spyware – Techdirt

Apple Dumps Suit Against NSO Group After Israeli Government Walks Off With A Bunch Of The Company’s Files

from the friends-in-the-highest-places dept

Well, it worked. We’ll have to see how this plays out in the lawsuit WhatsApp brought against NSO Group, but it has managed to shed one litigant thanks to intervention from the home team: the Israeli government.

In July, documents obtained by Distributed Denial of Secrets (DDoS) revealed the desperate measures NSO Group deployed to avoid having to turn over internal information during discovery in multiple lawsuits, including one filed by Apple. Knowing that discovery was inevitable, NSO met with Israeli government officials and asked them to secure a blocking order from the nation’s courts to prevent having to comply with discovery requests.

The government secured these orders and went to work shortly after WhatsApp served NSO with its discovery requests. According to the paperwork, the government needed to seize a bunch of the company’s internal documents for “national security” reasons, speculating disingenuously and wildly that turning over any information about NSO’s Pegasus phone-hacking malware would make the nation itself less secure.

Shortly thereafter, the Israeli government engaged in a performative raid of NSO’s offices to seize anything NSO felt might be disadvantageous in these lawsuits. WhatsApp is still in the litigation game, hoping to obtain anything the Israeli government hasn’t already seized that might relate to its claims of unauthorized access by NSO customers deploying Pegasus malware via the company’s US servers.

Apple, however, has decided it’s not going to spend any more money or time trying to win a rigged game, as Joseph Menn reports for the Washington Post.

Apple asked a court Friday to dismiss its three-year-old hacking lawsuit against spyware pioneer NSO Group, arguing that it might never be able to get the most critical files about NSO’s Pegasus surveillance tool and that its own disclosures could aid NSO and its increasing number of rivals.

[…]

“While Apple takes no position on the truth or falsity of the Guardian Story described above, its existence presents cause for concern about the potential for Apple to obtain the discovery it needs,” the iPhone maker wrote in its filing Friday. Israeli officials have not disputed the authenticity of the documents but have denied interfering in the U.S. litigation.

As for that last sentence, that’s a dodge. Of course the Israeli government interfered with this litigation. That it didn’t insert itself directly into either of these cases doesn’t change the fact that the raid it performed at NSO Group’s request left the company without the documents sought by US litigants.

The more surprising assertion is Apple’s: that part of its reason for dropping the lawsuit is to avoid having to turn over any of its own stuff in response to discovery requests. But the rationale is very much an Apple thing: the company feels giving more information to NSO — especially in open court — will just be used to facilitate the creation of new hacking tools for NSO (or its competitors) to use against Apple’s customers.

That’s more of a concern for Apple, which is seeking to protect an entire operating system. WhatsApp’s concerns are more limited. While it too would probably prefer any information it hands over in court not be used against it by malware merchants, it only has to worry about a single service, rather than the underlying infrastructure (so to speak) shared by dozens of Apple products.

Discovery is underway in the WhatsApp case, so hopefully we’ll be seeing some interesting developments there soon. But given what’s happened here, NSO and its Israel-based competitors have some really interesting (and disturbing) options when it comes to thwarting lawsuits over the constant abuse of its Pegasus malware.

Filed Under: israel, lawsuit, malware, pegasus, spyware, surveillance
Companies: apple, nso group

NSO Group Asked Israeli Government To Help It Hide Malware Docs From WhatsApp

from the surely-something-only-an-honest-company-would-do dept

Before the news had broken that NSO Group’s clients were utilizing its powerful spyware to target journalists, dissidents, activists, religious leaders, opposition party members, and anyone else that might have irritated the autocrats and human rights abusers that made up a disproportionate percentage of its customer list, NSO was sued by Meta and WhatsApp.

That lawsuit alleged NSO Group had illegally accessed and utilized WhatsApp’s software and servers to distribute malware to surveillance targets. It’s a problematic lawsuit — one that seeks to see the CFAA (which has been abused perpetually since its inception) read as outlawing any access that might violate terms of service, including access that simply allowed NSO software to reach targets using WhatsApp.

NSO has since tried multiple times to have the lawsuit thrown out. One of its more creative efforts tried to portray NSO Group as nothing more than a stand-in for the governments it sold to. By portraying itself this way, NSO hoped to invoke sovereign immunity. That argument was rejected by two consecutive levels of the judiciary. NSO would have been better served by sticking to its first argument: that it could not be held directly accountable for actions performed by its customers, especially since that’s pretty much the only argument it’s left with at this point in time.

Having failed to get the lawsuit dismissed, the litigation moved forward. Finally, it reached a point NSO hoped it never would: discovery. Earlier this year, the court ordered NSO to turn over a bunch of info, including the source code of the malware that traveled through Meta’s servers to infect WhatsApp users.

The source code has yet to be delivered to the court and WhatsApp. It may never get there. As Harry Davies and Stephanie Kirchgaessner report for The Guardian, NSO Group called on a higher power to help it dodge its courtroom obligations:

Israeli officials seized documents about Pegasus spyware from its manufacturer, NSO Group, in an effort to prevent the company from being able to comply with demands made by WhatsApp in a US court to hand over information about the invasive technology.

Documents suggest the seizures were part of an unusual legal manoeuvre created by Israel to block the disclosure of information about Pegasus, which the government believed would cause “serious diplomatic and security damage” to the country.

Neat! And it comes with a form of plausible deniability built in: the Israeli government could claim it seized this information as part of its own investigation of NSO Group. Of course, that investigation is already closed and it wasn’t publicly announced until long after NSO was in (international) hot water. The government concluded it did nothing wrong when it used NSO spyware. It didn’t have much to say about NSO itself, although it did (very belatedly) limit the countries NSO could sell to.

But this is just a weird form of regulatory capture. NSO Group was formed by former Israeli intelligence officers. For years, Israel’s government helped broker deals for NSO with nearby nations, engaging in a malware-powered form of diplomacy.

The last thing NSO wanted was for this lawsuit to move to the point where it might need to start producing documents. The outstanding order for code production posed a threat to NSO’s secrecy, even if there’s almost zero chance it would be denied any request to seal these documents. With NSO being mostly former government employees and the Israeli government being composed of current government employees, NSO asked and received. With this move, a sovereign that is not party to this lawsuit has done what NSO couldn’t on its own: prevent an American entity from obtaining its source code.

The origin of this information isn’t NSO or the Israeli government. It’s the product of leaks and hacking. And it shows NSO knew this reckoning was coming, long before it became somewhat of a household name following the leak of targeting data. This appears to have happened not long after WhatsApp filed its lawsuit against NSO in late 2019.

Israel’s hidden intervention in the case can be revealed after a consortium of media organisations led by the Paris-based non-profit Forbidden Stories, and including the Guardian and Israeli media partners, obtained a copy of a secret court order relating to the 2020 seizure of NSO’s internal files.

Details of the seizures and Israel’s contacts with NSO regarding the WhatsApp case are laid bare in a separate cache of emails and documents reviewed by the Guardian. They originate from a hack of data from Israel’s ministry of justice obtained by the transparency group Distributed Denial of Secrets and shared with Forbidden Stories.

According to the documents, NSO first approached the Israeli government in the early months of 2020, asking for a “blocking order” that would hopefully prevent it from having to hand over anything to WhatsApp. When WhatsApp served its discovery request in June 2020, NSO Group and government officials met to “discuss issues related to disclosure.” After some back-and-forth between NSO’s legal reps and government officials, the government performed a perfunctory raid of NSO offices for the sole purpose of leaving it with almost nothing to turn over in response to the US court order.

Three days later, in mid-July 2020, Israel made a significant but secret intervention. At an urgent meeting with NSO, Israeli officials presented the company with an order issued by a Tel Aviv court granting the government powers to execute a search warrant at its office, access its internal computer systems and seize files.

This subterfuge appears to have worked, at least so far. According to WhatsApp’s lawyers, NSO has only turned over 17 pages of documents in response to its discovery requests. Obviously, none of these documents are responsive to the court order demanding NSO turn over its software to WhatsApp.

On the surface, it might not look any more unusual than, say, the Justice Department filing a motion to keep documents from being produced by one of its contractors in the interest of public safety, operational secrecy, or whatever other excuse it might use. But it’s nowhere near comparable. NSO Group never informed the US court that these documents had been seized. And it appears its lawyers — some of whom are US-based — never informed the court it was seeking the assistance of the Israeli government to keep these documents from being produced.

It will certainly be interesting to see how the court responds to these revelations. However, sanctions can’t make NSO Group turn over information now in the hands of its own personal Jesus: the Israeli government. And it’s unlikely any US court has the power to pierce the sovereign immunity that controls this action, no matter how transparent the self-interest.

Filed Under: distributed denial of secrets, israel, lawsuit, malware, pegasus, privacy, source code, spyware, surveillance
Companies: nso group, whatsapp

NSO Malware Discovered On The Phones Of Critics Of Putin And His Allies

from the NSO-may-be-down-but-its-software-is-still-running dept

Here’s yet more unsurprising news about Israeli malware developer NSO Group and its preferred customers. More phones infected by NSO’s flagship Pegasus malware have been discovered by Citizen Lab researchers. And yet again those targeted are journalists, critics, dissidents, and opposition leaders.

The latest investigation identifies seven additional Russian and Belarusian-speaking members of civil society and journalists living outside of Belarus and Russia who were targeted and/or infected with Pegasus spyware. Many of the targets publicly criticized the Russian government, including Russia’s invasion of Ukraine. These individuals, most of whom are currently living in exile, have faced intense threats from Russian and/or Belarusian state security services.

Even though the company is on the ropes, the software it sold to a variety of authoritarians and autocrats still exists. And it can still be used to target people these power-hungry governments don’t like.

What could possibly be the point of infecting phones owned by dissidents, journalists, and critics with malware pitched as a solution to violent crime and international terrorism? The entities NSO sold to have repeatedly made it clear they’ll spend millions on software for the sole reason of engaging in petty revenge operations. That’s because the governments in control of this spyware are too thin-skinned to deal with the normal downsides of being in the government business: criticism, dissent, and the rise of opposition leaders who stand for everything these governments don’t stand for.

While the revenge may be petty, the outcomes are far from trivial. Turning a phone into an active tracking device that also allows governments to eavesdrop on conversations and intercept communications means it is that much easier to locate the people you want to silence. As Citizen Lab points out, the retaliation against critics of Putin and his eastern European buddies is severe, ranging from travel bans to arrests. And there’s always the possibility that operatives will just try to kill critics — something Russian operatives have done multiple times.

While the news may be unsurprising, it’s helping keep NSO’s name in the news. The longer that lasts, the less chance there is that it will be able to slip back under the radar and continue business as usual.

It also provides another set of rebuttals to NSO’s multiple defenses of its products, sales tactics, and choice of customers. When the leak of NSO malware targets first occurred, the company claimed the list was bogus. And even if it was a list of targets, it was only a list of potential targets and not representative of how its customers deployed its products.

That list was full of journalists, critics, dissidents, opposition leaders, religious leaders, human rights advocates, and lawyers engaged in litigation against governments. That was the list the NSO Group claimed meant nothing. It was just a list and couldn’t be tied to NSO, its customers, or the people targeted by its customers.

Literally everything uncovered since that leak has shown the opposite to be the case: NSO’s customers directly or indirectly (by asking other governments to do their dirty work) target exactly the sort of people contained in this list. The malware NSO claims is a powerful tool that allows governments to track dangerous criminals and international terrorists is also just a way for governments to silence critics, eliminate inconvenient human obstacles, and otherwise ensure the narrative remains theirs alone. The deterrent effect of these actions is obvious.

NSO cannot claim to have clean hands. While it’s true it cannot prevent customers from abusive deployments of its malware, it could have refused sales to known human rights abusers. It’s not like this is news at this point. The first reports of NSO’s sales to miscreants like the Saudi government occurred more than a half-decade ago.

It’s not like a lot of the governments NSO sold to just recently started engaging in massive amounts of human rights violations. Every one of these questionable customers had been in the oppression business for years, if not for the entirety of their existence.

NSO has nowhere to go as long as these investigations and this sort of reporting continues. As long as the light remains bright enough, the shadows will be too small to hide in. So while this latest news may just be more of the same, it’s still essential.

Filed Under: activists, belarus, governments, israel, journalists, malware, oppression, russia, spyware, surveillance
Companies: nso group

NSO Group Continues To Use The Lawsuit Filed Against It By WhatsApp To Harass Canadian Security Researchers

from the if-you-can't-beat-'em,-fuck-with-'em dept

Israeli malware manufacturer NSO Group spent years making good money selling to bad people. Its only concern for the longest time was how long it would take nearby autocrats and totalitarians to start targeting Israeli citizens.

To be fair, the Israeli government shares at least some of the blame. Surrounded by entities that would love to see it erased from the earth, the government helped broker deals with unfriendly countries — a perverse form of diplomacy that allowed some of its worst enemies to gain access to extremely powerful spyware.

NSO is no longer the local darling in Israel. In fact, none of its competitors are either. The country achieved terminal embarrassment velocity following the leak of documents that appeared to show many of NSO’s customers were abusing access to its Pegasus spyware to target journalists, dissidents, human rights lawyers, political opponents, and even the occasional ex-wife and her lawyer.

NSO has also been sued multiple times. The first tech firm to sue NSO was WhatsApp. Backed by Meta, WhatsApp took NSO to court for using WhatsApp’s US-based servers to deliver malware packages to users targeted by NSO’s absolute shitlist of customers.

Some of what WhatsApp observed might have been due to the FBI taking a bespoke version of NSO’s Pegasus for a spin before deciding it would be pretty much impossible to use it without doing a ton of damage to the Fourth Amendment.

This lawsuit has not gone well for NSO. It invoked a variety of defenses, including sovereign immunity, reasoning that it was a stand-in for the governments it sold to. And, as such, it was entitled to the same immunity often granted foreign governments by US courts.

This tactic didn’t work. Not only did multiple courts (district, appellate, the Top Court in the Land) reject NSO immunity overtures, but the original court handling this lawsuit ordered the company to turn over its code to WhatsApp. And that order meant all the code, not just the stuff involving NSO’s flagship spyware, Pegasus.

Far from the nation’s courts, Canadians have been giving NSO (and its competitors) fits for years. Citizen Lab — a group of Canadian malware researchers linked to the University of Toronto — has been examining NSO’s malware for years. More importantly, it’s been detecting infections and allowing those targeted by NSO spyware to rid themselves of these infections. In every case, Citizen Lab has exposed the targeting of the usual people: dissidents, opposition leaders, journalists, lawyers, diplomats, etc. The company continues to pretend this malware is sold to target the most dangerous criminals despite all evidence to the contrary.

With NSO now being asked to turn over its source code, it has decided to drag a non-party into the mix by going after Citizen Lab repeatedly during this lawsuit. (This is something its financial backers did years before NSO was a defendant in multiple lawsuits and an international pariah.)

As Shawn Musgrave reports for The Intercept, NSO appears to be engaged in a campaign of harassment against Citizen Lab… presumably because it has run out of believable defenses and/or solid litigation strategies.

FOR YEARS, CYBERSECURITY researchers at Citizen Lab have monitored Israeli spyware firm NSO Group and its banner product, Pegasus. In 2019, Citizen Lab reported finding dozens of cases in which Pegasus was used to target the phones of journalists and human rights defenders via a WhatsApp security vulnerability.

Now NSO, which is blacklisted by the U.S. government for selling spyware to repressive regimes, is trying to use a lawsuit over the WhatsApp exploit to learn “how Citizen Lab conducted its analysis.”

[…]

With the lawsuit now moving forward, NSO is trying a different tactic: demanding repeatedly that Citizen Lab, which is based in Canada, hand over every single document about its Pegasus investigation. A judge denied NSO’s latest attempt to get access to Citizen Lab’s materials last week.

While it’s good to see a court shut down this obvious attempt to turn Citizen Lab into a co-litigant, the fact remains that Citizen Lab has never been a party to this lawsuit. This is nothing more than NSO attempting to obtain information it has no legal reason to request, possibly because it’s still aching from being ordered to turn over its own information: i.e., its source code.

It also may be even more petty than the previous hypothetical: it may be trying to get Citizen Lab to burn up some of its limited resources fighting stupid requests for stuff NSO shouldn’t even be asking for, much less expecting a judge to sign off on.

Whatever it is, it certainly isn’t good litigation. This reeks of desperation. These are the acts of a litigant that has run out of options. NSO is just flailing, hoping to drag down a non-party with it as it heads towards a seemingly inevitable loss.

And this certainly isn’t a winning strategy. It’s not even capable of maintaining the miserable status quo NSO Group is currently mired in. Citizen Lab (obviously) refused these demands for information (justifiably!) and the judge handling the case has made it clear there’s almost zero chance of NSO being able to drag anything out of this particular thorn in its side.

Citizen Lab opposed NSO’s demands on numerous grounds, particularly given “NSO’s animosity” toward its research.

In the latest order, Hamilton concluded that NSO’s demand was “plainly overbroad.” She left open the possibility for NSO to try again, but only if it can point to evidence that specific individuals that Citizen Lab categorized as “civil society” targets were actually involved in “criminal/terrorist activity.”

lol at that last sentence. Does anyone think anyone, much less an aggrieved NSO Group, has any evidence Citizen Lab is involved in “criminal/terrorist activity?” All it has done is expose abuse of malware sold by NSO Group to governments with long histories of corruption and/or human rights abuses.

NSO is just going to keep on losing. Reap/sow. Lie down with dogs. The foreseeable consequences of actions. Etc. Etc. Etc. Citizen Lab will keep performing its important work. And, with any luck, NSO will soon collapse under the weight of its hubris. Hope the (temporary) shekels were worth it.

Filed Under: canada, discovery, harassment, source code, spyware, surveillance
Companies: citizen lab, meta, nso group, whatsapp

Student Journalists Convince School To Ditch Its Spyware, But School Only Agrees To Not Spy On Its Journalists

from the we-respect-some-rights-for-some-people dept

Schools have always kept tabs on students using school-issued devices. Prior to the pandemic, this had mostly been limited to filtering software that prevents students from accessing content schools don’t approve of. Of course, this has also kept students from accessing content that might be useful to them personally (self-harm prevention, LGBTQ+ content) or scholastically (because Wikipedia is public [school] enemy #1).

Once the pandemic hit, most schools relied on remote access by students. That’s where spying on students really ramped up. Fully convinced most students would cheat on schoolwork and tests if given the chance, schools deployed far more intrusive spyware — including options that gave test proctors access to laptop cameras to ensure students were not cheating when engaging remotely with tests or other schoolwork.

Never before had schools had access to students’ living spaces. But now they have this access. And even with the end of remote learning, schools are reluctant to scale back their use of always-on tech that gives administrators access to students’ off-campus web use.

Four student journalists at Lawrence High School in Kansas have managed to convince their school to walk back some of its intrusion. Since they did all the heavy lifting, I’ll turn it over to the students: Zana Kennedy, Delaney Haase, Arabella Gipp, and Avery Sloyer.

Journalism editors asked USD 497 school board members serving on the district’s policy committee today to better protect student journalism and overall student privacy rights.

Students suggested policy changes relating to First Amendment free press protections, Fourth Amendment protections against unreasonable searches and copyright. The meeting follows a recent initiative by four editors to disband the use of Gaggle, AI-driven student surveillance software, for journalism students in USD 497. On Friday, the students also raised additional concerns about Gaggle’s broader use and said change was needed to protect students from future technology shifts.

Gaggle is as popular with schools as it is problematic. Here’s how Gaggle operates, despite what school districts and the company’s own press releases might say about its capabilities:

One associate principal I spoke to for this story says his district would receive “Questionable Content” email alerts from Gaggle about pornographic photos and profanities from students’ text messages. But the students weren’t texting on their school-issued Chromebooks. When administrators investigated, they learned that while teens were home, they would charge their phones by connecting them to their laptops via USB cables. The teens would then proceed to have what they believed to be private conversations via text, in some cases exchanging nude photos with significant others—all of which the Gaggle software running on the Chromebook could detect. Now the school advises students not to plug their personal devices into their school-issued laptops.

That’s from Wired’s April 2023 report on school spyware. By this point, most students in the nation had already returned to their schools. Very few were still engaged in remote learning, but that fact didn’t stop schools from continuing to deploy spyware first intended to be used for remote monitoring due to pandemic-related school closures.

The good news is these student journalists managed to free themselves from these intrusions by citing state laws that increased protections for students, journalists, and this particular combination of both.

Current policy already mentions many provisions of the Kansas Student Publications Act. But students sought to include references to the Kansas Shield Law as well as the federal Privacy Protection Act of 1980 — both of which protect the reporting process from government monitoring.

Thanks to the student journalists’ tenacity, the school backed down and agreed to remove the spyware from the devices used by these students.

[T]he four seniors who led the charge — Morgan Salisbury, Maya Smith, Jack Tell and Natasha Torkzaban — refused to be quiet about it.

“I think all four of us are unapologetically loud when it comes to situations like this,” Torkzaban said.

Last week, after five months of sometimes-tense negotiations, the district agreed to remove student journalists from the surveillance program.

And while that works out well for the student journalists, it doesn’t do much to protect the rest of the student body from spyware. Fortunately for their classmates, the journalists aren’t solely interested in ridding themselves of school-based surveillance.

[T]he journalists want assurances that the rest of the students, and future students, won’t be subjected to unwarranted intrusions.

So, now the question is why the school didn’t immediately agree to strip this malware from all school-issued devices. That’s also the question being asked in an op-ed written by the Kansas Reflector’s opinion editor, Clay Wirestone.

Listen, I understand why district officials and parents want guardrails for students’ online activities while in school. That makes sense. We don’t want them looking up porn or making threats in class.

But that’s not what Gaggle promised, or what Unified School District 497 spokeswoman Julie Boyle told Smith. Both justified privacy violations with high-minded rhetoric about protecting students’ mental health. I’m sorry, but count me skeptical that clunky AI and adults making less than three dollars above the federal minimum wage have made a serious difference in the well-being of Lawrence children.

Instead, what you might expect to happen indeed happened: False red flags, uncomfortable meetings with administrators and clear-cut violations of student rights.

It’s easy to see why Gaggle wouldn’t want this to happen. Its contract with this single Kansas school district is worth about $163,000 a year. And, unfortunately, it’s also easy to see why school officials would be reluctant to stop spying on students. After all, if something bad does happen and no spyware has been deployed, officials might be criticized for not doing all they can to prevent bad things from happening, even if it’s extremely unclear Gaggle’s spyware is capable of preventing these sorts of things from occurring.

One school administrator suggested school violence — like far too common school shootings — justified always-on surveillance. Others simply repeated the talking points about “student mental health,” apparently incapable of (or unwilling to) recognizing that virtually peering over students’ shoulders isn’t actually all that helpful when it comes to addressing the difficult issues students routinely face.

As Wirestone points out in his op-ed, there are far better ways to deal with these issues — none of which involve omnipresent surveillance of students’ web activity:

I would suggest that surveilling young people electronically, intercepting their communications and leaving hard calls to computers does more harm than good. Teens will learn they can’t trust the people around them. Building relationships and listening to those same young people might take time, but at least it can be done honestly. Rather than seizing on spyware, adults should consider addressing climate change, the cost of living, affordable college and other measures. That might give young people something to look forward to, rather than anticipate with mounting dread.

As it stands now, the school has only agreed to drop this surveillance of student journalists because it might violate state law. Rather than do the right thing and treat all students as equally deserving of privacy, the school has chosen to do the bare minimum. To paraphrase Futurama’s Hermes Conrad, the school has pretty much promised that “it will respect students’ rights to the extent that the law requires.”

But clearing this extremely low bar doesn’t help the rest of the district’s students, and it doesn’t make this school district any better than any other entity deploying the same sort of spyware because it has decided to turn over student oversight to third-party algorithms. Instead, it just makes it the single district that can’t be sued for violating the rights of student journalists under Kansas state law. That’s nothing to be proud of.

Filed Under: kansas, lawrence, lawrence high school, privacy, spyware, students, surveillance
Companies: gaggle

Details Emerge Of Facebook’s Long History Of Spying On Encrypted User Communications Across Different Apps And Services

from the privacy-violations-are-only-bad-when-somebody-else-does-it dept

Fri, Mar 29th 2024 05:24am - Karl Bode

Last week you’ll recall that after a closed-door intelligence briefing, some members of Congress leaked word to Axios that they were “shocked” by various TikTok behaviors.

Upon closer inspection, most of the stuff TikTok had been up to wasn’t at all different from the behaviors of a wide variety of foreign and domestic telecoms, app makers, tech companies, and data brokers, all happily exploiting the fact that the U.S. is too corrupt to pass a modern internet privacy law.

One of the things Congress was surprisingly “shocked” about was the fact that TikTok sometimes monitored the behavior of users while they used other apps. But here too, a long line of companies do this including data brokers, fixed line and wireless telecoms, and app makers. Your every last behavior online is tracked and monetized, often with little oversight and even less transparency.

Case in point: in 2018 we wrote about how Facebook got busted offering a “privacy protecting VPN” dubbed Onavo that was basically just spyware designed to track user behavior on other platforms. The app got kicked off of app stores after it was revealed that Facebook was paying teenagers to install the app so they could spy on them and gain insight into competitors.

This week a federal court in California released new information on that effort unveiled during discovery as part of a lawsuit between consumers and Meta, Facebook’s parent company.

The documents outline a project started in 2016 dubbed “Project Ghostbusters,” which involved “intercepting and decrypting” encrypted app traffic from users of Snapchat, and eventually users of YouTube and Amazon. The project, built at the direct request of CEO Mark Zuckerberg, basically involved creating a massive “man in the middle attack” (MITM) to spy on users at scale:

“After Zuckerberg’s email, the Onavo team took on the project and a month later proposed a solution: so-called kits that can be installed on iOS and Android that intercept traffic for specific subdomains, ‘allowing us to read what would otherwise be encrypted traffic so we can measure in-app usage,’ read an email from July 2016. “This is a ‘man-in-the-middle’ approach.”

Given the traffic between Snapchat users and servers was encrypted, it required that Facebook effectively develop spyware capable of accessing this data before it was encrypted and transmitted over the internet. Enter Onavo, a VPN company Facebook had acquired in 2013, then decided to lobotomize and turn into glorified spyware without making that clear to users.
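Reading TLS traffic from a man-in-the-middle position, as the kits described above did, means the app on the device has to be presented with a certificate it will accept. The standard app-side countermeasure is certificate pinning: the client checks the server’s public key (its SubjectPublicKeyInfo) against a value shipped with the app, so a certificate minted by an interception CA fails even when the device’s trust store has been made to accept that CA. The following is an added example, not code from the original post, from Facebook, Onavo, or any of the apps named. It uses only the standard library, builds two structurally valid, unsigned stand-in certificates (hostnames, issuer names and key bytes are constructed for the demonstration) and shows the pin check accepting the genuine server key while rejecting an interception proxy’s key for the same hostname.

```python
"""Added example: SPKI certificate pinning as the app-side defence against an
on-device TLS interception "kit".  Constructed for this article; not Facebook,
Onavo or Snapchat code.  Standard library only."""
import base64
import hashlib

# ---- minimal DER encode/decode helpers (constructed for this example) ----

def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one tag-length-value element."""
    return bytes([tag]) + _der_len(len(body)) + body


def der_seq(*items: bytes) -> bytes:
    """Encode a SEQUENCE of already-encoded elements."""
    return der_tlv(0x30, b"".join(items))


def der_read(buf: bytes, off: int = 0):
    """Decode the TLV at `off`; returns (tag, body, offset_after_tlv)."""
    tag = buf[off]
    first = buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        hdr = 2 + n
    start = off + hdr
    if start + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[start:start + length], start + length


def extract_spki(cert_der: bytes) -> bytes:
    """Walk Certificate -> tbsCertificate and return the SPKI element's full DER.
    Field order per RFC 5280: [0] version (optional), serialNumber, signature,
    issuer, validity, subject, subjectPublicKeyInfo."""
    _, cert_body, _ = der_read(cert_der)
    _, tbs_body, _ = der_read(cert_body)
    off = 0
    tag, _, nxt = der_read(tbs_body, off)
    if tag == 0xA0:                      # skip the explicit version tag if present
        off = nxt
    for _ in range(5):                   # serial, sigAlg, issuer, validity, subject
        _, _, off = der_read(tbs_body, off)
    tag, _, end = der_read(tbs_body, off)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return tbs_body[off:end]


def spki_pin(cert_der: bytes) -> str:
    """Pin in the HPKP / OkHttp form: 'sha256/' + base64(SHA-256(SPKI DER))."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def verify_pin(cert_der: bytes, expected_pins) -> bool:
    """True only if the leaf certificate's key matches a pin the app shipped with."""
    try:
        return spki_pin(cert_der) in set(expected_pins)
    except (ValueError, IndexError):     # malformed or truncated certificate
        return False


# ---- constructed fixtures: a stand-in certificate builder and two keys ----

def ec_spki(point: bytes) -> bytes:
    """SubjectPublicKeyInfo for an id-ecPublicKey / prime256v1 key; point bytes are constructed."""
    alg = der_seq(der_tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"),       # id-ecPublicKey
                  der_tlv(0x06, b"\x2a\x86\x48\xce\x3d\x03\x01\x07"))   # prime256v1
    return der_seq(alg, der_tlv(0x03, b"\x00\x04" + point))


def build_cert(spki: bytes, subject_cn: bytes, issuer_cn: bytes) -> bytes:
    """Structurally valid X.509 DER with a dummy signature; enough to exercise the pinning logic."""
    def name(cn: bytes) -> bytes:
        return der_seq(der_tlv(0x31, der_seq(der_tlv(0x06, b"\x55\x04\x03"), der_tlv(0x0c, cn))))
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))                        # v3
    sig_alg = der_seq(der_tlv(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))  # ecdsa-with-SHA256
    validity = der_seq(der_tlv(0x17, b"240101000000Z"), der_tlv(0x17, b"250101000000Z"))
    tbs = der_seq(version, der_tlv(0x02, b"\x01"), sig_alg, name(issuer_cn), validity, name(subject_cn), spki)
    return der_seq(tbs, sig_alg, der_tlv(0x03, b"\x00" + bytes(8)))        # dummy signature value


GENUINE_SPKI = ec_spki(bytes(range(1, 65)))                                # constructed key material
PROXY_SPKI = ec_spki(bytes(range(64, 0, -1)))                              # interception proxy's key
GENUINE_CERT = build_cert(GENUINE_SPKI, b"api.example.test", b"Public CA (constructed)")
PROXY_CERT = build_cert(PROXY_SPKI, b"api.example.test", b"Interception CA (constructed)")
PINS = [spki_pin(GENUINE_CERT)]                                            # what the app would ship

if __name__ == "__main__":
    print("genuine server cert accepted:", verify_pin(GENUINE_CERT, PINS))    # True
    print("interception proxy cert accepted:", verify_pin(PROXY_CERT, PINS))  # False
```

Pinning the SPKI rather than the whole certificate lets the server rotate certificates under the same key without an app update; in practice a backup pin for a second key is shipped alongside, and the check runs in addition to, not instead of, normal chain validation.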

From the documents, what is very clear is that Facebook executives at the time (like infrastructure engineering boss Jay Parikh and then head of security engineering Pedro Canahuati) knew that the project was a very bad idea:

“I can’t think of a good argument for why this is okay. No security person is ever comfortable with this, no matter what consent we get from the general public. The general public just doesn’t know how this stuff works.”

Fast forward to 2020, when Facebook users Sarah Grabert and Maximilian Klein filed a class action lawsuit against Facebook for spying on users and lying about it. And here we are; maybe Facebook will see accountability, maybe not. It’s a dice roll in a country that doesn’t take consumer privacy seriously.

Of course, in the years since, data surveillance and monetization have expanded into a massive and barely regulated international coagulation of telecoms, app makers, data brokers, hardware vendors, and tech companies that hoover up an absolute ocean of personal data about your every movement, click, and brain fart, fail to secure it, then sell access to any nitwit with two nickels to rub together.

All under the pretense that this is ok because the data is “anonymized” (a meaningless term). And despite a rotating parade of quite dangerous scandals, the congressional response has been to do jack fucking shit. Unless, of course, we’re talking about a popular Chinese app that Facebook lobbyists want kicked out of the country because it’s been a competitive pain in their ass.

At some point, whether it’s a scandal involving mass fatalities or the embarrassing leak of the sensitive data of the rich and powerful (or hey, maybe both simultaneously!), there will be a scandal that makes all previous privacy scandals look like a summer picnic. At which point maybe Congress will be jostled from its corrupt slumber. Maybe.

Filed Under: data brokers, onavo, privacy, privacy law, project ghostbusters, security, spyware, surveillance, telecom, tiktok ban
Companies: facebook, meta, tiktok

As Sanctions Continue, Malware Purveyors Starting To Worry It Won’t Be As Easy To Sell Spyware To Bad People

from the mfers-out-there-griping-about-the-crops-they-planted dept

NSO Group rang the bell. Despite all of its ex-intelligence service expertise and backing from its government, it can’t un-ring it. What’s done is done. And the repercussions just keep on coming, paying back NSO for years of selling powerful phone exploits to some of the worst people on earth.

NSO got sanctioned, along with another Israeli malware merchant, Candiru, by the US Commerce Department following weeks of negative press initiated by the leak of a document allegedly listing entities targeted by NSO spyware. The list included journalists, activists, human rights lawyers, religious leaders, dissidents, and opposition leaders. What was pitched (at least publicly) as a way to combat crime and terrorism was instead being abused by powerful people to keep tabs on people they didn’t like.

NSO and Candiru weren’t the only ones hit with sanctions. Following a spyware-targeting executive order issued by President Biden, the blacklist was expanded, bringing in the State Department to add known abusers of phone exploits, as well as their friends and families, to the “keep out” list.

Earlier this month, the Treasury Department entered the arena, dropping sanctions on yet another spyware firm with Israeli ties, Intellexa. This was on top of sanctions handed down by the State Department last year, which put both of Intellexa founder Tal Dilian’s companies — Intellexa and Cytrox — on the Department’s “entity list.”

Cytrox’s flagship product is Predator, which has also been discovered infecting phones belonging to journalists, activists, and dissidents. Predator was at the center of a scandal in Greece, where multiple sanctioned exploit developers were implicated. But it was Cytrox’s exploit that was linked to the year-long surveillance of a US citizen by the Greek government.

But the latest sanctions affect more than just Intellexa. They also target those running the company, ensuring they can’t just rebrand or form another company to get out from under the Treasury Department’s edict.

Under the sanctions, Americans and people who do business with the U.S. are forbidden from transacting with Intellexa, its founder and architect Tal Dilian, employee Sara Hamou and four companies affiliated with Intellexa.

These sanctions, combined with the ones levied recently following Biden’s executive order, now have other malware purveyors worried they won’t be able to sell malware to bad people as easily as they used to. Lorenzo Franceschi-Bicchierai’s report for TechCrunch quotes several perturbed (but anonymous) malware purveyors who have probably developed very strong feelings about NSO and other competitors over the past couple of years.

The first two people quoted do their best to distance themselves from the likes of Cytrox/Intellexa and their apparently careless founder, pointing out that Dilian “moves like an elephant in a crystal shop” and was willing to sell to anyone “willing to pay.” Both of the anonymous sources have already gotten out of the phone exploit business, perhaps sensing the “human rights exploiters” market had been fully exploited.

The third person quoted by TechCrunch suggests that if exploit sellers can’t learn from this string of cautionary tales, they probably can’t be taught.

According to a third person working in the spyware industry, the sanctions against Dilian and his business associate Hamou should make the whole market have a moment of reflection.

“If I had to come back to work actively in this industry, and I couldn’t find an exclusive customer that is extremely trustworthy, [sanctions] would be a risk,” the third person said. “A company, however serious, can never be 100% sure about how its customers act, and the political developments that can embroil them.”

Of course, no one quoted in this article has any skin in the game. They’ve all gotten out of this particularly sordid business. Those that remain may figure they can outlast the current storm. Or maybe they just figure they’ll still be able to get away with selling to human rights abusers by tightening up internal security a bit.

What’s clear is that there will always be a market for phone exploits. And chances are, the entities interested in abusing these powerful tools will be willing to pay a premium for them. Greed and lax regulation have allowed several companies to get rich by helping autocrats become even more awful. There’s no permanent solution to this problem, but for now, what has been done to this point at least appears to be having some sort of deterrent effect.

Filed Under: sanctions, spyware, state department, surveillance
Companies: candiru, cytrox, intellexa, nso group

NSO Group Ordered To Turn Over Spyware Code To WhatsApp

from the UNDERSEAL.EXE dept

The time has come to pay the discovery piper for NSO Group. The phone exploit firm formed by former Israeli spies was supported unilaterally by the Israeli government as it courted human rights abusers and autocrats. The Israeli government, which apparently had no problem with selling powerful phone exploits to its enemies, got caught with its third-party pants down when numerous news agencies exposed just how often NSO’s customers abused its powerful spyware to target journalists, activists, lawyers, dissidents, religious leaders, and anyone else who annoyed those customers.

NSO Group has been sued multiple times. One of the first lawsuits filed in the US featured Meta (formerly Facebook) as a plaintiff, suing on behalf of WhatsApp, its encrypted communications acquisition. NSO tried multiple times to escape this lawsuit. It claimed it was a private sector equivalent of a government agency and, therefore, should be protected by sovereign immunity. This argument was rejected, leaving NSO with the option of arguing its actions (or, rather, the actions of its customers, which it claimed it couldn’t control) weren’t subject to US law.

That other argument might have worked if NSO Group’s customers weren’t using WhatsApp’s US-based servers to deliver malware payloads. Once something like this happens, US law comes into play and, without the protective cover of sovereign immunity, NSO Group must continue to respond to lawsuits filed by US tech companies.

Everything NSO tried in hopes of earning an early exit from US lawsuits was aimed at preventing the very thing that’s happening now. NSO and its (few remaining) backers can probably survive an expensive settlement. What the company is unlikely to survive is a (possibly) public outing of its malware code.

As Stephanie Kirchgaessner reports for The Guardian, NSO has been ordered to turn over the source code for pretty much all of its malware to Meta/WhatsApp.

NSO Group, the maker of one of the world’s most sophisticated cyber weapons, has been ordered by a US court to hand its code for Pegasus and other spyware products to WhatsApp as part of the company’s ongoing litigation.

[…]

In reaching her decision, Hamilton considered a plea by NSO to excuse it of all its discovery obligations in the case due to “various US and Israeli restrictions”.

Ultimately, however, [Judge Phyllis Hamilton] sided with WhatsApp in ordering the company to produce “all relevant spyware” for a period of one year before and after the two weeks in which WhatsApp users were allegedly attacked: from 29 April 2018 to 10 May 2020. NSO must also give WhatsApp information “concerning the full functionality of the relevant spyware”.

WhatsApp already has a pretty good idea how NSO Group malware operates. It has already managed to detect actual deployments via its servers. The irony here, of course, is that the incidents that most likely exposed NSO’s exploitation of WhatsApp servers were trial runs of a US-oriented version of NSO’s Pegasus phone exploit by the FBI. (The FBI ultimately decided it couldn’t deploy this malware constitutionally.) A months-long investigation by the FBI into the “mysterious” NSO purchase by a supposedly “unknown” government agency ultimately revealed that it was the FBI itself shelling out bucks for malware it couldn’t deploy without violating the Constitution.

The order [PDF] issued by Judge Hamilton makes it clear NSO has to hand over more than just its Pegasus code to WhatsApp.

As to category (1), as stated at the hearing, the court adopts plaintiffs’ definition of “all relevant spyware” as set forth in their motion: “any NSO spyware targeting or directed at Whatsapp servers, or using Whatsapp in any way to access Target Devices.” As also stated at the hearing, defendants have not identified a basis for limiting its production to the Pegasus program, or to any particular single operating system.

[…]

As to the timeframe of documents that must be produced, the court concludes that, at this stage of the case, the Richmark factors weigh in favor of production for “all relevant spyware” for a period of one year before the alleged attack to one year after the alleged attack; in other words, from April 29, 2018 to May 10, 2020. If, after reviewing the relevant spyware from that timeframe, plaintiffs are able to provide evidence that any attack lasted beyond that timeframe, plaintiffs may seek further discovery at that time.

hahahahaaaaaaaaaa

We can be sure NSO’s lawyers are now busy crafting extremely restrictive proposed protective orders to prevent WhatsApp/Meta from making this information available to the public via court filings, blog posts, transparency reports, or any other options this company has at its disposal.

I imagine these motions (along with other efforts to seal docket entries) will be granted, since NSO has continually claimed its customers use its malware to target high-value targets like suspected terrorists and other violent criminals. But this court remains free to weigh NSO’s CYA statements against the brutal reality: that its malware is often used to target people governments don’t like, rather than the “terrorists” and “violent criminals” governments claim they’re interested in apprehending.

Equally amusing is the fact that the same court has denied NSO’s demands for any communications between WhatsApp/Meta and Toronto’s Citizen Lab that were initiated following the filing of this lawsuit. It’s easy to see why NSO would love access to these communications, considering Citizen Lab has constantly and continually exposed abusive NSO malware deployments over the past several years while also publishing whatever exploit code it’s been able to extract during these investigations.

But, as the court notes, NSO has already undercut its own argument for additional discovery on its end by attempting to move the goalposts to cover only perceived misuses against “civil society” by its customers. This attempt to obtain further communications is backed only by NSO’s perception of the tone of WhatsApp’s lawsuit, rather than its listed causes of action — allegations that cover not only “abusive” deployments of malware but also “legitimate” deployments that, nonetheless, occurred without the platform’s permission and definitely violated WhatsApp’s terms of service.

So, the lawsuit will move forward. And it’s NSO that’s obligated to start explaining itself — not just to Meta/WhatsApp, but to the court itself. Now that there’s source code on the line, NSO Group might start examining its other options, the most likely of which would be paying WhatsApp a considerable sum of money while promising not to use the company’s US servers to deploy malware. Most entities, at worst, have to deal with the consequences often expressed as having to lie in a bed that they’ve made. But NSO’s actions exceed this idiom. NSO, for all intents and purposes, shat the bed before making it, which makes lying in it feel that much worse.

Filed Under: malware, pegasus, source code, spyware, surveillance
Companies: meta, nso group, whatsapp

State Dept. Expands NSO Group-Targeting Ban To Include Anyone Who Misuses Commercial Malware

from the NSO-inadvertently-making-the-world-a-better-place dept

Well, NSO Group really made a mess of this for everyone. Ever since the devastating leak showing its customers routinely targeted journalists, government critics, dissidents, and human rights activists (you know, rather than the violent criminals and terrorists they said they’d use the spyware to track), things have gone from bad to worse to career-ending for the Israeli malware purveyor.

NSO had always been controversial, given its predilection for selling powerful phone exploits to some of the worst governments in the world. But it had managed to remain profitable and un-sanctioned for years, despite its willingness to get in bed with whatever autocrat would have it.

That all changed following the leak… which was then followed by a never-ending stream of negative press. Investigations into the company were initiated by several world governments, including NSO’s own, which also took the unprecedented step of limiting who the company could sell to.

NSO and one of its Israeli-based competitors, Candiru, also found themselves on the receiving end of a US State Department blacklisting late in 2021. The stated reason for this ban? NSO and Candiru were considered a threat to US national security.

The ERC determined that NSO Group and Candiru be added to the Entity List based on § 744.11(b) of the EAR: Entities for which there is reasonable cause to believe, based on specific and articulated facts, that the entity has been involved, is involved, or poses a significant risk of being or becoming involved in activities that are contrary to the national security or foreign policy interests of the United States and those acting on behalf of such entities. Specifically, investigative information has shown that the Israeli companies NSO Group and Candiru developed and supplied spyware to foreign governments that used this tool to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.

Being Candiru or NSO Group is its own problem. With the latest move by the US State Department (prompted by two years of reports of abusive targeting), certain users of these companies’ spyware are no longer welcome in the United States.

This visa restriction policy is pursuant to Section 212 (a)(3)(C) of the Immigration and Nationality Act, and allows the Department of State to implement visa restrictions for (1) individuals believed to have been involved in the misuse of commercial spyware, to target, arbitrarily or unlawfully surveil, harass, suppress, or intimidate individuals including journalists, activists, other persons perceived to be dissidents for their work, members of marginalized communities or vulnerable populations, or the family members of these targeted individuals; (2) individuals believed to facilitate or derive financial benefit from the misuse of commercial spyware described in prong (1) above, including but not limited to developing, directing, or operationally controlling companies that furnish technologies such as commercial spyware to governments, or those acting on behalf of governments, that engage in activities as described in prong (1) above; and (3) the immediate family members of individuals subject to the restrictions in prongs (1) and (2) above. For purposes of this policy, “immediate family members” include spouses and children of any age.

Malware abusers and their families: that’s potentially a whole lot of people who will have a bit more trouble traveling to or staying in the Land of the Free. And it’s all due to NSO Group and its unwillingness to keep its products out of the hands of serial human rights abusers. The company may state otherwise when approached for comment, but none of this would have happened if it hadn’t decided it was somehow OK to cash checks from autocrats.

Of course, while the policy is certainly tough enough, it’s difficult to see it being a particularly effective deterrent. People who like abusing human rights (and targeting dissidents, activists, journalists, etc.) aren’t going to stop doing it just because of some visa complications. On top of that, it’s extremely difficult to identify who exactly is behind malicious spyware deployments. In most cases, an educated guess will only point in a government’s direction. It’s almost impossible to pinpoint the origin of malware attacks because that’s pretty much the point of these products: to be undetectable and un-attributable if discovered.

Still, it’s the thought that counts, especially when the thought is now part of US foreign policy. And while it’s unlikely to make the worst governments in the world behave better, it might make malware purveyors think twice before handing out spyware to governments likely to abuse it. No company wants to be the one forced to answer uncomfortable questions posed by angry governments, especially when it knows the answers involve governments that aren’t above murdering and dismembering people who’ve displeased them.

Filed Under: entity list, malware, restricted visas, spyware, state department, surveillance
Companies: candiru, nso group

India’s Government Goes After Apple For Notifying Journalists, Dissidents Of Phone Hacking Attempts

from the overplaying-its-hand-a-bit dept

Israeli malware developer NSO Group found itself the subject of international headlines a couple of years ago. Not the good kind either. A leaked document apparently showed who was being targeted by the company’s cell phone exploits — a long, disturbing list that contained journalists, lawyers, activists, dissidents, religious leaders, and plenty of politicians.

The months following that initial leak have been even less kind to NSO. To be fair, NSO deserved every bit of this backlash since it had spent several years courting the business of some of the most abusive governments in the world.

NSO is pretty much out of the malware business at the moment, but even if it chooses to get back at it, it will be an extremely uphill battle. It’s been sanctioned, sued, and the subject of multiple investigations by governments apparently shocked to discover they themselves have been maliciously deploying malicious software.

India is one of several countries to open an investigation into NSO and possible use of its phone exploits. This investigation was actually opened by the nation’s top court, which has already been told by the Modi government that it’s not interested in cooperating with the Supreme Court’s inquiry. And the government still wants surveillance tech to (presumably) abuse. But, for the moment, it’s not interested in purchasing it from NSO Group.

Factoring into this latest news is a move Apple made after these revelations about NSO. It sued NSO towards the end of 2021 — a lawsuit that came with a new notification program attached. Apple stated it would notify any users it suspected to be targeted by state-sponsored hacking attempts. It made good on this promise almost immediately, notifying a Polish prosecutor that their phone had been subjected to hacking attempts. Many more notifications soon followed, with the company notifying victims in Thailand, El Salvador, and Uganda.

All of that has added up to this: the government of India being super-pissed Apple is letting people know state-sponsored hackers are trying to access their devices. Gerry Shih and Joseph Menn, reporting for the Washington Post, have the details:

A day after Apple warned independent Indian journalists and opposition party politicians in October that government hackers may have tried to break into their iPhones, officials under Prime Minister Narendra Modi promptly took action — against Apple.

Officials from the ruling Bharatiya Janata Party (BJP) publicly questioned whether the Silicon Valley company’s internal threat algorithms were faulty and announced an investigation into the security of Apple devices.

Understandably, it’s embarrassing getting caught doing the sorts of things people already suspect you of doing. But rather than say something useful — like the government will be looking into this to see if this is a misuse of the tech — the Modi government chose to accuse Apple of being incompetent and place it under investigation instead.

According to anonymous Modi administration officials, the government is placing a ton of pressure on Apple’s India reps to come up with an alternative to the notification program and/or the notifications themselves. Apparently, the government believes the notifications are having a negative “political impact.” Again, rather than alter its tactics, it’s pressuring Apple India reps to alter theirs. They’re seeking alternative wording that might suggest the Modi government has a better reason for hacking phones than simply to spy on people who aren’t fans of Modi or his administration.

That’s going to be a tough sell. The facts speak for themselves.

Many of the more than 20 people who received Apple’s warnings at the end of October have been publicly critical of Modi or his longtime ally, Gautam Adani, an Indian energy and infrastructure tycoon.

Things look even worse when you take a look at which journalists were apparently targeted by state-sponsored hacking:

Of the journalists who received notifications, two stood out: Anand Mangnale and Ravi Nair of the Organized Crime and Corruption Reporting Project, a nonprofit alliance of dozens of independent, investigative newsrooms from around the world.

If the Modi administration wanted to draw attention away from its abusive tactics and alleged corruption, it couldn’t have picked a worse way to do it. Thanks to Apple’s notification program, the entire world now has a clearer picture of how (and why) the Indian government deploys phone exploits. And the malware detected on Mangnale’s phone was none other than NSO Group’s flagship product: Pegasus.

NSO did respond to requests for comment from the Washington Post, but as usual, its contribution to the discussion was less than useful. Once again, NSO stressed it only sells to governments and only for the purposes of combating terrorism and “major crimes.” But this part of the statement is even more useless than the usual stuff NSO says when yet another report shows even more abusive deployments of its spyware.

“The company’s policies and contracts provide mechanisms to avoid targeting of journalists, lawyers and human rights defenders or political dissidents that are not involved in terror or serious crimes.”

“Provide” all the “mechanisms” you want, but it doesn’t actually prevent anyone from targeting the kind of people who shouldn’t be targeted by governments that bought malware and agreed to use it to fight terrorism and “major crime.” The correct response would be to terminate contracts and refuse to sell to governments caught abusing the tech. The incorrect response would be… well, pretty much everything NSO has done since the leak blew the lid off its plausible deniability.

It’s pretty easy to tell a powerful foreign government to fuck off from Cupertino, California. But things are far less simple for those having to deal with Indian government officials face-to-face. The Apple reps located in India appear to have been intimidated into at least some level of cooperation with the government’s preferred narrative.

Apple India soon sent out emails observing that it could have made mistakes and that “detecting such attacks relies on threat intelligence signals that are often imperfect and incomplete.”

But that appears to be the end of the concessions being made by Apple India. And Apple, for its part, flew an outside rep to India to meet with the government in an effort to disabuse it of its (clearly false) notions that Apple hacking warnings are generally just the result of incompetence by Apple’s security team.

For now, it appears the Modi administration believes it has won this match. Pressure to alter notifications has eased a bit as the government’s narrative is continually pushed by politicians who insist the notices were nothing but mistakes or, as one legislator put it, “fake” (as in news). The Indian government can try to enjoy this non-victory, but it’s still losing the long game. India’s citizens already know they can’t trust this government. This is just more evidence indicating the distrust is genuine and earned.

Filed Under: bjp, india, journalism, journalists, malware, narendra modi, notifications, spyware, state sponsored hacking, surveillance
Companies: apple