Can Spyware Be Stopped?

Dispatches from our founder
This Week
Hello, friends,
You may not believe me when I say this, but every year, spies and cops from governments around the world gather at a secretive trade show known as the “Wiretappers Ball.” There they buy spyware, surveillance software and hacking tools they use in spycraft and often on their own citizens.
I first encountered the market for off-the-shelf surveillance software in 2011, when my team at The Wall Street Journal obtained the marketing brochures for companies exhibiting their wares at the roving trade show in Washington, D.C. 
We compiled more than 200 documents in a Surveillance Catalog that showcased the hacking tools that enable governments to break into people’s computers and cellphones, and “massive intercept” gear that can gather all internet communications in a country. 
And the software being peddled has only gotten more invasive since then. The poster child of this new hacking-for-hire industry is an Israeli firm called NSO Group, which was found last year to have distributed an alarming new type of spyware called Pegasus that could infect a user’s phone without any action taken by the user. 
Previously, to infect a user’s phone with spyware, a company would need to trick a user into clicking on a malicious link or downloading a malicious file. This so-called “zero-click” spyware was even creepier. Apple immediately issued a patch to fix the flaw that Pegasus was exploiting and sued NSO Group, but there is no doubt that the emergence of the zero-click has ratcheted up the surveillance arms race.
To understand the spyware landscape and what can be done about it, I turned this week to the world’s best spyware hunter, Ron Deibert, director of the Citizen Lab at the Munk School of Global Affairs and Public Policy at the University of Toronto. Citizen Lab is the leading forensic research lab investigating and identifying new strains of spyware, including Pegasus.
Deibert has overseen and been a contributing author to more than 120 research reports covering cyber espionage, commercial spyware, internet censorship, and human rights. He is the author of several books, including “Reset: Reclaiming the Internet for Civil Society,” and won the 2021 Shaughnessy Cohen Prize for Political Writing.
My interview with Deibert is below, edited for brevity and clarity.
Ron Deibert
Angwin: Could you start at the very beginning, with the origin story of Citizen Lab?
Deibert: I’m a political scientist, and my area of expertise, when I did my Ph.D., was information technology and international security. Around 1999 or 2000, I was contacted by the Ford Foundation—actually it was Anthony Romero, who was a program officer at the time—and they were looking to “field build,” as they call it, in precisely this area. So I put together a proposal for the Citizen Lab. 
I had this idea for some time of creating a kind of watchdog that would be based in the university that would appropriate methods from computer science and engineering. I knew we could gather data directly from the internet in a way that would uncover threats to human rights. 
Originally, it was mostly focused on internet censorship, but I was also interested in surveillance, which I thought would be a much more difficult challenge. But the idea from the very beginning was to have this university-based, evidence-based research watchdog and to employ a mixture of methods. 
Angwin: This was before a lot of people were thinking about these issues. What sparked your interest in it? What were you seeing in the world that made you think this was needed?
Deibert: During my time as a graduate student, I was contracted by the Canadian Foreign Affairs Department to do a couple of studies for a very obscure unit (that no longer exists) within Foreign Affairs called the Verification Research Unit. The purpose of this unit was to do research and information gathering around how to verify arms control accords. Governments were using these very advanced technologies to monitor each other. 
I had this really formative experience as part of a study I was doing on potential use of commercial satellite imagery for arms control around a potential nuclear test ban. I spent some time with a group of scientific experts who were seismologists, chemists, people who had set up things like underwater sniffing technologies and imagery analysts. It was this really impressive collection of people with different skill sets and expertise, all focused on this one topic, which was to prevent governments from cheating on arms control. 
And at the time, it just hit me like a gong: Why isn’t there a similar capacity in civil society to watch governments and watch private companies? 
Angwin: Doing this type of work, I imagine you face certain threats, technical and legal?
Deibert: The technical risks are omnipresent. But that would be, in many respects, the least of our concerns, because it’s hard to protect yourself entirely. What really concerns me are the physical risks, the threats that we’ve faced when my staff were targeted in a Black Cube [a private Israeli investigative company known for its messy operations and public scandals] operation.
This was a big experience for us after we did one of our very important NSO-related reports on the hacking of a Saudi permanent resident in Canada, Omar Abdulaziz, who was a close confidant of Jamal Khashoggi. Our report was published Oct. 1; the next day Khashoggi was executed. Shortly thereafter, my staff were the targets of a clandestine operation to try to gather incriminating information. 
We organized with the Associated Press a counter sting at a Manhattan restaurant and exposed the operation and outed the person behind that one part of it, a person who used to work for the Mossad and works for Black Cube. 
It turns out that at the same time, Black Cube was also going after Ronan Farrow. If you watch Ronan Farrow’s HBO series, the last episode is all about the targeting of Citizen Lab.
Angwin: Can you tell me about the Pegasus discovery?
Deibert: We started investigating cyber espionage over a decade ago, and we began to realize around 2011 that there was a commercial market for kind of off-the-shelf NSA tools from companies that would provide government clients with the ability to undertake surveillance. 
We were mostly concerned with offensive actions like hacking into devices, which was really growing after the Arab Spring and as a by-product of the growth of end-to-end encryption. As end-to-end encryption has spread, the value of being able to have visibility over networks diminished, and the industry responded by saying, well, we’ll get inside of the device. Once you’re inside the device, then you can see everything. 
We started investigating these companies, and when we first crossed paths with NSO Group, it was when we discovered that a company called DarkMatter was using the NSO Group’s espionage tool Pegasus to try to get in the phone of a human rights defender named Ahmed Mansoor. Mansoor sent us the links, and we captured Pegasus.
Angwin: What does Pegasus do?
Deibert: I describe it as the nuclear version of spyware. It is the big bomb; there is no defense against it.
It enables government clients to hack into a device and gather all of this information, virtually anything, turn on the camera, turn on the audio capture, track geolocation, read text messages, even those that are encrypted. 
Last fall, we captured a new version of Pegasus from a Saudi activist’s phone that was hacked, and it was a zero-click, zero-day. Zero click requires no interaction on the part of the target; you just target the device, and you can take it over. 
(A zero-day is a vulnerability in Apple software that Apple didn’t know about. So we did a responsible security disclosure to Apple, and they issued a security patch back in September.) 
And one thing people don’t talk about is the prospect of using spyware to plant falsely incriminating data on someone’s mobile phone. So you’d suddenly end up with horrible thing X here on your own phone, and you don’t know it’s there. 
The spyware is also engineered to evade forensics. That’s notable because it’s actually very hard even for us to pinpoint on somebody’s device, if they’ve been hacked. This is extremely dangerous, powerfully invasive technology that right now operates without any international regulation whatsoever.
Angwin: The U.S. government took some action, right?
Deibert: Yeah. The U.S. Department of Commerce put NSO Group, Candiru, and two other hack-for-hire firms on the designated “Entity List,” which means that Americans can’t do business with them and vice versa. That had a profound effect on NSO’s bottom line. Moody’s downgraded them. [NSO Group told The Jerusalem Post that its technology does support the U.S.’s national interest and that it will act in order to reverse this decision.]
These companies are very lucrative. They’re owned by private equity funds, so one of the remedies, we think, is to go after their bottom line.
Angwin: Do you think tech companies have any responsibility for releasing products with security vulnerabilities? 
Deibert: I definitely think they do. Fortunately, we’ve seen companies trying to protect their users, and they’re being responsible when it comes to litigating this stuff. WhatsApp is in the process of suing NSO Group in California over the exploitation of WhatsApp’s video protocol, and Apple is doing the same thing. [NSO Group lost its challenge to get the WhatsApp lawsuit dismissed and told Fortune, in response to questions about the lawsuits, that its technologies have saved thousands of lives.]
But the reality is, the digital ecosystem is invasive by design. It’s insecure and poorly regulated. Those things together make it a ripe environment for the type of exploitation that we see. It’s remarkable how convenient it is to have the entire technological environment oriented around vacuuming up data. I think it is very important to clean up some of the bottom-feeder companies that orbit around location tracking data, which I see as a horrible, poorly regulated cesspool. There are so many companies that take advantage of that location tracking marketplace to do business for government clients.
Angwin: In your essay, “Protecting Society from Surveillance Spyware,” you propose some solutions. Can you describe them?
Deibert: The Commerce Department designation is a good start. It’s a good example of how existing authorities could be used to punish these terrible companies that are just routinely and serially causing harm worldwide. I mean, what do you make of a company that sells repeatedly to Rwanda or Saudi Arabia? And the technology is used in connection with death squads and executions? There has to be some consequence. 
I think you start with governments saying, “Citizens in our country will not do business with this company.” So you put them on a deny list. That won’t solve the problem, but it will help. 
Second, I think we could pass legislation that would make it easier for victims of this type of surveillance to sue, both the companies and the foreign governments that are behind it. If you begin to wrap these companies up in court, and the cases result in significant financial damages, then it’ll begin to scare the industry overall.
I also think we need export controls. The Israeli Ministry of Defense actually does export controls but the worst possible type: They basically rubber-stamp and actually go even further and use Pegasus sales as a component of their strategic foreign policy. That needs to change. If the Israeli authorities had very strict human rights due diligence mechanisms that required these companies to follow certain rules, not sell to governments that are going to abuse it, that would also help. 
Quite a few people have advocated that there should be a worldwide moratorium or ban on this technology. I get where they’re coming from. But I think it’s not practical. Most governments have a horse in this race, and it’s highly unlikely you’ll get agreement on such a thing. But if they are going to contract with espionage companies, they could easily build in procurement rules that say we will only purchase from companies that follow certain protocols.
Lastly, we need some oversight over security agencies. The United States should have clear, transparent documents that are available to the public and researchers saying here’s who we contract from, here’s how much we spent, etc. 
All of this wouldn’t solve the problem overnight. 
As always, thanks for reading.
Julia Angwin
The Markup
Additional Hello World research by Eve Zelickson.