Explaining Spyware, and How Governments Can Use It for Intimidation

(Bloomberg) -- In the hands of law enforcement and intelligence agencies, spyware can track criminals and terrorists. In the hands of repressive governments, it can be a tool of intimidation and retribution against activists, journalists and business executives. A particularly sophisticated version produced by Israeli software maker NSO Group Ltd., which can surreptitiously bug a target phone without any misstep by its owner, has sharpened concerns over who’s spying on whom, and for what purpose. It’s one front in a broader debate about the use of new technologies -- facial recognition and predictive policing analytics being two other examples -- by those entrusted with the power of the state.

1. What is spyware?

It’s a type of malware -- malicious software designed to infect devices without the user’s consent -- that secretly extracts information such as internet browsing history or private communications. One of the more benign, if annoying, forms of spyware is the tracking cookie. As you browse websites, your device accumulates cookies, which inform digital advertisers about what types of pop-up ads to feed you. In its most sophisticated and pernicious forms, spyware can extract emails, phone calls and text messages and even turn on your phone’s microphone, secretly record and take pictures with the camera. 

2. How does it get on devices? 

So-called phishing scams are a common method to distribute the less benign versions of spyware, tricking the user of a computer or smartphone into clicking an innocent-seeming link that unleashes malicious software. What sounded alarms about NSO’s Pegasus software is its capability to infect a smartphone without any overt act on the user’s end. That’s known as a zero-click attack.

3. Is this legal? 

NSO, which exports software under the auspices of Israel’s defense ministry, insists it licenses Pegasus to law enforcement and intelligence agencies of sovereign states for the purpose of collecting data “from the mobile devices of specific suspected major criminals.” Amnesty International has urged the Israeli government to revoke NSO’s export licenses on the grounds that “there is parallel use of the tool against civil society that is in clear violation of international human rights law.” Some countries do regulate use of spyware. The U.K., Germany, Austria and Italy are among those that have laws governing hacking by law enforcement. A judicial warrant is required in the U.S. in most circumstances.

4. Who uses spyware? 

The “increasingly authoritarian” governments of India, Mexico, Azerbaijan, Morocco, Saudi Arabia and Hungary have been NSO clients, and some of them selected “journalists, human rights defenders, political opponents, businesspeople and even heads of state as targets of this invasive technology,” according to a July 2021 report by a Paris-based investigative journalism organization called Forbidden Stories. Amnesty International, which provided technical support to the investigation, named Bahrain, Kazakhstan, Rwanda, Togo and the United Arab Emirates as additional NSO clients identified by Forbidden Stories and its media partners. Separately, the Committee to Protect Journalists, drawing on work by the University of Toronto’s cyber-research unit Citizen Lab and Amnesty International, said Pegasus and spyware from three other companies -- Cyberbit Solutions of Israel, Hacking Team of Italy and FinFisher of Germany -- were used to target 38 journalists, commentators or their associates by state actors since 2011.

5. What do the software makers say? 

NSO said the Forbidden Stories report “is full of wrong assumptions and uncorroborated theories.” It says its products have been used to thwart terrorist attacks and dismantle drug-trafficking rings. Bloomberg News reported in December that NSO was exploring options including shutting its Pegasus unit and selling the entire company. As for the three companies (or their successors) named in the Citizen Lab report, they said their software was designed specifically for use by law enforcement and intelligence agencies. 

6. What do other tech companies say? 

Following publication of the Forbidden Stories investigation, Apple Inc. condemned “cyberattacks against journalists, human rights activists and others seeking to make the world a better place” and urged customers to download a software update that makes iPhones less vulnerable to zero-click attacks. In November it sued NSO for allegedly abusing Apple products. In a similar lawsuit filed in 2019 and still wending its way through U.S. courts, Meta Platforms Inc., then called Facebook, accused NSO of illegally using the WhatsApp messaging service as a delivery mechanism for spyware. Microsoft, Google and Cisco Systems signed a brief in support of Facebook in that ongoing case.

The Reference Shelf

• The Committee to Protect Journalists report, “Spyware and Press Freedom.”
• NSO Group’s 2021 Transparency and Responsibility Report.
• Bloomberg’s story on NSO mulling a shutdown of the Pegasus unit.

©2021 Bloomberg L.P.