Blacklisting the Merchants of Spyware

In a modest effort to disrupt the global spyware market, the United States announced last week that four entities had been added to its blacklist.  On November 3, the US Department of Commerce revealed that it would be adding Israel-based companies NSO Group and Candiru to its entity list “based on evidence that these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, business people, activists, academics, and embassy workers.”

Russian company Positive Technologies and the Singapore-based Computer Security Initiative Consultancy also made the list “based on a determination that they traffic in cyber tools used to gain unauthorized access to information systems, threatening the privacy and security of individuals and organizations worldwide.”

The move had a measure of approval in Congress. “The entity listing signals that the US government is ready to take strong action to stop US exports and investors from engaging with such companies,” came the approving remarks in a joint statement from Democrat House Representatives Tom Malinowski, Anna Eshoo and Joaquin Castro.

This offers mild comfort to students of the private surveillance industry, who have shown it to be governed by traditional capitalist incentive rather than firm political ideology.  Steven Feldstein of the Carnegie Endowment’s Democracy, Conflict, and Governance Program observes how such entities have actually thrived in liberal democratic states.  “Relevant companies, such as Cellebrite, FinFisher, Blue Coat, Hacking Team, Cyberpoint, L3 Technologies, Verint, and NSO group, are headquartered in the most democratic countries in the world, including the United States, Italy, France, Germany, and Israel.”

The relationship between Digital China and Austin-based Oracle shows how talk about democracy and such ideals is fairly meaningless in such transactions.  Digital China is credited with helping the PRC develop a surveillance state; software and data analytics company Oracle, despite pledging to “uphold and respect human rights for all people”, was still happy to count Digital China as a global “partner of the year” in 2018.  Its software products have been used to aid police in Liaoning province to, among other things, gather details on financial records, travel information, social media and surveillance camera footage.  What’s bad for human rights is very good for business.

In its indignant response to the Commerce Department’s blacklisting, NSO wished to point out to US authorities how its own “technologies support US national security interests and policies by preventing terrorism and crime, and thus we will advocate for this decision to be reversed.”  Portraying itself as a card-carrying member of the human rights fraternity, the company claimed to have “the world’s most rigorous compliance and human rights programs that are based [on] the American values we deeply share”.  Previous contracts with governments had been terminated because they had “misused our products.”

As NSO has shown on numerous previous occasions, such strident assertions rarely match the record.  In July, an investigation known as the Pegasus Project, an initiative of 17 media organisations and groups, reported how 50,000 phone numbers had appeared on a list of hackable targets that had interested a number of governments.  The spyware in question was Pegasus, that most disturbingly appealing of creations by NSO, designed to infect the phone in question and turn it into a surveillance tool for the relevant user.

The range of targets was skin-crawlingly impressive: human rights activists, business executives, journalists, politicians and government officials.  None of this was new to those who have kept an eye on the exploits of the Israeli concern. Its sale of Pegasus has seen it feature in lawsuits from private citizens and companies such as WhatsApp keen to rein in its insidious practices.

Despite denying any connection, the company will be forever associated with providing the tools to one of its clients, the Kingdom of Saudi Arabia, to monitor calls made by Saudi journalist Jamal Khashoggi and a fellow dissident scribbler, Omar Abdulaziz.  In October 2018, Khashoggi was carved to oblivion on the premises of the Saudi consulate in Istanbul by a hit squad with prints stretching back to Crown Prince Mohammed bin Salman.  In a legal suit against NSO, lawyers for Abdulaziz argue that the hacking of his phone “contributed in a significant manner to the decision to murder Mr Khashoggi.”  To date, the vicious, petulant modernist royal remains at large, feted by governments the world over as a reformer.

While NSO has hogged the rude limelight on the international spyware market, that other Israeli-based concern, Candiru, has been a rolling hit with government clients.  Their products are also tailored to infecting and monitoring iPhones, Androids, Macs, PCs, and, discomfortingly enough, cloud accounts.

Those behind this company evidently have a distasteful sense of humour; the original candiru of Amazon River fame is, goes one account in the Journal of Travel Medicine, “known as a little fish keen on entering the nether regions of people urinating in the Amazon River.”  Equipped with spikes, the fish invades and fastens itself within penis, vagina or rectum, making it a gruesome challenge to remove.  However colourful the imaginative accounts of the Candiru’s exploits are – William S. Burroughs’ Naked Lunch is merely one – the Israeli version is far more sinister and deserves consternated worry.

In July this year, the Citizen Lab based at the University of Toronto identified over 750 websites that had been influenced by the use of Candiru spyware.  “We found many domains masquerading as advocacy organizations such as Amnesty International, the Black Lives Matter movement, as well as media companies, and other civil-society themed entities.”  The company, founded in 2014, maintains an opaque operations and recruitment structure, reputedly drawing expertise from the Israeli Defence Forces Unit 8200, responsible for code encryption and gathering signals intelligence.

Within two years of its founding, the company had raked in $30 million in sales, establishing a slew of clients across Europe, states across the former Soviet Union, the Persian Gulf, Asia and Latin America.  A labour dispute between a former senior employee and the company shed some light on the company’s activities, with one document, signed by an unnamed vice president, noting the offering of a “high-end cyber intelligence platform dedicated to infiltrate PC computers, networks, mobile handsets, by using explosions and disseminations operations.”

NSO Group’s reputation, and credentials, are now impossible to ignore.  The Israeli government, which grants the export licenses that enable the likes of NSO and Candiru to operate, is splitting hairs.  “NSO is a private company,” insists Israel’s Foreign Minister Yair Lapid, “it is not a governmental project and therefore even if it is designated, it has nothing to do with the policies of the Israeli government.”  In his view, no other country had “such strict rules according to cyber warfare” and “imposing those rules more than Israel and we will continue to do so.”

No Israeli government is likely to entirely abandon companies that make annual sales of $1 billion in the business of offensive cyber.  The efforts by governments the world over to attack encrypted communications while trampling human rights en route have become unrelenting.  In that quest, it matters little whether you are a citizen journalist, a master criminal, or a terrorist.  Those deploying the spyware rarely make such distinctions.

Binoy Kampmark was a Commonwealth Scholar at Selwyn College, Cambridge. He lectures at RMIT University, Melbourne. Email: bkampmark@gmail.com.