Instead of being astonished by the ease with which an Israeli firm’s software can hijack ‘secure’ devices, we need to put in place laws governing how all actors can use this personal data.
An iPhone in front of NSO Group's headquarters in Herzliya, Israel, August 28, 2016.Jack Guez, AFP
“There is something intimate and insidious about a telephone,” observed former CIA officer William Johnson, in his 1987 monograph on the spy trade. “No matter how careful I am when using the telephone, I cannot help giving away information of value to somebody investigating me.”
If you want to put this to the test, try setting up a meeting with someone without using any words that could allow a third party to work out where or when it will take place, or the subject to be discussed.
Today’s spies are just as quick to acknowledge that phones — and especially smartphones — are not secure. These devices leak revealing personal information to anyone who takes an interest, and yet outside the intelligence community the news of the latest vulnerability is met with an amnesic surprise.
The most recent example was the discovery of Pegasus — malware developed by an Israeli company that, when installed by a user who unwittingly clicks on a link in a seemingly innocent text message, can in effect hijack the user’s iPhone or iPad. It can transmit all data stored on the device, from passwords, photos, calendars and address books to text messages, voice calls and the location of the device itself. In addition, it can commandeer the gadget’s microphone and camera, turning the user into a virtual spy.
These capabilities were revealed after Ahmed Mansoor, a human-rights activist from the United Arab Emirates, forwarded a suspicious text message containing a link to Citizen Lab. Researchers at the internet watchdog, which is based at the University of Toronto’s Munk School of Global Affairs, clicked on the link, studied the effects of the malware and notified Apple, which quickly released a security patch update for iOS, the operating system for the company’s mobile devices.
Pegasus is certainly one of the most complete hacking tools to come to the public’s attention. Any one of its capabilities are highly revealing; being able to build a map of someone’s location for example will quickly reveal their daily routine, friends, work, where their children go to school and much more. Combined, Pegasus’s capabilities would leave little personal information undiscovered if used against an unsuspecting target.
But it is naïve to think that Pegasus is unique in its invasiveness or sophistication, and equally naïve to think that such abilities are restricted to a handful of nation states. The company responsible for Pegasus is Israel’s NSO Group, set up by former members of Israel’s security services, and partly owned by an American private equity firm, Francisco Partners, with offices in London.
NSO Group has not been very discriminating with its customers. Pegasus is believed to have been sold to the governments of Yemen, Saudi Arabia, Uzbekistan, Mexico and other states. Yemeni intelligence officers demonstrated remarkable bravado in showing journalists that they can access their communications. The point is that this one tool has been supplied widely to some countries on the opposite end of armed conflicts, and there is evidence that it has been used by other cybersecurity companies. And there are many comparable tools.
The history of communications technology has developed along two consistent lines. Technologies have become more sophisticated, and have become steadily smaller and more user friendly. The phone itself is a case in point, from landline to mobile to smartphone, ever more powerful and convenient. There is every reason to think hacking tools will follow a similar trend, with less and less need for users to manually crack into a system, or to understand the underlying coding.
This poses some unpleasant problems that need to be faced. We often discuss the importance of privacy, but phones are neither private nor secure and the ability to access the treasure trove of personal information that they hold is going to become easier, and doable by a far broader range of actors. Moreover it is inconceivable that people are in consequence going to stop holding large volumes of personal information on smart devices. It is, quite simply, too convenient, and while some may fall victim to criminal hacking, for the majority the risk will have been worth it.
The public response to hacks tends to be a mixture of outrage, surprise, and an expectation that their devices are secured. Pegasus shows that we should be asking more fundamental questions. The first is that if these tools are going to be used by law enforcement — using location data from phones, for example, to link a suspect to a crime scene — we need very clear laws and oversight of how this data is accessed by police, what information should be available and what procedures should allow officers to access devices that alongside relevant evidence contain personal information that is not germane to the case, but cannot be readily distinguished from other data. There are some precedents for answering these questions.
There are far fewer precedents when we come to consider who should be allowed to manufacture and sell powerful tools like Pegasus, and to whom. If they are the weapons of cyberwarfare, should they be monitored with comparable rigor to arms? Should the use of such tools require licensing of the vendor, and proof of compliance?
Of particular relevance to Mansoor and other activists targeted by repressive states, is the question of public attitudes toward hacked information. There is a widespread acceptance that hacked information is the concealed truth made public. With the modern craze for mass data leaks little work is done to verify that the data has not been subtly tampered with.
But as was recently demonstrated in Russia, hackers manipulated records from the Open Society Foundation to try to link George Soros and Russian anticorruption activist Alexei Navalny. The fabrication was only noticed because two hacking groups independently released discrepant versions of the same material. To put this in the context of mobile devices, suppose a hacker were able to enter an iPhone and change the location data, placing someone at the scene of a crime when they were not. It is hard to imagine a jury, representative of the current pervasive attitude, seriously doubting the veracity of such evidence.
It is easy to look ahead and see a dystopian future, dominated by surveillance, public and private. Trying to counter these trends individually is a sure path to paranoia. But if we can get the frameworks surrounding the use of these powerful tools right, if we have those difficult conversations now, then we can hope to transform them from a sinister threat to another transformative step in the advance of technology.
Originaly published by Haaretz.
Jack Merlin Watling
Jack is a journalist and historian. He formerly worked as planning editor at NewsFixed, and has contributed to Foreign Policy, Reuters, the Guardian, Vice, the Herald Group and the New Statesman.