150 Filmmakers and Photojournalists Call On Nikon, Sony, and Canon To Build in Encryption (zdnet.com)
Some of the world's leading photojournalists and filmmakers are calling on the manufacturers of the cameras they use to add encryption to their products, as the number of threats they face from having their devices seized is "literally too high to count." From a ZDNet report: Over 150 documentary makers and reporters signed an open letter by the Freedom of the Press Foundation, asking for camera makers -- including Nikon, Sony, and Canon -- to ensure that their work is protected while often "attempting to uncover wrongdoing in the interests of justice." "Documentary filmmakers and photojournalists work in some of the most dangerous parts of the world, often risking their lives to get footage of newsworthy events to the public," said Trevor Timm, the foundation's executive director. But, he said, "they face a variety of threats from border security guards, local police, intelligence agents, terrorists, and criminals when attempting to safely return their footage so that it can be edited and published." The filmmakers say that camera security has lagged behind the rest of the industry, leaving their work "dangerously vulnerable."
It's not encryption. They need a sim card and a good antenna that can let them either stream data out live or immediately push data to DropBox or Google Drive.
*sigh*
https://xkcd.com/538/
Much better to have a camera that autoloads the pictures onto a website far, far away, so that even if they are forcefully erased by the authorities, there is a copy somewhere anyway.
Or a camera with a kill switch that would act like the digital equivalent of "opening the film tray" and blanking it in a second... Could fry the microSD card, or wipe it clean.
Imagine you interview someone and they say something that might incriminate themselves. On the way back to the office the corrupt police take your camera. If the video is encrypted at least they don't have video of your source incriminating themselves.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
That could certainly be a stopgap solution. But pros want something that "just works", so it does make sense to urge the big manufacturers to officially support such a feature right out of the box.
Another feature restricts playback to a single folder, rather than all the folders in chronological order.
It became very handy when I was abusively threatened with arrest unless I deleted the pictures I took of an abusive train ticket inspector...
Afterwards, I climbed the few stories to the transit authority headquarters to lodge a complaint against that inspector, who eventually got fired...
Why not simply employ a Sat-phone-like device to upload the data on the fly (assuming they can get a signal)? The data can be transmitted before the SD is compromised. Then, it won't matter if the SD is compromised.
In a similar fashion, have an SD card reader for a cellphone for instances where a cell signal can be received (i.e. domestic use).
Alternatively, simply build cell / encryption capability into the camera itself.
-- RD
This is something that struck me as well. As it is, we get pretty detailed photos from our phones, if there is a necessity to immediately encrypt them or back them on the cloud, or do anything w/ them that needs to be online.
But if someone is using an actual SLR camera, then why not just let the camera do the basic stuff - taking photos or videos? Once they are back at the office/hotel, they can take out the laptop, transfer all the files, encrypt it, upload it to the crowd and do whatever. If they have to do the encryption and data transfers right at the spot, then just use the phone. But having 2 completely different classes of products just increases the risk that one of them will go the way of the dodo.
If there is the fear that corrupt or tyrannical authorities would confiscate them, that's a risk they run every moment. Such an authority would probably already have control over all ISPs in that country, making it impossible to do a mobile cloud back-up. Best solution would be to copy the stuff to the laptop and encrypt it there, rather than make 3 camera companies make something that adds hundreds of $$$ to the price of a camera.
For all of you quoting XKCD or talking about rubber hose cryptography, I have three words: Public Key Cryptography
There is no reason why a keypair can't be generated on a safe computer in a safe country and only the public key gets loaded into the camera, while the private key remains safe. The border people could still eat the memory card, and they could add new encrypted photos/videos to it using the public key, but they couldn't view old stuff.
You could even set the system up so that the encryption key gets encrypted twice, once with the NV public key, and once with a volatile key that gets erased after a few minutes, or at the press of a button. That way the photographer would have time to make sure they got the shot they wanted.
See that "Preview" button?
I think anyone with half a brain sees the benefit of having something encrypted vs. no encryption. With encryption your opponents may know you have something they don't want to see but they don't know what that something is. If you don't think it is worth that much you can give it up to them - no harm no foul. If it is something you might be murdered for having then I think you would want that hidden, even if it means eventually losing it or being subject to enhanced interrogation.
It also reduces the risk of "smuggling". It's exactly why Clinton ran her own e-mail server.
1) There is a chance you just get away with it
2) If you do get "caught" you have options; without encryption, if you get caught, for instance, exposing massive corruption, the outcome is entirely up to the corrupt.
3) The options are a) reveal what you have if it is not that bad b) deny you have anything but offer to delete or destroy the data or the camera c) you try to keep the data or they don't accept a or b and then you are in the same situation as no encryption but they still don't have the data.
Encryption is a tactical WIN WIN WIN.
And if you really need the data to go straight to encrypted storage, well, there's a way to do that.
Are you thinking of Eye-Fi? It doesn't work that way(*). It's a regular 32GB SD card with the wireless-copy-off agent read-only spying on the filesystem, so the photos are still written unencrypted to the card.
Once you write something unencrypted to blackbox flash like an sdcard, you can never really delete it because blocks are just "marked free". A very simple form of encryption would be:
- put a USB port on the camera that acts like an SD card reader
- put a TPM in the camera that is "effaceable"
- when formatting the sd card, rotate the effaceable key.
This would give a way to really wipe the SD card and do nothing else. Unfortunately it also means destroying the camera destroys all SD cards written by it, including ones hidden away.
A more complex form with similar limitations would be per-photo keys, so individual photos could be deleted by rotating the TPM master key and re-wrapping the keys of all the photos you don't want to delete.
The best form IMHO would be ecryptfs. With a little work Chromebooks could just mount the sdcard.
With a lot of work you could "pair" the camera with a user account on a laptop, wrap keys twice per photo, once symmetrically to the camera's TPM key and a second time with RSA to the laptop's key, and after an hour or two efface the symmetric keys so that the camera can only read photos it's written recently.
A step further from that would be to pair the camera with your desktop on the other side of the border instead of your laptop so that nothing discoverable passes the border.
They need a sim card and a good antenna that can let them either stream data out live
First, you still have to store the data before you stream it, so you still need encryption. The "very simple form" would be enough, while without streaming the other forms make sense.
But second, cell service isn't reliable everywhere because infrastructure. For video it's a pretty high bar in cheapness and performance. Where it is, it gets shut off by the government during protests and may increasingly be so if your proposal becomes standard. Using a cell radio means your movements can be tracked which may be more useful to the adversary than the photos. Many people think "five eyes" has exploits for many cell radios which, depending on how the radio is wired up inside the camera, could allow debug access to main memory and bypassing Dropbox TLS.
And third, there's a push to close the loop and deliver practical tools that get used instead of abstractly-ideal tools that end up having fatal flaws or no adoption, so I don't think this imagined tool should block the tool they're asking for.
(*) I don't have one. Just reading pre-sales docs at eyefi.com.
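Added example (not part of any comment in this thread): a model of the scheme sketched in the comments above, where the camera holds only a public key generated at home and each photo key is wrapped twice, once to that public key and once to a volatile key the camera later effaces. It assumes RSA-OAEP and AES-256-GCM from Node's built-in crypto module; `Camera`, `shoot`, `review`, `efface` and `develop` are hypothetical names, and the volatile key is modelled as a value held only in RAM.

```javascript
// Added example: all names are hypothetical; RSA-OAEP and AES-256-GCM are assumed choices.
const crypto = require('crypto');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Sealed box = nonce (12) || tag (16) || ciphertext; open() throws on a wrong key or any edit.
function seal(key, data) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const ct = Buffer.concat([c.update(data), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

function open(key, box) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.subarray(0, 12));
  d.setAuthTag(box.subarray(12, 28));
  return Buffer.concat([d.update(box.subarray(28)), d.final()]);
}

class Camera {
  constructor(homePublicKey) {
    this.home = homePublicKey; // public half only; the private key stays at home
    this.volatile = crypto.randomBytes(32); // review key, never written to the card
  }

  // Encrypt under a fresh per-photo key, then wrap that key twice.
  shoot(image) {
    const k = crypto.randomBytes(32);
    return {
      data: seal(k, image),
      forHome: crypto.publicEncrypt({ key: this.home, ...OAEP }, k),
      forCamera: seal(this.volatile, k),
    };
  }

  // On-camera playback: only photos wrapped under the current volatile key.
  review(photo) { return open(open(this.volatile, photo.forCamera), photo.data); }

  // Timer expiry or button press: overwrite and replace the volatile key.
  efface() {
    this.volatile.fill(0);
    this.volatile = crypto.randomBytes(32);
  }
}

// Runs on the safe computer that holds the private key.
function develop(homePrivateKey, photo) {
  const k = crypto.privateDecrypt({ key: homePrivateKey, ...OAEP }, photo.forHome);
  return open(k, photo.data);
}
```

After `efface()` the card still holds `forCamera`, but nothing on the camera can unwrap it; the camera can keep shooting, and only `develop` with the home private key reads the older photos.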
Pfft. You'd need some kind of, I don't know, "International Network" to do that.
systemd is Roko's Basilisk.
Cameras use ASIC chips. The "firmware" in question is simply there to tell the ASIC which functions to enable/disable from what is already available. Encryption would break the existing data chain of sensor > ASIC > storage. It would then need to go sensor > ASIC > CPU > storage. Think of the amount of CPU power required to handle data encryption in the first place, these CPUs simply could not keep up. So to add the functionality of encryption, it would have to be implemented in a new generation of their ASIC image processors.
Pfft. You'd need some kind of, I don't know, "International Network" to do that.
It would have to be some kind of network of networks. I'm envisioning something like a series of tubes.
In the free world the media isn't government run; the government is media run.
The encryption does not necessarily need to happen on the fly. You can save the images and videos as usual, and then pipe it for the camera to process slowly, even when it's been turned off. Making it use little power is more important than speed IMHO. Although I see no reason why encryption cannot be added to the ASIC.
Non-Linux Penguins ?
Photo journalists do already have their devices seized. All the time. And they are often stripped of their memory card before having it given back to them (if it is given back). The problem encryption is meant to solve is not to prevent the device from being seized, it's to prevent the seizing agency from having access to what you've been photographing. Photo journalists going behind enemy lines, taking pictures of rebel groups or doing interviews with people who want their faces blurred later. Losing the photographs altogether is not as bad as having the photographs fall into the hands of an adversary. They are already going to lose them if the device is seized. They just want the photographs to be safe if that happens.
Unfortunately, seeing encryption applied to new classes of devices is a controversial topic now. Not for the end user, who would support that. But governments across the world - across the (ironically named) "free" world - are aiming at encryption and labeling it as evil and helping the cause of terrorists and child molesters. The first time a camera comes out with encryption and is involved in child pornography will be huge. It will be splashed by law enforcement across every newspaper as showing how encryption is evil, how it's enabling criminals and terrorists, and how it's good that government should legislate back doors into every piece of encryption on the market. For that reason, until we settle the fight that is brewing about encryption and openly legislated (as opposed to the private ones the NSA strong arms into products already) encryption back doors are firmly rejected, I would like to see cameras remain free of encryption. I don't want to see another class of device used as propaganda and leveraged as a way of taking away more of our rights and privacy.
If Nikon, Sony, and Canon (for example) handled it like the MPAA, we'd end up with: the encryption can only legally be unlocked on licensed products (in certain countries) and don't allow making copies of the files. Instead, you'll need to buy a license per-format to export it to the file you want, such as an iPhone or an HD TV. Ensure that the file can only be exported in the country the license was purchased in and may not be moved to another country. Make some kind of claim of "you're not really buying our cameras - you're buying a license to use them" - then sue for 10x the actual damages for any studio/reporter/etc that makes copies, backups, or anything else related to making a film that infringes on the license.
Cameras lack a secure erase.
Cameras lack a decent secure upload if they have wifi at all. Secure wifi drivers are probably a problem.
Cameras lack encrypted storage (which should be done in a way that does not indicate the user trashed the key.)
Cameras give off forensic information identifying the brand and possibly the model camera (I'm not talking about metadata but analysis of the CCD noise at full resolution, which I read exists even after jpeg compression; plus dead pixels could be a fingerprint.)
Cameras lack the option to strip out metadata.
Cameras will 1st probably get a censorship recognition feature: using special visual codes during a movie or a government location disabling the camera or notifications sent.... features which will be abused.
Democracy Now! - uncensored, anti-establishment news
The moment they see encryption or something "not right" with that camera, it's not going to go well for the camera's presumed owner.
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
And if it's a standard feature? The photographer could feign complete ignorance of how it works because they don't care about the details; they know how to shoot pictures.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Sure. Every inch of the world has free and open internet access. There isn't a single country that blocks websites, intercepts data, blocks VPNs or does anything else with commodity traffic that would stop this from working. Oh, and the internet is never disturbed when a country is in crisis. Ever.
Not free. But if you're willing to pay, there's satellite internet in every inch (or centimeter) of the world.
And, you know, these photojournalists are usually on assignments so yeah, the companies they work for CAN pay for satellite internet.
Like in the UK.
That should teach tech-obsessed journos who is boss.
Any questions ?
Unless the hardware is vastly overqualified, just fixing it in software probably isn't an option. Doing encryption in software isn't too painful on a real computer; but cameras tend to have fairly feeble, power constrained, processors with any special-purpose hardware dedicated either to image processing or shovelling data from the sensor to the SD card as fast as possible. I'm sure you could fit an encryption implementation within the limits of a reasonably modern camera's hardware; but actually using it would do horrible things to the frame rate.
A sensible encryption setup for a camera would use asymmetric crypto. So recording stuff would only require the public key, the private key could remain safely at home.
note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
I'm not sure these guys understand what'll happen if there's in-camera encryption. I can see at least two possible outcomes:
1. The device is encrypted, so the authorities just take and destroy it
2. The device is encrypted, so the authorities just take and destroy it, and kill the journo when they refuse to unlock it.
I'm not sure either of these is really what the person in question wants. I can think of other issues (and you can too), but encrypting the device is probably not the right answer.
Encryption implemented in hardware is fast. Note that there are plenty of embedded devices that do encryption and decryption at high bit rates (Blu-ray player, HDCP endpoint, encrypted hard disk, link-layer network encryption).
A fast flash storage card for a camera has a write speed of about 100 MB/s. It's pretty easy to get hardware AES implementations that are around a gigabit/sec.