By Jessica Corbett, staff writer at CommonDreams. Originally published at CommonDreams
The United Nations human rights chief and American whistleblower Edward Snowden on Monday joined the wide range of public figures demanding urgent action after reporting that Pegasus hacking spyware, sold by the Israeli firm NSO Group, has been used to facilitate human rights violations worldwide, including to target activists, journalists, and politicians.
Their comments came in response to the Pegasus Project. Over 80 journalists from 17 media organizations across 10 countries conducted an investigation into the leak of 50,000 phone numbers of potential targets of authoritarian governments. The effort was coordinated by Paris-based Forbidden Stories, with the technical support of Amnesty International.
U.N. High Commissioner for Human Rights Michelle Bachelet, in a statement, said that the revelations “are extremely alarming, and seem to confirm some of the worst fears about the potential misuse of surveillance technology to illegally undermine people’s human rights.”
Bachelet highlighted that her office has previously raised concerns about the dangers of authorities using surveillance tools to hack phones and computers; emphasized the “indispensable role” that journalists and human rights defenders play in society; and pointed out that use of spyware has been linked to their arrest, intimidation, and even deaths.
#Pegasus: Revelations about the widespread use of software to spy on journalists, human rights defenders & others are extremely alarming. See statement by @UNHumanRights Chief @mbachelet: https://t.co/v6moMj4v6W pic.twitter.com/vyRxLX4jyq
— UN Human Rights (@UNHumanRights) July 19, 2021
“I would like to remind all states that surveillance measures can only be justified in narrowly defined circumstances, with a legitimate goal,” Bachelet said. “And they must be both necessary and proportionate to that goal.”
The use of tools like Pegasus “can only ever be justified in the context of investigations into serious crimes and grave security threats,” she continued. “If the recent allegations about the use of Pegasus are even partly true, then that red line has been crossed again and again with total impunity.”
Noting that governments have a responsibility to not only stop their own rights abuses but also to protect individuals from privacy violations, the U.N. official suggested that “one key step to effectively prevent abuse of surveillance technology is for states to require by law that the companies involved meet their human rights responsibilities, are much more transparent in relation to the design and use of their products, and put in place more effective accountability mechanisms.”
NEW: The Israeli firm NSO Group sells spyware to repressive governments that often use it to target activists, political opponents, and reporters.
In a new joint investigation, we uncovered new victims around the world.
This is the #PegasusProject. 1/https://t.co/3JPViIKH7m
— Organized Crime and Corruption Reporting Project (@OCCRP) July 18, 2021
“These reports also confirm the urgent need to better regulate the sale, transfer, and use of surveillance technology and ensure strict oversight and authorization,” Bachelet said. “Without human rights-compliant regulatory frameworks there are simply too many risks that these tools will be abused to intimidate critics and silence dissent.”
“Governments should immediately cease their own use of surveillance technologies in ways that violate human rights,” she added, “and should take concrete actions to protect against such invasions of privacy by regulating the distribution, use, and export of surveillance technology created by others.”
Snowden went even further than Bachelet. In a video interview with The Guardian, the whistleblower—who has lived in Russia with asylum protections since leaking classified materials on U.S. government mass surveillance in 2013—called for outlawing for-profit malware developers.
There are certain industries, certain sectors, from which there is no protection. We don’t allow a commercial market in nuclear weapons. If you want to protect yourself you have to change the game, and the way we do that is by ending this trade.https://t.co/JfUiEJ8ipx
— Edward Snowden (@Snowden) July 19, 2021
This is an industry that should not exist,” Snowden told the newspaper, which is part of the consortium that conducted the investigation. “The NSO Group is only one company of many—and if one company smells this bad, what’s happening with all the others?”
In a series of statements to The Guardian and other media outlets responding to the investigation, the NSO Group said that it “firmly denies false claims made in your report, many of which are uncorroborated theories that raise serious doubts about the reliability of your sources, as well as the basis of your story.”
Snowden, meanwhile, said that “what the Pegasus Project reveals is the NSO Group is really representative of a new malware market, where this is a for-profit business… The only reason NSO is doing this is not to save the world, it’s to make money.”
Pointing out that “if they find a way to hack one iPhone, they’ve found a way to hack all of them,” Snowden warned that the danger will only grow as long as the international spyware trade is allowed to exist and encouraged collective action to impose a global ban.
“Inaction is no longer an option,” he said. “If you don’t do anything to stop the sale of this technology, it’s not just going to be 50,000 targets. It’s going to be 50 million targets, and it’s going to happen much more quickly than any of us expect.”
While thousands of iPhones and Google Android phones were listed as potential targets for Pegasus spyware, Amnesty International was only able to confirm that Apple products were infected, because of Android’s operating system, the group explained in a statement Monday.
“Apple prides itself on its security and privacy features, but NSO Group has ripped these apart,” said Danna Ingleton, deputy director of Amnesty Tech. “Our forensic analysis has uncovered irrefutable evidence that through iMessage zero-click attacks, NSO’s spyware has successfully infected iPhone 11 and iPhone 12 models.”
BREAKING: Thousands of iPhones have potentially been compromised. Our forensic analysis has uncovered irrefutable evidence that through iMessage zero-click attacks, NSO’s spyware has successfully infected iPhone 11 and iPhone 12 models.#PegasusProjecthttps://t.co/QN5XY90dKY
— Amnesty International (@amnesty) July 19, 2021
“Thousands of iPhones have potentially been compromised,” she warned. “This is a global concern—anyone and everyone is at risk, and even technology giants like Apple are ill-equipped to deal with the massive scale of surveillance at hand.”
According to Ingleton: “NSO Group can no longer hide behind the claim that its spyware is only used to fight crime. There is overwhelming evidence that NSO spyware is being systematically used for repression and other human rights violations. NSO Group must immediately stop selling its equipment to governments with a track record of abusing human rights.”
“These findings show that the surveillance industry is out of control,” she added. “States must immediately implement a global moratorium on the export, sale, and use of surveillance equipment until a human rights-compliant regulatory framework is in place.”
until a human rights-compliant regulatory framework is in place.
Who appoints this committee? Biden? Biden via a tiny tiny twist of the arm of the UN? A little phone call when it crosses his mind?
Or, would that be actually neutral; like a committe to bar Biden from social media for the crime of “misinformation” regarding COVID-19 such as the claim that everyone vaccinated can go back to normal (no masks, no constraints about places of mass indoor gatherings – not to mention mass outdoor gatherings) as long as they are vaccinated? Of course Biden has not given any definition of “misinformation” but if “killing people” by false information about the safety of going back to normal if one has the jabs is an example of “misinformation”, then Biden is guilty and therefore a killer of people and should be removed from not only facebook, but all social media, not that that is a particularly severe punishment for killing “some folks” as Biden’s mentor might put it, with – of course – one notable exception.
This is a pretty important story this and it is a veritable pot of crabs in the shake out. One minor example is how the French are opening up an investigation upon finding out the Pegasus software was used by Morocco to spy on French journalists. This program went everywhere and Israel was at the heart of it all selling it to all and sundry. The government at the very least must have given this company a nod when a clients list was submitted. If they wanted to stay in business that is. And then something unusual happened.
The headline news today was that the US, UK, EU, and NATO claiming that China was behind the Microsoft hack from a few months ago. You know. The one that was claimed to be the work of the Russians at the time. The US Justice Department said that they had an indictment for four Chinese guys and published their faces. They are literally accusing China of everything that Israel was found to be doing and I don’t know about you but it is almost like this story is being used to push the news about Israel’s Pegasus software off the front pages.
This is an article about two people with part of the story each. Snowden knows quite a lot about the detail of the technology and collection methods, but little about the politics involved. Bachelet is clearly a nice person, but knows little about the technology or the world in which it is used.
Let’s recapitulate. Signals intelligence, as it’s often called, has been around for generations, and it’s an accepted and understood method of intelligence gathering against other governments, and is also done for commercial reasons. This is one of those situations where “everybody does it” is a fair assessment, which is why, even if it were feasible to stop it, nobody would want to do so. Countries which don’t have the capability themselves can and do obtain information from others. In addition, domestic intelligence agencies in most countries have powers to intercept communications within the country. Historically, this was used above all against foreign espionage, but more recently against domestic terrorist threats. As Bachelet recognises, this is entirely legitimate. A number of attacks in Europe have been stopped because of these capabilities, and a number that actually took place might have been if certain laws were different. But that’s another issue. Again, this is a well-known and understood capability. Any competent government can listen into your telephone calls, track your whereabouts, or listen to conversations when you think the phone is switched off. This has been going on for generations, and requires no advanced technology: in most countries, the limitations on its use are legal rather than technological. You should never, ever, assume that anything you say or do on your phone is private.
But Pegasus, if I understand correctly, is none of the above. It seems to be a tool to break into phones remotely, without leaving a trace, and steal all the information on them. This would obviously include photos and your taste in music, but these days also probably your documents. Given that government people with official phones seldom go around with sensitive documents on them, it seems to me that its main use is against non-state targets: terrorist and militia groups certainly (it seems that Hezbollah was a target, unsurprisingly), but even more journalists, political opponents, dissidents and and human rights activists.
So what can be done? Not a lot, I think, until the perfect security system can be devised on phones, and at the moment all the pressure is the other way: to weaken controls on what can be installed. The problem is the nature of the technology. Classically, exports of weapons could be and were controlled and licensed by states, and require an end-user certificate, and most countries have central government bodies that coordinate the process. This is one example. Sometimes there are agreed international rules, eg within the EU, as well as sanctions regimes. But here, we dealing with technology rather than objects, which have serial numbers and can in principle be traced. There are regimes to control the spread of technologies: for example the Missile Technology Control Regime, which tries to do what it says, and the Australia Group , which tries to control the spread of chemical and biological warfare technologies. The problem is that all these regimes are voluntary. The other problem is that, whilst the major powers of the world support controls on NBC exports, because it’s in their interests, they are only going to support controls on these kinds of weapons, if they think they constitute a danger to them. The other other problem is that by definition, it’s almost impossible to be sure who the final “end user” of software will ultimately be. It’s also effectively impossible to control its use, since after all one person’s terrorist is another person’s freedom fighter etc etc. (Would you regard the use of this technology by the Nicaraguan government against Guaido as legitimate or not, for example? )
> What can be done?
Use a dumb phone. They’re not looking so dumb, are they?
Also, nothing embarassing (blackmail material) or financial on your phone.
If you want to take intimate pictures, buy a camera.
I fear not. Dumb phones are easier to crack. The only protection is to have nothing of any importance on your phone.
I was thinking about it for some time, and you know, the closest analogue I can think of this kind of crap is, landmines and biological weapons.
They’re not as individually devastating as either, but consider — when these tools are sold in a market, they damage us collectively. It’s not about just cracking smartphones, or, as Lambert suggests, dumbphones — which, may I remind everyone, have software platforms even less visible and accountable than mobile operating systems, and are aa equally compromised — as these devices are computers, we’re talking servers and network equipment as well.
There’s a reason we ban biological weapons and landmines — the impact isn’t just on the poor schmuck who loses a limb or dies because of a plague attack, it’s the medical systems that then are overwhelmed. The impact is, down the line, the medical devices, supply chains and essential services we and the people we care about.
Opsec won’t save you — not from the state actors, and then the criminal gangs who adopt these tools, and eventually down to the idiots who hold grandma’s medical records for a measly 20K USD because they bought a product of the darkweb. Step one would be to delegitimise the sale of these tools and exploits. Step two is to, finally, refocus governmental and organisational efforts to harden our systems against threats like these.
Because yeah, you wanna be safe? You’re not going to just need to work on your individual opsec, but also on the opsec of everyone related or linked to you.
It would be interesting if next time somone pushes back at a subpoena for info, under penalty of perjury the TLA has to say that the info can’t be got any other way.
Just like FBI folded at the last minute before the court date when Apple fought an order to extract data from a phone.
IMHO, LE can easily get what they want, but not in a way that is either admissable as evidence or has methods that LE are happy to expose. Hence the push to make the data grabs legal by default, while avoiding any judgements that say otherwise.
UK, without a constitution, will lead this dive to the gutter where the governed effectively lose any rights to report on and criticise the governers.