On October 2, 2018, Jamal Khashoggi, a Saudi journalist and critic of the kingdom's government, visited his consulate in Istanbul to secure the necessary documents for his next wedding. He didn't leave alive. After initially denying responsibility, the Saudi government admitted that Khashoggi was killed in a "dishonest operation".
Two months later, Omar Abdulaziz, another Saudi dissident, filed a lawsuit in Israel against NSO Group, an Israeli software company. Abdulaziz claims that the NSO Group had licensed Pegasus, a smartphone-spying spyware, to the Saudi government, which used it to spy on it – and through it Khashoggi. The NSO Group denies that its software was used against Khashoggi. In October, WhatsApp, a Facebook-owned encrypted messaging company, also sued the company, saying its software had been used to hack about 1,400 of its users. WhatsApp says it has asked the US Department of Justice to open an investigation. The NSO Group disputes WhatsApp's allegations "in the strongest possible terms". On November 26, several NSO Group employees filed a lawsuit against Facebook, claiming that the social media giant unfairly blocked their private accounts.
Receive our daily newsletter
Update your inbox and receive our Daily Editor and Shipment Choices.
The flood of lawsuits drew attention to a little-known corner of the cybersecurity industry. Most cyber security companies focus on defending customers from hackers and malware. But some, including NSO Group, as well as Gamma Group (an Anglo-German company) and Hacking Team (an Italian company that merged with another company to create Memento Labs in April), sell software to help governments access online data about people of interest. Business seems to be fast.
The opaque nature of the “intrusion software” market means that the work of trying to compile numbers is primarily up to academics and NGOs. The unusually sincere NSO Group says its revenue in 2018 was $ 250 million. In February, Novalpina Capital, a privately held British company, bought a majority stake in the company. The implicit valuation of the deal allegedly put the company in the “unicorn” startup club worth more than $ 1 billion. Most NSO Group competitors are much smaller, says John Scott-Railton, a researcher at the University of Toronto's Munk School of Government. Danna Ingleton of Amnesty International, a human rights group, estimates the market is worth at least several billion dollars.
It is understandable that companies reveal the identity of their customers. But in 2015, a widely reported data breach seemed to reveal a list of Hacking Team customers. The list included a Saudi intelligence agency and the Sudanese government of Omar al-Bashir, as well as the FBI, the Malaysian Anti-Corruption Commission and the state government of Bayelsa, a province of Nigeria. Memento Labs did not respond to requests for comment.
The industry has been around for some time, but Scott-Railton says documents leaked in 2013 by Edward Snowden, an American spy – who lifted the lid on US electronic surveillance capabilities – have given a big boost. "Other states have said," How did we get something like this? " "The leaks also led Western technology companies to encrypt more web traffic and instant messaging, making existing forms of espionage even more difficult." Some private companies now offer governments that do not have the knowledge to breach these defenses the tools to do so. Many are made up of ancient western ghosts. According to a leaked New York Times list of employees, DarkMatter, based in the United Arab Emirates, hired several people who worked for the National Security Agency, the United States' leading signal intelligence organization. DarkMatter has not responded to requests for comment.
Gray coats and hats
Most companies say it helps law enforcement fight terrorism, drug smuggling or other crimes. At a conference in November, Shiri Dolev, president of the NSO Group, complained about his company's coverage. She argued that services like WhatsApp are used by some "as a vehicle for terrorism and crime," and software like Pegasus is vital. The company insists that its products "are not a tool to be armed against human rights activists or dissidents." In September, it announced a new human rights policy based on UN guidelines; considers it the first company in the industry to do so. Even before that, says a spokeswoman, the company has turned down about $ 100 million in business for ethical reasons over the past three years.
In theory, hacking software exports are controlled by the same laws that regulate gun sales. In practice, most observers think these restrictions have little bite. David Kaye, UN Special Rapporteur on freedom of opinion and expression, described the spyware market as "out of control" and "unexplained". State use of industry products to target political opponents, journalists, and others seems common, says Ingleton.
Previous processes have failed, she adds, in part because of their international high-tech nature. Courts must first be convinced that the perpetrators have suffered an injury, that the injury can be traced back to the defendant and that the court can correct it. Even if this "position" can be established, it is difficult to obtain evidence. "And yet, it may be difficult for some judges to understand what is being presented," she says. In a recent case in America, "Mr. Kidane", a pseudonym American with ties to Ethiopia, alleged that the Ethiopian government was spying on him and his family using FinSpy, one of Gamma Group's products. A judge dismissed the case on the grounds that the alleged espionage did not occur entirely within the borders of America. The Gamma Group did not respond to requests for comment.
However, all recent advertising has increased the pressure on businesses. In November, Ron Wyden, a US Senator, called for an investigation into whether NSO Group products had been used against US citizens. Kaye wants a moratorium on exports until stricter laws can be drafted. And WhatsApp's processes mark a climb for the big tech companies that want to protect their users' data.
Serious repression remains unlikely, thinks Edin Omanovic of Privacy International, another NGO, due in part to the official track record of many employees at these companies. "Enforcement has always been a problem in the gun industry," he says. Until that changes, eavesdropper software vendors can expect to thrive. ■