Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Encryption The Media

Camera Makers Resist Encryption, Despite Warnings From Photographers (zdnet.com) 291

An anonymous reader shares an article from the security editor of ZDNet: A year after photojournalists and filmmakers sent a critical letter to camera makers for failing to add a basic security feature to protect their work from searches and hacking, little progress has been made. The letter, sent in late 2016, called on camera makers to build encryption into their cameras after photojournalists said they face "a variety of threats..." Even when they're out in the field, collecting footage and documenting evidence, reporters have long argued that without encryption, police, the military, and border agents in countries where they work can examine and search their devices. "The consequences can be dire," the letter added.

Although iPhones and Android phones, computers, and instant messengers all come with encryption, camera makers have fallen behind. Not only does encryption protect reported work from prying eyes, it also protects sources -- many of whom put their lives at risk to expose corruption or wrongdoing... The lack of encryption means high-end camera makers are forcing their customers to choose between putting their sources at risk, or relying on encrypted, but less-capable devices, like iPhones. We asked the same camera manufacturers if they plan to add encryption to their cameras -- and if not, why. The short answer: don't expect much any time soon.

This discussion has been archived. No new comments can be posted.

Camera Makers Resist Encryption, Despite Warnings From Photographers

Comments Filter:
  • SD card feature? (Score:3, Interesting)

    by Anonymous Coward on Sunday February 04, 2018 @11:38AM (#56065801)

    not excusing the camera makers here, but couldn't this be designed into an SD card?

    • I don't think SD cards have a whole lot of processing power. I may be wrong.
      • You might be surprised what SD cards can do.
        http://www.toshiba-memory.com/... [toshiba-memory.com]

    • Re:SD card feature? (Score:5, Informative)

      by BronsCon ( 927697 ) <social@bronstrup.com> on Sunday February 04, 2018 @11:50AM (#56065855) Journal
      Why, yes it could [wikipedia.org]. In fact, one of the things that supposedly made SD better than MMC, which it replaced, was this (emphasis mine):

      Cards can protect their contents from erasure or modification, prevent access by non-authorized users, and protect copyrighted content using digital rights management.

      Of course, no implementation that I've come across since the format was released over 18 years ago has implemented that highlighted bit.

      • by kenh ( 9056 )

        There is the eyefi SD card [eyefi.com] that includes a wifi implementation, allowing you to shoot photos from your camera to your smartphone without any interaction, turning your smartphone into a secure, encrypted photo vault, which can sync with a cloud data service.

        • Eye-Fi is pretty much defunct. And I say this as a long time user and previously ardent supporter of that tech.

          I used it all the time to auto-download to a tablet in my backpack.
        • Perhaps a card could have it's functionality oriented in the opposite direction and function based on what it receives. It could self encrypt the data with a resident public key, and play it back so long as it can receive a requested private key via WPA2 connection to an external device (eg your phone). People with phone confiscation worries could use the phone as a fragile conduit to a remote key server.
      • There was an article (likely here) years ago about cameras with digital signing technology built in in order to satisfy evidence chain of custody requirements for police photographers.

        It is odd that these types of features are not available in mass-market devices.

    • Interesting.

      The workaround, for photographers, has to be that if the pictures are sensitive they need to download their pictures to their laptop (or other device) which is encrypted as soon as they leave the photography site.

      ... then take a lot of pictures of the floor, to overwrite the images on the camera's storage...

    • by Entrope ( 68843 )

      The problem is key management. A camera does not have a good way to enter a long password or passphrase, and an SD card is worse. It seems just as feasible to plug the memory card into a laptop (or into an adapter attached to a phone) that can apply whatever encryption the photographer wants.

      A country could, of course, outlaw the use of apps to do that -- but they could, and presumably would, do the same for cameras that incorporate strong encryption.

      • The problem is key management. A camera does not have a good way to enter a long password or passphrase, and an SD card is worse

        This seems like a trivial problem. Have the camera look for a my.key file on the sdcard. If it's there, copy it to onboard and overwrite it on the card. All future pictures are encrypted using the key. Have a button which the user can push to wipe the key from onboard memory.

        • by Immerman ( 2627577 ) on Sunday February 04, 2018 @12:47PM (#56066163)

          You don't even need to do that - use asymmetric encryption and let the my.key file hold only the public encryption key and you can just leave it on the card - it can't be used for decryption, so it doesn't matter who else gets access to it.

          Of course that would mean that you can't review your photos on the camera, but also means that the photos are protected even if someone takes your camera without giving you a chance to push the "wipe" button.

          And really, there's very little need for on-camera reviewing in an evidence-collecting situation - at most you just need to be able to review the just-taken photo to be certain it clearly captures what you intended, and a professional photographer should have the skills and familiarity with their camera to make that unnecessary. Film cameras didn't have *any* on-camera review options, and did the job just fine for decades.

          • Being able to review is a handy feature, though, so it would be a shame to get rid of it completely.

            But your suggestion is a good one, and there's no reason why both encryption schemes couldn't be implemented. Then the user would have the option to decide which scheme to use based on what level of usability/security they need.

          • Encryption could also be built into online photo sync systems like Adobe Creative Cloud, so that encryption would take place when you upload the contents of an SD card to the service using a tablet or phone at the end of a shooting day. By the time you cross a border, all your SD cards can be reformatted in camera (not just erased) and your images are encrypted on a server until you get home. This keeps all of the encryption and decryption off the vulnerable camera.

            • Unless you're trying to get out a country with no internet.

              Maybe you're a journalist in Iran, involved in the recent protests. Iran cut off the internet in entire parts of the country. They also block a lot of sites when you can get access.

              Or maybe Syria?
              Or North Korea?

              • by Teun ( 17872 )
                Or the USofA where all your rights are waved within a significant distance of the international borders?
    • Any such encryption would have to be invisible to the camera in order to work, so the camera would still be able to view the pictures, and this is how anyone would check your pictures anyway.
  • High resolution, more stops of dynamic range, and the ability to use different lenses does. For really high end models, there are a few other things too, like full frame DSLR formats, high frame rates (for shooting sports etc.), the ability to shoot HD video, etc. The vast majority of people shooting with a camera other than the one on their phone (which is already a shrinking market) don't care about encryption (which would slow down their camera even more), so don't expect the Nikons, Canons, and Sonys
    • Correct. Camera companies are in competition to sell cameras. Adding an expensive option that very few people would want to use would just handicap that company in the sales competition.
      • How expensive would it be though? Cameras already have the necessary CPU power to do all sorts of image processing, encryption is no more difficult. All they need to do is load a public key from the SD card and, if in "encrypt mode" use it to encrypt the the photo rather than storing it unmodified on the SD card. Maybe that means it takes 5x longer to store each photo if the CPU is especially weak, but so what? If you're taking photos where encryption is important you should be willing to make compromise

    • by ThomasBHardy ( 827616 ) on Sunday February 04, 2018 @12:12PM (#56065985)

      Agreed. The number of folks who are interested in using encryption on a camera is a very very small slice of the consumer base.

      I've worked as a photographer in a news organization. Even with my time there, never was there any case for encryption. Having the entire camera industry switch to encryption would be having the 1% of actual use cases drive the cost and performance factors for the 99%.

      Lets see one company make a single camera that has encryption. If it sells like hotcakes to news organizations, fine. but I'll be willing to bet that it the sales will be minuscule because it's not a feature that needs to exist for realistic situations.

    • Not only that, but encruption fights those features. Recording more data faster to the card is consisdered a feature (I need to store that higher resolution, extra dnamic range, more frames per second, etc.) Already some cameras require CF cards because SD isn't fast enough. Encryption will invariably slow down the write speed.

  • by JoeyRox ( 2711699 ) on Sunday February 04, 2018 @11:51AM (#56065863)
    If you're a photojournalist leaving a dangerous field assignment then there's a high likelihood you will be stopped and searched. If you hand over your camera and it comes up with a prompt for an encryption password then your camera and its media will be confiscated or destroyed in front of you. There go your photos.

    As for protecting sources, why would you photograph them if you didn't intend to publish the photos anyway, which would still put them in danger?
    • by kobaz ( 107760 ) on Sunday February 04, 2018 @11:55AM (#56065883)

      There go your photos... but then the powers that be can't prove you were taking pictures of the super-secret-government-coverup and hopefully would be less likely to send journalists to a dark hole.

      Think about it... If you were searched by border patrol in a fscked up country and you were taking pictures of things that "no one is supposed to know about". What would you prefer: a smashed camera, or blatant evidence of actions which would definitely put your life in danger.

      • by DigiShaman ( 671371 ) on Sunday February 04, 2018 @11:59AM (#56065911) Homepage

        but then the powers that be can't prove you were taking pictures

        Depends on the host nation. Many don't adhere to the presumption of innocence in law.

      • by mridoni ( 228377 )

        Think about it... If you were searched by border patrol in a fscked up country and you were taking pictures of things that "no one is supposed to know about". What would you prefer: a smashed camera, or blatant evidence of actions which would definitely put your life in danger.

        There's no win-win scenario here, a lot would be riding on the actual situation on the ground, and on the stakes at risk. This is why having the possibility of encryption would be a good thing.

        The reason why we're not having it even on high-end SLRs (after the Nikon encryption fiasco in 2011 and the half-assed attempts years ago by Canon to implement it, along with digital signature) is completely clear: while professionals and their endorsement help to sell a camera (and a brand), they're only a tiny fract

      • What would you prefer: a smashed camera, or blatant evidence of actions which would definitely put your life in danger.

        I'm assuming if you are a journalist with that task then you don't value your safety much in the first place. It's really surprising more don't just end up "missing". Anyhow the best bet in this case is to have a satellite link and dummy photos on your camera. Because I agree with you and xkcd on the security of encryption. [xkcd.com]

    • by davecb ( 6526 )
      Journalists have been aware of this problem since glass-plate cameras: they look for ways to hide their images from passing police, and only have harmless ones to display. Once they get home, they can crop and mask out persons at risk and still show, for example, the violent breakup of a protest by the military.
    • by pots ( 5047349 )
      If they destroy your camera rather than killing you, that's a win. As for protecting sources: sometimes you take pictures with the intention of publishing some of the picture, and redacting the rest. It's very common to blur peoples' faces.
    • Why would the camera ask for an encryption password? Store the public key used to encrypt the photos on the card, and then just completely ignore any encrypted photos when browsing, since it can't decrypt them anyway.

      A professional photographer has no particular need to look at the photos they just took - they didn't even have the option in the film days. It may be convenient for many things, but it's a small convenience to sacrifice to ensure their sources remain safe. Once they get back home, then they

  • by fennec ( 936844 ) on Sunday February 04, 2018 @11:56AM (#56065889)
    It looks like it's possible using Magiclantern open-source firmware for Canon cameras: https://www.magiclantern.fm/fo... [magiclantern.fm]
    • First thing I thought when I read the article.

      I have not tried the encryption functionality, but Magic Lantern rocks.

    • It looks like it's possible using Magiclantern open-source firmware for Canon cameras: https://www.magiclantern.fm/fo... [magiclantern.fm]

      Interesting. But it should be pointed out that the implementation is very badly done from a security perspective. I only spent a few minutes looking at it and found several showstoppers in both design and implementation. Among them:

      1. The basic file encryption algorithm is a stream cipher construction using a simple LFSR as the stream generator. This is almost certainly trivial to break; standard LFSRs are in no way designed for cryptographic security. I suspect the LFSR was used for performance, and I'm sure it does in fact perform much better than, say, AES in CTR mode (where AES is used to generate a bitstream XORed with the plaintext in the same way the LFSR output is). While no good stream cipher is likely to match the LFSR performance, there are several that would provide moderate performance and high security, such as ChaCha20 -- or perhaps even a reduced-round variant like ChaCha12 or even Salsa20/12.

      Note that someone has contributed an XTEA implementation which is much better, security-wise, than the LFSR but actually slower than AES. If you're going to do that, just use AES.

      2. Even if the LFSR-based encryption algorithm were good, it uses 64-bit keys, which is just too small. Oddly enough, when you use the provided RSA mode for asymmetric write-only encryption (decryption can only be done on your PC), the author seems to recommend a 4096-bit RSA key size, which is roughly equivalent to a ~160-bit symmetric encryption key, and which is quite slow. It makes no sense to use such a huge, slow RSA key to protect small symmetric keys.

      3. Password hashing uses the same LFSR plus some shifting and masking. Almost certainly insecure, and there's really no reason at all not to use a good password hashing algorithm like Argon2, or at least scrypt.

      4. In asymmetric mode, the code appears to use random padding for RSA operations. There are really good reasons for the PKCS#1 v1.5 and RSA-OAEP padding modes that are normally used. It's possible that a very careful analysis of this implementation may show that under certain operational assumptions random padding is okay... but I seriously doubt that any such careful analysis has been done. I would never bother doing anything of the sort and would simply use OAEP. (Or, better yet, avoid RSA and instead use an elliptic curve algorithm -- less tricky to use correctly, faster, smaller keys and even the provides possibility to derive keys from passwords. There's really no reason to use RSA for anything anymore unless you have to interoperate with legacy infrastructure that already uses it.)

      5. RSA key generation is done on-device, with the private key written to the SD card, then later deleted. You can't actually delete things from SD cards, not with any confidence. Much better to do keygen off device so only the public key ever exists on the SD.

      6. A glance at the RSA key generation code throws up a number of red flags. I suspect the key generation is buggy.

      7. I didn't find the random number generator, but given all of the above, I'd be shocked to find that it's actually good. A bad RNG can easily destroy the security of the best cryptographic design.

      When I get some time (ha!) I'm going to see if I can get ML running on my 70D and hack together a better version, using Curve25519 ECDH and ChaCha20 with 128-bit keys, with asymmetric keygen done off-device, and a decent PRNG plus the best seeding mechanism available. To make it more usable, I'll see if I can keep the last few dozen per-file keys in RAM, which will allow the photographer to look at the images on the camera, until the camera is turned off. More paranoid users should be able to disable the retention of keys in RAM.

      Sounds like a fun project. One which I may or may not get to before 2025 or so...

  • Sure, it'd be a useful feature for a small number of people, but the vast majority of users of high end cameras (and there aren't that many) wouldn't need it. And doing it this would either require a special encryption chip, increasing the cost for all users, or would be so terribly so that it would make the camera effectively unusable.

    • by Entrope ( 68843 )

      This would not require a special encryption chip. Most high-end cameras are built with ASICs that are designed by the manufacturer. There is an extensive market of reusable logic cores, including ones that perform encryption and decryption, that can be integrated into an ASIC. Most modern encryption algorithms are designed to need very little in terms of hardware resources, so it should not significantly increase the size of the ASICs in question.

  • They exist (Score:4, Insightful)

    by hcs_$reboot ( 1536101 ) on Sunday February 04, 2018 @11:59AM (#56065913)
    still, they're called film cameras. Nobody can see the pictures before the film is processed, and good luck to find a shop that still processes films nowadays.
  • by AndyKron ( 937105 ) on Sunday February 04, 2018 @12:05PM (#56065941)
    If you're not doing anything wrong you shouldn't have anything to worry about. Don't you hate it when people say that?
  • It's not just encryption that cameras need, they also need a cryptographic signature to indicate that the image it took is fresh from the camera and has not been edited since the photo was taken. (Obviously this can be defeated by photographing a photoshopped image, but still...)

  • by kenh ( 9056 ) on Sunday February 04, 2018 @12:09PM (#56065971) Homepage Journal

    The lack of encryption means high-end camera makers are forcing their customers to choose between putting their sources at risk, or relying on encrypted, but less-capable devices, like iPhones.

    Or, you know, pulling the memory card out of the camera and hiding it.

    I've seen wifi SD cards for cameras [eyefi.com], so it should be easy to have your high-end camera send it's pictures to your smart phone, tablet, etc. as soon as you take it, then the photojournalist can simply delete the local copy on the camera. when your camera is searched, no images are found, they are all on your secure, encrypted smartphone, and who knows, maybe the smartphone could sync with a cloud service to get the images out of the region moments after captured?

    • Given the remoteness of most of these regions, and that RAWs can be upwards of 50MB each, I don't think a phone's data connection would cut it.

      Syncing via WiFi to another device could be an option, depending on the scenario, but it's relatively battery intensive so it requires preparation & knowledge of exactly when you're going to shoot. Not so great for journalists travelling in remote regions, often off-the-grid, who need to be able to whip out their camera at a moment's notice.

  • Have your camera connected to your smart phone via an SD Wifi adapter. Automatically transfer the photos and delete them on the camera as they are taken.
    • You'd still need to actually wipe the camera - deleting typically only mangles the filename. And without hardware support, reliably wiping requires completely filling the card with other images - and even that may not do it if the flash storage is over-provisioned so that it can maintain its capacity as flash cells begin to fail (I have no idea if that's common with SD cards, but it's standard procedure for SSDs)

      • by ceoyoyo ( 59147 )

        An SD card doesn't technically have to have any memory at all. For the paranoid, make one that's just a wifi transmitter.

  • by stevegee58 ( 1179505 ) on Sunday February 04, 2018 @12:33PM (#56066085) Journal
    Good luck when you're stopped by the police/military in some shit-hole country. Encrypted files? No problem, just beat them until they decrypt.
    • Good luck when you're stopped by the police/military in some shit-hole country. Encrypted files? No problem, just beat them until they decrypt.

      Don't you know its racist to call countries where the police beat would-be free press photographers "shit-holes"?

  • Canon offers a kit that includes an encrypted SD and flash drive. There are also a bunch of hackers around that do anything from running Arkanoid to implementing zlib on their dSLR camera. There are options, a bit of research and/or a knowledgeable it staff would help them more than bitching at the manufacturers.

  • You want a niche feature that would be detrimental or confusing to most users. An average photographer's nightmare is losing an amazing shot and encryption is likely to screw up any recovery attempts. Others would get in more trouble because of encryption than because of actual photos. Sounds like a good case for a Kickstarter project to make an Android-based camera where you can use a photo app that suits your specific needs. If there is mobile data, you would ideally upload shots to your studio and the se

  • OK, so you're in a country where they're suspicious of photographers. A cop comes up and asks to see what's in your camera. Sure, you say, and let him download your files. Oh, I see they're encrypted, he says...well, thank you for your time. Right?

    • Exactly. This is why camera makers haven't bothered.
    • by Zocalo ( 252965 )
      The idea is that you load the public key that will be used to encrypt the images on the camera and you leave the private key back home. This is all fully documented by the camera manufacturer so that if the photographer gets challenged to decrypt the images it's easy to establish that they can't actually do that and there's no point in getting out the rubber hose. Ideally there would also be some options for having unencrypted images on the card and simply hiding the encrypted ones from the image review i
    • Wrong. They will ask for you to decrypt them, and when you don't, you go to jail.

  • Every human endeavor can be used for both good and evil. In this case, those who are arguing for protection against a government agency looking at the contents of the cameras are ignoring the fact that the cameras can be used for illegal purposes.

  • by ka9dgx ( 72702 )

    WTF? If some authority can't browse the photos in your devices, they will simply seize the devices. Encryption isn't going to help you there.

    Adding a digital signature, created by the camera before compression, etc.. to an image, would be a much better value add. This could help assure that images aren't tampered with after they are taken. Heck, my name is even on one of those patents, though I wouldn't get any $ from it.

Karl's version of Parkinson's Law: Work expands to exceed the time alloted it.