Blacklisting the merchants of spyware

Citizen Lab based at the University of Toronto identified more than 750 websites that had been influenced by the use of Candiru spyware. Image: TBIT/Pixabay

In a modest effort to disrupt the global spyware market, the United States announced last week that four entities had been added to its blacklist. 

The US Department of Commerce announced on November 3 that it would be adding Israeli-based companies NSO Group and Candiru to its entity list “based on evidence that these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics and embassy workers”.

Russian company Positive Technologies and the Singapore-based Computer Security Initiative Consultancy also made the list “based on a determination that they traffic in cyber tools used to gain unauthorized access to information systems, threatening the privacy and security of individuals and organizations worldwide”.

The move had a measure of approval in Congress. “The entity listing signals that the US government is ready to take strong action to stop US exports and investors from engaging with such companies,” came the in a joint statement from House Democrats Tom Malinowski, Anna Eshoo and Joaquin Castro.

This offers mild comfort to students of the private surveillance industry, who have shown it to be governed by traditional capitalist incentive rather than firm political ideology. Steven Feldstein of the Carnegie Endowment’s Democracy, Conflict, and Governance Program notes how such entities have actually thrived in liberal democratic states. “Relevant companies, such as Cellebrite, Fin Fisher, Blue Coat, Hacking Team, Cyberpoint, L3 Technologies, Verint, and NSO group, are headquartered in the most democratic countries in the world, including the United States, Italy, France, Germany, and Israel.”

The Digital China and Austin-based Oracle shows how talk about democracy and such ideals are fairly meaningless in such transactions. Digital China is credited with aiding China to develop a surveillance state; software and data analytics company Oracle, despite pledging to “uphold and respect human rights for all people” was still happy to count Digital China a global “partner of the year” in 2018. Its software products to aid police in Liaoning province to do, among other things, gather details on financial records, travel information, social media and surveillance camera footage. What’s bad for human rights is very good for business.

NSO

In its indignant response to the Commerce department’s blacklisting, NSO stated how its own “technologies support US national security interests and policies by preventing terrorism and crime”, and thus would “advocate for this decision to be reversed”. Portraying itself as a card-carrying member of the human rights fraternity, the company claimed to have “the world’s most rigorous compliance and human rights programs that are based [on] the American values we deeply share”. Previous contracts with governments had been terminated because they had “misused our products”.

As NSO has shown on numerous occasions, such strident assertions rarely match the record.  In July, an investigation known as the , an initiative of 17 media organisations and groups, reported how 50,000 phone numbers had appeared on a list of hackable targets that had interested a number of governments. The spyware used in question was Pegasus, an NSO creation designed to infect the phone in question and turn it into a surveillance tool for the relevant user.

The range of targets included: human rights activists, business executives, journalists, politicians and government officials. None of this was new to those who have kept an eye on the exploits of the Israeli concern. Its sale of Pegasus has seen it feature from private citizens and companies, such as WhatsApp, keen to rein in its insidious practices. 

Despite denying any connection, the company will be forever associated with providing the tools to one of its clients, the Kingdom of Saudi Arabia, made by Saudi journalist Jamal Khashoggi and a fellow dissident, Omar Abdulaziz.

Khashoggi was carved to oblivion on the premises of the Saudi consulate in Istanbul, in October 2018, by a hit squad with prints stretching back to Crown Prince Mohammed bin Salman. In a legal suit against NSO, lawyers for Abdulaziz argued that the hacking of his phone “contributed in a significant manner to the decision to murder Mr Khashoggi”. To date, the vicious, petulant modernist royal remains at large, feted by governments the world over as a reformer.

Candiru

While NSO has hogged the limelight on the international spyware market, that other Israeli-based concern, Candiru, has been a hit with government clients. Their products to infecting and monitoring iPhones, Androids, Macs, PCs and cloud accounts.

Those behind this company evidently have a distasteful sense of humour; the original candiru of Amazon River fame is, goes in the Journal of Travel Medicine, “known as a little fish keen on entering the nether regions of people urinating in the Amazon River.” Equipped with spikes, the fish invades and fastens itself within the penis, vagina or rectum, making it a gruesome challenge to remove. However colourful the imaginative accounts of the candiru’s exploits are — William S Burroughs’ Naked Lunch is merely one — the Israeli version is far more sinister and deserves consternated worry.

In July this year, the Citizen Lab based at the University of Toronto identified more than 750 websites that had been influenced by the use of Candiru spyware. “We found many domains masquerading as advocacy organizations such as Amnesty International, the Black Lives Matter movement, as well as media companies, and other civil-society themed entities.”

The company, founded in 2014, maintains an opaque operations and recruitment structure, reputedly drawing expertise from the Israeli Defence Forces Unit 8200, responsible for code encryption and gathering signals intelligence.

Within two years of its founding, the company brought in US$30 million in sales, establishing a slew of clients across Europe, states across the former Soviet Union, the Persian Gulf, Asia and Latin America. A labour dispute between a former senior employee and the company shed some light on the company’s activities, , signed by an unnamed vice president, noting the offering of a “high-end cyber intelligence platform dedicated to infiltrate PC computers, networks, mobile handsets, by using explosions and disseminations operations”.

NSO Group’s reputation, and credentials, are now impossible to ignore. The Israeli government, which grants the export licenses that enable the likes of NSO and Candiru to operate, is splitting hairs. “NSO is a private company,” said Israel’s Foreign Minister Yair Lapid, “it is not a governmental project and therefore even if it is designated, it has nothing to do with the policies of the Israeli government.” In his view, no other country had “such strict rules according to cyber warfare” and was “imposing those rules more than Israel” and would “continue to do so”.

No Israeli government is likely to entirely abandon companies that make in the business of offensive cyber. The efforts by governments the world over to attack encrypted communications while trampling human rights en route have become unrelenting. In that quest, it matters little whether you are a citizen journalist, a master criminal, or a terrorist. Those deploying the spyware rarely make such distinctions.

[Binoy Kampmark lectures at RMIT University.]