Stories

When governments turn spyware on citizens

Protestor holding up a canister of tear gas
Protesters in Cairo use cell phones to photograph a tear gas container in 2011. Photo: Karimphoto via Getty Images

A new report shows that a military contractor has likely sold spyware to repressive regimes. But the study's authors and other experts differ on how to stop the problem.

The big picture: That study, released Tuesday by the University of Toronto's Citizen Lab, found that 36 surveillance networks used commercial militarized spyware made by the Israeli NSO Group.

  • Many countries operated more than one network, and six of the suspected countries — including Bahrain, Kazakhstan and Saudi Arabia — had histories of using spyware to target dissidents, journalists and other civil targets.
  • Some uses veered toward the petty: One cluster of infections hit supporters of a soft drink tax in Mexico.

NSO is far from the only spyware maker that sells its tools to countries that might be repressive.

  • It happens often enough that companies follow the same script. “They say, ‘We only sell to law enforcement. We’re self-regulating,'" says Bill Marczak, the author of the Citizen Lab report. "But if this wasn’t being used to target civil society, it would never cross our desks.”

We can't get rid of the industry altogether. Lots of countries use commercial spyware for legitimate purposes. The study's list includes the U.S. and Canada, and the new U.S. strategy for military cybersecurity released earlier this week calls for more use of "off-the-shelf" hacking tools.

Citizen Lab's solution: regulation. “The best step to keep the tools in line would be a process of export controls with humanitarian restrictions rather than just defense and national security ones,” says Marczak.

Yes, but: The security industry is still stinging from the last time a powerful group of countries tried to do just that.

  • The nations of the Wassenaar Arrangement, an arms export pact that includes the U.S., EU and others, tried to use that agreement to slow the spread of commercial malware to repressive regimes in 2013.
  • The move was ultimately a disaster. Poor definitions in the agreement inadvertently applied limits not just to spying tools, but to research into spying tools, security testing software and other products that might need to replicate something bad to accomplish something good. Researchers — and Congress — rebelled.

Katie Moussouris, a cybersecurity expert brought in by the State Department to renegotiate the Wassenaar Arrangement, says, "We’ve already seen for 20 years that export controls on software have been hard to do with surgical precision."

  • Moussouris, the CEO of Luta Security, says better alternatives might include sanctions against misbehaving countries or intervention under the military's new cyber strategy.

The bottom line: There are no easy fixes.

  • "Stopping humanitarian abuses is something I think we as human beings typically support," says Moussouris. But there isn't any consensus on how to do that, safely, given the lessons learned the last time nations tried.