Spyware companies claim to sell their wares only to governments fighting crime and terrorism but it is all too easy for these tools to be used by repressive regimes to attack human rights.
It started with a phone call via WhatsApp. The recipient, who might be a journalist, human rights activist, or politician, wouldn’t even need to pick up. Even an unanswered call would install a rogue piece of software, called Pegasus, on their device. From then on, Pegasus would control the device entirely. It could track the device’s location, collect all communications sent and received, take over the camera and microphone and more besides.
WhatsApp alleges that 1,400 of its users were targeted in this way and in 2019 sued NSO Group Technologies, the Israeli company that makes Pegasus. Companies like NSO Group, known as private-sector offensive actors (PSOAs), are accused of being digital mercenaries whose business model depends on selling cyber surveillance and hacking tools.
“There are both human rights and security concerns to be addressed, including the proliferation which is widespread and leads to a lack of control and oversight of the most aggressive technological systems,” said Marietje Schaake, President of the CyberPeace Institute.
Last December, other technology firms, including Microsoft, Google, Cisco and LinkedIn, added their support to WhatsApp’s case in the form of an amicus brief. Human rights organisations, including Amnesty International and Access Now also filed amicus briefs.
“NSO’s WhatsApp hacking has enormous human costs,” said Natalia Krapiva, Tech Legal Counsel at Access Now. “The attack invaded the victims’ privacy, damaged their reputation, and continues to endanger their work and livelihoods.
A secretive sector
NSO Group’s software can target Apple iOS devices – iPhones and iPads – as well as Google Android phones and tablets. And its makers don’t just exploit WhatsApp; they attack various operating systems and application flaws to get Pegasus onto target devices.
Though NSO Group is one of the most widely-known PSOAs, it is not the only company offering this sort of technology. Anglo-German Gamma Group, Italy’s Memento Labs (formerly known as Hacking Team), DarkMatter in the UAE, and Cyprus-based Intellexa are among those in a sector estimated to be worth in excess of $12 billion, and each offers powerful tools.
Interviewing Intellexa CEO Tal Dilian in 2019, Forbes magazine wrote: “Alongside Android hacking tools, there’s tech that can recognise your face wherever you travel, listen in on your calls, and locate all the phones in an entire country within minutes.”
The companies are secretive, with many operating under different names across territories and using a web of shell companies to make tracking their activities difficult. In rare public pronouncements they argue that they sell only to governments and only for legitimate law enforcement activity. NSO Group, for example, says its tools are designed to “combat terror and crime” but evidence suggests that the software can be used by repressive regimes and even fall into criminal hands through corruption.
Spyware tools linked to murder
In February 2021, Amnesty International, which has driven much of the campaigning on this topic, reported that human rights activists in Vietnam had been targeted by spyware attributed to an unknown organisation that investigators have codenamed ‘Ocean Lotus’.
Other investigations have linked Gamma Group’s FinSpy to efforts by the Bahraini government to monitor activists and identified on servers belonging to Turkmenistan, one of the world’s most repressive countries. DarkMatter was said to be behind a WhatsApp-style messaging app of its own, ToTok, which was actually a spying tool.
Pegasus appears to have been used in planning the murder of journalist and Saudi Arabian dissident Jamal Khashoggi, in spying efforts directed at 36 phones belonging to Al Jazeera journalists, and in the targeting of human rights lawyers investigating prosecutors’ handling of killings in Mexico.
The Citizen Lab, based at the Munk School of Global Affairs and Public Policy in Toronto, Canada, is among the leading research organisations in this field. They have examined misuse of tools like Pegasus and concluded: “There is no reason to believe NSO Group takes its responsibility to respect human rights seriously.”
These can be used by repressive regimes but they can also be sold to countries that are law-abiding at the time, only for a change of leadership that changes the character of the government. It’s also possible for them to fall into the wrong hands, through cyber attacks or corrupt officials in governments that have bought them.
In a response to the UN Working Group on the Use of Mercenaries, The Citizen Lab said it had identified 25 governments that were likely to be customers of Circles, an NSO Group affiliate, and said these included directorates of intelligence and security services, police, armies and navies.
Unlike governments, private companies are subject to fewer controls when it comes to creating offensive cyber weapons. In fact, NSO Group is seeking immunity from legal action on the basis that its clients are sovereign states. This business model itself is a threat to cyberpeace. We need greater scrutiny of the laws surrounding this technology and consider greater regulation to protect people.
The existence of commercially available hacking, intrusion and exfiltration systems is a threat to the safety and stability of cyberspace. Those tools are used to target vulnerable populations such as but not limited to human rights defenders, journalists, and dissidents with the aim to cause harm. An uncontrolled escalation of the production and use of these technologies represents a threat to cyberspace and all individuals connected to it.
The WhatsApp legal case has shed more light on a secretive sector, but civil society organisations must work together to highlight this problem more systematically and collaborate on solutions to ensure that companies like NSO Group do not operate with immunity in the shadows. Impunity of hacking, intrusion and exfiltration companies requires immediate actions for preventing harm and for safeguarding cyberpeace and a stable, safe and secure cyberspace.
© Copyright: The concepts and information contained in this document are the property of the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva, unless indicated otherwise from time to time throughout the document. This document may be reproduced, in whole or in part, provided that the CyberPeace Institute is referenced as author and copyright holder.