Private companies are producing and selling spyware that Google experts claim is equivalent to spyware produced by nation states. This private spyware can be purchased by anyone and used against anyone.
This means that nearly any phone, laptop or social media account can be successfully and expeditiously hacked by anyone willing to purchase and activate the software. Why are we allowing this to happen? Can anything be done to stop it?
The work of spyware companies re-entered the news last week when Google warned that Israeli company NSO Group’s product called ForcedEntry is one of the world’s most technically sophisticated exploits. John Scott-Railton, senior researcher at Citizen Lab, was quoted by Ars Technica saying, “This is on par with serious nation-state capabilities. It's really sophisticated stuff, and when it's wielded by an all-gas, no-brakes autocrat, it's totally terrifying. And it just makes you wonder what else is out there being used right now that is just waiting to be discovered. If this is the kind of threat civil society is facing, it is truly an emergency.”
NSO Group’s spyware has been implicated in the Saudi government’s pre-murder surveillance of Washington Post journalist Jamal Khashoggi (see today's Washington Post article) and its pre-arrest surveillance of dissident women’s rights advocate Loujain al-Hathloul. Al-Hathloul, following her release from Saudi custody, has sued three former American contractors for hacking her cell phone. These contractors haven’t spoken publicly about their work for the Saudis, but they admitted in September to providing computer hacking technology to the UAE.
Victims of this private spyware are not all dissidents from dictatorships. Earlier this month, the U.S. discovered that the phones of 11 American Embassy employees in Uganda were hacked by NSO Group’s Pegasus spyware. Apple had notified the embassy officials about the attack. The Times reports that “NSO is one of several companies that make money by finding operating system vulnerabilities and selling tools that can exploit them. NSO [is] not accused of maliciously hacking into phones [itself], but of selling tools to clients despite knowing that they would be used in malicious attacks.”
Why is no one stopping NSO Group from producing and selling these tools? Where are the police in this situation?
In some ways, we live in a world without law enforcement. The FBI, for example, only has jurisdiction to investigate certain kinds of activities, undertaken by certain kinds of people, in certain kinds of places. The internet, on the other hand, allows nearly any person sitting in any country to attack people all around the world. These attacks can be words, they can be electronic attacks that infiltrate or delete computer data, or they can be attacks that start electronically and bring down power systems, hospitals or nuclear reactors. Attackers can evade justice by physically locating in places that won’t investigate or prosecute them.
The same is clearly true for spyware creators. NSO Group is in Israel, has ties with the Mossad and Israeli military, and is protected by the Israeli government. Its Pegasus spyware is classified as a weapon by the Israeli government and can’t be exported without government permission. Cytrox – whose spyware was recently banned from the Meta platforms – is a North Macedonian spyware manufacturer. Four Israeli spyware companies were also banned: Cobwebs, Cognyte, Black Cube and Bluehawk, as well as an Indian company named BellTroX and a Chinese-based spyware maker. All of these headquarters locations are beyond the reach of Western law enforcement agencies.