For years, civil society groups, security researchers, and human rights organizations have been fighting against and warning about the use of commercial spyware to target activists, journalists, dissidents and other vulnerable groups, with limited success. Now, those organizations are asking the United States intelligence community to step in and wield its considerable power to take away the tools mercenary spyware vendors supply to state actors and other customers.
Companies such as NSO Group and Candiru that sell commercial spyware advertise their wares as a means to keep tabs on suspected terrorists or criminals, and they often claim that they do not sell to repressive regimes and that they control their systems tightly. But researchers and activists have found many examples of these tools being used by governments and private organizations to target dissidents, journalists, and others. Researchers at the Citizen Lab at the University of Toronto’s Munk School have documented the abuses of tools such as NSO Group’s Pegasus for many years, most recently including the targeting of politicians in Catalonia, Poland, Thailand, and elsewhere.
In a hearing on Wednesday, researchers from Citizen Lab and Google detailed the extent of the use and abuse of these tools for members of the House Select Committee on Intelligence, and said that the companies’ claims of controlling their tools ring false.
“The facts don’t bear this out. Abuse has been a feature of this technology since day one,” John Scott-Railton, a senior researcher at Citizen Lab, said during the hearing. “It is inevitable that nonstate actors will get their hands on these capabilities and cause immeasurable harm.”
That harm was on clear display during the testimony of Carine Kanimba, a U.S. citizen who was born in Rwanda and was targeted by NSO Group’s Pegasus spyware last year. Kanimba’s adoptive father, a permanent U.S. resident and vocal activist for democracy in Rwanda, was kidnapped in Dubai and rendered back to Rwanda, where he was sentenced to 25 years in prison. Forensic analysis of Kanimba’s phone in the months after her father’s kidnapping revealed the presence of Pegasus.
“The reports show that the spyware triggered into operation as I walked with my mother into a meeting with the Belgian Minister of Foreign Affairs. It was active during calls with the U.S. Presidential Envoy for Hostage Affairs team and the U.S. State Department, as well as when speaking with U.S. human rights groups. This surveillance is illegal under U.S. law and allowed the Rwandan government to always stay a step ahead as we fought to keep our father alive and secure his release,” she said in her testimony.
The use of these tools is no secret, and the federal government has recently taken action to limit their use, specifically in the U.S. In November 2021, the Department of Commerce placed NSO Group and Candiru, two prominent Israeli spyware vendors, on the Entity List, effectively prohibiting American companies from doing business with them. And security researchers regularly expose the tools spyware vendors sell, as well as the exploits and vulnerabilities they use. In order to remain effective against modern devices such as iPhones and Android phones, spyware vendors need access to zero-day vulnerabilities and exploits: bugs and techniques that have not yet been disclosed publicly and so have no patch available. Many vendors have their own teams of internal researchers who look for new vulnerabilities and develop exploits for them, but they will also buy new bugs from outside researchers.
This supply of zero-days and exploits is what keeps the trains running for spyware vendors, and Scott-Railton and Shane Huntley, director of Google’s Threat Analysis Group, which tracks state actors and other high-level attackers, said that the efforts of private researchers to limit that supply and its effectiveness can only go so far.
“Taking them on has to be a team sport. We all have our own visibility into this but we do not have some of the capabilities that the intelligence community has and the things they’re authorized to do,” Huntley said.
“There is very good cooperation in this community, and there needs to be, because each of us sees some part of the picture. We can’t let the adversaries take advantage of any disconnection. We have a common enemy here. This is not a competition.”
“If the U.S. intelligence community identified these zero days–and it could–and submitted them to the big tech companies, you could burn their houses down.”