Spyware company introduces unprecedented human rights policy

U of T’s Citizen Lab researcher likens NSO Group’s reforms to “tokenism”

Controversial Israel-based spyware company, NSO Group, has introduced a new human rights policy to complement its business practices — an unparalleled measure for the global spyware industry.

While NSO Group says the policy “embeds relevant human rights protections throughout [its] business and governance systems,” critics, including Amnesty International and U of T’s The Citizen Lab at the Munk School, have argued otherwise.

NSO Group’s track record

NSO Group is a cyber-intelligence company that sells technologies for monitoring communications of various targets. Earlier this year, it was partially acquired by Novalpina Capital LLP, a private equity fund based out of the United Kingdom.

According to its website, NSO maintains that it sells its technology to governments because “terrorists, drug traffickers, pedophiles, and other criminals have access to advanced technology and are harder to monitor, track, and capture than ever before.”

However, the company has also faced backlash for its practices. Research conducted at U of T’s Citizen Lab — an interdisciplinary research organization exploring digital surveillance, censorship, and cyberattacks — has discovered that NSO Group’s spyware, Pegasus, was used to target activists, journalists, and members of civil society in countries such as Mexico, Saudi Arabia, and the United Arab Emirates.

Most recently, in May, reports surfaced that NSO software was used to allegedly spy on a lawyer through a vulnerability in WhatsApp. The lawyer — who remains anonymous due to fears for their safety — was involved in a civil lawsuit against NSO.

In June, David Kaye, the United Nations’ Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, called for a freeze on selling and using spyware until “human rights-compliant regulatory frameworks are in place.”

In his announcement, Kaye said, “The private surveillance industry is a free-for-all.”

Following Kaye’s call, researchers at Citizen Lab released a statement about the harmful consequences of the commercial spyware industry.

“In light of the concerns raised by the Special Rapporteur reports, companies like Novalpina Capital LLP… must take responsibility for the harms caused by the surveillance technology manufactured and sold by NSO Group,” wrote the researchers.

“Such a step would mean respecting international human rights treaties and, as a starting point, complying with the moratorium demanded by the Special Rapporteurs.”

A new policy

NSO Group’s new policy, announced on September 10, is intended to align the company’s practices with the United Nations Guiding Principles on Business and Human Rights. The aim is to help the company identify possible risks for human rights abuses and work to prevent misuse of its products.

When the company announced the new policy, co-founder and CEO of NSO Group Shalev Hulio said that the policy “publicly affirms our unequivocal respect for human rights and our commitment to mitigate the risk of misuse.”

“With this new Human Rights Policy and governance framework, we are proud to further enhance our compliance system to such a degree that we will become the first company in the cyber industry to be aligned with the Guiding Principles,” he added.

Alongside the human rights policy, NSO also announced a new External Whistleblower Policy and three new senior advisors.

The advisors — United States Governor Tom Ridge, former French Ambassador to the United States Gérard Araud, and former Assistant Secretary at the United States’ Department of Homeland Security Juliette Kayyem — are set to support the company in its partnerships with governments.

The response

In the wake of the policy announcement, advocates and researchers have grappled with the question: can spyware and human rights work in tandem?

In an email to The Varsity, Citizen Lab Senior Legal Advisor Siena Anstis wrote that the policy “does not inspire confidence.”

“It’s easy to put words to paper, but we still have no real information on how the company will be transparent regarding its business practices or what types of oversight and accountability structures are in place to ensure real implementation of the ‘human rights policy,’” Anstis wrote.

“Without transparency or accountability, the policy is meaningless.”

When asked if NSO’s human rights policy would spark similar policies in the industry, Anstis wrote that “it’s hard to predict whether other companies in this industry are going to follow suit.”

However, she noted that “it certainly wouldn’t be challenging for other spyware companies to engage in the same level of tokenism.”

In a public proclamation, Deputy Director of Amnesty Technology Danna Ingleton also criticized NSO Group in response to the policy.

“The company needs to demonstrate [that this reformed policy] is more than an attempt to whitewash its tarnished reputation,” she said. “It doesn’t get to pick and choose when it should respect human rights — all companies have this responsibility anyway.”

Ingleton called for more government regulation for the spyware industry.

“Governments also need to act,” she said. “There needs to be tougher legal requirements on respecting human rights for the spyware industry, which time and time again has trampled on the rights to privacy, freedom of opinion and expression.”

Anstis further advocated for tightened regulation in the spyware industry.

“In addition to pushing for reform,” she said, “the public should be calling for more transparency on when and how their governments deploy this technology and the safeguards in place to ensure it is not abused.”

Disclosure: Kaitlyn Simpson previously served as Volume 139 Managing Online Editor of The Varsity, and currently serves on the Board of Directors of Varsity Publications Inc.

Flaw in WhatsApp exploited to target human rights lawyer, finds Citizen Lab

Lawyer has been embroiled in lawsuit against NSO Group, controversial Israeli technology firm

On May 12, a London-based human rights lawyer received peculiar video calls on his WhatsApp account while visiting Sweden.

Concerned by receiving the calls at such odd times in the morning, he reached out to cyber specialists at U of T’s Citizen Lab to investigate.

The Citizen Lab is a multidisciplinary research institute located at the Munk School for Global Affairs and Public Policy. The lab explores issues related to cybersecurity, surveillance, and digital censorship.

The lawyer, who remains anonymous due to fears of retaliation for speaking out, suspects potential foul play given his involvement with a civil lawsuit against NSO Group, an Israeli technology firm.

Foreign governments, including Saudi Arabia, Mexico, and the United Arab Emirates, have allegedly used NSO Group’s products to spy on journalists and political dissidents, including a critic of Saudi Arabia living in Canada.

According to reports from the Financial Times, the spyware targeting the lawyer’s phone had digital characteristics typical of NSO Group products.

Citizen Lab Senior Researchers John Scott-Railton and Bill Marczak led the investigative team that discovered WhatsApp’s vulnerability.

In an interview with The Varsity, Scott-Railton said he “observed a case where it looked like there was an attempt to target that lawyer’s phone with this novel attack, which would have happened over WhatsApp through a missed call.”

By exploiting the app’s vulnerability, NSO Group’s Pegasus spyware could enter a target’s iPhone or Android device through WhatsApp’s call function. The malicious code could then extract private information such as text messages and call histories, regardless of whether a target answers the call or not. The spyware can also collect new data by turning on the device’s camera or microphone.


WhatsApp’s response

WhatsApp engineers worked to patch the vulnerability as quickly as possible once they became aware of the susceptibility in the software. When finished, their company urged its 1.5 billion users to update their apps.

“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” WhatsApp said in a public statement.  

The social network also informed United States Department of Justice officials and issued a Common Vulnerabilities and Exposures notice to inform cybersecurity experts.

Scott-Railton praised WhatsApp for acting swiftly after discovering the vulnerability. “The way that WhatsApp has responded to this has been, I think, quite positive,” he said, noting how WhatsApp contacted a number of human rights organizations, which are common targets of the Pegasus spyware, before publicly announcing the security vulnerability.

According to Scott-Railton, this was an “unprecedented” move by a social media company and signals that it “felt there was something very wrong that had been done… and they didn’t like what they saw.”

It is unclear how many people were targeted or impacted by the vulnerability. However, based on WhatsApp’s comments, Scott-Railton said it seems like “there was a problem… [which was] much larger” than the attack on the human rights lawyer alone.

NSO Group promises reform

NSO Group maintains that it partners with governments to assist with law enforcement efforts and prevent criminal activity such as terrorism.

In response to reports that its software was targeting the human rights lawyer, NSO Group said that it “would not, or could not, use its technology in its own right to target any person or organization, including this individual.”

Earlier this year, NSO Group was partially acquired by the UK-based private equity fund Novalpina Capital. When Novalpina took over, it promised to reform the company in light of recent reports of suspected abuse.  

When the acquisition occurred, Novalpina was hoping to “establish a new benchmark for transparency and respect for human rights in full compliance with the [United Nations] Guiding Principles,” said Stephen Peel, co-founder of the fund.

Scott-Railton believes that “if indeed this was NSO, it suggests that this public story about human rights abuse may not [match up] with other things that we’ve observed.”

A bigger picture

Citizen Lab has been involved in multiple investigations tracking companies that sell spyware. Earlier this year, Citizen Lab itself had been targeted by undercover agents — masked as “socially conscious investors” — for its research on NSO Group.

Scott-Railton believes this case points to a larger trend of companies selling spyware to target individuals. “I think in the long run, we won’t really understand the digital risks and challenges that we all face until we see cases where harm happens to individuals,” he said.

“It’s very disconcerting to someone who has WhatsApp on their phones when they hear that there’s some company out there that’s selling a technology to basically use that as a way onto their phones, without any interaction,” Scott-Railton said.

“It’s almost unpreventable.”

Disclosure: Kaitlyn Simpson previously served as Volume 139 Managing Online Editor of The Varsity, and currently serves on the Board of Directors of Varsity Publications Inc.

Editor’s Note (September 28, 12:17 pm): This article has been updated to reflect the author’s former and current affiliations with The Varsity.

The spy in the cell phone

What is the NSO Group’s infamous Pegasus spyware, and how can activists protect themselves?

On October 1, U of T’s Citizen Lab published a report titled “The Kingdom Came to Canada.” It details how McGill University student and Saudi human rights activist Omar Abdulaziz was cyberstalked by Saudi Arabian-linked agents.

The next day, journalist Jamal Khashoggi, Abdulaziz’s mentor, walked into the Saudi consulate in Istanbul and never walked out. Two months later, Citizen Lab scientists were targeted by undercover agents seeking information on their personal lives and current research. It reads like a Hollywood political thriller — only here, everyone involved is unfortunately real.

The software Pegasus is at the heart of the conspiracy. The spyware suite is produced and marketed by Israeli cyberarms firm NSO Group Technologies. It first came under media scrutiny in 2016, following the use of the software against Emirati activist Ahmed Mansoor.

Pegasus is capable of collecting private data — from phone logs to text messages — stored on a targeted cell phone. It can also actively trigger input devices, like a phone’s camera or microphone, which allows the recording of any activity in range of the device. All of this can be performed without the knowledge of the victim.

This is made possible by exploiting “zero-day” vulnerabilities in the device software. These are vulnerabilities previously unknown to the device vendors.

In their original 2016 report on the NSO Group’s spyware, Citizen Lab observed Pegasus gain access to an iPhone 5 through a disguised JavaScript download.

The downloaded code then exploited a memory corruption vulnerability in WebKit, the framework Apple’s Safari browser is built on, to execute within Safari.

This code then accessed the iPhone’s kernel — the core of iOS — through another memory corruption vulnerability. In an uncontrolled scenario, this would allow unauthorized programs to run without the user’s knowledge.

In contrast to the sophistication of its software, Pegasus’ method of initial phone infection is identical to common “phishing” schemes. Exploit links — which masquerade as benign hyperlinks — are texted to the target which, upon being opened, prompt the JavaScript download.

This deception can take many forms; the Pegasus operator who targeted Abdulaziz, for example, impersonated news organizations by employing domain names like kingdom-news.com or arabworld.biz.

As documented in a September 2018 report “Hide and Seek,” Citizen Lab was able to trace a Pegasus operator by activating a known Pegasus link and observing the ensuing behaviour of the link and linked server.

By searching for similar patterns of hyperlink behaviour, the researchers identified 1,091 IP addresses and 1,014 domain names associated with Pegasus. Then, by using a categorizing technique known as Athena, they were able to identify the IP addresses of 36 Pegasus operators.

Citizen Lab was able to trace the Pegasus operators to 45 countries by locating domain names of Pegasus servers using the infected devices. Different internet service providers (ISPs) in different locations use different domain name systems, which were matched up to the domain names the infected devices searched for.

These operators were then assigned names based on their activity of interest. For example, Abdulaziz’s cyberstalker was named “KINGDOM” due to its Saudi-centred activity.

“Based on the methodology outlined in Hide and Seek, we could observe infections ‘checking in’ at the [ISP] level, but nothing more in terms of granular detail,” explained Dr. Ronald Deibert, Director of Citizen Lab and a Professor in the Department of Political Science, in an email to The Varsity. This lack of detail means that there is insufficient evidence to concretely tie KINGDOM to a specific individual or the Saudi government.

Regarding reports of possible misuses of Pegasus, NSO Group said, “Contrary to statements made by [Citizen Lab], our product is licensed to government and law enforcement agencies for the sole purpose of investigating and preventing crime and terror.”

In response, Citizen Lab clarified that it has not levelled any accusation against NSO Group’s intentions, but that research “continues to demonstrate some highly concerning real-world examples of the abuse of NSO Group technology in practice.”

To journalists, activists, and other individuals at risk of running afoul of a Pegasus operator, Deibert recommends using Citizen Lab’s Security Planner, as well as reading the Electronic Frontier Foundation’s Surveillance Self-Defense Guide. “This type of targeted espionage against civil society is a growing crisis of democracy,” said Deibert.

“The market for commercial spyware is largely unregulated, and prone to abuse.” Deibert emphasized that this is a new age of digital insecurity, based on the fact that our portable devices are always on, which offers an easy point of intrusion to any individual’s private life.


Researchers at U of T’s Citizen Lab targeted by undercover agents about spyware studies

Questioned about studies on spyware used on friends of murdered journalist Jamal Khashoggi

Undercover agents have been questioning U of T Citizen Lab researchers in recent months about their study of an Israeli spyware that was used on murdered Washington Post journalist Jamal Khashoggi’s friends, reported The Associated Press.

Agents have approached researchers twice in the past two months claiming to be “socially conscious investors” interested in partnerships. During meetings set up after online contact, the agents questioned the researchers about their personal lives and work regarding the NSO Group, a surveillance technology firm based in Israel that has sold a clandestine software called “Pegasus” to governments seeking to spy on iPhones.

The Associated Press reported that Bahr Abdul Razzak, a Citizen Lab researcher, was approached in December by an investigator who called himself Gary Bowman.

Bowman’s questions to Razzak included, “Do you pray?”, “Why do you write only about NSO?”, and “Do you hate Israel?”. Another Citizen Lab researcher, John Scott-Railton, was later approached on January 9 and was asked similar questions.

The Associated Press was not able to reach either of the agents, nor is there any evidence that they are linked to the NSO, which has stated that it is not involved.

Citizen Lab’s research into the NSO Group is part of its larger initiative on tracking “nation state spyware,” said senior research fellow Bill Marczak on CNN in October.

The lab concluded with “high confidence” that Omar Abdulaziz, a close friend of Khashoggi and fellow Saudi dissident, had been under surveillance using the Pegasus software. Abdulaziz lives in Quebec.

“When a government buys Pegasus,” said Marczak, “What they do is they can send a text message to someone’s phone containing a link, and if they convince the person to click on that link in the text message, then the phone becomes infected and the government can see anything on the phone — including pictures, contacts, listening into calls, watching text messages, and even turning on the camera and microphone.”

Citizen Lab is a Munk School of Global Affairs laboratory that studies human rights issues using computer science and social sciences techniques.

Alleged sexual assault comes to light at the Citizen Lab

2014 incident illuminated by letter from director, perpetrator fired

An alleged sexual assault that coincided with a Citizen Lab event in 2014 was revealed in an open letter from Director Ronald Deibert, posted on the Citizen Lab website last week. The alleged assaulter, Morgan Marquis-Boire, has been removed from his position as a security researcher and technical advisor with the lab.

According to the letter, posted on October 13, Marquis-Boire allegedly sexually assaulted another individual during the Citizen Lab-hosted Cyber Dialogue conference in March 2014.

In the letter, Deibert says Marquis-Boire requested to resign from the Citizen Lab’s technical advisory group in September, shortly before the accuser approached Deibert to inform him of the alleged sexual assault. Following this encounter, Deibert terminated Marquis-Boire’s position at the Citizen Lab.

Marquis-Boire also held positions at First Look Media, Electronic Frontier Foundation (EFF) and the Freedom of the Press Foundation. EFF has revoked affiliation with him following the sexual assault allegations.

Marquis-Boire did not respond to The Varsity’s attempts to contact him.

Deibert writes that he broached the possibility of pursuing legal action or going public with the unnamed individual, both of which the individual declined at the time. However, after a second consultation with the original party, Deibert wrote that he felt it was his “responsibility to make a public statement on behalf of the Citizen Lab.”

In the letter, Deibert states the Citizen Lab stands “behind survivors of sexual assault in all its forms, [supports] those who come forward to share their experiences, and [is] committed to creating safer spaces in our community.”

The letter indicates that the Citizen Lab incorporated a Code of Conduct in July 2017 to “clearly articulate what constitutes inappropriate behavior at events we organize.”

The Citizen Lab declined to comment beyond the scope of the letter. Similarly, U of T’s media relations did not directly address the alleged sexual assault, explaining to The Varsity that they were first made aware of the incident via Deibert’s letter on October 13.

In an interview for The Varsity regarding sexual violence policy at U of T, Executive Director, Personal Safety, High Risk and Sexual Violence Prevention & Support Terry McQuaid said, “We know that sexual violence is a broader societal issue, and universities are no different, they’re grappling with this issue as well.”

Deibert also alluded to the management of and attitudes toward sexual violence at the Citizen Lab in his letter. “We will continue to monitor the situation closely, are committed to ongoing internal dialogue, and aim to be responsive to feedback from our community,” Deibert writes. “This incident highlights that there is much work to be done to counter a toxic culture of sexual discrimination, harassment, and violence in many areas of the tech community, and we are fully committed to that fight.”

Focused on global security research and development, the Citizen Lab is based out of the Munk School of Global Affairs at U of T. The Citizen Lab has hosted the Cyber Dialogue conference annually since 2011. The conference invites private and public voices to discuss cyberspace security and governance.

Editor’s Note (October 23): A previous version of this article incorrectly stated that the alleged sexual assault occurred at the Citizen Lab event. In fact, the alleged sexual assault coincided with the Citizen Lab event. 

A year at the Citizen Lab

The lab’s major research in 2017 looks at spyware and cybersecurity around the world

The Citizen Lab, a University of Toronto institute based out of the Munk School of Global Affairs, has been making headlines this past year due to the rise of increasingly complex cybersecurity issues in countries such as the United Arab Emirates (UAE), China, and Mexico. The lab, which investigates both domestic and foreign affairs, aims to ensure that cybersecurity issues overseas do not taint the comparatively secure hold Canadians have on their own rights.

Canada, however, is not immune from the tempting prospect of spying on its own citizens. A Citizen Lab report by Christopher Parsons and Tamir Israel explains how various legislative initiatives were proposed by the government to allow warrantless disclosure of digital identifiers, such as IP addresses, for national security reasons.

The authors reject the principle upon which the proposals were founded – primarily, the idea that you have nothing to fear if you have nothing to hide. Their research indicates that online privacy from the government actively allows users to honestly explore and express ideas without fear of consequence.

Another concern within this realm is the use of spyware. Cyber warfare companies that sell government-exclusive spyware have become infamous for selling their products to human rights abusers. This spyware is often used to quell government dissent and freedom of expression.

Ron Deibert, the director of the Citizen Lab, says that concerns like these require serious accountability. On his blog, he describes the mission of the Citizen Lab as using “mixed methods research to highlight digital security issues that arise out of human rights concerns, and then […] try to mitigate the problem.”

The following review details some of the Citizen Lab’s major findings over the course of the past year, and explains how these findings relate to, and shed light on, issues concerning cyberspace.


Abuse of Spyware by the UAE

One regime that regularly targets its citizens with spyware is the UAE. The Citizen Lab broke the story of Ahmed Mansoor, an internationally recognized human rights advocate who was targeted by multiple government hacking attempts. One suspicious SMS link that Mansoor received on his iPhone 6 was sent to Citizen Lab researchers to test its source. It was discovered as belonging to a company called NSO Group, an Israel-based cyber warfare company that specializes in a government-exclusive spyware product called Pegasus.

Had Mansoor clicked on the link, it would have activated a ‘zero-day’ exploit and jailbroken his phone, installing spyware without his knowledge. Once installed, it would have logged all his calls and messages, relaying them back to the spyware’s customer.

The value of zero-days is that they give software developers zero days to patch the vulnerability before it is exploited. In other words, it is an unknown vulnerability that has high value when used successfully against dissident voices, which Mansoor clearly represented in the UAE. The Citizen Lab’s response was to report the iOS vulnerability directly to Apple, which patched it immediately with a software update.


Liu Xiaobo and Chinese censorship

Online censorship is another strategy the Citizen Lab frequently finds to be effectively used in suppressing populations. In July, The New York Times published an article on the death of Liu Xiaobo, a Chinese dissident who won a Nobel prize while in jail for his activist work. Immediately following his death, Citizen Lab research discovered “a ‘significant shift’ in censorship techniques” in China; this included blocking keywords relating to his name in direct messaging applications.

Notably, WeChat, one of the main platforms censored by the Chinese government, did not indicate to users when certain messages were blocked. The Citizen Lab also uncovered that the degree of censorship varied depending on whether a WeChat account was linked to mainland China or outside of the country. China holds a tight rein on its internet companies, penalizing all who fail to censor ‘sensitive’ content.

Censorship is a broad weapon to use against civilians; however, as seen with Mansoor, targeting through spyware like Pegasus is far more effective when attempting to portray the illusion of freedom. NSO Group is an interesting company: alongside Pegasus, it was virtually unknown to the public sphere until Hacking Team, NSO’s competitor, had sensitive information leaked about the companies.

Citizen Lab research identified various themes that NSO operators used to bait its targets into clicking on its exploit links; these included fake news, taunts, and threats.

However, the Citizen Lab’s largest case study of civilian targeting in the last year came not from the UAE or China, but from Mexico.


NSO and the Targeting of Mexican Civil Society

Mexico, an admitted customer of NSO, has allegedly used its spyware to target vast swaths of civil society. These have included scientists, journalists, politicians, foreign investigators, and non-governmental organizations (NGOs). This blatant assault on freedom of expression allows a corrupt government to act with impunity and must be condemned on democratic grounds.

In theory, Pegasus, as with all government-exclusive spyware, is meant to aid law enforcement in fighting criminal enterprise and terrorism. However, when Citizen Lab was contacted by Access Now, an organization committed to defending digital rights, they stumbled onto the first of many instances in which civilians were improperly targeted with NSO spyware.

Scientists: In Mexico, an obesity epidemic prompted the government to introduce a “soda tax” to pursue healthier alternatives. The implementation of the tax led to a decrease in obesity. The fast food industry, displeased with the negative effects on their profit margins, soon began placing political pressure on the Mexican government, with companies such as Coca-Cola begging the President to oppose the tax.

Soon after, supporters of the soda tax began a campaign to promote it. Some of the scientists involved in the campaign started receiving suspicious SMS links aiming to disrupt their campaign. Citizen Lab research determined that they were analogous to the messages Ahmed Mansoor received in the UAE, concluding they were NSO infiltration attempts.

Journalists: Even before the wide availability of spyware, Mexico was considered one of the most dangerous places in the world for journalists to work. Some estimates attribute half of the acts of intimidation and violence against journalists to government agencies.

One way freedom of the press has been suppressed is through digital surveillance that hinders the ability of journalists to investigate instances of corruption against their own government. Eleven Mexican journalists were targeted with NSO exploit links.

One of the most heavily targeted investigative journalists that the Citizen Lab found in the NSO targeting campaign was Carmen Aristegui, who, alongside her son Emilio, was sent SMS exploit links. The intensive targeting campaign happened to coincide with the investigation of Mexican President Enrique Peña Nieto’s “Casa Blanca” scandal.

The Casa Blanca scandal was a defining moment of Peña Nieto’s tenure, centred upon the purchase of a mansion by his wife that was interpreted as being paid for with taxpayers’ money. The breaking of Aristegui’s story battered the President’s credibility, which led to Aristegui’s employer, Noticias MVS, firing her and her team for publishing the story.

Other journalists were then targeted after they found evidence of government involvement in suspicious events, such as massacres, disappearances, and mysterious murders. Though the Citizen Lab discovered many of the same NSO targeting techniques in Mexico as in the UAE, the tactics used in Mexico were far more extreme.

Mexican governmental deceptions also included fake AMBER alerts and set an alarming precedent by impersonating the United States Embassy, claiming that clicking on a link would help their visa status. The latter was used against Emilio Aristegui, a minor, while he was on US soil to gain information about his mother.

Politicians: In an effort to control the Mexican population, the operators of Pegasus likely broke US law and certainly broke diplomatic norms. Interestingly, Citizen Lab researchers never came across NSO operators targeting Peña Nieto’s party, but they did target high-ranking opposition politicians. The leaders of the National Action Party (PAN), which includes the President of the Mexican Senate, received exploit links while anti-corruption legislation was being discussed by the government.

Foreign Investigators: In 2014, 43 students disappeared while en route to Mexico City in what has since been dubbed the Iguala Mass Disappearance. Due to the relatively nonchalant reaction the Mexican authorities had concerning the incident, a group of foreign, independent experts came in to investigate the details of the case to ensure that the government was not involved.

The investigators were soon targeted with NSO infection attempts after casting doubt about the degree of government involvement in the disappearance. Citizen Lab researchers believe, through circumstantial evidence, that the Office of the Prosecutor (PGR) was one of the government branches responsible for the infiltration attempts in an effort to control the official narrative.

Non-governmental organizations: The final case that the Citizen Lab investigated regarding targeting Mexican civil society involved Claudio González, the director of Mexicanos Contra la Corrupción y la Impunidad (MCCI). MCCI is an anti-corruption organization whose director was targeted with NSO infection attempts while he was investigating government corruption and advocating for anti-corruption legislation. According to the Citizen Lab, this is the 22nd known target of spyware abuse in Mexico.

The Citizen Lab found that a pattern has emerged in Mexico demonstrating that a new weapon is being used against anti-corruption advocates: targeting via government-exclusive spyware. It appears that those who question official government narratives are liable to be targeted by NSO spyware. As Deibert puts it, “Should it come as any surprise that these powerful surveillance technologies would end up being deployed against those who aim to expose corrupt Mexican officials?”

Though no direct links of NSO abuse have been attributed to the Mexican government, it is known that government agencies possess the spyware and have the ability to use it. The circumstantial evidence gathered through the help of the Citizen Lab strongly indicates that unless a massive breach in security has occurred, a nation at peace should not allow its own citizens to be harassed in such a manner.

NSO Group has not ensured that its spyware will not target civilians. Selling to states that have reputations for human rights abuses clearly demonstrates a lack of consideration for freedom and security.

Although the Israel-based group was recently courted by the US company Blackstone Group for a 40 per cent stake in NSO, the failure of the deal is thought to have resulted from an awareness campaign by groups such as Citizen Lab.


The lessons of the UAE, China, and Mexico clearly demonstrate the potential for abuse when countries without strong accountability measures are given incredibly powerful weapons.

Such weapons bring into question a citizen’s freedom — whether it be of speech, expression, or thought — even in a country that claims to be a liberal democracy. “Freedom of speech is the antithesis to one-party rule,” Deibert writes, “[Authoritarian censorship] underscores why careful evidence-based research is so essential to the progress of human rights.”

U of T senior research fellow named Forbes’ Top 30 Under 30

Claudio Guarnieri on his win in enterprise technology

Every year, Forbes magazine recognizes 600 individuals under the age of 30 who are changing the world at the forefront of their sector. In the latest installment of the Top 30 Under 30, Claudio Guarnieri, senior research fellow at the University of Toronto, earned a spot in the Enterprise Technology sector.

Aside from his position at the Citizen Lab at U of T, Guarnieri is the creator of open-source malware analysis tools Cuckoo Sandbox, Viper, and malwr.com. This year marks Guarnieri’s second nomination for the award, having been previously nominated in the law and policy sector. Guarnieri told The Varsity that he was surprised to win in the field of enterprise technology, as his work does not relate directly to enterprise. He views the win, however, as recognition from mainstream media for the work of the Citizen Lab and its impact beyond its direct sphere of influence. Guarnieri is a graduate of the University of Milan and is a remote senior research fellow with the Citizen Lab, housed at the Munk School of Global Affairs.

The Citizen Lab uses interdisciplinary research and skills to make international information publicly available, with recent reports focusing on Iraq information controls, China’s Great Cannon, and Vimeo blocks in Indonesia. “I focus on investigating and reporting on targeted digital attacks against activists, dissidents, and journalists around the world. The Citizen Lab is [an] inter-disciplinary laboratory that bridges technical research with political analysis,” said Guarnieri on his work. “[The Citizen Lab] is a very unique place where people with very diverse backgrounds come together to produce some of the most outstanding and revealing research projects in technical and internet policy communities.” Guarnieri works in this capacity alongside Morgan Marquis-Boire, John Scott-Railton, and Bill Marczak to spearhead initiatives that expose information about the commercial spyware market.

Citizen Lab director Ron Deibert said that “Claudio is an extraordinary researcher and a very gifted malware analyst with a strong commitment to human rights. This mix of characteristics is exactly what we aim to attract at the Citizen Lab.” When asked what the future holds for him, Guarnieri said that he intends to “keep fighting the fight, exposing oppression and oppressors, and making it more costly for them to hinder social change through digital means.”

The rigorous selection process for the Top 30 Under 30 begins with open online nominations on both social media and the Forbes website, in which over 15,000 individuals were nominated this year. Of the nominees, 600 earn top spots in the competition’s 20 different categories. Upon making it to the final round, contestants are interviewed by a judging panel comprised of Forbes reporters and experts in various fields, including Ta-Nehisi Coates and Sarah Jessica Parker, who make the final decision.

“Trust no one”

The Citizen Lab’s Ronald Deibert and the biggest machine ever built

Spanning a series of glass-doored rooms in the spire of the Munk School of Global Affairs’ location at the former Dominion Meteorological Building, Ron Deibert’s Citizen Lab bears a tongue-in-cheek resemblance to images of Jeremy Bentham’s Panopticon. The irony is not lost on Deibert, as he is quick to remind us that the building is at least architecturally, if not practically, an observatory.

As the culture wars rage against a backdrop of classified information leaks — brought to light courtesy of the Internet and insiders-turned-whistle-blowers — the work done by Deibert and his lab ranks among the most important currently conducted at the University of Toronto.

The hothouse

The Citizen Lab, according to its website, is a “‘hothouse’ that combines political science, sociology, computer science, engineering, and graphic design.” This Swiss Army knife of a research group has tasked itself with the tall order of monitoring, analyzing, and ultimately, affecting how political power is exercised in cyber-space. The nature of the lab’s work is multifaceted and draws from a variety of resources. Their goal is to redefine “interdisciplinary” research, which as far as Deibert is concerned, is largely misappropriated as an educational buzzword. “I see what we’re doing as ‘field building,’” Deibert suggests. “There is a problem, in my opinion, with the way that universities are structured around disciplinary silos, and you often hear a lot about interdisciplinary research, but usually that means little more than there is an office with a sociologist next to a computer scientist. But here, there is truly interdisciplinary research going on; the way we approach the topics, the methods we employ, it’s all a mixture, it’s like alchemy,” he says.

Risky business

This kind of work does not come without risk; we need look no further than Edward Snowden’s forced relocation to Moscow, or the subsequent maltreatment of the journalists who abetted him, to see that. Deibert perceives the risks of the Citizen Lab’s work as fitting into two categories, the first of which is what Deibert terms the “obvious physical risks that we face that have to do with the fact that we are pulling back thick drapes around agencies who would rather stay behind those curtains.” These investigations, says Deibert, are a particularly “dangerous thing when you’re dealing with some nasty countries.”

The second category is legal liability. On that note, Deibert’s primary concern is focused on the companies that are the subject of the lab’s research. He sees Canada as being a particularly “plaintiff-friendly environment” for defamation and libel suits, which only reinforces the importance of making sure the work is as “rigorous, transparent, and peer reviewed as possible.”

That looming threat of litigation was realized in the aftermath of the lab’s report on the breach of an Italian company called Hacking Team.

Hacking Team first drew the Citizen Lab’s interest as a developer of “offensive security” technologies. Earlier this year, hackers breached the firm’s protective measures and released a trove of documents that confirmed suspicions about how the firm produced software and sold it “to several governments with repressive human rights records, such as Ethiopia.” This software was being used to spy on journalists in “Sudan, Saudi Arabia, Kazakhstan, and more,” Deibert explains. “All of [Hacking Team’s] corporate data was put on the public domain after the breach, and in the correspondences of the company executives they actually contracted a company to silence us through litigation. They actually say, ‘how do we shut the Citizen Lab down?’”


Much of the reporting the Citizen Lab does is on “nasty countries,” at least insofar as freedom of information is considered. Some of the most recent reports — “almost all of [which]” are available on the lab’s website — bear titles such as “Iraq Information Controls Update: Analyzing Internet Filtering and Mobile Apps,” “China’s Great Cannon,” and “The Blocking of Vimeo in Indonesia.”

Deibert states that the Citizen Lab takes the safety of their researchers, many of whom are working abroad and in conflict areas, very seriously. “We have a whole protocol that we think through very carefully that deals with security in risky environments,” he says. In order to manage that risk, the lab contracts the services of Morgan Marquis-Boire, one of their fellows.

Marquis-Boire, a former Google security researcher, hacker, and journalist, is the director of security at First Look Media, the publisher of The Intercept, the post-Snowden online home of journalists Glenn Greenwald and Laura Poitras. Marquis-Boire’s added value is significant, considering that he was the one who “actually came up with the protocol of how to actually secure the [Snowden documents].”

It is no surprise that Marquis-Boire found a place for himself at the Citizen Lab, or that he and Deibert became acquainted; after all, Deibert is a member of a very exclusive club with access to the complete Canadian archive of the Snowden leaks. Regarding the responsibility that accompanies that access, Deibert distinguishes between two considerations, although he is quick to qualify that they “aren’t ranked.” He adds, “so you’re thinking of the public interest, first and foremost, so, what in here is critical for the public to know and needs to be in the public domain?” Deibert continues, “then, secondly… is there information in here, that if it were published, would put somebody’s life at risk, or do harm?” Upon further consideration, he concludes that “around protection of the source, Edward Snowden put out certain obligations to the journalists and that extends to the people who consult on it, how to treat the material and report on it.”


Among the chief concerns of those who study the Internet is the relative lag in consumer awareness. Deibert points out that, “for most people, the beginning and end of their experience is their screen in front of them, when in fact it is just the tip of the iceberg, and really the interesting stuff, especially from a perspective of how power is exercised and how freedom and liberty are protected, happens beneath the surface in the kind of bowels of it all. There is a subterranean realm to the machine.” For those as involved and as knowledgeable as Deibert and his peers, opportunities to edify the public are everywhere. Aside from the mundane drudgery of digging up information on everything from South Korean mobile applications to wearable technology, Deibert sees the education of a train of undergraduates, post-doctoral fellows, and other researchers, as being “critical” to the work.

Interestingly, Deibert and his peers sometimes find themselves at odds with the institution that houses and facilitates them. He famously refuses to use Blackboard in his teaching, favouring an embedded forum on the Citizen Lab’s website, a choice that follows a personal aversion to proprietary software. “I try to avoid it,” he says.

Those criticisms extend to the sharing of private data, whether it belongs to students or faculty, in a variety of other veins. “I think it would be good for the University of Toronto to issue a transparency report. Only one other university in the world has done that. How often does law enforcement come here and ask for data on faculty or students?” Deibert seems conflicted about whether people should generally be optimistic about the Internet, or if a healthier cynicism than we currently exhibit is warranted. He explains: “the way I look at this machine is that we’ve created, this wonderful thing that can be terrific for lots of goals we have, you know, throughout history, goals that we’ve had as a species, this wonderful mechanism of information storage and exchange, but we haven’t thought through all the downsides to it and the unintended consequences to it are getting more and more serious, on multiple levels.” What really worries him is the observation that “most people in my conversations are completely oblivious to it and don’t really care.” When asked if he had anything in particular that he wanted to share, Deibert offered the following tidbit: “Trust no one.”