Early this week, it was revealed that Apple is initiating legal proceedings against NSO Group, the notorious Israeli surveillance company behind the Pegasus spyware scandal. The American tech company has taken issue with the weaponisation of its products against activists, journalists and human rights workers using Apple devices. The “highly sophisticated cyber-surveillance machinery,” Apple asserts, “invites routine and flagrant abuse.”
NSO have been making headlines for years, a recurring name in stories covering the monitoring and repression of civilians by states across the globe. They develop and sell surveillance technology to governments and police forces, who have directed its use towards their own civilians and foreign nationals. The Pegasus programme was discovered in 2016, after a failed installation led to an investigation exposing the invasive spyware.
“Mercenary spyware firms like NSO Group have facilitated some of the world’s worst human rights abuses and acts of transnational repression, while enriching themselves and their investors” – Ron Deibert, director of the Citizen Lab at the University of Toronto
This year, in July, NSO made headlines again after a three-month-long collaborative investigation involving Amnesty International and “more than 80 reporters from 17 media organizations in 10 countries.” The collective effort was dubbed “The Pegasus Project.”
The investigation was initiated and co-ordinated by French non-profit Forbidden Stories, an organisation publishing the reports of journalists who fear reprisal if their identity is revealed. Forbidden Stories had obtained a “leak of more than 50,000 phone numbers selected for surveillance by the customers of the Israeli company NSO Group.”
The reporters, assisted by Amnesty’s cyber-security division, “met with victims from all over the world whose phone numbers appeared in the data,” and were “able to confirm an infection or attempted infection with NSO Group’s spyware in 85% of cases, or 37 in total.” The research was confirmed by Citizen Lab, a Canadian research group based in the University of Toronto.
The company itself has been around for a decade, formed by ex-Israeli spies, trained in the IDF. All sales by the group are approved by the Israeli Defense Ministry, arguably making the state of Israel complicit in the plethora of abuses enacted by NSO’s clients. In fact, according to The Pegasus Project, “Insiders disclosed the important role played by the Israeli Ministry of Defense when it came to picking NSO Group’s clients.”
Why the surveillance software is so dangerous
Mexico began using an early version of the software in 2011. By 2016, when the software was discovered, it was shown to be able to capture all of the available data on the phone it had infected, as well as being able to intercept communications. In 2019, WhatsApp, the Facebook-owned messaging app developer, revealed that it had been exploited by NSO, and its users had been spied on. 1400 phones had been compromised.
The programme works by exploiting “zero-day” vulnerabilities, which are weaknesses in the security of software unbeknownst to the developers. They are hence difficult to defend against.
Another reason the programme is so dangerous is that, whilst in 2016 it relied on the victim clicking a malicious link, it now operates on a “zero-click” basis, requiring no action from the victim at all. This means that the programme can gain entry through an answered WhatsApp call, or even an “iMessage.”
Apple, in its lawsuit, cites evidence that between February and September 2021, Pegasus was deployed into Apple devices by NSO through an exploit called “ForcedEntry,” using the “zero-click” feature described above.
Apple released an urgent update in September attempting to protect its users against further surveillance from NSO. However, tech experts warn that cyber security efforts cannot always withstand the dedicated state-supported assault against privacy that groups like NSO represent. Apple has described itself as having been forced into a “digital arms race” by NSO.
Challenges from America – the government and tech corporations, including Facebook, Google and Microsoft, take action against NSO
On the 3rd of November, the Biden administration attempted to protect its citizens against a “national security threat” by blacklisting NSO Group as well as another Israeli surveillance company, Candiru. The companies were added to an “Entity List,” meaning that trade to those bodies is restricted, becoming subject to “specific license requirements.”
The move has provided a well-needed roadblock against the spyware-suppliers, who the government say are proliferating “tools of repression.” Importantly, American security firms can no longer sell them information on computer vulnerabilities, without government approval, which is unlikely to be granted.
Earlier this month Facebook was also given permission to pursue legal proceedings against NSO Group. The surveillance company failed to convince an Appeals court in San Francisco that it should be awarded “conduct-based immunity,” a legal protection afforded to a “State official in the discharge of his or her functions.”
They were attempting to argue that since their technology is used by foreign spy agencies and law enforcement, the company should be treated as a state official.
The Appeal Court Judge was unimpressed with the line of argument, stating that “Whatever NSO’s government customers do with its technology and services does not render NSO an ‘agency or instrumentality of a foreign state.’”
Facebook’s legal challenge against NSO was met with support from a number of major tech groups, including Microsoft and Google. Late last year, the companies filed an amicus brief, a legal document offering expert insight to the court, detailing the “dangerous” implications of allowing NSO’s activity to flourish.
The amicus briefing argued that there was a “substantial reason to doubt” the NSO’s assertion that their activity was beneficial, and that foreign governments were investing in tech produced by groups like NSO in order “to spy on human rights activists, journalists, and others, including U.S. citizens.”
Facilitating the suppression and surveillance of legitimate voices under the guise of anti-terrorism
NSO has repeatedly claimed that its software is designed to target “terrorists” and “criminals.” The fact that the software has been used so often to target and endanger civilians acting entirely within the law, however, seems to suggest, at best, a willful naivety on behalf of the developers selling the software to countries like Mexico, where journalists are routinely murdered.
This claim ignores the way in which these labels can be retrofitted onto individuals and groups who have been affected by the software, in order to justify surveillance on people who have already been designated as targets.
A recent example was reported in October, when Citizen Lab, commended by Apple as one of the key organisations defending the privacy of civilians, confirmed the veracity of research undertaken by Front Line Defenders. FLD discovered that 6 phones, belonging to members of 6 different Palestinian Civil Society groups, had been infected by the Pegasus software.
Three days after the discovery, on the 19th of October, the Israeli Government issued an executive order, declaring the six human rights groups “terrorist organisations.” The designation was widely condemned by human rights groups including Amnesty International and Human Rights Watch, as well as experts at the UN.
The UN High Commissioner for Human Rights said that Israel had committed an “unjustified attack on Palestinian civil society,” and that “The organizations concerned are some of the most reputable human rights and humanitarian groups in the occupied Palestinian territory and for decades have worked closely with the UN.”
The statement of condemnation drew attention to the “extremely vague or unsubstantiated” reasons used to justify the designation. This exposes the dangerous elasticity of the word “terrorist,” and makes clear the unreliability of NSO’s assertion that lawful civilians should not fear the application of the software.
Moving forward
Apple has pledged $10 000 000, plus any damages awarded if the case against the NSO is successful, towards “organisations pursuing cyber-surveillance research and advocacy.” They have also promised to provide Citizen Lab with “pro-bono technical, threat intelligence, and engineering assistance.” Apple has begun alerting users who may have been targeted by the software, in order to warn them of the threat.
The move, regardless of the case outcome, is a step in the right direction, and a win for smaller projects like Citizen Lab that have attempted to hold the line against increasingly stealthy and invasive state-sponsored digital threats.
Several Thai activists received email from @Apple, notifying that they are being targeted by state-sponsored attackers. One of the activists is Dechathorn Bamrungmuang or HOCKHACKER of Rap Against Dictatorship. https://t.co/8eYKbowTwC
Photo courtesy of HOCKHACKER #infosec pic.twitter.com/EoySEKEWfm
— Ryn J. (@Ryn_writes) November 24, 2021
Editor’s Note: The opinions expressed here by Impakter.com columnists are their own, not those of Impakter.com.