The Business Times

Spyware trade grows amid claims activists, Amazon boss targeted

Developers say their technology helps security agencies nab criminals but critics allege it also targets the innocent

Published Sun, Jan 26, 2020 · 09:50 PM

Edinburgh

THE alleged theft of data from the iPhone X used by billionaire Jeff Bezos has cast an unflattering light on the swiftly growing and highly secretive cottage industry of software developers specialising in digital surveillance.

NSO Group and Hacking Team are among the most well-known surveillance companies. Both have sold tools to law enforcement agencies that are used to covertly infect targeted mobile phones and computers with spyware, which can record calls, harvest text messages, take photographs using the device's in-built camera and record audio using its microphone.

But many more companies, some of them not as well known to the public, are selling similar technology across the globe, as part of an industry that isn't well understood and often subject to minimal regulation or oversight. The hack of Mr Bezos's phone has renewed calls from some officials for a moratorium on sales until more rigorous global controls are enacted.

"This industry seems to just keep growing," said Eric Kind, director of AWO, a London-based data rights law firm and consulting agency. "Ten years ago, there were just a few companies. Now, there are 20 or more, aggressively pitching their stuff at trade shows around the world." Spyware developers have maintained that they sell their technology to law enforcement and intelligence agencies to help nab criminals and terrorists. But as the surveillance trade has grown, it has been repeatedly criticised because its technology has been used to target activists, journalists and most recently, Mr Bezos, the world's richest person.

Last week, it was revealed that the mobile phone of the Amazon chief executive officer was allegedly compromised by spyware sent to him from a WhatsApp account belonging to Mohammed bin Salman, the crown prince of Saudi Arabia. The Saudi embassy has denied the allegation.

While investigators haven't identified the spyware that they suspect was used on Mr Bezos's iPhone, they cited NSO Group and Hacking Team as developing malware capable of such an attack. NSO has denied involvement, as has Memento Labs, which acquired Hacking Team last year.

"Companies and governments make the argument that they need spyware tools in order to address counterterrorism and other kinds of violent crime," David Kaye, the United Nations (UN) special rapporteur on freedom of opinion and expression, said last week in an interview. "But the problem is you have no legal framework to ensure that when you sell and transfer the technology, it is actually used for those legitimate purposes and that it is used according to basic rule-of-law standards, such as surveillance only according to warrants issued by a court."

Mr Kaye and another UN expert, Agnes Callamard, the special rapporteur on summary executions and extrajudicial killings, said last week that the allegations involving Mr Bezos's phone were "a concrete example of the harm that results from the unconstrained marketing, sale and use of spyware". Mr Kaye described the current spyware trade as a "free for all" and, along with Ms Callamard, called for a moratorium on the global sale and transfer of private surveillance technology.

Rory Byrne, co-founder of Security First, an organisation that provides digital security advice to journalists and human rights activists, said he expected to see an uptick in episodes involving spyware as the technology spreads.

"The truth is, it's becoming easier and easier for governments to build the capability themselves or to just buy it off the shelf," he said.

Only a few countries - including the UK, Germany, Austria and Italy - have any kind of legal framework governing hacking by law enforcement, said Ilia Siatitsa, legal officer and director of the government programme at Privacy International. In 2016, a new law in the UK expanded and defined how police and spies in the country could hack devices, which it termed "equipment interference". The tactic must be approved either by a senior police chief or a government minister and then, in most cases, additionally authorised by a current or former High Court judge, known as a judicial commissioner.

In the US, the Federal Bureau of Investigation (FBI) has been using forms of spyware to gather information on electronic communication since the late 1990s. The FBI has since obtained expanded powers to hack computers across the US, as long as it has obtained a search warrant from a judge to use the method.

In most countries, however, "there is not a clear picture of what governments are permitted by law to do" in terms of hacking, said Ms Siatitsa. "The fact is that we don't even know which governments are engaging in this. It's very problematic. It goes against the international human rights framework, which requires that if there's interference with our privacy, it must be explicitly provided for by law."

Demand for the technology has increased among law enforcement agencies, which have turned to hacking as a method of spying on encrypted messages sent using popular apps such as WhatsApp, Signal and Telegram, Mr Kind said. But other factors have made the technology appealing too. Hacking allows law enforcement and intelligence agencies to maintain constant surveillance on targets who frequently travel internationally, he explained.

"Hacking tools allow you to get access to all the communications on a device no matter where the target is in the world, no matter what platform they are using or who they are communicating with," Mr Kind said. "That's why hacking is so attractive to governments. It's a single tool that they can use to get access to all communications on your phone at one easy point of access."

Italy's GR Sistemi is among the companies that have marketed surveillance technology, offering government agencies a spyware system named "Dark Eagle". Company marketing brochures, which were published by Privacy International, say the technology could be used to hack phones and computers, providing "full interception of Skype and other encrypted communication software". The Dark Eagle system can covertly capture images from a person's webcam, record sent and received email, capture instant messenger conversations and monitor web traffic, according to the company's documents. The firm didn't respond to a message seeking comment.

Israel's Wintego Systems Ltd has offered its customers a spy tool that it claims can intercept Wi-Fi traffic, steal targets' login credentials to their accounts, and extract "years of archived email, contacts, messages, calendars, and more", according to company documents.

In 2012, Bloomberg News reported that a prominent human rights activist in Bahrain was targeted with spyware traced to the company FinFisher. In 2014, WikiLeaks used leaked documents to identify FinFisher sales worth US$52 million to countries including Qatar, Bahrain, Pakistan, Vietnam, Nigeria, Singapore and Bangladesh. FinFisher has previously said its technology is necessary in the fight against terrorism and serious organised crime.

In recent years, some spyware developers have come under fire because their products have been sold to authoritarian governments whose security agencies have used the technology to target political opponents and critics. BLOOMBERG
