Camera Makers Still Showing Zero Interest In Protecting Users With Built-In Encryption
from the thanks-for-the-$$$-but-you're-on-your-own dept
Digital cameras can store a wealth of personal information and yet they’re treated as unworthy of extra protection — both by courts and the camera makers themselves. The encryption that comes baked in on cellphones hasn’t even been offered as an option on cameras, despite camera owners being just as interested in protecting their private data as cellphone users are.
The Freedom of the Press Foundation sent a letter to major camera manufacturers in December 2016, letting them know filmmakers and journalists would appreciate a little assistance keeping their data out of governments’ hands.
Documentary filmmakers and photojournalists work in some of the most dangerous parts of the world, often risking their lives to get footage of newsworthy events to the public. They face a variety of threats from border security guards, local police, intelligence agents, terrorists, and criminals when attempting to safely return their footage so that it can be edited and published. These threats are particularly heightened any time a bad actor can seize or steal their camera, and they are left unprotected by the lack of security features that would shield their footage from prying eyes.
The magnitude of this problem is hard to overstate: Filmmakers and photojournalists have their cameras and footage seized at a rate that is literally too high to count. The Committee to Protect Journalists, a leading organization that documents many such incidents, told us:
“Confiscating the cameras of photojournalists is a blatant attempt to silence and intimidate them, yet such attacks are so common that we could not realistically track all these incidents. The unfortunate truth is that photojournalists are regularly targeted and threatened as they seek to document and bear witness, but there is little they can do to protect their equipment and their photos.” (emphasis added)
Cameras aren’t that much different than phones, even if they lack direct connections to users’ social media accounts or contact lists. We’ve covered many cases where police officers have seized phones/cameras and deleted footage captured by bystanders. The problem is the Supreme Court’s Riley decision only protects cellphones from warrantless searches. (And only in the United States.) While one state supreme court has extended the warrant requirement to digital cameras, this only affects residents of Massachusetts. Everywhere else, cameras are just “pockets” or “containers” law enforcement can dig through without worrying too much about the Fourth Amendment.
Unfortunately, it doesn’t look like camera manufacturers are considering offering encryption. The issue still doesn’t even appear to be on their radar, more than a year after the Freedom of the Press Foundation’s letter — signed by 150 photographers and filmmakers — indicated plenty of customers wanted better protection for their cameras. Zack Whittaker of ZDNet asked several manufacturers about their encryption plans and received noncommittal shrugs in response.
An Olympus spokesperson said the company will “in the next year… continue to review the request to implement encryption technology in our photographic and video products and will develop a plan for implementation where applicable in consideration to the Olympus product roadmap and the market requirements.”
When reached, Canon said it was “not at liberty to comment on future products and/or innovation.”
Sony also said it “isn’t discussing product roadmaps relative to camera encryption.”
A Nikon spokesperson said the company is “constantly listening to the needs of an evolving market and considering photographer feedback, and we will continue to evaluate product features to best suit the needs of our users.”
And Fuji did not respond to several requests for comment by phone and email prior to publication.
The message appears to be that camera owners are on their own when it comes to keeping their photos and footage out of the hands of government agents. This is unfortunate considering how many journalists and documentarians do their work in countries with fewer civil liberties protections than the US. Even in the US, those civil liberties can be waived away if photographers wander too close to US borders. If a government can search something, it will. Encryption may not thwart all searches, but it will at least impede the most questionable ones.
Filed Under: cameras, encryption
Comments on “Camera Makers Still Showing Zero Interest In Protecting Users With Built-In Encryption”
Hack it like a Deere
It is odd that people seemed to have stopped hacking camera firmware. There was a time when they started to do so. Is it because of the ubiquity of camera phones that reduces the draw?
Re: Hack it like a Deere
Did they? I see 10 camera models added to CHDK in the last year.
Rather than just something like "The encryption that comes baked in on cellphones", public-key cryptography should be supported. That way journalists could take pictures they can’t be forced into decrypting—the private key being safely out of the country.
Re: Hack it like a Deere
I don’t know exactly what you mean by hacking in this context, but there is some form of encryption available in the third-party Canon camera firmware called Magic Lantern:
https://www.magiclantern.fm/forum/index.php?PHPSESSID=bh802p8tj895kfv0rftf41a242&topic=9963.25
“Cameras aren’t that much different than phones, even if they lack direct connections to users’ social media accounts or contact lists. “
I’d say that’s the fundamental difference, especially when it comes to marketing, etc.
If a phone is stolen or compromised, “bad guys” can potentially gain access to everything about you on that phone, which can be anything from social media and other logins to financial details to sensitive personal data. Encryption is therefore not only a highly important thing to consider, but increasingly a marketing and sales point.
A camera, on the other hand, largely stores just the photos taken with the camera (although some models may store more, such as GPS data). The majority of people using them don’t care so much about protecting that data from prying eyes – for every photojournalist or filmmaker at risk, there’s 10 or more wedding photographers or amateur filmmakers who will never be in a situation where this would be a problem). So, it’s not a selling point and is potentially even an increased support cost, so it’s not a priority until the point where they’re convinced it should be.
Right or wrong, I think that this is the reason. If smartphones were just devices to make calls and take the occasional snapshot, I don’t think there would be much encryption there either. It’s all the other stuff that encouraged its wide adoption.
Re: Re:
Some do.
Re: Re:
“for every photojournalist or filmmaker at risk, there’s 10 or more wedding photographers or amateur filmmakers”
Yeah…. What is odd though is that no one is even trying. Sure, one way to think about it is the “There are not as many users who want it compared to those who don’t care.” On the over side though, right now if you made a camera with encryption you can take that entire market.
So how much is that market worth? Seems like that is a really rich market being ignored. These photojournalists are not buying the bargain point and shoot, they are getting top end camera and all the lenses and flash attachments. If you made a version of your top of the line camera and added encryption you could charge crazy price for it.
Think about it, you have the only camera with this protection. How much extra do you think that would be worth? I can say that if I was a photographer going into a dangerous area…. That feature would be worth whatever you wanted to charge for it. When it comes to protecting my own skin…. I will find the money somehow.
Re: Re: Re:
How will that encryption work? Having to unlock a camera to take a shot is a great way of missing news worthy shots. The only encryption that works on an unlocked device is a public key system, where the device encrypts the images or video, and it is decrypted on a difference device with more secure access control. That runs into the problem that the camera CPU cannot deal with the encryption, indeed even top of the range CPUs would be slow, which is why public key cryptography is often limited to signatures, and key exchange.
Re: Re: Re: Re:
A public key system would actually work pretty well. As for the speed problem. That is not impossible to deal with. You for example could put on-board memory buffer.
As you shoot the photos go un-encrypted to a holding area where the processor encrypts them and moves them over to the removable memory as it has the time. This means there is a time period where there is a risk but it should only be a short window. It also would cause a trade off where you couldn’t just do long burst of high speed photos. You would have to plan your shots a bit more.
Security almost always has a trade off with convenience. The question is always “what is more important in this situation” easy of use or security. For some photographers the shower shoot times is fair price for security.
Re: Re: Re:2 Re:
Not exactly the best options for news photographers, and also eliminate the possibility of encrypting videos, which is possibly the main use of all cameras these days, especially for news gathering.
Re: Re: Re:3 Re:
It’s all down to use cases at the end of the day. You cannot have a perfectly secure camera that takes images at the maximum quality and speed, retains instant access to operate & view and remains secure against 3rd parties trying to access it. Security requires compromise with ease of use, ease of access or some other metric.
In the case of smartphones, people have sacrificed instant access in favour of requiring a password/fingerprint and the couple of seconds that takes to unlock. If photographers cannot make this particular compromise, they have to make another one. There will be ways to minimise the impact, but there will need to be some price to pay for greater security, by the nature of what security is.
Re: Re: Re:4 Re:
Have cameras grown touch screens yet? Otherwise unlocking is likely to be insecure, or very cumbersome.
Probably the better option is to pair with a phone, and get images and videos onto a remote servers as soon as possible. That is better protection especially when dealing with repressive regimes. What are the chances of taking you electronics out of the US is they decide they might contain incriminating evidence against the government?
Re: Re: Re:5 Re:
Yes.
Re: Re: Re:5 Re:
Phone-pairing (or QR-codes if there’s no wireless) is a great idea for the key entry/management interface, because then we can use a secret stored securely in the phone plus a PIN/password entered on the phone’s touchscreen. It all needs to work offline: these journalists might be working in areas with bad/no phone service, or where the government is interfering with it, or where data plans are too expensive/limited. The uploading is a good idea, and various groups like the ACLU have released police-recording apps to do it, but remember that "as soon as possible" could be a while.
Re: Re: Re:3 Re:
Like I was saying, it would be a trade off. Think about it though, your in a country covering a story and taking photos that could be sensitive, as in you might get killed over them. You really think “aww sucks, I can’t take video” is a big issue?
Sometimes it is better to only get a few photos and keep your head verses having awesome video and getting killed for it.
Re: Re: Re:2 Re:
DSLRs use a write buffer already anyway.
Re: Re: Re: Re:
Symmetric crypto is fast, even on a CPU you’d find in a camera (it’s not worse than JPEG encoding really). Especially if you use a CPU with built-in acceleration.
Asymmetric crypto is slower, but x25519 isn’t bad. And it’s only needed to encrypt a symmetric key, which means you can do it long before a photo is taken. The camera could have a bunch of 25519-encrypted AES or Salsa20 keys ready to go in advance (only in memory of course–there could be some lag on bootup or when taking many photos in quick succession, if you want different keys for each photo).
Re: Re: Re:2 The camera could have a bunch of 25519-encrypted AES or Salsa20 keys ready to go in advance
If the key is encrypted, how is the camera supposed to use it to do encryption, exactly?
Re: Re: Re:3 The camera could have a bunch of 25519-encrypted AES or Salsa20 keys ready to go in advance
You’d store them unencrypted—again, only in RAM.
(But hold off on the key-wiping for a minute or so, to give the photographer a chance to review the image.)
Re: Re: Re:4 You'd store them unencrypted—again, only in RAM.
Why store them at all? Why not generate them as needed?
Re: Re: Re:5 You'd store them unencrypted—again, only in RAM.
Sometimes you want to take a burst of photos at 5-10 fps, so ideally the encryption should impact that feature as little as possible.
Re: Re: Re:5 You'd store them unencrypted—again, only in RAM.
An earlier poster was concerned about speed. JPEG compression isn’t free, so there are likely some spare CPU cycles when the camera isn’t compressing.
But premature optimization being the root of all evil, let’s get some numbers:
http://bench.cr.yp.to/results-dh.html
A slow-ish (800 MHz) MIPS CPU takes 509000 cycles (1/1600 s) to generate a curve25519 keypair and another 495000 to generate a 32-byte shared secret. Which means (a) it would be foolish to dismiss the possibility of encryption for performance reasons, without testing, and (b) we should plan to generate the keys as needed, and call the more complex option our “plan B”.
Re: Re: Re:6 You'd store them unencrypted—again, only in RAM.
…which the camera would never need to do, so only the 495kcycle cost applies.
Re: Re: Re:2 Re:
whY NOT CREATE A FORMAT THAT USES ENCRYPTION BUILT INTO THE FORMAT..
yOU ENTER THE CODE AND THE cAMERA, Auto encodes it..
Insted of JPG…it would be JPGE.. your password would be inserted into the JPG encode format.
BUT, the problem is DECODE. THAT part I would require a computer…NOT THE CAMERA.. you cant VIEW or much of anything with the Pics/movie, on the Camera. you would take it/SEND IT to a computer with the DECODE on it..
But no matter what you do..Someone can TAKE THE RAM..which is the problem. They can just destroy it and not worry about anything.
Destroy the camera, and the RAM card is still good, would not be a problem..
Re: Re: Re: Re:
This is a bullshit argument. For starters, encryption doesn’t have to be slow. AES256 encryption, for example, is uncrackable but doesn’t impose any heavy workload; if it did, public safety radios would run their batteries down faster than would be acceptable. For seconders, any storage device, whether it be a camera or a memory card, can do encryption as a background task when resources are available.
Next, you’ll be telling us we can’t have self driving cars because glass gets dirty.
Re: Re: Re:2 encryption doesn't have to be slow
Public/private key encryption is slow. Like thousands of times slower than secret-key encryption.
Re: Re: Re:3 encryption doesn't have to be slow
Does “slow” mean setup time or throughput or both? Remember you’re normally just encrypting a symmetric key (~32 bytes) with the public key algorithm.
Re: Re: Re:4 encryption doesn't have to be slow
Throughput, which is why it has found its niche for key exchange, digital signing, and encrypted emails. All relatively low throughput applications. For documentary and instigative photographers, it could mean that the encrypted photos and videos can only be decrypted after they return home.
Symmetric key encryption of local data has the problem of protecting the key, and in paticular does not protect the data if the device is unlocked when seized.
Re: Re: Re:5 encryption doesn't have to be slow
Except…
$ pgpdump test.asc
Old: Public-Key Encrypted Session Key Packet(tag 1)(524 bytes)
…
New: Symmetrically Encrypted and MDC Packet(tag 18)(8192 bytes) partial start
…
New: (8192 bytes) partial continue
New: (67 bytes) partial end
$
a PGP key is only used to encrypt the symmetric session key. You could use the same symmetric key for several pictures, assuming a proper cipher mode and amenable threat model.
That would be the point, if they want it.
Assuming it’s all encrypted with the same key. Multiple keys can be derived from one password or several, so the keys in RAM might not unlock the whole device.
If I designed a camera I’d use include a deadman’s switch. Maybe accelerometers or something that wraps around your wrist, and wipes the keys from RAM. You could still take pictures in that mode, just not view them.
Re: Re: Re:
That’s all true, but it is possible that it’s still too much of a niche market to deal with, especially with the inevitable support costs, liability for data loss or hacked encryption, etc., that would be incurred among the users who do buy them.
It’s also possible, as suggested elsewhere here, that they’re also trying to work out how to use the encryption as a lock-in to specific applications or some other shenanigans rather than simply giving consumers what they wish. I’d like to say this is unlikely, but some manufacturers do have a somewhat spotty history, at least on the non-camera side where I’m more familiar (e.g. Sony’s usual insistence on proprietary memory formats)
Honestly, I wouldn’t be surprised if the real answer is somewhere between the two – they’re working on something to bring to market but are holding off until either the demand grows to a significant enough level or they have enough backend details worked out until they announce an actual product.
Re: Re: Re: Re:
I’d say camera buyers are pretty locked in anyway. Once you buy a Nikon camera, only Nikon-compatible accessories will work with it, and similarly for all the other brands. If the encryption made it so you couldn’t swap your memory card from your Nikon into your Canon, that probably wouldn’t be a big deal because 1) not that many people have multiple brands of high end camera and 2) you would have memory cards for all of them anyway, and if you’re a serious photographer like a photojournalist, spares as well.
Re: Re: Re:2 Re:
True on the hardware side, what I mean is that added encryption may just encourage locking on the software end as well. You have a Nikon and you like using Affinity to edit your photos? Sorry, they now have an exclusive contract with Adobe, hope you like that monthly creative cloud subscription…
Re: Re: Re:3 Re:
That would also sounds like hard luck if want to use Linux.
Re: Re: Re:3 Re:
Well if they roll their own encryption I wouldn’t want to use it anyway. If they use a standard like AES 256, then you can decrypt the photos anywhere.
Re: Re:
Even amateur photographers may have taken photos of sensitive information, like a passport or (unredacted) boarding pass. And they don’t necessarily realize the steps required to sanitize an SD card that once contained unencrypted sensitive data.
Would prefer that the camera makers not include encryption. If I need my pictures encrypted, I can just pull the sdcard, insert into a laptop or other device and copy/encrypt the pictures. “Only pictures on that camera, Officer, are ones from the wildlife preserve. Totally worth the trip!”
Besides, if camera makers started encrypting pictures, how long before they tried using the DMCA to lock users into a certain brand of photo processing software?
Re: Re:
You forgot "physically destroy the SD card". Or secure-erase, which may or may not be sufficient depending on sector-remapping etc.
If they know how to recover deleted data, now they’ve got you on lying to an officer.
Re: Re:
“Would prefer that the camera makers not include encryption.” In that case there are still a HUGE selection of cameras for you. On the other hand, those who want this feature….. they have zero selection.
Insufficient demand
I’m a former camera store owner and professional photographer. I have NOT ONCE had a customer request an encrypt-able camera, nor ever had a desire for such a feature myself. Granted, I don’t live or work in the third world, and recognize there are those who do. But given the complexity of such a feature, and the extremely small market for it, it’s entirely reasonable that manufacturers show little interest.
Comparatively, there’s probably a hugely larger need for physically rugged laptop computers (industrial use, etc.) and those just barely exist.
On smartphones, I daresay encryption exists much more because customers are concerned about losing their phones and having strangers rummage through them, than they are about the government seizing their party pics.
It will happen when it becomes a request from the porn industry.
Missing the marketing opp
The first company to put encryption on their camera models preferred by journalists wins.
Roadmap: Not dealing with decryption requests from LEOs. Done.
How would this work? Would the pictures be hidden? Or would they get a message saying that the images cannot be opened, please provide password? If it’s the latter then I see them threatening and/or torturing until they get it, or they destroy the card. Then they’ll be in the same boat they are now.
If encryption is important and smart phones have it, why not use them instead?
Not sure encryption will actually solve anything. They seize the camera if unencrypted, they will definitely seize the camera if it is encrypted.
Re: Truecrypt
Remember the Truecrypt model…you don’t necessarily know the device in your hand is in fact encrypted…
Re: Re:
In which case they would have the camera, but (effectively) not the photos. The point is to protect the photos, not the camera. If what you care about is the camera and not the photos, just wipe the memory. Still no guarantees, but there will be nothing interesting to make the border control agent think it’s worth taking.
Re: Re: Re:
No, they’ll have the camera and the photos. They just can’t do anything with them. Remember, the goal here is to get the photos out, which you can’t do when they’re setting in the camera that you can’t get to, or is destroyed.
Re: Re: Re: Re:
Not really. They’ll have the camera and some encrypted data that may as well be random bits.
The goal of the photographer, yes. The goal of the encryption is to keep the photos away from people who are not supposed to see them. That’s all you can ask of it. If you need a way to get photos across a border without exposing them to confiscation by border agents, you need something besides encryption.
Re: Re: Re:2 Re:
Which are the photos. They can’t access them but they are the photo files. Which the photographer wants and no longer has.
So, encryption is useless here and now there stands a mountain where there once was a molehill.
Re: Re: Re:3 Re:
“Which the photographer wants and no longer has.”
…which would have happened anyway, but now they’re in a form in which the authorities can’t use as evidence against the photographer.
That’s kind of the point. If you want a method by which the photographer can still access the photos, you need some kind of file transfer. That’s a different issue to whether or not other people can look at and use the photos, which is the only thing the encryption is intended to prevent.
“So, encryption is useless here”
Yes, so is covering the cameras in peanut butter, and many other things that don’t have the effect you’re pushing for. Encryption will be very good at delivering the thing it does, not anything else.
Re: Re: Re:4 Re:
Re: Re: Re:5 Re:
“My point was the article seems to think that encryption will allow war-photographers to get their evidence out”
I’d read it again if I were you. That’s not the point being made. It’s about stopping the footage getting into the wrong hands and prevent is being seen, not transporting it out of the area. You do have a point about coercion, although you don’t bother to suggest any solution other than telling people that encryption won’t magically do something nobody thinks it will do.
It also mentions a group of actual photographers and filmmakers who are demanding the feature. Have it out with them if you think they’re wrong. You obviously know so much better than they do, at least in your incorrect interpretation of what’s being said.
Re: Re: Re:3 Re:
I guess if you want to split hairs you can say they possess the photos but can’t access them. However, not only do they not have access to them, they can’t even be sure there are photos.
Also I was going to say pretty much what PaulT said, so ditto to that.
Re: Re: Re:4 Re:
A memory card stuck inside a camera! Odds are…
Re: Re: Re:5 Re:
Let’s read it again more carefully. I’ll even add emphasis.
they can’t even be sure there are photos.
Re: Re: Re:6 Re:
Now you’re playing with semantics. Can they be 100% positive? No. Like I said (or left unsaid which is maybe you don’t understand.) Odds are high that a file on a memory card inside a camera is a photo file. Even if you remove the card they’ll see the camera and add two and two.
Re: Re: Re: No, they'll have the camera and the photos.
Just not in a form that they can use as evidence. They can suspect all they like, they can’t prove it.
Re: Re: Re:2 No, they'll have the camera and the photos.
Which does what? Either they see files they can’t access and coerce you to unlock them, then they have the evidence they need, or, Judge Kangaroo cares not for evidence. Either way you’re screwed.
Re: Re: Re:3 No, they'll have the camera and the photos.
“Either way you’re screwed.”
If so, it’s the action of authorities taking the camera that caused that, which is beyond the ability of anything on the camera to prevent.
Workaround time....
there are SD card sized adaptors which take a µSD card (of appropriate size; few seem to take larger than 32GB) and act both as an adaptor for the purposes of the camera, and a Wifi access point for external access to the images.
By using such a card, you can hand over your camera and allow them to “erase” the images from the device, having safely copied them to (say) a pi based device that then uplinks them to the internet….