NOTE: My latest piece on Israeli mass surveillance during the Covid19 epidemic was published by Jacobin here. Later today (Sunday), I will be interviewed by KPFK’s Middle East in Focus on the issues raised in the article. And this coming Friday, May 1st, I’ll participate in a video conference hosted by Portland OR’s KBOO radio. The panel will also include two Palestinian doctors, from Israel and Gaza. We will be discussing the impact of the epidemic in Palestine and related issues. Watch this space and my social media accounts for further details, including how to register.
In the midst of every crisis and tragedy, there are hucksters looking to make a buck, or in the case of NSO Group, a billion. The executives of the company wouldn’t put it that way, of course. They’d say they were taking advantage of an opportunity the pandemic presented to them. They’re simply filling a need and trying to do it quicker and better than their competitors.
In a recent post, I noted an Israeli news report that NSO was marketing a “civilian” version of its blockbuster hacking product, Pegasus, to a dozen or more countries. The new version is designed to use a national database to track citizens and their proximity to Covid19 victims in order to protect the populace from the spread of the virus. The product has been touted by Israel’s defense minister, Naftali Bennett, who suggested installing it to monitor Israeli Covid19 victims. His Knesset colleagues promptly dismissed the suggestion.
Earlier this month, NSO went on a publicity binge in which it promoted the new product, inaptly called “Fleming” (Ian Fleming is probably turning over in his grave; his estate should demand royalties), to a gaggle of technology journalists. NBC Nightly News aired a segment last night (at 16:20 in this video). A number of reporters were rightly skeptical about the claims made by its promoters and the privacy violations its use entails. But the most damning appraisal of all came from John Scott-Railton, senior researcher at Citizen Lab, who has himself been stalked by NSO, in a case reported here.
This bit of promotional copy from the company’s website sent my skepticism meter through the roof:
The technology anonymizes all data inputted by the operator, which adds an additional layer of privacy and security.
NSO is a company built on the premise of targeting and exposing the identities of what it calls “targets.” How could anyone trust it to anonymize the data it collects? Not to mention that researchers have repeatedly shown that such data is easy to deanonymize: stripping names from location records accomplishes little when a handful of known places and times is enough to single out one person’s trace.
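To make concrete why that promise is hollow, here is an added example (mine, not from the original post and not NSO’s code or data) of a linkage attack on a pseudonymised location dataset. It builds a synthetic set of 10,000 phones, each with eight (cell-sector, hour) observations, replaces the subscriber identifier with a truncated SHA-256 hash as the “anonymisation” step, and then measures how often an operator who knows just a few places and times where a person was can pick out that person’s trace. The dataset size, the eight points per phone and the hashing scheme are assumptions chosen for illustration.

```python
"""Linkage attack on "anonymised" location data (constructed example).

Identities are replaced by a hash, yet an operator who knows a few
places and times where a person was can still single out that person's
trace. The data is synthetic; nothing here is NSO's code or data.
"""
import hashlib
import random
from collections import defaultdict

N_USERS = 10_000   # phones in the dataset (assumption)
N_CELLS = 200      # cell-tower sectors in the area (assumption)
HOURS = 24         # one observation slot per hour
N_POINTS = 8       # (cell, hour) observations kept per phone (assumption)


def pseudonymise(subscriber_id):
    """The "anonymisation" step: replace the identity by a truncated hash."""
    return hashlib.sha256(subscriber_id.encode()).hexdigest()[:12]


def make_traces(seed=1):
    """Synthetic dataset: pseudonym -> set of (cell, hour) observations."""
    rng = random.Random(seed)
    traces = {}
    for uid in range(N_USERS):
        codes = rng.sample(range(N_CELLS * HOURS), N_POINTS)
        # divmod splits a slot code into (cell, hour)
        traces[pseudonymise(f"subscriber-{uid}")] = {divmod(c, HOURS) for c in codes}
    return traces


def build_index(traces):
    """Inverted index: (cell, hour) -> pseudonyms observed there at that hour."""
    index = defaultdict(set)
    for pseud, points in traces.items():
        for pt in points:
            index[pt].add(pseud)
    return index


def candidates(index, known_points):
    """Pseudonyms whose trace contains every point the attacker knows."""
    result = None
    for pt in known_points:
        matches = index.get(pt, set())
        result = set(matches) if result is None else result & matches
        if not result:
            break
    return result or set()


def reidentification_rate(traces, index, k, sample=300, seed=2):
    """Fraction of sampled phones singled out by k points from their own trace."""
    rng = random.Random(seed)
    unique = 0
    for pseud in rng.sample(sorted(traces), sample):
        known = rng.sample(sorted(traces[pseud]), k)
        if candidates(index, known) == {pseud}:
            unique += 1
    return unique / sample


def run(seed=1):
    """Re-identification rate for 1..4 known (cell, hour) points."""
    traces = make_traces(seed)
    index = build_index(traces)
    return {k: reidentification_rate(traces, index, k) for k in (1, 2, 3, 4)}


if __name__ == "__main__":
    for k, rate in run().items():
        print(f"{k} known point(s): {rate:.1%} of phones uniquely re-identified")
```

With uniformly random traces, one known point matches dozens of phones, but two or three points almost always leave exactly one: the hash removed the name, not the uniqueness of where a person goes. Real mobility data is more clustered than this synthetic set, which is why the well-known 2013 study of 1.5 million mobile users needed four points to single out 95% of people rather than two; the mechanism is the same.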
Scott-Railton uses NSO’s own promotional materials to evaluate the accuracy and reliability of Fleming and finds it sorely wanting. Among other things, he notes that its geolocation accuracy is pitiful and that it would potentially scoop up thousands of individuals who not only never came into contact with a victim but were never even close to one: “…The location data that NSO is rolling with is probably super imprecise. Carrier location data is mad inaccurate…”
Be sure to read not just this individual tweet but his entire thread:
Here is his sample plot of individuals near a victim, each located with 20 meters of error or worse. You can see what a mess it would be to identify contacts with Fleming via this method of contact tracing:
Let’s get concrete. Imagine all of these people are in sort of a similar area, each rocking 20 meter spatial error or worse. What on earth do you actually do if one of them tests positive for #COVID19? pic.twitter.com/bBVOPzAyR3— John Scott-Railton (@jsrailton) April 26, 2020
Any national health authority that buys Fleming risks flooding itself with false data and imprecise contact tracing, and implementing a dragnet that snares tens, if not hundreds, of thousands of unwitting citizens. The goal of such technology should be to improve the precision of Covid19 tracking, pinpointing victims and those in close proximity to them. Instead, this product is a civil liberties nightmare waiting to happen.
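To put the failure mode Scott-Railton describes into numbers, here is an added simulation (mine, not from the original post and not NSO’s code or data). It places one positive case in a 100-meter-square plaza with ten people who truly stood within 1.5 meters of the case and 390 bystanders never closer than 5 meters, adds Gaussian error of 20 meters per axis to every position, the way a coarse carrier fix would, and flags everyone whose observed fix falls within a chosen radius of the case’s fix. The crowd size, the 2-meter close-contact threshold and the 60-meter wide-net radius are assumptions chosen for illustration.

```python
"""Contact tracing from imprecise carrier location (constructed example).

Simulates one positive case in a crowd and compares who gets flagged
when every position carries the ~20 m error Scott-Railton describes.
Synthetic scenario; not NSO's code or data.
"""
import math
import random

N_CONTACTS = 10      # people who truly stood within 1.5 m of the case (assumption)
N_BYSTANDERS = 390   # people in the same plaza, never closer than 5 m (assumption)
HALF_SIDE = 50.0     # plaza is 100 m x 100 m, case at the centre


def build_crowd(seed=7):
    """True positions: case at the origin, contacts beside it, bystanders further off."""
    rng = random.Random(seed)
    people = [("case", (0.0, 0.0))]
    for i in range(N_CONTACTS):
        r, theta = rng.uniform(0.5, 1.5), rng.uniform(0, 2 * math.pi)
        people.append((f"contact-{i}", (r * math.cos(theta), r * math.sin(theta))))
    while len(people) < 1 + N_CONTACTS + N_BYSTANDERS:
        x, y = rng.uniform(-HALF_SIDE, HALF_SIDE), rng.uniform(-HALF_SIDE, HALF_SIDE)
        if math.hypot(x, y) >= 5.0:          # keep bystanders clear of the case
            people.append((f"bystander-{len(people)}", (x, y)))
    return people


def observe(people, sigma, seed=11):
    """Carrier fix = true position + Gaussian error of sigma metres on each axis."""
    rng = random.Random(seed)
    return [(name, (x + rng.gauss(0, sigma), y + rng.gauss(0, sigma)))
            for name, (x, y) in people]


def trace(observed, radius):
    """Flag everyone whose observed fix lies within radius of the case's fix."""
    fixes = dict(observed)
    cx, cy = fixes["case"]
    return {name for name, (x, y) in fixes.items()
            if name != "case" and math.hypot(x - cx, y - cy) <= radius}


def evaluate(sigma, radius, seed=7):
    """Return (number flagged, recall, precision) for an error level and flag radius."""
    people = build_crowd(seed)
    flagged = trace(observe(people, sigma), radius)
    true_contacts = {name for name, _ in people if name.startswith("contact-")}
    hits = len(flagged & true_contacts)
    recall = hits / len(true_contacts)
    precision = hits / len(flagged) if flagged else 0.0
    return len(flagged), recall, precision


if __name__ == "__main__":
    for sigma, radius in ((0.0, 2.0), (20.0, 2.0), (20.0, 60.0)):
        flagged, recall, precision = evaluate(sigma, radius)
        print(f"error {sigma:>4.0f} m, flag radius {radius:>4.0f} m: "
              f"{flagged:>3} flagged, recall {recall:.0%}, precision {precision:.0%}")
```

With exact positions, a 2-meter radius recovers all ten contacts and nobody else. With 20-meter error the same radius finds almost none of them, and widening the net until it does catch them flags most of the plaza, so precision collapses to a few percent. Whichever radius an operator picks, the output is either useless or a dragnet; no downstream processing can recover precision the location source never had.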
A technology ethicist wrote this, quoting Israeli historian Yuval Harari:
Yuval Noah Harari argues that the choice between health and privacy is, in fact, a false one. He emphasizes the critical role of trust in achieving compliance and co-operation, and says that public faith is not built through the deployment of authoritarian surveillance technologies, but by encouraging the populace to use personal tech to evaluate their own health in a way that informs responsible personal choices.
When people are told the scientific facts, and when people trust public authorities to tell them these facts, citizens can do the right thing even without a Big Brother watching over their shoulders. A self-motivated and well-informed population is usually far more powerful and effective than a policed, ignorant population.
NSO’s Legal Woes
Yesterday, WhatsApp’s attorneys made a blockbuster filing in their lawsuit against NSO Group. Previously, the Israeli company had claimed that it should not be sued in U.S. courts because it is not a U.S. company and none of its customers are U.S. citizens. It made the further claim that WhatsApp was suing the wrong party, because NSO had no control over what its clients did with its hacking tools once they installed them on their own computer systems.
In my previous pieces on NSO I had always distrusted that argument. It would be easy for NSO to track what its clients did with Pegasus; I assumed the company deliberately chose not to, precisely to avoid liability for its clients’ misdeeds. Boy, was I wrong: the new filing reveals that NSO contracted with a U.S. hosting company, QuadraNet, to run Pegasus for the client who attacked WhatsApp users, and that the stolen data was stored on that company’s servers. Caught red-handed.
A total of 1,400 WhatsApp users were hacked. The new filing states that more than 700 of the attacks originated from QuadraNet IP addresses, and three others from Amazon AWS servers. NSO’s hacks were Made in the USA, and that demolishes its jurisdictional defense.
Further, the revelation shows that NSO did far more than sell clients Pegasus and wash its hands of how the product was used. NSO itself orchestrated the attacks, using servers it had contracted.
No one has definitively identified NSO’s client, but it seems more than likely to have been Saudi Arabia and its Crown Prince, Mohammed bin Salman (MBS). The victims were likely Saudi dissidents and anyone else deemed hostile to the kingdom. MBS is the same man responsible for the murder of Saudi dissident journalist Jamal Khashoggi and for the hacking of Jeff Bezos’s phone (again through WhatsApp). I’m certain WhatsApp’s lawyers are keeping the client’s identity under wraps for the moment when its revelation will do maximum damage.
If any country is seriously considering buying Fleming, it ought to do some due diligence before it comes to regret the purchase. Don’t forget that NSO has been named one of the twenty most dangerous digital predators in the world. Not the sort of company you’d want to bring home to meet your mama.