Camera Makers Still Showing Zero Interest In Protecting Users With Built-In Encryption
from the thanks-for-the-$$$-but-you're-on-your-own dept
Digital cameras can store a wealth of personal information and yet they're treated as unworthy of extra protection -- both by courts and the camera makers themselves. The encryption that comes baked in on cellphones hasn't even been offered as an option on cameras, despite camera owners being just as interested in protecting their private data as cellphone users are.
The Freedom of the Press Foundation sent a letter to major camera manufacturers in December 2016, letting them know filmmakers and journalists would appreciate a little assistance keeping their data out of governments' hands.
Documentary filmmakers and photojournalists work in some of the most dangerous parts of the world, often risking their lives to get footage of newsworthy events to the public. They face a variety of threats from border security guards, local police, intelligence agents, terrorists, and criminals when attempting to safely return their footage so that it can be edited and published. These threats are particularly heightened any time a bad actor can seize or steal their camera, and they are left unprotected by the lack of security features that would shield their footage from prying eyes.
The magnitude of this problem is hard to overstate: Filmmakers and photojournalists have their cameras and footage seized at a rate that is literally too high to count. The Committee to Protect Journalists, a leading organization that documents many such incidents, told us:
"Confiscating the cameras of photojournalists is a blatant attempt to silence and intimidate them, yet such attacks are so common that we could not realistically track all these incidents. The unfortunate truth is that photojournalists are regularly targeted and threatened as they seek to document and bear witness, but there is little they can do to protect their equipment and their photos." (emphasis added)
Cameras aren't that much different than phones, even if they lack direct connections to users' social media accounts or contact lists. We've covered many cases where police officers have seized phones/cameras and deleted footage captured by bystanders. The problem is the Supreme Court's Riley decision only protects cellphones from warrantless searches. (And only in the United States.) While one state supreme court has extended the warrant requirement to digital cameras, this only affects residents of Massachusetts. Everywhere else, cameras are just "pockets" or "containers" law enforcement can dig through without worrying too much about the Fourth Amendment.
Unfortunately, it doesn't look like camera manufacturers are considering offering encryption. The issue still doesn't even appear to be on their radar, more than a year after the Freedom of the Press Foundation's letter -- signed by 150 photographers and filmmakers -- indicated plenty of customers wanted better protection for their cameras. Zack Whittaker of ZDNet asked several manufacturers about their encryption plans and received noncommittal shrugs in response.
An Olympus spokesperson said the company will "in the next year... continue to review the request to implement encryption technology in our photographic and video products and will develop a plan for implementation where applicable in consideration to the Olympus product roadmap and the market requirements."
When reached, Canon said it was "not at liberty to comment on future products and/or innovation."
Sony also said it "isn't discussing product roadmaps relative to camera encryption."
A Nikon spokesperson said the company is "constantly listening to the needs of an evolving market and considering photographer feedback, and we will continue to evaluate product features to best suit the needs of our users."
And Fuji did not respond to several requests for comment by phone and email prior to publication.
The message appears to be that camera owners are on their own when it comes to keeping their photos and footage out of the hands of government agents. This is unfortunate considering how many journalists and documentarians do their work in countries with fewer civil liberties protections than the US. Even in the US, those civil liberties can be waived away if photographers wander too close to US borders. If a government can search something, it will. Encryption may not thwart all searches, but it will at least impede the most questionable ones.
Filed Under: cameras, encryption
Reader Comments
Hack it like a Deere
[ link to this | view in chronology ]
Re: Hack it like a Deere
Did they? I see 10 camera models added to CHDK in the last year.
Rather than just something like "The encryption that comes baked in on cellphones", public-key cryptography should be supported. That way journalists could take pictures they can't be forced into decrypting—the private key being safely out of the country.
[ link to this | view in chronology ]
Re: Hack it like a Deere
I don't know exactly what you mean by hacking in this context, but there is some form of encryption available in the third-party Canon camera firmware called Magic Lantern:
https://www.magiclantern.fm/forum/index.php?PHPSESSID=bh802p8tj895kfv0rftf41a242&topic=9963.25
[ link to this | view in chronology ]
I'd say that's the fundamental difference, especially when it comes to marketing, etc.
If a phone is stolen or compromised, "bad guys" can potentially gain access to everything about you on that phone, which can be anything from social media and other logins to financial details to sensitive personal data. Encryption is therefore not only a highly important thing to consider, but increasingly a marketing and sales point.
A camera, on the other hand, largely stores just the photos taken with the camera (although some models may store more, such as GPS data). The majority of people using them don't care so much about protecting that data from prying eyes - for every photojournalist or filmmaker at risk, there's 10 or more wedding photographers or amateur filmmakers who will never be in a situation where this would be a problem. So, it's not a selling point and is potentially even an increased support cost, so it's not a priority until the point where they're convinced it should be.
Right or wrong, I think that this is the reason. If smartphones were just devices to make calls and take the occasional snapshot, I don't think there would be much encryption there either. It's all the other stuff that encouraged its wide adoption.
[ link to this | view in chronology ]
Re:
Some do.
[ link to this | view in chronology ]
Re:
Yeah.... What is odd though is that no one is even trying. Sure, one way to think about it is the "There are not as many users who want it compared to those who don't care." On the other side though, right now if you made a camera with encryption you can take that entire market.
So how much is that market worth? Seems like that is a really rich market being ignored. These photojournalists are not buying the bargain point and shoot, they are getting top end camera and all the lenses and flash attachments. If you made a version of your top of the line camera and added encryption you could charge a crazy price for it.
Think about it, you have the only camera with this protection. How much extra do you think that would be worth? I can say that if I was a photographer going into a dangerous area.... That feature would be worth whatever you wanted to charge for it. When it comes to protecting my own skin.... I will find the money somehow.
[ link to this | view in chronology ]
Re: Re: Re:
As you shoot the photos go un-encrypted to a holding area where the processor encrypts them and moves them over to the removable memory as it has the time. This means there is a time period where there is a risk but it should only be a short window. It also would cause a trade off where you couldn't just do long burst of high speed photos. You would have to plan your shots a bit more.
Security almost always has a trade off with convenience. The question is always "what is more important in this situation" ease of use or security. For some photographers the slower shoot times are a fair price for security.
[ link to this | view in chronology ]
Re: Re: Re: Re:
Not exactly the best options for news photographers, and also eliminate the possibility of encrypting videos, which is possibly the main use of all cameras these days, especially for news gathering.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
In the case of smartphones, people have sacrificed instant access in favour of requiring a password/fingerprint and the couple of seconds that takes to unlock. If photographers cannot make this particular compromise, they have to make another one. There will be ways to minimise the impact, but there will need to be some price to pay for greater security, by the nature of what security is.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
Probably the better option is to pair with a phone, and get images and videos onto remote servers as soon as possible. That is better protection especially when dealing with repressive regimes. What are the chances of taking your electronics out of the US if they decide they might contain incriminating evidence against the government?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
Yes.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
Phone-pairing (or QR-codes if there's no wireless) is a great idea for the key entry/management interface, because then we can use a secret stored securely in the phone plus a PIN/password entered on the phone's touchscreen. It all needs to work offline: these journalists might be working in areas with bad/no phone service, or where the government is interfering with it, or where data plans are too expensive/limited. The uploading is a good idea, and various groups like the ACLU have released police-recording apps to do it, but remember that "as soon as possible" could be a while.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
Sometimes it is better to only get a few photos and keep your head versus having awesome video and getting killed for it.
[ link to this | view in chronology ]
Re: Re: Re:
Symmetric crypto is fast, even on a CPU you'd find in a camera (it's not worse than JPEG encoding really). Especially if you use a CPU with built-in acceleration.
Asymmetric crypto is slower, but x25519 isn't bad. And it's only needed to encrypt a symmetric key, which means you can do it long before a photo is taken. The camera could have a bunch of 25519-encrypted AES or Salsa20 keys ready to go in advance (only in memory of course--there could be some lag on bootup or when taking many photos in quick succession, if you want different keys for each photo).
[ link to this | view in chronology ]
Re: Re: The camera could have a bunch of 25519-encrypted AES or Salsa20 keys ready to go in advance
You'd store them unencrypted—again, only in RAM.
(But hold off on the key-wiping for a minute or so, to give the photographer a chance to review the image.)
[ link to this | view in chronology ]
Re: Re: You'd store them unencrypted—again, only in RAM.
Sometimes you want to take a burst of photos at 5-10 fps, so ideally the encryption should impact that feature as little as possible.
[ link to this | view in chronology ]
Re: Re: You'd store them unencrypted—again, only in RAM.
But premature optimization being the root of all evil, let's get some numbers:
http://bench.cr.yp.to/results-dh.html
A slow-ish (800 MHz) MIPS CPU takes 509000 cycles (1/1600 s) to generate a curve25519 keypair and another 495000 to generate a 32-byte shared secret. Which means (a) it would be foolish to dismiss the possibility of encryption for performance reasons, without testing, and (b) we should plan to generate the keys as needed, and call the more complex option our "plan B".
[ link to this | view in chronology ]
Re: Re: Re: You'd store them unencrypted—again, only in RAM.
...which the camera would never need to do, so only the 495kcycle cost applies.
[ link to this | view in chronology ]
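The scheme worked out in the comments above (an X25519 exchange used only to produce a symmetric photo key, generated as needed, with the private key kept off the camera), as an added Go example that is not code from the post or from any commenter. The function names, the AES-256-GCM cipher, the SHA-256 key derivation and the blob layout are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// photoAEAD turns an X25519 shared secret into a one-photo AES-256-GCM key.
// SHA-256 over secret and both public keys is a simplified KDF (assumption).
func photoAEAD(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, ephPub, rcptPub []byte) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(bytes.Join([][]byte{shared, ephPub, rcptPub}, nil))
	blk, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// SealPhoto runs on the camera, which holds only the recipient's public key.
// Output: ephemeral public key (32 bytes) | AES-GCM ciphertext and tag.
func SealPhoto(rcptPub *ecdh.PublicKey, photo []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	pub := eph.PublicKey().Bytes()
	g, err := photoAEAD(eph, rcptPub, pub, rcptPub.Bytes())
	if err != nil {
		return nil, err
	}
	// A fixed nonce is safe only because each key encrypts exactly one photo.
	return g.Seal(pub, make([]byte, 12), photo, nil), nil
}

// OpenPhoto runs off-camera, where the private key is kept.
func OpenPhoto(priv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 32+16 {
		return nil, errors.New("blob too short")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(blob[:32])
	if err != nil {
		return nil, err
	}
	g, err := photoAEAD(priv, ephPub, blob[:32], priv.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	return g.Open(nil, make([]byte, 12), blob[32:], nil)
}

func main() {
	priv, _ := ecdh.X25519().GenerateKey(rand.Reader) // done off-camera
	photo := []byte("constructed sample image bytes")
	blob, _ := SealPhoto(priv.PublicKey(), photo)
	plain, err := OpenPhoto(priv, blob)
	fmt.Printf("%d-byte blob -> %q, err=%v\n", len(blob), plain, err)
}
```

Once `SealPhoto` returns, nothing left on the camera can open the blob, so a seized and unlocked camera yields only ciphertext; the per-photo cost is one key generation and one shared-secret computation.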
Re: Re: Re: Re:
You enter the code and the camera auto-encodes it..
Instead of JPG...it would be JPGE.. your password would be inserted into the JPG encode format.
BUT, the problem is DECODE. THAT part I would require a computer...NOT THE CAMERA.. you can't VIEW or much of anything with the Pics/movie, on the Camera. You would take it/SEND IT to a computer with the DECODE on it..
But no matter what you do..Someone can TAKE THE RAM..which is the problem. They can just destroy it and not worry about anything.
Destroy the camera, and the RAM card is still good, would not be a problem..
[ link to this | view in chronology ]
Re: Re: Re:
Next, you'll be telling us we can't have self driving cars because glass gets dirty.
[ link to this | view in chronology ]
Re: encryption doesn't have to be slow
Public/private key encryption is slow. Like thousands of times slower than secret-key encryption.
[ link to this | view in chronology ]
Re: Re: Re: encryption doesn't have to be slow
Symmetric key encryption of local data has the problem of protecting the key, and in particular does not protect the data if the device is unlocked when seized.
[ link to this | view in chronology ]
Re: Re: Re: Re: encryption doesn't have to be slow
Except...
$ pgpdump test.asc
Old: Public-Key Encrypted Session Key Packet(tag 1)(524 bytes) ...
New: Symmetrically Encrypted and MDC Packet(tag 18)(8192 bytes) partial start ...
New: (8192 bytes) partial continue
New: (67 bytes) partial end
$
a PGP key is only used to encrypt the symmetric session key. You could use the same symmetric key for several pictures, assuming a proper cipher mode and amenable threat model.
That would be the point, if they want it.
Assuming it's all encrypted with the same key. Multiple keys can be derived from one password or several, so the keys in RAM might not unlock the whole device.
If I designed a camera I'd include a deadman's switch. Maybe accelerometers or something that wraps around your wrist, and wipes the keys from RAM. You could still take pictures in that mode, just not view them.
[ link to this | view in chronology ]
Re: Re:
It's also possible, as suggested elsewhere here, that they're also trying to work out how to use the encryption as a lock-in to specific applications or some other shenanigans rather than simply giving consumers what they wish. I'd like to say this is unlikely, but some manufacturers do have a somewhat spotty history, at least on the non-camera side where I'm more familiar (e.g. Sony's usual insistence on proprietary memory formats)
Honestly, I wouldn't be surprised if the real answer is somewhere between the two - they're working on something to bring to market but are holding off until either the demand grows to a significant enough level or they have enough backend details worked out until they announce an actual product.
[ link to this | view in chronology ]
Re:
Even amateur photographers may have taken photos of sensitive information, like a passport or (unredacted) boarding pass. And they don't necessarily realize the steps required to sanitize an SD card that once contained unencrypted sensitive data.
[ link to this | view in chronology ]
Besides, if camera makers started encrypting pictures, how long before they tried using the DMCA to lock users into a certain brand of photo processing software?
[ link to this | view in chronology ]
Re:
You forgot "physically destroy the SD card". Or secure-erase, which may or may not be sufficient depending on sector-remapping etc.
If they know how to recover deleted data, now they've got you on lying to an officer.
[ link to this | view in chronology ]
Insufficient demand
Comparatively, there's probably a hugely larger need for physically rugged laptop computers (industrial use, etc.) and those just barely exist.
On smartphones, I daresay encryption exists much more because customers are concerned about losing their phones and having strangers rummage through them, than they are about the government seizing their party pics.
[ link to this | view in chronology ]
If encryption is important and smart phones have it, why not use them instead?
[ link to this | view in chronology ]
Re:
In which case they would have the camera, but (effectively) not the photos. The point is to protect the photos, not the camera. If what you care about is the camera and not the photos, just wipe the memory. Still no guarantees, but there will be nothing interesting to make the border control agent think it's worth taking.
[ link to this | view in chronology ]
Re: Re:
No, they'll have the camera and the photos. They just can't do anything with them. Remember, the goal here is to get the photos out, which you can't do when they're sitting in the camera that you can't get to, or is destroyed.
[ link to this | view in chronology ]
Re: Re: Re:
Not really. They'll have the camera and some encrypted data that may as well be random bits.
The goal of the photographer, yes. The goal of the encryption is to keep the photos away from people who are not supposed to see them. That's all you can ask of it. If you need a way to get photos across a border without exposing them to confiscation by border agents, you need something besides encryption.
[ link to this | view in chronology ]
Re: Re: Re: Re:
Which are the photos. They can't access them but they are the photo files. Which the photographer wants and no longer has.
So, encryption is useless here and now there stands a mountain where there once was a molehill.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
...which would have happened anyway, but now they're in a form which the authorities can't use as evidence against the photographer.
That's kind of the point. If you want a method by which the photographer can still access the photos, you need some kind of file transfer. That's a different issue to whether or not other people can look at and use the photos, which is the only thing the encryption is intended to prevent.
"So, encryption is useless here"
Yes, so is covering the cameras in peanut butter, and many other things that don't have the effect you're pushing for. Encryption will be very good at delivering the thing it does, not anything else.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
Like I said somewhere here before, they'll use coercion to get photographers to open the files. It's like something I read on shredders. Straight-cut is worse than not shredding. You're pointing to the fact you're hiding something and they can easily reconstruct the paper. Same here. You're pointing to hiding something and they can coerce you to open them.
> Yes...
My point was the article seems to think that encryption will allow war-photographers to get their evidence out and how bad it is that major camera companies won't add this feature.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
I'd read it again if I were you. That's not the point being made. It's about stopping the footage getting into the wrong hands and preventing it being seen, not transporting it out of the area. You do have a point about coercion, although you don't bother to suggest any solution other than telling people that encryption won't magically do something nobody thinks it will do.
It also mentions a group of actual photographers and filmmakers who are demanding the feature. Have it out with them if you think they're wrong. You obviously know so much better than they do, at least in your incorrect interpretation of what's being said.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
I guess if you want to split hairs you can say they possess the photos but can't access them. However, not only do they not have access to them, they can't even be sure there are photos.
Also I was going to say pretty much what PaulT said, so ditto to that.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
A memory card stuck inside a camera! Odds are...
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
Let's read it again more carefully. I'll even add emphasis.
they can't even be sure there are photos.
[ link to this | view in chronology ]
Re: Re: Re: No, they'll have the camera and the photos.
If so, it's the action of authorities taking the camera that caused that, which is beyond the ability of anything on the camera to prevent.
[ link to this | view in chronology ]
Workaround time....
By using such a card, you can hand over your camera and allow them to "erase" the images from the device, having safely copied them to (say) a pi based device that then uplinks them to the internet....
[ link to this | view in chronology ]