
Filmmakers Ask Nikon and Canon to Sell Encrypted Cameras - SonicSoul
https://www.wired.com/2016/12/200-filmmakers-ask-nikon-canon-sell-encrypted-cameras/
======
jfindley
I'm not certain this has been thought through sufficiently. If an organization
is in a position to confiscate the camera from a journalist, they're almost
certainly ALSO in a position to extract the encryption password from the
journalist.

It would be far better if the cameras automatically uploaded these photos[0],
and could be configured to upload them somewhere outside of hostile reach,
such as servers owned by the magazine/paper they work for.

A side issue is that being able to prove authenticity would be valuable, as
the issue of faked news/images becomes more visible in the eyes of the general
public. Having some sort of GPG signing of (image + gps time + gps position)
would be valuable, although establishing the trust chain in practice would be
quite difficult and requires some serious thought.

0: Yes, there's a question of how you get internet access in places such as
the middle of a warzone, but something generic like wifi would allow
individual papers to provide something like a satellite wifi bridge to enable
uploads regardless of location (although the cost would obviously be large).

~~~
yason
One-way encryption to a private key which is kept overseas back home. None of
the data can be decrypted on foreign ground no matter what the authorities
demand. Automatically upload data home over a secure link when there's a
connection.

~~~
Cerium
We should be able to implement that on the SD card level. We could also make
it selective and hide encrypted photos from the camera so there is no evidence
that the system is in place.

For example: after attempting to delete an image the next image is stored
unencrypted. That way you can take pictures of non sensitive targets and build
a false trail alongside the shadow encrypted images. When a camera is
inspected scrolling through the image viewer will look normal.

~~~
bitJericho
Simpler, store two images, one encrypted, one not. You can only review and
delete the unencrypted one. Your decrypter back at home could automatically
remove the deleted images so you don't have to review as much if there were no
problems.

~~~
scott_karana
Good idea for most cases!

Concealing ALL photos will still need to be an option for some, though:
plausible deniability of "did you take pictures of X" when questioned :)

------
devb
Could this be accomplished at the storage level instead of at the camera
level? Could an SD card have an onboard encryption engine? We have cards with
built-in wifi already.

~~~
heartbreak
We also have professional cameras that can be tethered to a laptop and record
directly to the encrypted disk. Encrypted camera storage sounds cool, but the
filmmaker of Citizen Four could have just tethered to her MacBook.

~~~
falcolas
But it wouldn't be locked out until the MacBook was shut down. Until then, the
keys would be available in memory, and effectively unencrypted. Not much
protection against immediate physical seizure.

~~~
cuckcuckspruce
Standard procedure here would be to have the computer plugged into AC power
with no battery so you can yank the power the moment anything remotely like a
raid to seize happens.

~~~
falcolas
How do you do this with something without a removable battery, like your
average (modern) macbook?

~~~
cuckcuckspruce
Obviously, you wouldn't do this on a Macbook, and not just because the battery
is not removable.

IIRC FileVault stores a "forgot my disk" password with iCloud, which is likely
subject to subpoena. That assumes there's no law enforcement/nation-state
investigative service backdoor in FileVault. The built-in, OS level disk
encryption is likely insufficient, so why use a Mac at all here?

You could just offboard the footage to a machine running a Free version of
Linux running LUKS and then after shooting and in a secure location and manner
give the files to somebody to do the video editing on the Mac.

~~~
Bud
No, that's not correct. FileVault does not store any password with iCloud
unless you tell it to. Otherwise, it generates a 24-character password that
you have to write down, and that is the only key, other than the user's
password, of course.

The disk encryption is actually quite adequate on a Mac.

We also have no evidence of any backdoors in the encryption in Apple products,
and quite a bit of recent evidence that there are no such backdoors.

~~~
cuckcuckspruce
Take a look at Snowden, Poitras, and Greenwald's communications and the
recording of the footage for Citizenfour as an example here.

They had all already stopped relying on any closed system to keep their
communications secure. They were all using Tails to communicate through Tor
without leaving a minimal unencrypted footprint. At the point where you are
relying on Tor to communicate and are explicitly using Tails to keep your
communication secret then why would you start relying on a Macbook, running a
proprietary OS, with non-open crypto, to hold your secrets if you're already
scared the neo-Stasi are going to break down the door and steal your unlocked,
decrypted Linux machine that you have all of the trust in the world in? For
that reason alone you would skip the Mac.

------
jdfellow
How about an SD card into which a SmartCard, the size of a micro SIM card, can
be inserted? The SmartCard holds a public key, and any files written to the SD
card are signed and encrypted using that public key. Decrypting the files
would be accomplished with the corresponding private key which is kept
separate on a different hardware device and using a PC.

~~~
teh_klev
I don't think you need new hardware for this. Just a place you can drop your
public key on the camera.

[edit] But then I hadn't thought about legacy devices.

Minor nitpick:

 _signed and encrypted using that public key_

You don't sign things with a public key, it's your private key you sign with.

~~~
sirclueless
Re: your nitpick.

It's true that TLS as implemented on the internet encrypts with a private key
and decrypts with a public key, but this is not universal. Encrypted PGP
communications, for example, work the opposite way.

Encrypting with a public key is a common technique if you want to ensure that
only one person or device can decrypt it, which is what is desired here. It
doesn't prove authenticity, unless you also sign the message with your own
private key, but that's not the goal -- protection of the message from
unwanted actors (and yourself even under compulsion) is the goal.

~~~
teh_klev
I wasn't mentioning this nitpick from a TLS point of view, I raised it as a
PGP thing which is more likely to be the use-case per the point of the
article.

------
peterbonney
This is a great idea for the public good, but unfortunately there just isn't
much economic imperative for the camera companies to invest in it. Security-
sensitive filmmakers and journalists represent a vanishingly small niche, not
a meaningful market. For the rest of users, photos taken on stand-alone
cameras are generally meant to be shared, not strongly protected, meaning
encryption is at best a "nice to have" not a "need to have" or perhaps even a
"want to have". And _that_ means that if it comes at the price of even a tiny
degree of inconvenience, consumers will refuse it.

Having said that, it's not inconceivable that camera makers can solve this
problem (a) cheaply and (b) in a way that is "off by default" for most
consumers but available if needed. But I'm not holding my breath.

I think it's far more likely that we'll see the quality of phone photo/video
quality become "good enough" for security-sensitive users to abandon
standalone cameras entirely than that we'll see camera encryption catch up in
the other direction.

~~~
anigbrowl
Yes, but the market for high end cameras is an incredibly small niche anyway -
small enough that it's not that hard for buyers to have direct contact with
business decision makers. If Canon/Nikon won't do it, someone like BlackMagic
will.

~~~
Joeboy
There's also (possibly) the Axiom open source camera, if it ever sees the
light of day.

~~~
anigbrowl
I highly doubt it will - developing cameras for professional use is fairly
capital-intensive and commercial offerings have such a huge head start that
the open source proposition isn't very compelling to cinematographers. The
best camera is the one you have in your hands right now, not the one that
sounds like it would be great in the future. Even Red camera almost choked on
its own hype about the Scarlet and had to do a marketing pivot to get into the
mid-price bracket.

Ultimately, people drop thousands on a pro camera in order to shoot beautiful
pictures, not because they want to write their firmware, so you have a
chicken-and-egg situation. And while a few people do write amazing firmware -
Magic Lantern being an excellent example - that's a liability on a commercial
shoot. I might use ML on an art or micro/no-budget project, but as a producer
I'd probably nix the idea; you absolutely don't want to be locked into
someone's quirky personal workflow to the extent that you can't fire them if
they turn out to be shitty photographers or hard to work with on set.

~~~
Joeboy
I dunno, everything looks like vapourware until it exists. For the time being
I think they're supported by EU funds and they do still seem to be making
progress. I would not bet my house on it appearing though.

Of course not many people are going to literally write their own firmware, but
I can see it being compelling to be able to expand your range of codecs, LUTs
etc in a relatively cheap camera, and not have to put up with what the
manufacturer thought you'd like.

As for ML, I think it's unlikely to destroy your shoot if you stick to the
basics like the focusing and exposure tools (I forget what it actually offers
tbh). RAW and more experimental features are probably a bad idea on anything
serious, but then so is using a consumer Canon camera.

~~~
anigbrowl
Agreed with everything, but bear in mind that producers are basically business
managers; they're not that interested in the technical arguments but in
minimizing their liability towards investors if things go bad on a project.
Every producer I've ever worked with has been very conservative about
innovating on workflow or depending on anything too non-standard because they
don't want to be held hostage to any individual crew member, and workflow
problems have killed many a project in post-production.

------
chaz6
This is already possible on Samsung NX series cameras
[https://sites.google.com/site/nxcryptophotography/](https://sites.google.com/site/nxcryptophotography/)

------
tombrossman
Interesting discussion of this idea on the Stack Exchange photo site (from
2013): [https://photo.stackexchange.com/questions/33902/do-any-dslrs...](https://photo.stackexchange.com/questions/33902/do-any-dslrs-offer-in-camera-file-encryption)

------
rlpb
Free Software extensions for cameras such as Magic Lantern
[http://www.magiclantern.fm/](http://www.magiclantern.fm/) exist. I wonder if
it's possible to add encryption support there, before images are written to
the SD card?

~~~
Joeboy
Maybe, but I think the cameras are already working at full tilt just to encode
the file. Also I don't think you can run ML on anything professional, and
Canon's consumer range are increasingly poor value for video.

~~~
dom0
They'd have to add at least an AES engine to the chips, but that's really not
a big factor in terms of transistors or power usage. (Although, if they're
using some ARM cores somewhere, they _probably_ already have one or two of
these lying around).

~~~
Joeboy
We're talking about Magic Lantern, which is a third party firmware hack that's
not supported by Canon, so they can't do anything to the hardware. I suppose
it _is_ possible the processor accidentally supports some encryption
primitive(s).

------
kfreds
I'm developing a solution to this problem.

Longer version: Since I last posted about this on HN (check my comment
history), I put the project on ice, and then started it again a year ago.

Follow @ZifraTech on Twitter for more information. Our website (zifra.tech) is
not up yet.

~~~
notyourwork
It's nice that you are promoting your project but instead of a clickbait title
to encourage traffic to your site it would be helpful to add a few details
here as to what the project is.

~~~
kfreds
Fair enough :)

The product looks and feels like a memory card, and identifies as such to a
laptop, camera, dictaphone, or other device.

The biggest functional difference is that all files written to the card are
automatically encrypted on-the-fly. Files written during the same session can
be read back by the host device (decrypted on-the-fly). As soon as the card is
removed from the host, or the power is turned off, all files are hidden and
unreadable until decrypted by a private key, which is intended to be stored
elsewhere, for instance the user's laptop.

The crypto primitives used are Curve25519 and ChaCha20.
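
The "one-way encryption to a key kept at home" idea from earlier in the thread and the card described above both amount to sealing each file to a public key whose private half is somewhere else. The sketch below is an added example, not Zifra's code or file format, and it does not model the card's in-session read-back. It assumes the Python `cryptography` package; the HKDF-SHA256 step, the Poly1305 tag, the blob layout and every function name are assumptions.

```python
# Added illustration; not the Zifra firmware or its on-card format.
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.x25519 import (
    X25519PrivateKey, X25519PublicKey)
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

INFO = b"example-camera-seal-v1"   # hypothetical context label
NONCE = b"\x00" * 12               # safe only because every file gets its own key


def raw_pub(public_key):
    """32-byte raw encoding of an X25519 public key."""
    return public_key.public_bytes(Encoding.Raw, PublicFormat.Raw)


def new_home_keypair():
    """Generated at home; only the public bytes travel with the camera."""
    priv = X25519PrivateKey.generate()
    return priv, raw_pub(priv.public_key())


def file_key(shared, eph_pub, home_pub):
    # Salt with both public keys so the key is bound to this sender/recipient pair.
    return HKDF(algorithm=hashes.SHA256(), length=32,
                salt=eph_pub + home_pub, info=INFO).derive(shared)


def seal(home_pub, name, data):
    """Camera/card side: holds the home PUBLIC key and nothing else."""
    eph = X25519PrivateKey.generate()          # fresh per file, dropped on return
    eph_pub = raw_pub(eph.public_key())
    shared = eph.exchange(X25519PublicKey.from_public_bytes(home_pub))
    key = file_key(shared, eph_pub, home_pub)
    # The file name is authenticated (not encrypted) so blobs cannot be swapped.
    return eph_pub + ChaCha20Poly1305(key).encrypt(NONCE, data, name)


def open_sealed(home_priv, name, blob):
    """Home side: the only place the private key exists."""
    eph_pub, ct = blob[:32], blob[32:]
    shared = home_priv.exchange(X25519PublicKey.from_public_bytes(eph_pub))
    key = file_key(shared, eph_pub, raw_pub(home_priv.public_key()))
    return ChaCha20Poly1305(key).decrypt(NONCE, ct, name)


def try_open(home_priv, name, blob):
    """Like open_sealed, but returns None when authentication fails."""
    try:
        return open_sealed(home_priv, name, blob)
    except InvalidTag:
        return None


if __name__ == "__main__":
    priv, pub = new_home_keypair()
    frame = b"constructed sample frame bytes"          # constructed input
    blob = seal(pub, b"IMG_0001.JPG", frame)
    print(len(blob), open_sealed(priv, b"IMG_0001.JPG", blob) == frame)
```

Once `seal` returns, nothing left on the device can recompute the file key, which is the property being asked for in this thread.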

------
mobitar
If you're starting a new startup, it's now honestly unacceptable to not have
encryption come standard.

I'm building an open standard for encryption and ownership of notes. Would
love any feedback/help.

See [https://standardnotes.org](https://standardnotes.org) for the full spec.
Or follow along @standardnotes on Twitter.

If you'd like to contribute, ping me.

~~~
nawtacawp
"Encryption keys are generated by stretching the user's input password using
PBKDF2. The resulting 512 bit key is then split in two - the first half is
sent to the server as the user's password, and the second half is saved
locally as the user's master encryption key. This way, the server can never
calculate the encryption key."

Can you link to the class on your github for this?

~~~
mobitar
It's handled by the client: [https://github.com/neeto-project/neeto-web-client/blob/maste...](https://github.com/neeto-project/neeto-web-client/blob/master/app/assets/javascripts/app/services/helpers/crypto.js#L29)

I'm transitioning from using a standard of 3000 iterations of PBKDF2 to a
variable amount per user (CryptoJS can't handle more than 3000, WebCrypto can,
not universal yet though)
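
The key-splitting scheme quoted above, as an added Python example (not the Standard Notes or neeto client code). The per-user salt, PBKDF2-HMAC-SHA512, the server-side SHA-256 of the first half and all names are assumptions; the 512-bit output, the two-way split and the 3000 iterations come from the thread.

```python
# Added illustration of "stretch, split, send one half"; standard library only.
import hashlib
import hmac
import os

ITERATIONS = 3000   # figure quoted in the thread; current guidance is far higher
KEY_BYTES = 64      # 512 bits, split into two 256-bit halves


def derive_halves(password, salt, iterations=ITERATIONS):
    """Client side: returns (server_password, master_key).

    SHA-512 yields all 64 bytes from a single PBKDF2 block, so neither half
    is cheaper to compute than the other.
    """
    out = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                              salt, iterations, dklen=KEY_BYTES)
    return out[:32], out[32:]


class Server:
    """Stores only salt, iteration count and a hash of the first half."""

    def __init__(self):
        self.accounts = {}

    def register(self, user, salt, iterations, server_password):
        # Hash again so a leaked table does not contain usable login tokens.
        verifier = hashlib.sha256(server_password).digest()
        self.accounts[user] = (salt, iterations, verifier)

    def params(self, user):
        salt, iterations, _ = self.accounts[user]
        return salt, iterations

    def login(self, user, server_password):
        verifier = self.accounts[user][2]
        candidate = hashlib.sha256(server_password).digest()
        return hmac.compare_digest(verifier, candidate)


def client_register(server, user, password):
    salt = os.urandom(16)
    server_password, master_key = derive_halves(password, salt)
    server.register(user, salt, ITERATIONS, server_password)
    return master_key            # stays on the client


def client_login(server, user, password):
    """A second device: fetch parameters, re-derive, authenticate."""
    salt, iterations = server.params(user)
    server_password, master_key = derive_halves(password, salt, iterations)
    return master_key if server.login(user, server_password) else None


if __name__ == "__main__":
    srv = Server()
    mk = client_register(srv, "alice@example.org", "constructed passphrase")
    print(client_login(srv, "alice@example.org", "constructed passphrase") == mk)
```

The server never receives the second half, but its stored verifier is still a function of the password, so the master key is only as hard to recover from a leaked record as the password and the iteration count make it.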

------
attilak
Well with many cameras people usually record 4k video to an external device,
connected to the video output of the camera anyway (like Atomos Shogun).
Adding an encryption to this external device might be a better approach.

And also as mentioned before, just recording to an encrypted macbook or any
other laptop might also work already, just the size might be a problem.

------
tn13
Sounds like a bad bad idea to me. When authorities realize that you have
outwitted them they are going to beat you up, torture you or simply kill you.
In countries like Pakistan, Turkey, India or China your body might later be
found floating in some gutter somewhere. A better idea would be to simply hand
over the camera to cops and save your skin.

There are two strategies of surrender when a defeat is imminent.

Political surrender: You fight till your last breath and make it difficult for
the other party to win.

Military surrender: When defeat is imminent it makes sense to surrender
without a fight and cut needless losses.

I think journalists when confronted with a certain defeat must embrace the
second type of surrender instead of the first.

~~~
brokenmachine
The whole point is to use technological means so the situation is not "certain
defeat".

There have been many great options presented in these comments for
hiding/exfiltrating/locking the data.

------
chris_overseas
Magic Lantern has had some support for this for a while now:
[http://www.magiclantern.fm/forum/index.php?topic=10279.0](http://www.magiclantern.fm/forum/index.php?topic=10279.0)

~~~
Joeboy
It's mentioned in the article and elsewhere in this thread. It looks to be
just for stills, as well as being "old, experimental, somewhat faffy, and a
bit buggy" according to another poster here.

------
ARothfusz
I wonder if, while they're adding encryption, they could also add user-
controllable DRM. That way when you post a photo or video, you can specify the
rights of (and prices for) those who download it. One of the things that's
always felt evil about DRM to me is that it currently only protects the big
guys. What if DRM could protect (and pay) everyone who creates content? So we
have no more of this: [https://www.theguardian.com/media/2009/jun/11/smith-family-p...](https://www.theguardian.com/media/2009/jun/11/smith-family-photo-czech-advertisement)

~~~
sowbug
That's not really DRM. At best it's DRE (digital rights expression, a term I
just made up). DRM controls the computer showing the content.

The problem with the idea is that it works only if every single photo/video
player in the world agrees to respect the metadata in the file, _in spite of
the wishes of the owner of the computer running the player_. Be careful what
you ask for.

In theory, adding a copyright notice to EXIF is just as effective -- though
everything is already legally copyrighted the moment it's fixed in a medium,
regardless of notice. So you already have what you're asking for, and you can
see how well it's working.

See also RFC 3514.

~~~
tormeh
That's a strawman. The classic DRM solution is to create a new format with
some secret knowledge required to play it. Only players that respect the
metadata are given the secret required to support the codec.

------
mahyarm
If you want to circumvent the adblock blocker, just disable js for their
webpage. uMatrix is a useful extension for that.

------
zczc
The solution already exists: there are Android-based cameras like Samsung
Galaxy NX which can use encrypted camera apps for Android with nice sensor and
lenses.

~~~
mayaa
Professionals seldom use cameras other than the main Japanese brands.

------
bluesign
I think with custom firmware on camera[1] it can be possible, although would
be hard.

Also there is an option for custom firmware on SD card [2] but probably kills
the speed too much.

[1] [http://chdk.wikia.com/wiki/CHDK_in_Brief](http://chdk.wikia.com/wiki/CHDK_in_Brief)
[2] [http://hackaday.com/2013/12/29/hacking-sd-card-flash-memory-...](http://hackaday.com/2013/12/29/hacking-sd-card-flash-memory-controllers/)

------
pjc50
Next week: NSA Demands Back Door To Encrypted Cameras.

Ironically I think the best way of getting this actually built would be to
sell it as in-camera DRM. The requirement - no viewing without authorization -
is almost identical.

This kind of thing is a very tricky use case, because suddenly the camera is a
safety-critical device. That is, if people are relying on their software to
encrypt images, they may take photos that if revealed to the wrong people at
the wrong time may get them killed.

------
squarefoot
They should also provide a way to upload the media in a safe place while
keeping some non trivial photos previously tagged as innocuous on a visible
partition so that there is some form of plausible deniability. An empty memory
card would immediately raise alerts, as probably would do one containing
nothing but kitten images.

------
wtk
To piggyback this topic - I think cameras should feature an equivalent of
iCloud lock. These are things worth thousands of dollars, and are dead easy to
sell on once stolen. I would sign a petition that would convince camera makers
to add a theft protection like above. Am I missing something here? The same
should go for expensive lenses that should have a coded list of bodies they
are permitted to work with.

~~~
3pt14159
My friend went to Washington DC for a vacation and got mugged with a gun. The
muggers made her enter her iCloud password (which she was having trouble
remembering) so they could turn off the "find my iPhone" feature so they could
sell the iPhone. When she stumbled for the second time, one of the two guys
said "let's just shoot her and get out of here" the implication being that by
the time the cops had come they would have offloaded the iPhone to someone
else.

Thankfully she entered it correctly the third time, but it kinda changed my
opinion on remote bricking. I don't want someone to want to kill me just so
they can make $400 before I can brick the device.

~~~
wtk
In such a scenario you should be able to have a secondary password. Once you
type it in, your phone unlocks but is also getting flagged (should look
exactly like normal unlock). I know it would be a scary thing when you're at
gunpoint..

~~~
3pt14159
The whole experience is just too real for me. Fuck up your password = death.
I'd rather just have my thumbprint or something I can't screw up unlock it
easily.

------
alrs
Canon cameras already have ethernet ports. I'd much rather the camera support
iSCSI so that I can mount a network block device and save to that. I wouldn't
trust any consumer electronics crypto support.

The form factor of an embedded Linux box with an Ethernet port, an SSD, and a
hardware power switch would be pretty tiny. It could be done in the shape of
an autowinder.

------
zdw
What's the point of encrypting a video data stream if it's going to local
storage that could be destroyed or taken by someone else, effectively
depriving whoever shot the video of the footage?

Making encryption happen in the camera seems like solving the wrong problem -
you really want to exfiltrate to secondary, offsite storage at high speed in a
secure manner.

~~~
vidarh
Sometimes not being caught having the video is more important than for the
video to survive. E.g. you might lose the story but keep your life.

------
rbcgerard
Seems like it would also make it really hard to view your photos - i.e. What
happens to that little screen on the camera?

~~~
peterbonney
Not necessarily - my iPhone is encrypted by default and yet still manages to
show me a photo after I take it. Just like an encrypted phone (or any
encrypted device), an encrypted camera would simply have to have a
locked/unlocked state.

~~~
rbcgerard
True, but password entry on a camera seems like a cumbersome process
(especially for a strong password), and a bio-metric lock doesn't seem very
useful in the situation where you are in custody with your camera.

Edit: maybe the solution is a "panic button" assumes everything is fine until
you press it, at which point it locks everything down until it's opened by some
much more cumbersome means

~~~
peterbonney
Yes, something like that is one plausible solution - people who care can e.g.
map one of the function keys on their dSLR to perform this task, and no one
else will be affected.

------
alabamamike
I've seen self encrypting SSDs, and I'm wondering why SD Cards with hardware
encryption aren't already available. Is there a technical limitation that
would render it impossible to build a storage card that has the ability to
encrypt/decrypt data transparently to the device it is installed in?

------
iansowinski
I think some kind of hidden, backup card slot would be also great feature for
a number of photojournalists

~~~
mayaa
When they tear the camera down to find a hidden SD card, it's even harder to
explain your innocence.

------
cbhl
Why don't these filmmakers just use an iPhone to shoot their documentaries
instead?

~~~
darrelld
iPhones have come a long way and can stand in for a DSLR in some cases, but
not every filmmaker will be able to use an iPhone for their artistic vision

------
jijji
Most of the Android/iOS devices that are out there have had this capability
for many years. Typical resolutions of 16 - 41 megapixel are common today. Why
not use these cameras?

~~~
vorpalhex
There's a huge difference in quality between a $200 smartphone and a $6,000
high end DSLR camera.

~~~
jpablo
Not just image quality. But just very different capabilities, like super
telephoto lenses, ultra wide, instant focus, accurate focus tracking, easy
manual exposure, external flash sync and the list goes on and on.

