150 Filmmakers and Photojournalists Call On Nikon, Sony, and Canon To Build in Encryption (zdnet.com) 229
Some of the world's leading photojournalists and filmmakers are calling on the manufacturers of the cameras they use to add encryption to their products, as the number of threats they face from having their devices seized is "literally too high to count." From a ZDNet report: Over 150 documentary makers and reporters signed an open letter by the Freedom of the Press Foundation, asking for camera makers -- including Nikon, Sony, and Canon -- to ensure that their work is protected while often "attempting to uncover wrongdoing in the interests of justice." "Documentary filmmakers and photojournalists work in some of the most dangerous parts of the world, often risking their lives to get footage of newsworthy events to the public," said Trevor Timm, the foundation's executive director. But, he said, "they face a variety of threats from border security guards, local police, intelligence agents, terrorists, and criminals when attempting to safely return their footage so that it can be edited and published." The filmmakers say that camera security has lagged behind the rest of the industry, leaving their work "dangerously vulnerable."
Custom firmware (Score:2, Insightful)
Customer firmware is available for many cameras. Seems to me this can be addressed (or maybe it has already?) by 3rd parties. It might not be universal to every brand and model camera, but it should be possible to achieve this on specific models, which the photographers would then select from for use in these kinds of situations.
Re:Custom firmware (Score:4, Insightful)
Re:Custom firmware (Score:4, Informative)
Cameras use ASIC chips. The "firmware" in question is simply there to tell the ASIC which functions to enable/disable from what is already available. Encryption would break the existing data chain of sensor > ASIC > storage. It would then need to go sensor > ASIC > CPU > storage. Think of the amount of CPU power required to handle data encryption in the first place, these CPUs simply could not keep up. So to add the functionality of encryption, it would have to be implemented in a new generation of their ASIC image processors.
Re:Custom firmware (Score:5, Insightful)
Re: (Score:2)
I'm kind of surprised this isn't really a thing already. Even given all the crazy reasons listed in the summary, there are probably a lot of people that would prefer that it not be super easy to have someone root through their camera. I know I had a girl accidentally leave her Nikon camera at my house when she left the next morning, and you bet I went though that thing (mostly boring). Even thought about leaving her a few surprises on it (didn't) before I took it back!
Remember we're not talking about triple
Re: (Score:2)
The encryption does not necessarily need to happen on the fly. You can save the images and videos as usual, and then pipe it for the camera to process slowly, even when it's been turned off. Making it use little power is more important than speed IMHO. Although I see no reason why encryption cannot be added to the ASIC.
For that matter, encryption doesn't necessarily even need to be in the camera. There are already SD cards out there with wifi builtin. It should be almost trivial to setup the receiving computer (or smartphone/tablet for mobile use) to encrypt the received images upon receipt and optionally delete the original files. The use cases they are describing don't require instant encryption ... just as long as the files are secured before they reach the next security checkpoint.
Re: (Score:2)
Sure, but you try uploading your images to your computer when there are literally bombs raining around you.
Re: (Score:2)
Cameras already use processors that have nearly the feature set of a general-purpose CPU. (Canon's DIGIC is x86, and DIGIC II is ARM.) They run actual firmware. In fact, they often run an embedded operating system (e.g., VxWorks). That firmware can implement arbitrary features. Take as an example. You can see in the source code that it is not, in fact, simply enabling and disabling existing functions. [bitbucket.org]
CPUs are slow to perform encryption because it's a lot of bit-level modification. CPUs don't have the instr
Custom handcuffs (Score:3)
Like in the UK.
That should teach tech-obsessed journos who is boss.
Any questions ?
Re: (Score:3)
Re: Custom firmware (Score:4, Insightful)
A sensible encryption setup for a camera would use asymetric crypto. So recording stuff would only require the public key, the private key could remain safely at home.
Blanket policy at the border... (Score:2)
Blanket policy at the border... confiscate all cameras.
Duh.
Re: (Score:2)
You just inspect their cameras and media on the way out and if either you find content that you cannot access, or you find a discrepancy between the size of the content reported plus the free space when compared against the size of the media, you take steps anywhere from seizing the offending device to tying them to a chair, putting a football helmet on their head, and then beating their helmeted head with a baseball bat until they tell you how to access the content.
Unfortun
Re: (Score:2)
Unfortunately I cannot think of any good way to smuggle video or picture content that a photojournalist or video journalist will be able to do in the field in adverse conditions like this that couldn't somehow be detected if the investigator is committed enough to being thorough. In some ways the presence of strong encryption might actually make it more dangerous as it means to look closely at this person because they've got that strong encryption...
Put it on a microsd card and shove it up your arse.
Re: (Score:2)
Unfortunately I cannot think of any good way to smuggle video or picture content that a photojournalist or video journalist will be able to do in the field in adverse conditions like this that couldn't somehow be detected if the investigator is committed enough to being thorough. In some ways the presence of strong encryption might actually make it more dangerous as it means to look closely at this person because they've got that strong encryption...
Put it on a microsd card and shove it up your arse.
New blanket policy; anyone with a camera is cavity-searched.
Re: (Score:2)
Put it on a microsd card and shove it up your arse.
I'm pretty sure I can swallow a MicroSD card.
He didn't say which cavities they would search...
Re: (Score:2)
That might actually be why pros would like the manufacturers to implement encryption, especially as a default. You could mod your own camera to encrypt the data, but that makes you suspicious.
But if *everyone's* camera contains encrypted data, then it's no longer suspicious. And policies that work fine when directed at the few become far more problematic when directed at the many - you can only push the populace so far before getting troublesome backlash, so the administration has to choose their battles
Re: Blanket policy at the border... (Score:2)
Re: (Score:2)
The encryption may not be so much for protecting the journalist, but rather protecting the journalist's sources.
Re:Blanket policy at the border... (Score:5, Funny)
Pfft. You'd need some kind of, I don't know, "International Network" to do that.
Re: (Score:3, Funny)
Pfft. You'd need some kind of, I don't know, "International Network" to do that.
It would have to be some kind of network of networks. I'm envisioning something like a series of tubes.
Re: (Score:2)
You can't fit a truck in a tube, dummy.
Re: (Score:2)
Pfft. You'd need some kind of, I don't know, "International Network" to do that.
By the way that you have stated this, it appears that you think that the term "internet" is shorthand for "International Network". It is not.
Re: (Score:2)
I know it's not. I was playing off the "out of the country" bit from the parent.
Re: (Score:2)
Re: (Score:3)
Sure. Every inch of the world has free and open internet access. There isn't a single country that blocks websites, intercepts data, blocks VPNs or does anything else with commodity traffic that would stop this from working. Oh, and the internet is never disturbed when a country is in crisis. Ever.
Re: (Score:3)
Not free. But if you're willing to pay, there's satellite internet in every inch (or centimeter) of the world.
And, you know, these photojournalists are usually on assignments so yeah, the companies they work for CAN pay for satellite internet.
Will that actually help? Also, Wi-Fi (Score:2)
If you're a photojournalist and your memory card is encrypted, you're just never going to get it back intact. And if you really need the data to go straight to encrypted storage, well, there's a way to do that. Although I'm not sure if those Wi-Fi memory cards (you know what I mean, I forget what the brand is) use meaningful encryption anyway...
Are journalists actually not just having storage devices seized in those situations?
Re:Will that actually help? Also, Wi-Fi (Score:4, Insightful)
Imagine you interview someone and they say something that might incriminate themselves. On the way back to the office the corrupt police take your camera. If the video is encrypted at least they don't have video of your source incriminating themselves.
Re: (Score:2)
Re:Will that actually help? Also, Wi-Fi (Score:4, Insightful)
I think anyone with half a brain sees the benefit of having something encrypted vs. no encryption. With encryption your opponents may know you have something they don't want to see but they don't know what that something is. If you don't think it is worth that much you can give it up to them - no harm no foul. If it is something you might be murdered for having then I think you would want that hidden, even if it means eventually losing it or being subject to enhanced interrogation.
It also reduces the risk of "smuggling". Its exactly why Clinton ran her own e-mail server.
1) There is a chance you just get away with it
2) If you do get "caught" you have options; without encryption, if you get caught, for instance, exposing massive corruption, the outcome is entirely up to the corrupt.
3) The options are a) reveal what you have if it is not that bad b) deny you have anything but offer to delete or destroy the data or the camera c) you try to keep the data or they don't accept a or b and then you are in the same situation as no encryption but they still don't have the data.
Encryption is a tactical WIN WIN WIN.
Re: (Score:2)
Why store it on the camera at all. In a situation where you or a source is risking their life/freedom, it seems like some kind of satellite-based relay that sends stuff off ASAP would be worth investigating. You could even make it look to the camera like a flash card, so it works with any camera.
Probably doesn't matter much, though. Any jurisdiction where that would be an issue would just make possession of such a device (or encryption-capable recording devices) carry similar penalties.
Re: Will that actually help? Also, Wi-Fi (Score:2)
Re: (Score:2)
They may well ask for your key, but actually arresting and especially beating the key out of a journalist carries much more risk than simply taking the camera. Especially with foreign journalists, where the journalists's country will inevitably become involved, there will be media coverage etc.
Re: (Score:2)
especially in north korea, cuba, venezuela...
Re: (Score:2)
I don't think governments in warzones/dictatorships really care about that.
As I post this the confirmed current count for journalists killed in 2016 is 46. [cpj.org] Cases of imprisonment and beatings are a multiple of this.
Re: (Score:2)
This wouldn't be a key you memorize, it would be a public-private key where the other part of the key is on another computer which may not even be in the same country as the journalist. There is nothing the journalist can do to get the key other than ask the colleagues back home to send the unit to Bumfuckistan which is a huge huge red flag.
Good luck convincing the police in Bumfuckistan this.
Re: (Score:2)
Reality is funny that way. It doesn't care if you are convinced or not.
Re: (Score:2)
Reality is funny that way. It doesn't care if you are convinced or not.
The reporter being rubber hosed most certainly will care.
Re: (Score:2)
The physical separation of the decryption device is important here. The trick is to find a safe haven where you can store the decryption key where it won't be seized. The US likes to play by the Constitutional rules about seizure, but they also like to cooperate with most governments. Does Switzerland still have strict privacy laws governing access to safe deposit boxes? Should you hide them someplace with fewer laws and less enforcement capabilities, (a shoebox in Belize)? Or do you store them somepla
Re: (Score:2)
Re: (Score:2)
Imagine that this happens. Then you return to a free country, and publish the interview.
The police back in Bumfuckistan see the interview on TV/internet/smoke signals/whatever. Guess what they're going to do now?
If you guessed they'd say "Damn, but he pull
Re: (Score:2)
Obviously you edit it first, to disguise voices, hide faces, remove incriminating bits.
Re: (Score:2)
Imagine you interview someone and they say something that might incriminate themselves.
This is why the smart people disguise themselves before going on camera. You can't trust the reporter. They might be idiots, in bed with local LE, or just want to leave your country with all of their appendages intact.
From this point on, it's not so much a matter of hiding the raw footage from the police as it is getting it to a neutral jurisdiction for later publication. If they (LE) want to see it, just tell them to watch 60 Minutes next week.
Re: (Score:2)
Re: (Score:2, Insightful)
And if you really need the data to go straight to encrypted storage, well, there's a way to do that.
Are you thinking of Eye-Fi? It doesn't work that way(*). It's a regular 32GB SD card with the wireless-copy-off agent read-only spying on the filesystem, so the photos are still written unencrypted to the card.
Once you write something unencrypted to blackbox flash like an sdcard, you can never really delete it because blocks are just "marked free". A very simple form of encryption would be:
- put a USB port on the camera that acts like an SD card reader
- put a TPM in the camera that is "ef
Re: (Score:2)
If you're a photojournalist and your memory card is encrypted, you're just never going to get it back intact. And if you really need the data to go straight to encrypted storage, well, there's a way to do that. Although I'm not sure if those Wi-Fi memory cards (you know what I mean, I forget what the brand is) use meaningful encryption anyway...
You missed the point entirely. The point isn't that the card will be seized. It could be. The point is that the when they are seized, anyone can read the files on them. Now if you are documenting something that the state doesn't want to be seen, they have evidence that you are a threat. Sometimes you might be documenting something you don't think is sensitive.
Contrast that with the situation if there is encryption. The state can't read it. It could be photos and videos of flowers and wildlife. It could be o
Re: (Score:3)
The moment they see encryption or something "not right" with that camera, it's not going to go well for the camera's presumed owner.
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Journalists are well aware of the risks they take. And they are expected to take some personal risk to protect their sources.
Re: (Score:3, Insightful)
Photo journalists do already have their devices seized. All the time. And they are often stripped of their memory card before before having it given back to them (if it is given back). The problem encryption is meant to solve is not to prevent the device from being seized, it's to prevent the seizing agency from having access to what you've been photographing. Photo journalists going behind enemy lines, taking pictures of rebels groups or doing interviews with people who want their faces blurred later.
Re: (Score:2)
Congratulations, the "journalist" will be seized along with their camera and storage.
You just made it that much worse for the individuals out there.
Re: (Score:2, Insightful)
Re: (Score:2)
Given that many DSLRs nowadays feature Wi-Fi tethering, it should be possible to have a mobile phone download the images off the camera immediately after exposure and delete them from there after uploading them to ${CLOUD}. There's still the issue that such tethering usually is done unencrypted, though, so they'd need to add TLS and preferably a way for the user to install/change/generate the keys/certs and use client cert authentication.
Re: (Score:2)
Nope. Won't work. First, it won't work for video (except perhaps some low quality variants). Secondly, modern DLSRs take 10-40 megabyte files every tenth of a second. You need an awfully robust wireless network to support this. Something not typically found in a trench in the middle of a war zone.
Re: (Score:2)
modern DSLRs also can write smaller sized JPGs along with the RAW files that could be sent over a "background worker" sync method. Something like dropbox
Re: (Score:2)
It's not encryption. They need a sim card and a good antenna that can let them either stream data out live or immediately push data to DropBox or Google Drive.
In the meantime they can use a USB MicroSD adapter and an OTG adapter on an Android phone to get their files into the Cloud. It's a bit cumbersome, it won't work in all locations / jurisdictions, and it requires sending a bunch of files at once rather than sending each picture as it's taken. But it's better than nothing.
On a different note, I wouldn't trust the camera manufacturers to not backdoor their encryption and provide access any government that asks. A better solution would be a memory card that con
Re: (Score:2)
It's not encryption. They need a sim card and a good antenna that can let them either stream data out live or immediately push data to DropBox or Google Drive.
That's not always a practical solution. There are places in industrialized countries where can't get a good cell signal much less in remote regions.
Custom firmware (Score:5, Insightful)
*sigh*
https://xkcd.com/538/
Much better to have a camera that autoloads the pictures onto a website far, far away, so that even if they are forcefully erased by the authorities, there is a copy somewhere anyway.
Or a camera with a kill switch that would act like the digital equivalent of "opening the film tray" and blanking it in a second... Could fry the microSD card, or wipe it clean.
Re: (Score:2)
Maybe selective encryption to a hidden partition could be useful there.
For example, you're a journalist in North Korea. In the morning before you head out, you load your encryption key into the camera's RAM for future use via an on-screen keyboard and D-pad (no touch support for security), where it will stay until the SD card is removed or a USB connection is made for example. This won't stop the NSA but it's plenty good enough for less sophisticated attackers. You're taking pics of the things your "guide"
Re: (Score:2)
I'd bet it would work against any non-Five-Eyes government. It would even have a chance against those, if they don't suspect you heavily enough to pull a cold boot attack and do firmware inspection on a camera.
This would make me spend money. (Score:2)
You can somehow do this. (Score:3)
Another feature restricts playback to a single folder, rather than all the folders in chronological order.
It became very handy when I was abusively threatened with arrest unless I deleted the pictures I took of an abusive train ticket inspector...
Afterwards, I climbed the few stories to the transit authority headquarters to lodge a complaint against that inspector, who eventually got fired...
Re: (Score:2)
If your main source of threat is an angry train ticket inspector then you're not the type of person who needs these features. The people who need these features are those at risk of being forcefully separated from their camera.
How about Satellite communications (Score:3)
Why not simply employ a Sat-phone-like device to upload the data on the fly (assuming they can get a signal)? The data can be transmitted before the SD is compromised. Then, it won't matter if the SD is compromised.
In a similar fashion, have an SD card reader for a cellphone for instances where a cell signal can be received (i.e. domestic use).
Alternatively, simply build cell / encryption capability into the camera itself.
-- RD
Delete is not secure erase (Score:3, Interesting)
Cameras lack a secure erase.
Cameras lack a decent secure upload if they have wifi at all. Secure wifi drivers are probably a problem.
Cameras lack encrypted storage (which should be done in a way that does not indicate the user trashed the key.)
Cameras give off forensic information identifying the brand and possibly the model camera (I'm not talking about metadata but analysis of the CCD noise at full resolution, which I read exists even after jpeg compression; plus dead pixels could be a fingerprint.)
Camera
Money (Score:2)
Well for one they are ridiculously expensive unless you already have one. Even if you do, the "plans" are exorbitantly expensive. They make the worst cell phone plans look like [insert some cheap analog here]. Particularly when dealing with video and large image files it just isn't feasible.
Many of you are missing something (Score:5, Interesting)
For all of you quoting XKCD or talking about rubber hose cryptography, I have three words: Public Key Cryptography
There is no reason why a keypair can't be generated on a safe computer in a safe country and only the public key gets loaded into the camera, while the private key remains safe. The border people could still eat the memory card, and they could add new encrypted photos/videos to it using the public key, but they couldn't view old stuff.
You could even set the system up so that the encryption key gets encrypted twice, once with the NV public key, and once with a volatile key that gets erased after a few minutes, or at the press of a button. That way the photographer would have time to make sure they got the shot they wanted.
Re: (Score:3)
and they could add new encrypted photos/videos to it using the public key, but they couldn't view old stuff.
[Setting: A border crossing station in a nondescript, corrupt nation. Definitely not the US. No sir, not the USA] ... OK
Border Guard: Is this your camera?
Photog: Yes it is.
BG: I just have to take it to this back room to inspect it.
Ph:
[5 mins later]
BoG: You are under arrest!
Ph: What for?
BG: For the possession of child pornography that we found on your camera.
Re: (Score:2)
Re: (Score:2)
Good idea in terms of key management, but by itself it doesn't entirely solve the rubber hose problem, it just makes sure they'll beat you until they're sure you really can't decrypt the files, leaving you without the photos and with extensive injuries.
Combined with deniable encryption it's a pretty good solution though. The only trouble is keeping your adversary from finding the key which would blow your deniability out of the water. I had the idea to use symmetric-key encryption with a user-entered key he [slashdot.org]
Re: (Score:2)
Sounds like a good reason to not tell the wife the key.
DRM paradise (Score:2)
While this request has DRM implications I really don't like (lense to screen encryption) and is no doubt an MPAA wet-dream, I unfortunately have to support this, as the clear and present danger to journalists, and the potential for regimes like the Trump Administration, Putin, et. al. to distort or destroy evidence of wrongdoing, demand something like this. At least with encryption journalists can keep their data safe, and if done properly, we can detect changes to the raw video/audio data. Both of which
Steganography (Score:2)
Re: (Score:2)
Wifi upload is the best.
This.
You can upload to a small Raspberry Pi (or similar) device concealed somewhere nearby. From there, you can implement whole disk encryption and/or forward it to The Cloud. If law enforcement stops you, you can offer to show them how many views their current activity is getting on YouTube.
Re: (Score:2)
Add an extra 5-10 % of data onto each larger RAW file size depending on the brands average RAW file size? Split the hidden files so the RAW files can hold part of another hidden RAW or a few hidden jpegs. Over the many 10's of gb on average consumer storage cards that could spread an extra percentage of of images in the parades and landscapes.
Some hidd
All or nothing ... (Score:2)
... why are we talking about professionals?
LEO wants to ban encryption period [rietta.com]
Here's our chance! (Score:3)
Re: (Score:2)
Write Speeds? (Score:2)
Re: (Score:3)
Encryption implemented in hardware is fast. Note that there are plenty of embedded devices that do encryption and decryption at high bit rates (Blu-ray player, HDCP endpoint, encrypted hard disk, link-layer network encryption).
A fast flash storage card for a camera has a write speed of about 100 MB/s. It's pretty easy to get hardware AES implementations that are around a gigabit/sec.
Rubber Hose. (Score:2)
A rubber hose and a few other things will make short work of whatever is done.
Re: (Score:2)
Suppose you encrypt it with the public key for which you DO NOT HAVE the corresponding private key? Hmmmm? Maybe the private key is known only to a third party with whom you have a secret canary agreement. Maybe this third party is in a safe jurisdiction. The rubber hose about which you boast will not be worth shit then.
Why camera makers? (Score:2, Insightful)
Compact Flash|SD - custom SSD (Score:2)
I'm sure Sandisk, Samsung and co could come up with a Compact-Flash or SD-Card that was more akin to a SSD (with TPM-like chip).
Sounds more like the technically-challenged thinking something is a good idea. Like how so many people are replacing all their old audio-gear to get something with bluetooth... when you could just add a $20 bluetooth dongle to your existing kit.
Literally too high to count? (Score:2)
I can count pretty damn high, since I know basic math, my ability to count only stops when I get tired.
So, "literally too high to count" (from the summary) is BS.
Re: (Score:2)
You're walking through a train station. The train pulls up and all the passengers pile out. If you could somehow stop time, you could easily count them all, but how can you handle it in real time? You can't even see all of them, let alone count that fast.
It's not the quantity that is uncountable. It is concealment, and the rate at which events are happening, that makes them uncountable.
I made an Adroid app for this once... (Score:2)
It only leaves the public key on the phone, and the private key on your computer (which presumably is in a safe environment), and encrypts the files one-way. You can't even review them on the phone itself. Needless to say, nobody understood what the app was for... so I pulled it.
Will not happen (Score:2)
Um. . . no (Score:2)
Do you know how much time encryption would add to the photo process ?
Right now we have to buy the blistering fast cards in order to utilize extended shooting with fast frame rates.
Even THEN, the cameras will eventually fill their buffers because we can't write to the cards fast enough.
Imagine how long it would take to write a dozen 30MP+ shots to the card if we encrypted them first.
Besides, your Smartphone is likely protected by a password and they have no issues with beating it out of you, using a hack to
Re: (Score:2)
Imagine how long it would take to write a dozen 30MP+ shots to the card if we encrypted them first.
If you're doing AES chiper in realtime on the ASIC, the performance-hit to the write operation is going to be quite minimal. AES Encrypted data is the same size as the plain input + 1 block (16 bytes).
Bad idea. Why? (Score:4, Informative)
I'm not sure these guys understand what'll happen if there's in-camera encryption. I can see at least two possible outcomes:
1. The device is encrypted, so the authorities just take and destroy it
2. The device is encrypted, so the authorities just take and destroy it, and kill the jouro when they refuse to unlock it.
I'm not sure either of these are really want the person in question wants. I can think of other issues (and you can too), but encrypting the device is probably not the right answer.
Re: (Score:2)
With cheap media and a lot of sets of HDR images https://en.wikipedia.org/wiki/... [wikipedia.org] , a number of real images could be hidden.
Anyone looking at a few 100 images would see art and allowed sites. Within that would be
Avoid making cameras more complicated (Score:3)
This is something that struck me as well. As it is, we get pretty detailed photos from our phones, if there is a necessity to immediately encrypt them or back them on the cloud, or do anything w/ them that needs to be online.
But if someone is using an actual SLR camera, then why not just let the camera do the basic stuff - taking photos or videos? Once they are back at the office/hotel, they can take out the laptop, transfer all the files, encrypt it, upload it to the crowd and do whatever. If they hav
Re: (Score:2)
If there is the fear that corrupt or tyrannical authorities would confiscate them, that's a risk they run every moment. Such an authority would probably already have control over all ISPs in that country, making it impossible to do a mobile cloud back-up. Best solution would be copy the stuff to the laptop and encrypt it there, rather than make 3 camera companies make something that adds hundreds of $$$ to the price of a camera
What it'll cost in design and they'll charge for it is another matter, but SD card speed hardware encryption is achieved in a few thousand logic gates and single digit milliwatts of power and the rest is basically software management. On the hardware bill of materials I'm thinking $5 tops. Whether they want to is less certain, it also sounds like a function many people trying to take creepy shots would use and cause bad PR.
Re: (Score:2)
Re: (Score:2)
"io_crypt - encrypt your photos while you shoot them"
http://www.magiclantern.fm/for... [magiclantern.fm]
Re: (Score:2)
Re: (Score:2)
What belongs to a decrypt?