
Wednesday, July 28, 2021

Regulating the Global Spyware Market Won’t Be Easy Emily Taylor (JR 239 ET 01)

Emily Taylor | Tuesday, July 27, 2021

Like picking up a rock in the garden, the NSO Pegasus spyware scandal exposes a repulsive world teeming with life in the muck and mire—so much so that it is tempting to put the stone back in place and pretend that world doesn’t exist. There are many layers to the story: the human cost, the murky ethics of selling powerful spy tools to states with poor human rights records, and the complexities of trying to regulate the global market for such software. They all point to a challenge that will be with us for some time, despite the popular outrage the scandal has caused.
The stories of the human cost are awful. Take Cecilio Pineda Birto, a Mexican journalist who wrote about corruption (http://theguardian.com/news/2021/jul/18/revealed-murdered-journalist-number-selected-mexico-nso-client-cecilio-pineda-birto) and whose phone number appears on a leaked list of 50,000 numbers that is reportedly a master list of phones targeted by NSO Group’s clients using Pegasus software. Pineda was shot dead as he waited for his car to be washed. He was 38 years old. Reading about his death, it’s impossible not to wonder whether the NSO Pegasus tool’s ability to track a target’s location, or turn on a smartphone’s camera and microphone to film and eavesdrop on them, played a part in helping his killers to track him down. And who was the customer? Was it the Mexican state, or a drug cartel? Could the answer have been both?
Pineda’s murder is just one of many stories, from Morocco’s intelligence agency spying on French President Emmanuel Macron, to Saudi Arabia, the United Arab Emirates, Azerbaijan and other governments allegedly using NSO’s technology to target human rights lawyers, activists and journalists (http://washingtonpost.com/investigations/interactive/2021/nso-spyware-pegasus-cellphones/)—citizens and non-citizens alike, at home and abroad.
That authoritarian states use surveillance technologies to spy on those who seek to expose their corruption and rights abuses is outrageous, but regrettably, it is nothing new. This privatized, opaque and global market for spyware, in which multibillion-dollar firms like Israel’s NSO work with intelligence agencies and governments all over the world, regardless of their human rights records, is the “bugs under the rock” moment revealed by the Pegasus scandal. The surveillance technologies in question do have legitimate law enforcement uses, for instance to track terrorist groups or organized crime. But there appear to be few, if any, effective checks and balances to ensure that such powerful tools are not used for the purposes of repression.
NSO is not the only actor implicated in the broader repercussions of this scandal. Other vendors sell spyware, and those sales are subject to export licenses granted by states—in this case, Israel. Last year, in a little reported development, a Tel Aviv court refused an application supported by Amnesty International to revoke NSO’s export license (https://www.amnesty.org/en/latest/news/2020/07/israel-court-notorious-spyware-firm-nso/) due to past abuses of its software by states like Saudi Arabia, the UAE, Morocco and Mexico.
Marietje Schaake, a former European parliamentarian and the current president of the Cyber Peace Institute, has long campaigned against the export of “dual use” technologies, or goods, software and technology that can be used for both civilian and military applications, of which Pegasus is one example.
She points out that private contractors such as NSO are often based in democracies such as Israel, yet sell spyware to regimes that are well known for violating human rights at their most basic level. In an interview with Tech Policy Press, Schaake condemned NSO’s response to allegations of abuse of the Pegasus spyware (https://techpolicy.press/the-sunday-show-surveillance-and-the-future-of-tech/) by authoritarian regimes as hypocritical “nonsense.” Speaking to me over the weekend, Schaake warned of another risk associated with the free trade in intelligence grade technologies: “It puts authoritarian regimes on a fast track to achieving competing capacity to that of democratic societies.”
Much like the international arms trade, the market for spyware is a global one, and private actors are key suppliers to many governments. Western firms sell arms not only to NATO allies but also to friendly countries, such as Saudi Arabia, with well-documented records of repression and human rights abuses. These countries often have legitimate reasons for purchasing those weapons or spyware, as well as illegitimate, repressive ones. It is fair to question whether vendors should be the arbiters of whether their state customers are lying to them about the intended use of these purchases.
Campaigners against these surveillance tools have long pressed for updating the rules governing export controls on dual-use technologies, which are covered by the non-binding Wassenaar Arrangement, to include spyware. In May 2021, the European Parliament and European Council adopted a regulation to modernize the European Union’s system for the control of exports, brokering, technical assistance, transit and transfer of dual-use items (https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2021:206:FULL&from=EN).
The regulation introduces due diligence obligations for producers of such goods and puts greater responsibility on those companies to address the risks to international security posed by the dual-use items they sell. Of course, export controls would not have prevented the import of Pegasus software by Hungarian Prime Minister Viktor Orban (https://www.theguardian.com/news/2021/jul/18/viktor-orban-using-nso-spyware-in-assault-on-media-data-suggests), allegedly to spy on Hungarian investigative journalists.
Edward Snowden has called for a ban on the global market for spyware (https://www.theguardian.com/news/video/2021/jul/19/edward-snowden-spyware-industry-should-not-exist-video), but he is a bit light on details for how such a ban should be enacted, given that the technology already exists out there and there are plenty of willing buyers. A United Nations report authored by David Kaye in 2019 similarly called for a moratorium on the global sales of spyware until more robust human rights protections are put in place (https://www.worldpoliticsreview.com/articles/28016/can-a-u-n-report-help-rein-in-expansive-and-abusive-digital-surveillance), but it generated little follow-up.
I asked Sir David Omand, the former head of the British signals intelligence agency GCHQ and author of “How Spies Think,” what could be done to reduce the risks of abuse in future. Omand told me that reaching a universally accepted international agreement on spying and software would be “next to impossible.” But he does think that improvements in national requirements for due diligence prior to the sale and export of such technology could help, and that some well-established objective criteria could be used to navigate the decision-making process.
“It is legitimate to sell tools for law enforcement or national security to countries that have in place protections for individual privacy rights, including transparent law, an independent judiciary, proper regulation and independent oversight,” he explained. The strength or weakness of such constraints will guide an assessment on the likelihood of future abuse. “Without such controls,” he added, “verification of how the technology is being used is problematic.”
Change could also come from an unexpected source. Some Big Tech companies are using their deep pockets to mount legal challenges, threatening to hit NSO where it hurts most—in the wallet. WhatsApp is currently suing NSO for its alleged hacking of WhatsApp’s end-to-end encrypted chat app back in 2019. Even if the challenge fails, the litigation process is likely to shine some disinfecting sunlight on the murky world of surveillance tech.
Unlike governments, tech companies are unlikely to also be potential or actual customers of NSO. What’s more, the spyware manufacturer is making some tech companies look bad. Alleged weaknesses in the security of Apple’s iPhone have received a lot of airtime over the past week. That’s bound to irritate a company that has made a major selling point of its commitment to user privacy and security. Apple did not join in a statement that several tech companies, including Microsoft and Cisco, filed in support of WhatsApp’s suit (https://www.business-humanrights.org/en/latest-news/how-does-apple-technology-hold-up-against-nso-spyware/) stating that NSO’s actions make technology less safe for everyone. Perhaps in the future it may change its mind.
https://www.worldpoliticsreview.com/articles/29835/there-are-no-easy-answers-to-the-nso-pegasus-software-scandal