Hi, it’s Sam. It’s been almost three years since The Pegasus Project revealed the widespread abuse of commercial spyware technology, but the industry is still making headlines today. And not for the right reasons.
Thanks to the incredible work of Citizen Lab, Access Now, Amnesty Tech and many others, it’s now widely known that this highly invasive technology is being misused — targeting journalists, politicians and human rights defenders around the world.
And yet, efforts to curb the industry have so far been relatively haphazard, leaving significant opportunities for the companies and governments responsible to continue to abuse the technology.
This week, I want to take a look at some of the most recent spyware scandals and assess recent efforts to rein in this unregulated and dangerous industry.
As ever, please get in touch at samuel@top10vpn.com if you have any comments or suggestions for future editions.
Last week, Access Now and Citizen Lab published a new report identifying the misuse of spyware in Jordan. Their forensic investigation showed NSO Group’s Pegasus spyware had been used to spy on dozens of journalists, human rights lawyers, and activists in the country between 2019 and 2023.
Not to be confused with stalkerware — the creepy technology used to covertly monitor family members, partners, etc. — commercial spyware is highly sophisticated technology that can take complete control of a target’s phone, accessing everything from their camera to password-protected files.
It can be delivered through a variety of means, from sophisticated spear-phishing campaigns to the exploitation of 0-day vulnerabilities in zero-click attacks, where the target doesn’t even have to click on a link.
Given the ongoing reduction in press freedoms in Jordan, the revelations once again show how this invasive technology can be used for deeply anti-democratic purposes, despite NSO Group’s claim that its technology is designed to catch criminals and terrorists.
“The targeted surveillance of individuals violates their right to privacy, freedom of expression, association, and peaceful assembly. It also creates a chilling effect, forcing individuals to self-censor and cease their activism or journalistic work, for fear of reprisal.” (Access Now)
Unfortunately, journalists and human rights defenders in Jordan are far from alone in being targeted. In the last few years, targets of spyware have been identified in India, Spain, Mexico and Ethiopia, to name just a few.
And while NSO Group has faced sustained media scrutiny in recent years, it is just one of several companies developing similar technology. In a report published this week by Google’s Threat Analysis Group and Jigsaw, researchers said they were tracking around 40 distinct commercial spyware vendors.
Perhaps the most revealing finding of the report is that “the private sector is now responsible for a significant portion of the most sophisticated tools we detect.” In other words, it’s no longer governments that can lay claim to having access to the most advanced and invasive spyware capabilities.
This, in turn, lowers the barrier to entry for authoritarian governments looking to monitor journalists and other civil society members, since they no longer need to spend the money, time and resources required to develop such capabilities in-house.
Although spyware only affects a small (but growing) number of people, the researchers at Google rightly argue that “its wider impact ripples across society by contributing to growing threats to free speech, the free press and the integrity of elections worldwide.”
Clearly, urgent action is required. And in recent years, governments and some companies have started to take note, initiating measures aimed at diminishing the industry's influence.
This week, the US government announced it would deny visas to anyone who is involved in the misuse of commercial spyware globally. Access Now said it was a “positive, albeit limited, step to address spyware abuse,” and called on authorities to implement Magnitsky sanctions against known spyware developers.
Meanwhile, the UK hosted the first global conference to tackle the misuse of commercial spyware, urging governments and businesses to develop safeguards and oversight. The conference, attended by representatives from over 35 nations along with tech leaders and human rights defenders, saw the launch of a new international agreement, dubbed the “Pall Mall Process”.
The declaration has some interesting and controversial signatories, including Google, Meta and BAE — all of which have faced accusations of invading our digital privacy — and some important absences, including the Israeli government.
Despite these limitations, it’s still a positive step that shows a galvanizing effort to rein in this highly secretive and uniquely threatening industry. But the road ahead remains uncertain, demanding continued vigilance and collaborative efforts to navigate the complex interplay of technology, privacy, and security.
More on This Story
Threat Analysis Group: Buying Spying: How the commercial surveillance industry works and what can be done about it
Access Now: New spyware attacks exposed: civil society targeted in Jordan
The Record: Israeli government absent from London spyware conference and pledge
Reuters: Britain, France lead 35 nation agreement on controlling spyware, mercenary hackers
UK Government: The Pall Mall Process: tackling the proliferation and irresponsible use of commercial cyber intrusion capabilities
In Other News
Al Jazeera: ‘Inherently undemocratic’: Pakistan suspends mobile services on voting day
Pakistan suspended mobile services nationwide on election day, a measure criticized as "inherently undemocratic" by Netblocks. The government cited security concerns for the suspension. The outage was also observed by Cloudflare Radar.
Bleeping Computer: No, 3 million electric toothbrushes were not used in a DDoS attack
The story about 3 million electric toothbrushes being used in a DDoS attack was (unsurprisingly) found to be a hypothetical scenario, not an actual event. Fortinet, the cybersecurity firm mentioned, clarified to BleepingComputer that the scenario was meant as an illustration during an interview and not based on any real incident or research from their labs.
Ad Exchanger: What Do We Say to Emily? The Human Cost Of Advertising Data Abuse
The ethical implications and human costs associated with the misuse of advertising data can be severe. This article highlights a case where a consumer received an ad for cremation services after receiving chemotherapy, which was linked to data sold by a broker. It also covers Publicis’ $350M settlement for marketing opioids, demonstrating the industry’s failure to prevent harm and the need for greater responsibility and self-restraint in using sensitive data.
Citizen Lab: PAPERWALL
The Citizen Lab uncovered a network of at least 123 websites, operating from China, masquerading as local news outlets across 30 countries and promoting pro-Beijing content under the guise of commercial press releases.
Foreign Affairs: Why China Can’t Export Its Model of Surveillance
The article emphasizes the role of China’s vast network of informants and spies in the country’s surveillance apparatus. It argues that this model, deeply intertwined with China's unique political and social structure, is not easily exportable to other countries, which may lack the organizational depth and societal control to replicate it.
Reuters: Kremlin: Russia has made no decision on blanket VPN ban
Kremlin spokesperson Dmitry Peskov stated that Russia has not made a decision regarding a comprehensive ban on Virtual Private Networks (VPNs). Despite increased VPN demand in Russia following internet restrictions and the blocking of some VPN services by the Russian communications watchdog Roskomnadzor, there's speculation about a potential ban on prominent VPNs starting March.
TechCrunch: Stalkerware apps PhoneSpector and Highster appear shut down after NY settlement
The stalkerware apps PhoneSpector and Highster have been shut down following a settlement with the state over accusations of illegal spyware promotion. Their owner agreed to pay $410,000 in penalties for advertising and promoting the spyware for secret surveillance in New York state.
TechCrunch: Remote access giant AnyDesk resets passwords and revokes certificates after hack
After a cyberattack compromised its production systems, AnyDesk implemented a security lockdown that lasted nearly a week. During the lockdown, it reset all customer passwords and revoked security-related certificates. The company said there's no evidence of end-user systems being affected and has urged users to update to the latest version of the software.
The Hacker News: Google Starts Blocking Sideloading of Potentially Dangerous Android Apps in Singapore
Google has initiated a pilot program in Singapore aimed at preventing the sideloading of apps that misuse Android permissions by analyzing and automatically blocking the installation of such apps from non-Play Store sources. This move is part of Google's broader efforts to combat mobile fraud, while also enhancing fraud protection measures for users.
Turquoise Roof: Weaponising Big Data: Decoding China’s Digital Surveillance in Tibet
The report reveals the intensification of digital surveillance in Tibet by the Chinese government, highlighting the mandatory installation of the 'National Anti-Fraud Centre' app on smartphones as a key component of a broader surveillance network. The platform, along with other advanced technologies like AI, facial recognition, and DNA surveillance, represents a shift towards a governance model that prioritizes state control and suppression over individual freedoms.