Sep 20, 2018

When governments turn spyware on citizens

Protesters in Cairo use cell phones to photograph a tear gas container in 2011. Photo: Karimphoto via Getty Images

A new report shows that a military contractor has likely sold spyware to repressive regimes. But the study's authors and other experts differ on how to stop the problem.

The big picture: That study, released Tuesday by the University of Toronto's Citizen Lab, found that 36 surveillance networks used commercial militarized spyware made by the Israeli NSO Group.

  • Many countries operated more than one network, and six of the suspected countries — including Bahrain, Kazakhstan and Saudi Arabia — had histories of using spyware to target dissidents, journalists and other civil targets.
  • Some uses veered toward the petty: One cluster of infections hit supporters of a soft drink tax in Mexico.

NSO is far from the only spyware maker that sells its tools to countries that might be repressive.

  • It happens often enough that companies follow the same script. “They say, ‘We only sell to law enforcement. We’re self-regulating,’” says Bill Marczak, the author of the Citizen Lab report. “But if this wasn’t being used to target civil society, it would never cross our desks.”

We can't get rid of the industry altogether. Lots of countries use commercial spyware for legitimate purposes. The study's list includes the U.S. and Canada, and the new U.S. strategy for military cybersecurity released earlier this week calls for more use of "off-the-shelf" hacking tools.

Citizen Lab's solution: regulation. “The best step to keep the tools in line would be a process of export controls with humanitarian restrictions rather than just defense and national security ones,” says Marczak.

Yes, but: The security industry is still stinging from the last time a powerful group of countries tried to do just that.

  • The nations of the Wassenaar Arrangement, an arms export pact that includes the U.S., EU and others, tried to use that agreement to slow the spread of commercial malware to repressive regimes in 2013.
  • The move was ultimately a disaster. Poor definitions in the agreement inadvertently applied limits not just to spying tools, but to research into spying tools, security testing software and other products that might need to replicate something bad to accomplish something good. Researchers — and Congress — rebelled.

Katie Moussouris, a cybersecurity expert brought in by the State Department to renegotiate the Wassenaar Arrangement, says, "We’ve already seen for 20 years that export controls on software have been hard to do with surgical precision."

  • Moussouris, the CEO of Luta Security, says better alternatives might include sanctions against misbehaving countries or intervention under the military's new cyber strategy.

The bottom line: There are no easy fixes.

  • "Stopping humanitarian abuses is something I think we as human beings typically support," says Moussouris. But there isn't any consensus on how to do that, safely, given the lessons learned the last time nations tried.
