The Growing Global Spyware Industry Must Be Reined In

Relatively inexpensive commercial software can remotely infiltrate the most intimate spaces of a target’s digital life to steal their information and secrets.

March 27, 2023
Illustration by Paul Lachine.

In July 2021, journalists, activists and dissidents the world over were reminded of how their communication devices can be turned against them. Eight years after American whistle-blower Edward Snowden leaked the National Security Agency files, exposing mass surveillance programs being run at the time by the US government, the Pegasus Project revealed the stunning ways spyware tools had evolved and spread since then.

No longer must state security agencies sift through broad metadata dragnets to monitor persons of interest. Instead, relatively cheap commercial software programs can remotely infiltrate the most intimate spaces of a target’s digital life to steal their information and secrets, all while marking their exact location.

Authorities routinely insist these tools are only used to apprehend criminals and terrorists. But the ease with which perceived adversaries can be covertly tracked outside legal due process is inflating definitions of who qualifies as a malign actor worth watching. Increasingly lumped into that category are journalists, human rights advocates and opposition groups, lawyers, environmentalists, academics and businesspeople. Even the family members of VIPs and heads of state are not immune.

The fragmented, slow-footed response by law makers to the Pegasus Project’s revelations continues to enable the opaque commercial hacking software industry to reach almost unimaginable levels of sophistication.

The NSO Group Rises Again?

Development of Pegasus, the software whose use triggered the investigation, was begun in 2011 by an Israeli cyber surveillance company, the NSO Group. By 2021, after a decade of iterations, Pegasus could be implanted on a target’s Apple or Android device without requiring any phishing attempts or errant action by the device’s owner — what’s known as zero-click capability. At this point, most user privacy and security backstops are instantly bypassed, including some encryption protections. Pegasus operators gain full control to download images and files, eavesdrop on calls, change settings, activate audio and video recording functions, access messaging and email accounts, collect passwords and authentication keys, turn on Global Positioning System location tracking, and more.

The NSO Group has always denied any wrongdoing. The company says its products are meant solely for law enforcement and counterterrorism purposes and that it has no control over hidden intentions of end-users. It also has a policy of not disclosing who its customers are.

However, an investigation into Pegasus was sparked in 2021 when a French non-profit media network, Forbidden Stories, and rights organization Amnesty International were sent a leaked file of tens of thousands of records of phone numbers that had at one time or another been chosen for surveillance by some of the NSO Group’s dozens of suspected government clients, including several advanced democracies. More than 80 journalists from 17 media organizations partnered with Forbidden Stories and Amnesty International to analyze the records. Their findings suggested Pegasus was being used to hack into devices at a prolific rate — and had allegedly targeted approximately 50,000 victims across at least 50 countries.

Nearly a third of these alleged victims were in Mexico, where democracy is being carefully eroded by left-wing authoritarian populist President Andrés Manuel López Obrador. Last October, documents obtained by hackers showed how, under López Obrador’s watch, Mexico’s military has relied extensively on Pegasus to track individuals investigating extrajudicial killings and other abuses carried out by the state’s armed forces.

Other countries confirmed by digital forensics to be using the software include Azerbaijan, Hungary, India, Kazakhstan, Morocco, Poland, Rwanda, Saudi Arabia, Togo and the United Arab Emirates. Government agencies in Germany, Israel and Spain have admitted to acquiring Pegasus as well. In the United States, the Federal Bureau of Investigation purchased it for research and testing purposes, but claims the software was never actually deployed — although the US Drug Enforcement Administration has been permitted use of another Israeli-made product, called Graphite, to pursue drug cartels.

Since the release of the Pegasus Project findings, eight countries and the European Union have launched judicial and parliamentary probes into its use. The NSO Group itself has been hit by multiple lawsuits, including from Apple and Meta-owned encrypted messaging platform WhatsApp. In January, the US Supreme Court struck down a petition by NSO Group to have WhatsApp’s complaint dismissed.

NSO Group’s co-founder and former CEO, Shalev Hulio, resigned in August 2022 after the company was blacklisted by the United States and had accumulated nearly half a billion dollars of debt. Under Hulio’s watch, the company also failed that year to pivot toward servicing the North Atlantic Treaty Organization (NATO) military alliance via an agreement to have American defence contractor L3Harris purchase the NSO Group’s collection of surveillance technology. The deal was blocked by the Biden administration on the basis of national security concerns — mainly that America’s rivals would find a way to acquire those tools from other NATO member countries.

And yet, in his first public comments since taking the helm of the company in 2022, CEO Yaron Shohat (he was previously chief operating officer) defended the NSO Group’s products as vital to public safety. Shohat also hinted that the company had crawled back from the brink of insolvency and is now attracting new customers.

Part of this revival is reportedly due to the return to power of Israeli Prime Minister Benjamin Netanyahu. Already Israel’s longest-serving leader, Netanyahu was re-elected in November 2022 and has formed what critics say is the most extreme right-wing government in the country’s history. Prior to his previous term’s ending in 2021, Netanyahu leaned on the NSO Group and its surveillance technology as a lever of diplomacy to build ties with Persian Gulf countries, in hopes of dampening regional support for Palestinian statehood. Meanwhile, Gulf monarchies are still haunted by the Arab Spring uprisings that caught neighbouring dictatorships off guard. They can be expected to seek out any means that might pre-empt similar pro-democracy movements from forming within their borders.

A Sprawling Global Ecosystem of Surveillance for Hire

In July 2022, one year after the release of the Pegasus Project findings, Amnesty International warned that “the lack of a global moratorium on the sale of spyware is allowing the surveillance industry to continue unchecked.” This appears to still be the case.

A database compiled by researchers at the Carnegie Endowment for International Peace think tank indicates governments in at least 75 countries — nearly 40 percent of all nations globally — have acquired commercial spyware within the past decade. In comments to The New York Times toward the end of 2022, Steven Feldstein, one of the Carnegie researchers who created the database, offered a sobering assessment: “The penalties against NSO and its ilk are important. But in reality, other vendors are stepping in. And there’s no sign it’s going away.”

Spyware and other services akin to Pegasus have been marketed by rival companies such as the Hacking Team. Formerly based in Italy, it sold “lawful intercept” products in the mid-2010s to security agencies and subnational governments in 41 countries. Likewise, from 2014 to 2022, German firm FinFisher sold its potent FinSpy software to the increasingly repressive government of Türkiye, as well as to Angola, Bulgaria, Nigeria and South Africa. Both companies have since collapsed under the weight of, respectively, scandal and criminal complaints. The European Center for Constitutional and Human Rights, a non-profit legal organization, has accused other cybersecurity software companies on the continent of enabling state spy services to commit crimes against humanity in Bahrain and Syria.

Further, the revolving door between veterans of Israel’s military and intelligence branches and its domestic tech sector is constantly generating new surveillance start-ups.

Aside from the NSO Group, there is Intellexa and its constellation of associated vendors; its “intelligence solutions” include Predator software. In December 2021, researchers from the Citizen Lab at the University of Toronto documented Predator as having been used by customers in Armenia, Greece, Indonesia, Madagascar, Oman and Serbia. In one instance, a phone belonging to an exiled Egyptian politician analyzed by the Citizen Lab was found to be doubly infected by both Pegasus and Predator software — the programs being run by two different government clients at the same time. Citizen Lab’s analysis also cites a 2021 report by Facebook’s parent company Meta, which claims Predator software has been deployed against victims in Côte d’Ivoire, Vietnam, the Philippines and Germany.

These companies have competition from Cognyte, founded in 2020, which describes itself as “a market leader in investigative analytics software.” The company was recently revealed to have secured a deal to supply Myanmar’s state-backed telecommunications firm with spyware one month before the current military junta launched its coup in February 2021. Also based in Israel is Candiru, which was blacklisted by the US government in November 2021 at the same time as NSO Group. A statement by the US Commerce Department announcing the measures also mentions Positive Technologies based in Russia, and Computer Security Initiative Consultancy (or COSEINC) located in Singapore.

A cybersecurity and open-source intelligence company known as S2T Unlocking Cyberspace, whose products are known to have been used by Colombia’s military, also had, or has, offices in Singapore. It’s suspected that the same software was sold to the main intelligence agency of Bangladesh, whose government was censured last year by experts from the United Nations Office of the High Commissioner for Human Rights, over abuses related to the purging of political opposition.

Indeed, the proliferation of these technologies and the demand for them by government and non-government clients alike have given rise to a mercenary spyware industry worth an estimated US$12 billion per year. Targets are diverse, from pro-democracy protestors in Thailand and Catalan members of the European Parliament, to prosecutors in Argentina, investigative journalists in El Salvador and US embassy officials in Uganda — among countless others. In a recent article, Ron Deibert, director of the Citizen Lab, noted that both advanced and more rudimentary forms of spyware are being weaponized worldwide to “systematically degrade liberal democratic practices and institutions.” One frequent method is for operators to infiltrate opposition movements during pre-election periods.

The upshot is that spreading spyware is having a profound chilling effect on press freedoms and civil society across the globe. Surveillance-for-hire offerings are enhancing the scope of authoritarian efforts to apply transnational repression — which US-based democracy watchdog group Freedom House defines as “governments reaching across borders to silence dissent among diasporas and exiles, including through assassinations, illegal deportations, abductions, digital threats, Interpol abuse, and family intimidation.”

But similar to ethical dilemmas around lethal autonomous weapons, efforts to regulate invasive hacking software are fragmented and lack urgency.

This partly comes down to autocracies prizing their newfound capacity for social control. China and Iran, for example, have already developed their own state-pioneered spyware, which they are surely promoting to their allies. Dozens of countries in the Global South are already participating in Beijing’s Digital Silk Road initiative, whereby Chinese tech firms provide everything from telecommunications and artificial intelligence systems to cloud-computing, e-commerce infrastructure, population surveillance and the wiring of smart cities.

Elsewhere, new algorithmic programs used for catching welfare fraud and the rise of workplace surveillance tech, which stems from an increase in remote employment, are shifting some mainstream opinions in favour of using technology to micromanage individuals’ behaviour. While advocating for the supposed economic value of emergent brain-reading technology, Duke University law professor Nita Farahany told an audience at the World Economic Forum in Davos, Switzerland, in January that “surveillance for productivity is part of what has become the norm in the workplace — and maybe with good reason.”

And similarly to how private-sector advances in AI may spur development of lethal autonomous weapons, advances in commercial workplace surveillance are bound to spur innovation within the spyware industry.

American intelligence expert Amy Zegart has highlighted the challenges in regulating these dual-use technologies — tools that have both civilian and security applications. “They are far more likely to be invented in the private sector,” she points out, “where they are funded by foreign investors, developed by a multinational workforce, and sold to global customers in private and public sectors alike.” This business model is generating tremendous future risks, Zegart argues, since “start-up founders are inventing capabilities that can be used by enemies they can’t foresee with consequences they can’t control.”

Reining in Cutting-Edge Spyware

In much of the world there remains a pervasive social myth that state surveillance has no impact on ordinary people’s lives. “If you’re not doing anything wrong, you have nothing to worry about,” goes the conventional wisdom.

However, journalists Laurent Richard and Sandrine Rigaud — two leaders of Forbidden Stories, the French non-profit media network that coordinated the Pegasus Project — have cautioned that “invasive surveillance of journalists and activists is not simply an attack on those individuals; it is a way to deprive millions of citizens of independent information about their own governments.”

At a time when countries are facing multiple intersecting crises and online spaces are rife with digital propaganda, democracies require a bedrock of facts if they are to function. This foundation includes the ability of journalists, citizens — including elected representatives — and opposition groups to question official narratives and publish information that governments may find uncomfortable, without the fear of repressive digital backlash from the state.

Civil liberties groups in Europe are now calling for an EU-wide ban on spyware. The government of Greece became the first of the bloc’s member countries to do so after media reports in August 2022 revealed that select opposition members of Parliament, as well as members of Cabinet and journalists, had discovered spyware on their devices, allegedly put there by Greece’s National Intelligence Service. In December, Greek law makers passed new legislation that stipulates a minimum two-year prison sentence for citizens caught using, selling or distributing spyware.

A month earlier, the Biden administration confirmed in a letter to two members of Congress that it had “mobilized an unprecedented government-wide effort to counter the proliferation and misuse of…commercial spyware.” The letter also points to the White House’s most recent National Security Strategy, released in October 2022, which vows the United States “will work to counter the exploitation of Americans’ sensitive data and illegitimate uses of technology, including commercial spyware and surveillance technology, and…will stand against digital authoritarianism.”

Yet critics have tempered expectations for these pledges by voicing concern over how the Biden administration in February asked Congress to renew Section 702, a 2008 amendment to the US Foreign Intelligence Surveillance Act that allows for warrantless surveillance of US citizens and foreigners overseas, for broadly defined counterterrorism purposes.

All this points to spyware as another technology being developed at a greater speed and scale than bureaucracy and parliaments can grapple with. Anyone currently concerned about being targeted by spyware is thus left to use existing tools and techniques to safeguard their devices.

Organizations such as Citizen Lab and Amnesty International’s Security Lab are playing a crucial role in helping to document the existence and capabilities of cutting-edge hacking tools and to alert possible victims. In the absence of a unified state response or global moratorium on spyware, entities such as these should receive, at the very least, more funding and support. Media investigations are also proving invaluable in unmasking commercial operations aiming to profit from the stealthy manipulation of democratic processes.

In Greek mythology, Pegasus is a white, winged deity in the shape of a horse, who teams up with the hero Bellerophon to slay the monster Chimera. Later, Pegasus betrays Zeus by trying to reach Mount Olympus, and is struck down for it. In the same way, the spyware industry initially established itself as a unique way to counter malicious activity. But clearly, this innovation has betrayed its original purpose. It should be brought back to earth.

The opinions expressed in this article/multimedia are those of the author(s) and do not necessarily reflect the views of CIGI or its Board of Directors.

About the Author

Kyle Hiebert is a researcher and analyst formerly based in Cape Town and Johannesburg, South Africa, as deputy editor of the Africa Conflict Monitor.