Government hacking and the digital insecurity industry

In July, the international community received with shock the revelations that journalists, activists and opposition politicians from several countries had their smartphones invaded by governments using spyware. Pegasus, as the tool used is known, is provided by the Israeli company NSO Group to intelligence agencies, law enforcement agencies and military bodies around the world, allegedly for the sole purpose of fighting terrorists and other criminals. In practice, however, the journalistic investigation showed that the software was widely used for other purposes, such as political surveillance and repression.

As with Edward Snowden’s 2013 revelations about massive US government surveillance programs, the Pegasus affair has had considerable political repercussions. Among others, it shed light on the threat to human rights posed by interactions between governments willing to expand their surveillance capabilities and companies whose business model is based on the commercial exploitation of the insecurity of our devices. Today’s post discusses these risks, examining the implications of what happened for the debate on the institutionalization of government hacking in Brazil.

Understanding the Pegasus affair

Pegasus is a malware capable of compromising most mobile devices with Android and iOS operating systems. The infection of the targeted smartphone can occur through a victim’s simple click on a suspicious link. Alternatively, it can be done without any action from the user – a mechanism known as “zero click” -, being carried out by network transmission that requires only physical proximity and knowledge of the victim’s telephone number.

Once the target has been compromised, the attacker gains full access to the device’s information, including text messages, emails, passwords, photos, videos, audio, search history and location history. Additionally, the attacker becomes able to activate the target’s camera, microphone and geolocation remotely and without warning, as well as to intercept calls and messages in real time.

Although Pegasus’s existence was already publicly known, recent revelations have shed light on the potential extent of the tool’s abuse. The investigation, which has been conducted by an international consortium of 17 press vehicles in partnership with the NGOs Forbidden Stories and Amnesty International, revealed the existence of a list of more than 50,000 telephone numbers of individuals considered to be “people of interest” by governments interested in the tool.

The investigation identified the owners of at least 1,000 of the numbers on the list, which included 14 heads of state, more than 180 journalists and more than 600 politicians and government officials. Other potential surveillance targets included activists, lawyers, business executives, teachers, academic researchers, judges and physicians. In addition, 67 suspected compromised devices underwent a forensic analysis conducted by  Amnesty International’s Security Lab, which found evidence of tampering in 37 of them. The total number of compromised devices is unknown.

NSO Group, the provider of the app, denied the allegations, claiming it had nothing to do with the list and calling the number in it “exaggerated.” Additionally, it stated that it does not have access to data on its customers’ targets and does not operate the technology that it sells.

The revelations provoked multiple and immediate reactions. In a press release, Apple condemned cyber attacks against journalists and human rights activists. Amazon Web Services, the company’s cloud services platform, blocked NSO Group accounts. The United Nations High Commissioner for Human Rights called the event “extremely alarming”, suggesting that governments regulate the distribution, use and export of private surveillance technology.

As these reactions show, the affair has raised a broader debate about the feedback relationships between state vigilantism and the commercial exploitation of technological insecurity. In the next section, I briefly examine some of the causes and implications of these connections.

Government hacking and insecurity as a business

Since Snowden, we have known that the cooperation of companies such as Microsoft, Google, Facebook and Apple was fundamental to the execution of the massive surveillance programs carried out by various governments. The Snowden episode and other scandals, such as the Cambridge Analytica affair, have fostered a transformation in public discourse on privacy and security over the past decade. As part of this movement, the pressure for more privacy and security in the goods and services offered by Big Tech grew, such as the diffusion of strong cryptography to protect information.

Faced with a scenario in which more digital security entails an alleged reduction in the state’s capacity to access the contents of private communications and devices, governments increasingly resort to alternatives provided by companies specialized in breaking this security, compromising devices and systems.

The notorious public dispute between Apple and the FBI in 2016 illustrates this dynamic: allegedly unable to access the contents of an iPhone used by a terrorist and faced with Apple’s refusal to reduce the security of its operating system, the FBI turned to Cellebrite to unlock it. Like the NSO Group, Cellebrite is known for selling technology aimed at breaking the security of mobile devices to various governments for the purpose of extracting and analyzing data.

Exploitation of security breaches by authorities for intelligence or criminal prosecution purposes is generally referred to as government hacking or lawful hacking. These practices may involve technology produced by the government itself or, as the Pegasus case has shown to be frequent, tools sold by companies such as the NSO Group and Cellebrite.

The risks of government hacking to human rights have been highlighted by the international community for some time. In 2018, David Kaye, then UN Special Rapporteur for the promotion of freedom of expression, warned of a worrying trend toward legalizing these practices by countries in vague and ambiguous legal texts, which grant authorities enormous powers with minimal external oversight.

As an example of the harmful potential of these practices, Kaye notes that US law has already allowed the FBI, for example, to obtain a court order to hack 8700 devices in 120 countries or territories. For these reasons, the rapporteur called in 2019 for an immediate moratorium on the purchase, sale and transfer of these technologies until human rights concerns have been remedied by regulatory frameworks.

This position echoes criticism from other actors, which gained new impetus in the Pegasus case. Snowden, for example, has been advocating a global ban on spyware trading, an activity that characterizes what he calls an “insecurity industry.” He compares this trade to the sale of nuclear weapons, something against which there is no defense, and to an “infection industry” that does not produce security, only insecurity. In his words:

“The entirety of this Industry’s business involves cooking up new kinds of infections that will bypass the very latest digital vaccines—AKA security updates—and then selling them to countries that occupy the red-hot intersection of a Venn Diagram between “desperately craves the tools of oppression” and “sorely lacks the sophistication to produce them domestically.”

The insecurity industry meets Brazilian techno-authoritarianism

In Brazil, government hacking is already part of the everyday reality of criminal investigations. There are many reports of the use of Cellebrite technology in investigations and national police operations. In May 2021, an attempt by Rio councilor Carlos Bolsonaro to interfere in a bid for the purchase of Pegasus by the Ministry of Justice became public. After the scandal, a negotiation for the potential acquisition of the program by the task force of Operation Car Wash in 2018 was also publicized.

If the use of this type of resource is already alarming in the absence of a national criminal procedural law that disciplines the matter in a robust manner, attempts to change the current legal framework seem to aggravate the problem. The reform of the Brazilian Code of Criminal Procedure, the subject of more than a decade of debate, attracted national and international criticism from digital rights activists for containing provisions that, if approved, would seriously violate human rights, including with regard to government hacking.

The draft proposal that has been the basis for discussions in the Chamber of Deputies would authorize, in its art. 304, two hypotheses of government hacking as a means of gathering evidence: the “remote collection, conducted covertly or not, of data at rest accessed from a distance”, and the “collection by forced access of a computer system or data networks”. In the first case, one can easily imagine the use of spy software, such as Pegasus. In the second, the technology sold by Cellebrite comes to mind.

 As me and researcher Pedro Amaral have previously argued, this wording amounts to a generic authorization for the Brazilian State to make use of extraordinarily harmful tools without any specific limits or safeguards. It is almost as if the text sought to exemplify the problem of vague and ambiguous writing denounced by David Kaye.

But, beyond that, it is necessary to consider the current political and legal context that the country is facing: a context of fragility of democratic institutions, of gradual and progressive suppression of freedom of expression and of increasing technological use for the implementation of authoritarian measures. In short, a context of techno authoritarianism. Such is the diagnosis of reports produced by organizations such as Artigo 19, Data Privacy Brazil and the Freedom and the Center for the analysis of liberty and authoritarianism.

In this landscape, the legalization of a generic government hacking prerogative becomes even more pernicious, as the risk of abuse is not merely that inherent to the use of these tools by authorities in any country. On the contrary, elements that make up the current Brazilian situation offer very concrete indication that, if government hacking is regulated in this way, the question will not be whether the technology will be abused, but when.

Conclusion

The existence of an industry which has its business model based entirely on exploiting security vulnerabilities in our digital devices represents a profound democratic risk to be recognized by our policy makers. If the tools offered by these companies are a fertile ground for authoritarian practices and vigilant governments, they in consequence represent an unacceptable threat to the fundamental rights of citizens.

As Snowden warns, there is simply no defense against the weapons such companies produce. Consequently, the development of solutions involves a double political confrontation: on the one hand, it is necessary to establish strict limits on the government’s capacities to acquire and use these resources; on the other hand, it is necessary to put a restraint on the commercial exploitation of digital insecurity, whether through a ban or a moratorium, as has been called for by the UN special rapporteurs and by Snowden.

If we can learn anything from the Pegasus case, it’s that the risks of these solutions are not potentially materializing abstractions, they are already materializing daily. Considering this fact and the impossibility of individual defense against such weapons, it remains for us to demand agile, severe and collective remedies against such problems.

The views and opinions expressed in this blogpost are those of the author. 
Illustration by Freepik Stories.