NOTE: My latest piece on Israeli mass surveillance during the Covid19 epidemic was published by Jacobin here. Later today (Sunday), I will be interviewed by KPFK’s Middle East in Focus on the issues raised in the article. And this coming Friday, May 1st, I’ll participate in a video conference hosted by Portland OR’s KBOO radio. The panel will also include two Palestinian doctors from Israel and Gaza. We will be discussing the impact of the epidemic in Palestine and related issues. Watch this space and my social media accounts for further details including registering.
In the midst of every crisis and tragedy, there are hucksters looking to make a buck, or in the case of NSO Group, a billion. The executives of the company wouldn’t put it that way, of course. They’d say they were taking advantage of an opportunity the pandemic presented to them. They’re simply filling a need and trying to do it quicker and better than their competitors.
In a recent post, I noted an Israeli news report that NSO was marketing a “civilian” version of its blockbuster hacking product, Pegasus, to a dozen or more countries. The new version is designed to use a national database to track citizens and their proximity to Covid19 victims in order to protect the populace from the spread of the virus. The new product has been touted by Israel’s defense minister, Naftali Bennett, who suggested installing it to monitor Israeli Covid19 victims. His Knesset colleagues promptly dismissed the suggestion.
Earlier this month, NSO went on a publicity binge in which they promoted the new product, inaptly called “Fleming” (Ian Fleming is probably turning over in his grave; his estate should demand royalties), to a gaggle of technology journalists. NBC Nightly News aired a segment last night (at 16:20 in this video). A number of reporters were rightly skeptical about the claims made by its promoters and the potential privacy violations its use entailed. But the most damning appraisal of all came from John Scott-Railton, the senior forensic researcher of Citizen Lab, who himself has been stalked by NSO in a case reported here.
This bit of promotional copy from the company’s website sent my skepticism meter through the roof:
The technology anonymizes all data inputted by the operator, which adds an additional layer of privacy and security.
NSO is a company built on the premise of targeting and exposing the identities of what it calls “targets.” How could anyone trust it to anonymize data it collects? Not to mention that data analysts have proven that it is relatively easy to deanonymize such data.
Scott-Railton uses NSO’s own promotional materials to evaluate the accuracy and reliability of Fleming and finds it sorely wanting. Among other things, he notes that the geo-location accuracy is pitiful and would potentially scoop up thousands of individuals who not only did not come into contact with a victim, but didn’t even come close to one: “…The location data that NSO is rolling with is probably super imprecise. Carrier location data is mad inaccurate…”
Be sure to read not just this individual tweet but his entire thread:
Dang! Notorious spyware company NSO Group is marketing #COVID19 tracking in US, according to @NBCNightlyNews. Time to go CSI on screenshots of the product. THREAD pic.twitter.com/R6AnEC8Urw
— John Scott-Railton (@jsrailton) April 25, 2020
Here’s a sample plotting of individuals within the 20-meter geo-location sphere of a victim. You can see what a mess it would be using Fleming to identify them via this method of contact tracing:
Let’s get concrete. Imagine all of these people are in sort of a similar area, each rocking 20 meter spatial error or worse. What on earth do you actually do if one of them tests positive for #COVID19? pic.twitter.com/bBVOPzAyR3
— John Scott-Railton (@jsrailton) April 26, 2020
Any national health authority which buys Fleming risks flooding itself with false data and imprecise contact-tracing, and implementing a dragnet that snares tens, if not hundreds, of thousands of unwitting citizens. The goal of this technology should be to improve the precision of Covid19 tracking, and pinpoint victims and those in close proximity. Instead, this product is a civil liberty nightmare waiting to happen.
A technology ethicist wrote this, quoting Israeli historian Yuval Harari:
Yuval Noah Harari argues that the choice between health and privacy is, in fact, a false one. He emphasizes the critical role of trust in achieving compliance and co-operation, and says that public faith is not built through the deployment of authoritarian surveillance technologies, but by encouraging the populace to use personal tech to evaluate their own health in a way that informs responsible personal choices.
Harari writes:
When people are told the scientific facts, and when people trust public authorities to tell them these facts, citizens can do the right thing even without a Big Brother watching over their shoulders. A self-motivated and well-informed population is usually far more powerful and effective than a policed, ignorant population.
NSO’s Legal Woes
Yesterday, WhatsApp attorneys offered a blockbuster legal filing in their lawsuit against NSO Group. Previously, the Israeli company had claimed that it should not be sued in U.S. courts because it is not a U.S. company and none of its customers are U.S. citizens. It made a further claim that WhatsApp was suing the wrong party, because it had no control over what its clients did with its hacking tools once they installed them on their own computer systems.
I’d always distrusted that argument in the previous pieces I’ve published on NSO. It would be easy for it to track the activities of its clients and the uses they made of Pegasus. But of course, or so I thought, they deliberately would not do so because of precisely this potential liability for the misdeeds of the client. Boy, did it turn out I was wrong: the new filing reveals that NSO contracted with a U.S. data server company, QuadraNet, to run Pegasus for the client who attacked WhatsApp. And the data that was stolen was stored on that company’s servers. Caught ya red-handed, didn’t they?
A total of 1,400 WhatsApp customers were hacked. The new filing reveals that over 700 of these attacks originated from the IP addresses of QuadraNet. Three others originated from Amazon AWS servers. NSO’s hacks were totally Made in the USA, which destroys that defense.
Further, the revelation shows that NSO did far more than sell the clients Pegasus and wash its hands of how the product was used. In fact, NSO orchestrated the attacks itself using servers it had contracted.
No one has definitively identified who NSO’s client was. But it seems more than likely it was Saudi Arabia and its Crown Prince Mohammed bin Salman (MBS). The victims were likely Saudi dissidents and any party deemed hostile to Saudi Arabia. MBS is the very same man responsible for murdering Saudi dissident journalist Jamal Khashoggi and hacking the cell phone of Jeff Bezos (again using the same WhatsApp vulnerability exploited in the attacks on the other 1,400 users). I’m certain that the company’s lawyers are keeping exposure of NSO’s client’s identity under wraps for the appropriate moment when its revelation will create maximum damaging impact.
If there is any country seriously considering buying Fleming, they ought to do some due diligence before they regret what they’ve done. Don’t forget that NSO has been named one of the twenty most dangerous digital predators in the world. Not the sort of company you’d want to bring home to meet your mama.
Serious stuff, very serious, but your final words made me laugh out loudly!
Any serious post would at least mention the potential life-saving. You failed to do so.
@ carmel yativ: Yes, there is “potential” to save lives. There is also even more potential to ruin lives, to drag people before police and health officials accusing them of having a disease they don’t have and placing them in detention or quarantine. Not to mention that NSO’s products have been used to kill people. So I don’t harbor any illusions that the company’s goal here is to save lives. Its goal is to make money, plain and simple. It will do so if it kills people or if it saves people. It’s of very little difference to them.
Hey, someone has got to put up lawyers and losses that Facebook and WhatsApp will extract after they proved these shysters were working illegally in the US
As a regular Ponzi scheme they’ll try to sell the next bestest gadgets when we all know they belong in jail like Madoff
The High Court of Israel has ruled that the Shin Bet cannot tap into coronavirus patients’ phones.
@ Lemontree: No, the Supreme Court did not say the Shin Bet cannot hack Covid19 victims’ phones. It said the Knesset must pass legislation permitting this. Which of course it will do.
@Carmel Yativ. Silverstein mentioned the potential life saving of course, even in NSO-terms: “…there are hucksters looking to make a buck, or in the case of NSO Group, a billion. The executives of the company wouldn’t put it that way, of course. They’d say they were taking advantage of an opportunity the pandemic presented to them. They’re simply filling a need and trying to do it quicker and better than their competitors.”
It’s indeed all about saving the life, of the company.
More than 1 million Australians download tracing app within hours, despite privacy fears.
@ Lemonade: How are Australia and Israel different? Let me count the ways:
So you see the difference between a real democracy and Israel?
someone please explain to me IN WHAT UNIVERSE IS ISRAEL A DEMOCRACY
why are we all wasting our hopes and dreams and monies to pretend we are making A DIFFERENCE
the current crop of leadership whether political business or union have cemented the old UGLY JEW
we are all stained to say J’ACCUSE won’t do it anymore it is an ingrained trait to seek expand and improve the worst in humanity, why? RELIGION? MONEY? what is it
NSO is merely a pixel in a 75 inch tv panel, do you see the entire panel or is it too much light