
Decoding Spyware Firms: Revelations from the Ongoing Lawsuits Against NSO Group

Spyware firms have been around for a long time, but have only recently made headlines. Their problematic role in selling surveillance tools to both democratic and authoritarian regimes has come under critique from both tech companies and civil society.

What are the current trends associated with commercial spyware?  

Used for both military and civil purposes, dual-use cyber-surveillance technology, often referred to as “spyware,” is software that works through non-consensual infection of a user’s device to monitor their activity and collect data, all while remaining undetected. Government actors commonly use this software to facilitate targeted surveillance on individuals to “fight terrorism,” but in reality, it is being infamously used against dissenting civilians and politicians, posing a threat to the safety of these individuals. One notorious spyware product used by governments is the ‘Pegasus Spyware,’ developed and sold by the Israeli company NSO Group Technologies (NSO). Founded in 2009, NSO, whose name is an acronym of its founders’ names (Niv Carmi, Shalev Hulio and Omri Lavie), began as a technology start-up headed by Shalev and Omri, two entrepreneurial high school friends. Niv, a former Mossad operative (a member of Israel's National Intelligence Agency), was later brought on to market the group's technology within the military intelligence community. NSO only sells its surveillance software to government law-enforcement and intelligence agencies globally and its exports are governed by the Israeli Ministry of Defence.

NSO introduced Pegasus to the global market in 2011 and the Mexican authorities were one of the few governments to publicly announce its purchase in 2012, whereas European investigators were secretly using Pegasus in the prevention of terrorist schemes and organized crime. Surreptitiously, more governments were reportedly striking deals with NSO, such as Saudi Arabia, United Arab Emirates and Morocco. The spyware technology has become increasingly powerful as governments use this software under the guise of state security, which permits them to spy on individuals without a warrant, thus bypassing the privacy and anti-hacking laws that usually protect individuals living in democracies. NSO and its spyware have consistently been criticized for facilitating human rights violations. Most recently, they made headlines for allegedly undermining the security of technology companies and the safety of their infrastructure, according to multiple lawsuits launched against NSO by companies including WhatsApp (owned by Meta) and Apple.

Little is publicly known about how spyware firms operate, mainly because most deal exclusively with governments within secretive public-private transactions. The ongoing lawsuits by these companies against NSO will further expose the opaque and problematic business models of such surveillance technology firms. The business model at hand refers to NSO’s strategies for profitability, including how the firm develops its products, the services it provides, and its trade plans.  

 

How does it work? 

Originally, NSO was able to carry out a cyberattack on the phone of the targeted person by transmitting malicious spyware code through a WhatsApp call; the targeted person did not even have to answer the call. After WhatsApp fixed the vulnerabilities which allowed this exploit in 2019, NSO developed a ‘zero-click’ technique called ‘FORCEDENTRY,’ where the Pegasus hacking software can turn a device into a 24-hour surveillance device. The governments and law-enforcement agencies that deploy such spyware have access to the victim’s personal data and can control the camera and microphone to gather any information on the targeted person. NSO argues that its spyware services are created to “help government agencies prevent and investigate terrorism and crime…[aiming]…to save thousands of lives”. However, this technology not only undermines internationally recognized human rights, including freedom of expression, freedom of opinion and the right to privacy, but it also poses a threat to the voice of journalists and human rights activists that represent civilians’ opinions against governmental interests. It doesn’t end there; NSO’s product development also depends on its encroachment onto the property of other technology companies to weaken the pillars of their security and undermine the safety of their products and services.

What does the business model look like?  

Amnesty International recognizes that the business model of surveillance-technology firms “relies on the ongoing discovery and exploitation of vulnerabilities in widely used third-party digital operating systems.” This business model is aimed at assaulting users’ right to privacy when monetizing data about civilians. Surveillance-technology firms like NSO grow and profit by continuously undermining the products of other technology manufacturers such as iOS, Windows, and commonly used messaging services. These attacks not only create less secure products for the users of technology companies but also generate costs for these technology manufacturers when they have to improve their infrastructure or remedy reputational damage, reassure investors, etc. In other words, the operation of NSO surveillance products rests on compromising other companies’ efficacy and public standing. The ongoing WhatsApp Inc. v NSO Group Technologies Limited and Apple Inc. v NSO Group Technologies Limited lawsuits are examples of how companies are attempting to fight back against the harms caused by spyware firms and help ensure the safety of their users and products. These lawsuits provide insight into the strategies used by NSO, revealing their vectors of attack and how they profit from the targeted surveillance of political oppositions.

  1. WhatsApp v NSO  

In their 2019 lawsuit against NSO, WhatsApp sought an injunction before the U.S. Ninth Circuit Court to block NSO’s access to Meta’s platforms and servers and sought to recover damages from NSO for allegedly targeting around 1,400 users of its messaging services. WhatsApp’s claims against NSO included fraud and abuse of its Meta servers and products, breach of contract, and wrongful trespass on Meta’s property. WhatsApp alleged that NSO violated its user agreement terms when it based its spyware operation on vulnerabilities found in WhatsApp’s security infrastructure. In their lawsuit, WhatsApp also claimed that NSO committed wrongful trespass when it transmitted harmful software through WhatsApp’s platform to gain unauthorized access to user information.

An Amicus Curiae brief was prepared by international non-governmental and non-profit organizations, like Amnesty International and Access Now, who have been closely monitoring NSO’s operations and fighting for the protection of digital human rights. These organizations filed the brief to draw the court’s attention to the international law and human rights concerns that weigh against NSO’s defence in this lawsuit. The brief highlighted NSO’s lack of consideration for The United Nations Guiding Principles on Business and Human Rights (UNGPs). These non-state watchdog organizations criticized NSO for prioritizing profits from governments over the detrimental effects on human rights and the stability of other third-party technology companies in its cost-benefit analysis. According to Amnesty International, the firm displayed a lack of regard for business policies and processes that ensure human rights obligations, a lack of active engagement in performing human rights due diligence, and a failure to implement remedies when its business dealings or relationships contributed to adverse impacts. 

  2. Apple v NSO

In November of 2021, Apple filed a lawsuit against NSO to hold it accountable for the surveillance and targeting of Apple users by seeking damages and a permanent injunction to ban NSO from using any Apple software, services or devices. This complaint revealed new ways through which NSO could infect victims’ devices, developed by NSO as a response to the improvements made to WhatsApp’s security infrastructure. Apple characterizes these cyberattacks as a threat to Apple’s self-professed reputation of making “the most secure mobile devices on the market” and a threat to the safety of its products as well as the customer’s trust in the company.

NSO has been aiming to dismiss the lawsuits entirely by appealing to the U.S. Supreme Court, claiming that the lower courts have failed to recognize the firm as a ‘foreign government agent’ entitled to foreign sovereign immunity from lawsuits in the U.S. This argument is unlikely to succeed, according to pundits. However, if the court were to accept NSO’s claims that it is a “foreign government agent,” the precedent would enable further concealment of NSO’s business dealings, foreign governments’ abusive applications of NSO’s spyware technology, and the firm’s technological toolkit.

 

What are the revelations from the lawsuits? 

These lawsuits will give exclusive access into the opaque business model of spyware surveillance companies, giving the public a better understanding of their operations and corporate governance. Consequently, the findings from these cases could be used to investigate and potentially ban different surveillance companies with similar business models according to a standardized set of criteria. Although the U.S. has already banned trade with NSO, the U.S. Department of Commerce should extend the decision to a wider range of spyware firms with similar business models. Accordingly, U.S. bans on similar spyware firms could lead to these businesses struggling to operate without access to the American market.

Governmental restrictions on the sale and use of spyware in the U.S. could spark a chain reaction, leading more countries or transnational bodies to implement bans. The U.S. would not be the first country to call for greater restrictions on the commercial trade of cyber-surveillance technologies. On April 13th, 2022, Costa Rica became the first country to call for a global moratorium on spyware technology. This is “an invitation for other states to publicly reject dangerous technology.” These moratoriums could apply to the sale, transfer and use of such technology and be critical of firms that invest in or adopt a business model similar to NSO’s. 

The lawsuits against NSO are shedding light on how spyware firms operate, highlighting their reliance on an intrusive and unethical basis of conducting operations. These findings will provide actors with legitimate grounds to call for a ban on surveillance corporations with similar business models, to diminish the scale of their business processes, and to protect the welfare of both civilians and companies.

 
