As you might have noticed, this newsletter was dormant for the last 6 months. Not only was I too occupied with the subject of this edition, but I lacked any stimulation to write. After a dozen years spent in cybersecurity, a decade of them for civil society, I felt empty of arguments. Not because all the problems I have been concerned with vanished, not at all, but because I felt that anything I could write, or speak about at a conference, could only sound like a broken record.
The few of us invested in these issues have spent years repeating ad nauseam how journalists and activists are particularly vulnerable to cyberattacks, and how inadequate the defenses at their disposal are in light of the adversaries they face. We warned again and again how the commodification of surveillance was paving the way to systemic abuse. Very few listened, most were just indifferent. Every new report, every new case, felt so inconsequential that I started questioning whether insisting on them was serving anything other than our own egos.
Then the opportunity came to challenge it all over again.
Months of complex and painstaking investigations led to the discovery of dozens of targets of unlawful surveillance, and leads to countless more. The Pegasus Project, launched publicly a couple of weeks ago, shed light on the use of Pegasus, the spyware sold by the dominant surveillance vendor NSO Group. My team at Amnesty International, the Security Lab, acted as a technical partner to 16 news organisations in a joint effort to once and for all change the faulty narrative around targeted surveillance.
Companies like NSO would have you think tools like Pegasus are critical to protecting us all from terrorism and organised crime, and the occasional abuse is only anecdotal. This fiction is the product of the secrets and lies of a murky industry which grew too powerful and unregulated. The Pegasus Project reveals a much darker reality.
It’s not about one, it’s about many. It’s not only about Omar Radi or Ahmed Mansoor, it’s about anyone who dares to speak up against authoritarian rule. It’s not about exceptions, it’s about the norm. It’s not about this or that security advice, it’s about the failures of an entire ecosystem.
The scale of the problem gets lost between headlines and Twitter salon commentary. As I previously stated to the press, our nearly mechanized discovery of new compromised devices on a daily basis made me feel like a plague doctor in the 1300s: essentially useless other than for keeping the death count. On nearly every iPhone we analyzed which had data from the relevant time frame, we found forensic traces of infection. And despite my fair share of experience dealing with individuals with infected devices, this project took a mental toll as well. Being the bearer of bad news to dozens of journalists and activists who relied on their devices and apps to keep family, friends, colleagues and sources safe sucked.
“I am sorry, your phone seems to have been infected until… minutes ago.”
“Yes, it’s very possible your conversations have been recorded…”
“Yes, sadly those through encrypted messaging apps might have been as well…”
“I can suggest some mitigations to you, but unfortunately there’s not much we can do to prevent future attacks like this…”
I’ve had to repeat myself like that so often, and in such rapid succession, that I eventually started scripting my answers.
It was hard to witness their sudden fear, the instinctive feeling of violation, and the worry for who else might have been put at risk because of this spyware. Being unable to help them prevent this from happening again was even worse. We found some compromised again just days after the first discovery; others decided to ditch their phones, and hours after initial setup their replacements were already infected too.
I hope the Pegasus Project is a wake-up call not only to how destructive the surveillance industry has become, but to how inadequate available protections are. The presumption that only very high profile individuals face threats of this caliber is a myth quickly busted by the numerous people we found targeted for shockingly banal reasons. It’s an excuse vendors can no longer leverage to avoid investing the resources to appropriately secure consumer technology. Smartphones are a lifeline to so many.
Without any doubt, fixing this or that vulnerability won’t stop NSO and others from finding more 0days to add to their piles. Instead, Apple, Google, Microsoft and the like need to recognise the critical roles they play in the economics of this market of industrialized insecurity. They need to invest more in shutting down attack vectors, complicating exploit delivery, and detecting malicious behavior. If they do not yet have teams dedicated to investigating and disrupting targeted threats to civil society, it’s about time they assembled one. It shouldn’t take a handful of researchers out of Amnesty International or Citizen Lab for these cases to come to light. Especially considering we work with no telemetry, no privileged access, no insight into system internals, but only the very little diagnostic data the devices provide.
It wasn’t thanks to any dark wizardry NSO kept secret, but because of the difficulty of auditing mobile devices, that Pegasus for so long enjoyed an undeserved reputation of being undetectable, and that for so long technologists gave up even trying to check activists’ phones. My team tried to change that by publishing our methodology and by releasing our tools, and will continue working with technologists, journalists and activists to reclaim agency over our devices. However, collecting forensic evidence is harder than it should be. While we developed a decent process for iPhones, we still wander in the dark on most Android devices. Manufacturers ought to explore more opportunities to enable users to securely gather more diagnostic information useful for validating the integrity of their devices and identifying potential traces of compromise. What we have now is not enough.
It’s important to understand that the needs of at-risk individuals extend beyond those of most common end users. While the latter want the least possible friction, it is critical for the former to be informed: an attack, if targeted, might be an important canary in the coal mine prompting the need for increased caution. Cyberattacks do not happen in a vacuum for those risking their lives or the lives of others, and better device observability might help save one.
So, what now?
The Pegasus Project revelations must be a stark line in the sand, and from here on things need to change.
The tech sector needs to take a hard look, and reach down into its deep pockets to find the money necessary to unfuck this situation. It’s a hard task, but surely one the world’s biggest corporations can take on, right? Perhaps next fall, instead of a phone with obnoxious amounts of cameras and pixels, I would welcome a more affordable, accessible, and secure device we could have some confidence in.
At the same time, governments need to provide remedy to those who have been unjustly targeted, and accountability for those who conducted and facilitated these attacks. Surveillance companies can no longer buddy up to their national security apparatus and get away with arming repressive states around the world. Their flaunted goodwill and commitment to human rights are a sham. Stop them, before their damage becomes irreparable.
To conclude, the entire surveillance industry needs to be called into question, and its unregulated market reined in. While a global moratorium on the sale of spyware seemed utopian before, now it feels necessary to buy us some time until appropriate policy and technological changes are developed to address this chaos.