Meet Cory Doctorow. He’s spent his entire career writing science fiction that warns us about the future. It’s won him the Prometheus award 3 times, more than past winners George Orwell, Robert Heinlein, and Neal Stephenson. And Doctorow puts his money where his pen is. He’s also a digital rights activist, actively working with the Electronic Frontier Foundation to prevent the futures he writes about. His latest book, Attack Surface, is written from the perspective of Masha Maximov, a hacker working for a digital mercenary spy agency for hire – used by the US government to spy on its own citizens, and by dictators wanting to clamp down on revolutionaries abroad. And while the book is science fiction, the science within it is fact. Almost all the technologies Doctorow writes about are actively being used against us today. So how do we as citizens of a surveillance society not lose hope about the future?
Meet the World’s Worst Digital Mercenaries for Hire
by Amber Healy
NSO Group, an Israel-based spyware company, presents itself as a champion of protection, claiming to have interceded to prevent all manner of awful crime, from bombings and pedophile rings to gun violence, suicide bombers and car bombs, while also helping find kidnapped children and pull victims out of the wreckage of collapsed buildings.
“Our products help licensed government intelligence and law-enforcement agencies lawfully address the most dangerous issues in today’s world,” according to NSO’s website.
All of that may be well and true, but the company is also linked with some less than heroic acts.
In August 2022, the company won one of the biggest prizes at the annual Pwnie Awards, a cybersecurity conference, for its efforts to help its customers gain access to the iPhones of certain sensitive people, including political dissidents and journalists. The ceremony itself is a bit of an inside joke, and maybe that’s why no one from NSO arrived at the event to pick up their award, a glass trophy shaped like a pony.
This particular hack, known among those in the know as Forced Entry, didn’t need any kind of permission or acknowledgment or knowledge from the victim. No contact was needed. It’s perfectly clandestine. “Security researchers praised the technical sophistication of the exploit, calling it ‘mind bending,’ a bug that ‘goes into “holy smokes, what?!” area,’ with ‘several truly beautiful aspects’ and ‘absolutely stunning,’” according to Vice.
NSO’s biggest selling and main product is a program called Pegasus, described by Toronto’s Citizen Lab as “a targeted surveillance tool sold to governments to access and extract information from specific mobile devices. It is the subject of several lawsuits concerning the alleged targeting of journalists, activists and human rights defenders.”
In December 2020, Citizen Lab released a report alleging an NSO-affiliated surveillance firm, Circles, “sold surveillance technology to countries with a history of leveraging digital technology for human rights abuses.” The report details how Circles sells to customers a technology allowing the purchaser to “exploit weaknesses” in the international mobile phone communication network to break into phones and obtain information from them, all with just a telephone number. The report’s authors warn the tool can be utilized not only without the victim knowing anything has happened, but also without the assistance of a telecom company, “potentially allowing repressive government surveillance agencies to track targets across borders. Clients of the firm, which has said it only sells to nation-states, are considered to include Mexico, Morocco, Thailand and the United Arab Emirates.”
NSO responded to this report, at first distancing itself from Circles, then praising both companies’ “commitment to ethical businesses” and noting that both companies “adhere to strict laws and regulations in every market in which they operate.” Two sentences later, however, NSO accuses Citizen Lab of having a “predetermined agenda” and says the report is based on “inaccurate assumptions and without a full command of the facts.” The old non-denial denial.
So what, the average person might think. Those who dislike or distrust the media or think people should stay in line with their government might even shrug and say anyone who takes it upon themselves to be nosy and meddle in other people’s business deserves to have their phone hacked. They might go so far as to say, y’know what, it’s good to spy on people who might do governments and people harm — so what if that means any cell phone that someone wanted to hack could be broken into and monitored without the slightest indication anything happened.
But what about the family of someone who was brutally murdered and dismembered just for doing his job?
In 2021, nearly two years after the horrific death of journalist Jamal Khashoggi, the Washington Post published an investigation saying Pegasus spyware was found on the phone of his widow, Hanan Elatr.
According to the Post, the spyware was installed on Elatr’s phone after she was driven to a detention center at the edge of Dubai. Elatr was working as a flight attendant at the time and was driven, blindfolded and in handcuffs, to an interrogation area. Security agents took her two phones, laptop and passwords and, while questioning her about Khashoggi, one typed a short file extension into her phone’s browser. It took 72 seconds, just a little more than a minute, and the phone received Pegasus; within the next 40 seconds, 27 status reports were sent as the software was installed. Citizen Lab found the evidence of the spyware on her phone.
This all took place months before Khashoggi was killed.
But when asked about the program found on her phone, NSO has repeatedly denied that Pegasus was used to attack or track either Khashoggi or Elatr.
“We checked and she was not a target,” NSO Group CEO Shalev Hulio said last year. “There are no traces of Pegasus on (Elatr’s) phone because she was not a target.” Another official from NSO denied that Khashoggi was a target at the time of his death.
But in defending the company and saying Elatr was not a subject, NSO’s attorney Thomas Clare said the premise of Citizen Lab’s reporting and investigation was flawed because Pegasus is installed remotely and there would be no need for a person to manually download it onto a phone.
In materials filed in a lawsuit brought against NSO by communications tool WhatsApp, NSO’s own marketing documents state that, “When physical access to the device is an option, the Pegasus agent can be manually injected and installed in less than five minutes.” Clare also argued that using SMS messages to send links that install Pegasus attacks on phones would be prevented from being utilized six times in 18 days. Instead, a systems operator might choose to send an email or text message, coercing or tricking the intended target to open the file, “although the target clicked the link they will not be aware that software is being installed on their device.”
There’s more. According to reporting from Ars Technica, an Israeli woman, in February 2019, offered the son of Uganda’s president, and the person responsible for his security, the ability to hack any phone in the world through purchasing Pegasus. The technology is a known entity in the Middle East and many “dictators and autocratic regimes had been paying tens of millions for it for years,” but this was the moment NSO is said to have crossed a line for US diplomats and Apple alike, leading to the company being blacklisted by the Commerce Department.
Shalev Hulio, NSO’s top boss, went to Uganda to formalize the deal a few months later and provided a demonstration, resulting in a contract for $10-20 million, but when someone used Pegasus to hack, or attempt to hack, the phones of 11 American diplomats and embassy employees in Uganda, it led to a firestorm that ultimately forced Hulio to resign in August.
“Last night, following an inquiry we received alleging Ugandan phone numbers used by US government officials were hacked, we immediately shut down all the customers potentially relevant to this case, due to the severity of the allegations, and even before we began the investigation,” NSO said. “The termination took place despite the fact that there is no indication the phones were targeted by NSO’s technology. The claims of all involved parties specifically mentioned there is no indication, let alone proof, that it was NSO’s tools that were used by these customers,” adding that Pegasus tools are “incapable” of being installed on phones with numbers from the United States. “This case doesn’t involve US phone numbers, and the company had no way to know who the persons monitored by our customers were.”
The 11 targets were using State Department email addresses, all of which utilized Apple logins, State Department officials told Ars Technica.
NSO is now exclusively targeting NATO member countries as business partners.
It’s these kinds of techniques that have digital privacy activists worried. If major international companies that sell this type of spyware to government agencies and actors believe themselves to be the good guys, when they’re implicated — directly or indirectly — in horrific crimes, are they actually the good guys, or are they criminal double-agents in disguise?