Following the recent revelations about the NSO Group’s Pegasus spyware, the world was seemingly blown away by the sheer scale of the Israeli company’s surveillance capabilities. However, Pegasus is just a small part of a much more pervading problem spreading across the globe. And it will only get worse before it gets better.
The fact that governments spy on people is hardly surprising. For most of history, both autocratic regimes and democratic states have been employing armies of government agents dedicated to keeping an eye on those they deemed as potentially subversive.
But in the past decade, things have changed. As we became digital natives, smartphones and computers have, in turn, become integral, almost inescapable parts of our lives.
At the same time, new types of digital tools have entered the market, made by private companies and marketed to governments as cutting-edge spyware with mouth-watering surveillance and hacking capabilities.
These new off-the-shelf applications could turn our devices into one-stop-shops for intelligence agencies to peer into our private lives. All without having to use cumbersome mass surveillance programs, tap into telecom networks, or obtain the necessary paperwork like warrants and subpoenas.
Pioneered by outfits like Italy-based Hacking Team and Germany-based FinFisher in the 2000s and 2010s, targeted surveillance tools are now made by dozens of companies that originate from a broad spectrum of countries.
Targeted digital surveillance, once a difficult undertaking, has become almost effortless. And with the increasing demand for this type of software from state actors, the unregulated private spyware market is now experiencing an unprecedented boom, even as the global outrage about Pegasus spyware continues to make waves in the media.
Callum Duncan, director of Sencode Cyber Security, argues that over the past seven to ten years, private surveillance has become a massive industry, which is still unburdened by regulation.
“With the advent of companies that have started buying zero-day exploits from hackers at high prices, companies have been given a stream of endless zero-days which can be used wherever they like on whatever software they like,” says Duncan.
“It used to be that huge amounts of research and development went into creating these exploits. But now that they can be bought, private surveillance companies have been able to expand their capabilities and reach dramatically.”
And it seems that the NSO Group and its ilk, bankrolled by private equity funds that have “no liability for human rights abuses by portfolio companies,” will only keep accelerating their production.
An endemic problem
According to the global database of commercial spyware, private surveillance tools are being made by dozens of companies and used by at least 65 governments worldwide, including Poland, Italy, Spain, and the US.
With use cases ranging from spying on politicians by anti-corruption agencies in Poland to compiling databases of LGBT citizens and religious minorities in Indonesia, commercial spyware companies are now being deployed by states as private intelligence agencies.
While most autocratic regimes use these powerful tools to sidestep their lack of technological know-how, democracies tend to employ private companies in order to circumvent their own laws that prohibit warrantless surveillance by their state security apparatus.
“There are companies with access to a lot more people's data than the NSO Group. Social media platforms like Weibo or Wechat are working with the Chinese government to censor and highlight individuals who should be targeted before the government even knows about them,” Callum Duncan told CyberNews.
At the same time, Duncan believes that even though democratic governments have the infrastructure in place to engage in covert surveillance, contracting private actors allows these countries to let private spies do their dirty work by spying on citizens without due process.
“Much of the '14 Eyes' countries have little use for companies like the NSO Group as they can use their own spying infrastructure or can leverage each other to circumvent the country's laws. But this almost certainly doesn't stop countries from using private surveillance companies in order to remove attribution from them,” says Duncan.
“Intelligence services would hate to get caught, so using a company that gives them deniability is a massive boost,” says Duncan.
Lords of cyberwar
Due to their unique technological know-how, the states that host spyware companies tend to treat them akin to arms manufacturers and see their products as strategic assets that they can export in exchange for money, resources, or diplomatic leverage.
As such, Callum Duncan doesn’t believe that companies like the NSO Group will be hit with severe penalties because they are too valuable to the countries that use them. On the other hand, the recent revelations may spur a new market for anti-spyware products that could help users counteract these private surveillance tools.
“As with all things in security and privacy, it will be an arms race. Defensive companies will now most likely work with high profile targets and set up honeypots and red herrings in order to capture these surveillance companies in the act,” says Duncan.
“This will allow them to develop counters and fixes for whatever exploits these surveillance companies are using. However, because these companies act almost exclusively with specific targets and not a wide range of people, their actions will be hard to detect.”
Meanwhile, Stel Valavanis argues that robust vulnerability disclosure regulation could help starve private spies out of zero-day exploits that they use to infiltrate their victims’ devices.
“I'd go as far as to say that researchers finding vulnerabilities are required to disclose them. Let it develop into an industry, and overnight, it will eliminate the legal spyware-for-purchase industry who rely on vulnerabilities they discover or acquire,” says Valavanis.
No such thing as bad publicity?
Sadly, even getting caught red-handed may not necessarily result in anything more substantial than a proverbial slap on the wrist for companies like the NSO Group.
As the past decade has shown, the public has grown increasingly desensitized to perennial reports and revelations about shocking incidents of targeted (and largely illegal) surveillance tools used against journalists, activists, and dissidents by both institutional and private actors. And, according to Callum Duncan, the Pegasus scandal seems to be no exception.
“The publicity that these companies have received is most likely the best thing that's ever happened for them. Their profits will only increase, and over time, the news cycle will move on and with it the pressure to change,” Callum Duncan told CyberNews.
Meanwhile, Stel Valavanis, founder and CEO of onShore Security, is more optimistic about shining a light on the abuses perpetrated by the private surveillance industry. “Pegasus has been in the news for several years. Getting on the radar now is only the result of documented implications of this questionable practice,” says Valavanis.
“It's still illegal to export encryption technology out of the USA (it’s classified as munitions), but the effect is nil and spyware is far more dangerous. At least now, some heads are turning and realizing that we need regulation and certainly cooperation between governments and the private sector.”