Area SpA, which in 2011 was rushing to install mass surveillance gear for Syrian intelligence agents just as the Syrian government was ramping up its violent crackdown on peaceful democratic protesters. As Bloomberg originally reported, Area SpA was to install “monitoring centers” that would give the Syrian government the ability “to intercept, scan and catalog virtually every e-mail that flows through the country” as well as “follow targets on flat-screen workstations that display communications and Web use in near-real time alongside graphics that map citizens’ networks of electronic contacts.” After a barrage of media attention and local protests at its Italian headquarters, Area SpA announced in late November that it would not complete the project as planned.
Colvin has put a human face on a problem that has plagued citizens of the Middle East for years now: surveillance equipment being used by despotic governments to track down journalists and activists, provided to them by Western technology companies. Now it’s possible this equipment directly led the murder of an American journalist. The White House acknowledged Colvin’s death, saying, “It's a reminder of the incredible risks that journalists take...in order to bring the truth about what's happening in a country like Syria to those of us at home and in countries around the world.” It is time the President and Congress get serious about stopping these companies from selling this dangerous technology to authoritarian government who violate human rights.
To that end, EFF has proposed a “know your customer” framework, based on already existing legal frameworks in the U.S. and E.U. that can be implemented without significant overhead cost to government or businesses. Simply put, companies selling surveillance technologies to governments or government providers need to affirmatively investigate and "know their customer" before and during a sale. EFF has already detailed extensive framework for such regulations including questions, definitions, and procedures for how to accomplish it.
- 1. Benedikt Driessen et al., Don’t Trust Satellite Phones: A Security Analysis of Two Satphone Standards, Horst-Goertz Institute for IT Security, http://gmr.crypto.rub.de/