Playing whack-a-mole with spyware isn’t going to work

Caitlin Thompson


News that journalists and activists from Hungary to El Salvador had been hacked by Pegasus spyware was a rude awakening. The uproar was international. The Biden administration blacklisted NSO Group, the Israeli firm that sells Pegasus. Journalists in Hungary are suing their government for allegedly targeting them. Apple is suing NSO Group for allegedly violating its user terms of service agreement. Meta, formerly Facebook, blacklisted NSO Group and several other hacking-for-hire companies.

Pegasus illustrates the need to address the international proliferation of spyware. In a market that’s highly unregulated, this won’t be as simple as punishing companies here and there. 

While NSO Group deals with backlash, other companies are happy to fill authoritarians’ need for tools that will allow them to monitor and track people.

“The problem is the industry and the lack of control regulation of the industry,” said Etienne Maynier, a technologist at Amnesty International. 

So long as there isn’t a framework to ensure other companies can’t follow in NSO Group’s footsteps and sell their tools to authoritarians, “we can only expect this abuse will continue,” he added. 

Take, for example, another Israeli firm, QuaDream, which sells some of the most sophisticated spyware available and exploited the same flaw in Apple devices. Like Pegasus, QuaDream relies on zero-click exploits that enable attackers to crack phones without requiring the device’s owner to open a malicious link. QuaDream is also courting clients similar to NSO Group’s, like Saudi Arabia, Mexico and Singapore.

Like Pegasus, QuaDream’s REIGN spyware grants full access to the phone’s messages, photos, contacts and cameras. The spyware can also activate a device’s cameras and microphones and record calls in real time.

But unlike NSO Group, QuaDream hasn’t faced the same level of international scrutiny, and it hasn’t been sanctioned, blacklisted or sued. Whack-a-mole style regulation will inevitably miss companies. 

It’s tricky to crack down on companies in such an opaque industry. “The spyware market is very secretive, and often we discover things when they’re already done,” said Maynier. 

Even if you know the company’s name, what do you do next? The spyware industry is diverse. Tools range from Pegasus-like exploitation software to companies that sell hacking-for-hire services. The same type of regulation won’t work for every situation.

For example, BellTroX, a New Delhi-based hacking-for-hire firm, profiles individuals and targets them with customized phishing campaigns. Export controls will be important for reining in Pegasus or QuaDream, but they won’t be as effective for companies like BellTroX that are selling a service, rather than a product, explained Maynier.

One option might be holding BellTroX liable and taking legal action against the company. 

Piecemeal regulations won’t stop spyware from being used in authoritarian countries. Blacklisting NSO Group in the U.S. or forbidding French phone numbers from being targeted does nothing to prevent spyware from being used in Saudi Arabia.

“We have to solve the problem for everyone, otherwise it won’t work,” said Maynier. 

There is a bright side though. Because of the Pegasus Project, there’s more attention to the spyware industry overall. The next step is figuring out what to do about it.

Any approach to regulating spyware will be multifaceted, said Maynier. In addition to export controls and lawsuits by companies like Apple, the solution will involve agreements on the national, regional and international level.

“Right now, we need a short-term solution to stop this abuse,” said Maynier. In the long term, the solution will be much more complicated.

Masho Lomashvili contributed additional reporting.

IN OTHER GLOBAL NEWS: 

In Italy, a driver born in Ghana or Laos may pay over $1,000 more for car insurance than a driver born in Milan. There’s a clear pattern of bias in the algorithms that calculate insurance prices, according to a study by researchers at the Universities of Padua, Udine, and Carnegie Mellon. Italy knew there was a problem in 2012, when authorities tried to encourage insurance companies to stop including birthplace or citizenship in the risk models used to calculate premiums. Clearly it didn’t work. 

Gig workers in Turkey are striking, amid the lira’s dire crash. Food delivery workers from various companies are pushing for wage increases, but so far, many have been offered minimal increases of a couple hundred dollars. The economy is in rough shape, with inflation near 50%. Turkey’s Information Technologies and Communication Authority plans to take steps to require food delivery companies to hire more gig workers as actual employees.

Surveillance with a side of fries: McDonald’s settled a $50 million class action lawsuit over its use of biometrics. Employees sued under Illinois’ Biometric Information Privacy Act (BIPA), arguing that the company required them to use a smart clock-in system that gathered biometric data without their informed consent. This is only one of the BIPA lawsuits facing McDonald’s. The other has to do with collecting recordings of customers’ voices at drive-thrus.

WHAT WE ARE READING

  • The Record profiled the man suing the government over its use of facial recognition in India’s Telangana state. The region’s capital, Hyderabad, is one of the most heavily surveilled cities in the world.
  • A teenager in Russia was sentenced to five years in prison for planning to blow up a virtual version of the offices of the FSB, the state security services. Not in real life. In the video game Minecraft.