Spyware company introduces unprecedented human rights policy

U of T’s Citizen Lab researcher likens NSO Group’s reforms to “tokenism”


The controversial Israel-based spyware company NSO Group has introduced a new human rights policy to complement its business practices — an unparalleled measure for the global spyware industry.

While NSO Group says the policy “embeds relevant human rights protections throughout [its] business and governance systems,” critics, including Amnesty International and U of T’s The Citizen Lab at the Munk School, have argued otherwise.

NSO Group’s track record

NSO Group is a cyber-intelligence company that sells technologies for monitoring the communications of various targets. Earlier this year, it was partially acquired by Novalpina Capital LLP, a private equity fund based in the United Kingdom.

According to its website, NSO maintains that it sells its technology to governments because “terrorists, drug traffickers, pedophiles, and other criminals have access to advanced technology and are harder to monitor, track, and capture than ever before.”

However, the company has also faced backlash for its practices. Research conducted at U of T’s Citizen Lab — an interdisciplinary research organization exploring digital surveillance, censorship, and cyberattacks — has discovered that NSO Group’s spyware, Pegasus, was used to target activists, journalists, and members of civil society in countries such as Mexico, Saudi Arabia, and the United Arab Emirates.

Most recently, in May, reports surfaced that NSO software was allegedly used to spy on a lawyer through a vulnerability in WhatsApp. The lawyer — who remains anonymous due to fears for their safety — was involved in a civil lawsuit against NSO.

In June, David Kaye, the United Nations’ Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, called for a freeze on selling and using spyware until “human rights-compliant regulatory frameworks are in place.”

In his announcement, Kaye said, “The private surveillance industry is a free-for-all.”

Following Kaye’s call, researchers at Citizen Lab released a statement about the harmful consequences of the commercial spyware industry.

“In light of the concerns raised by the Special Rapporteur reports, companies like Novalpina Capital LLP… must take responsibility for the harms caused by the surveillance technology manufactured and sold by NSO Group,” wrote the researchers.

“Such a step would mean respecting international human rights treaties and, as a starting point, complying with the moratorium demanded by the Special Rapporteurs.”

A new policy

NSO Group’s new policy, announced on September 10, is intended to align the company’s practices with the United Nations Guiding Principles on Business and Human Rights. The aim is to help the company identify possible risks for human rights abuses and work to prevent misuse of its products.

When the company announced the new policy, co-founder and CEO of NSO Group Shalev Hulio said that the policy “publicly affirms our unequivocal respect for human rights and our commitment to mitigate the risk of misuse.”

“With this new Human Rights Policy and governance framework, we are proud to further enhance our compliance system to such a degree that we will become the first company in the cyber industry to be aligned with the Guiding Principles,” he added.

Alongside the human rights policy, NSO also announced a new External Whistleblower Policy and three new senior advisors.

The advisors — former Pennsylvania Governor and first United States Secretary of Homeland Security Tom Ridge, former French Ambassador to the United States Gérard Araud, and former Assistant Secretary at the United States Department of Homeland Security Juliette Kayyem — are set to support the company in its partnerships with governments.

The response

In the wake of the policy announcement, advocates and researchers have grappled with the question: can spyware and human rights work in tandem?

In an email to The Varsity, Citizen Lab Senior Legal Advisor Siena Anstis wrote that the policy “does not inspire confidence.”

“It’s easy to put words to paper, but we still have no real information on how the company will be transparent regarding its business practices or what types of oversight and accountability structures are in place to ensure real implementation of the ‘human rights policy,’” Anstis wrote.

“Without transparency or accountability, the policy is meaningless.”

When asked if NSO’s human rights policy would spark similar policies in the industry, Anstis wrote that “it’s hard to predict whether other companies in this industry are going to follow suit.”

However, she noted that “it certainly wouldn’t be challenging for other spyware companies to engage in the same level of tokenism.”

In a public statement, Deputy Director of Amnesty Technology Danna Ingleton also criticized NSO Group in response to the policy.

“The company needs to demonstrate [that this reformed policy] is more than an attempt to whitewash its tarnished reputation,” she said. “It doesn’t get to pick and choose when it should respect human rights — all companies have this responsibility anyway.”

Ingleton called for more government regulation for the spyware industry.

“Governments also need to act,” she said. “There needs to be tougher legal requirements on respecting human rights for the spyware industry, which time and time again has trampled on the rights to privacy, freedom of opinion and expression.”

Anstis further advocated for tightened regulation in the spyware industry.

“In addition to pushing for reform,” she said, “the public should be calling for more transparency on when and how their governments deploy this technology and the safeguards in place to ensure it is not abused.”

Disclosure: Kaitlyn Simpson previously served as Volume 139 Managing Online Editor of The Varsity, and currently serves on the Board of Directors of Varsity Publications Inc.

Flaw in WhatsApp exploited to target human rights lawyer, finds Citizen Lab

Lawyer has been embroiled in lawsuit against NSO Group, controversial Israeli technology firm


On May 12, a London-based human rights lawyer received peculiar video calls on his WhatsApp account while visiting Sweden.

Concerned by receiving the calls at such odd times in the morning, he reached out to cyber specialists at U of T’s Citizen Lab to investigate.

The Citizen Lab is a multidisciplinary research institute located at the Munk School of Global Affairs and Public Policy. The lab explores issues related to cybersecurity, surveillance, and digital censorship.

The lawyer, who remains anonymous due to fears of retaliation for speaking out, suspects potential foul play given his involvement with a civil lawsuit against NSO Group, an Israeli technology firm.

Foreign governments, including Saudi Arabia, Mexico, and the United Arab Emirates, have allegedly used NSO Group’s products to spy on journalists and political dissidents, including a critic of Saudi Arabia living in Canada.

According to reports from the Financial Times, the spyware targeting the lawyer’s phone had digital characteristics typical of NSO Group products.

Citizen Lab Senior Researchers John Scott-Railton and Bill Marczak led the team that investigated the attempt on the lawyer’s phone.

In an interview with The Varsity, Scott-Railton said he “observed a case where it looked like there was an attempt to target that lawyer’s phone with this novel attack, which would have happened over WhatsApp through a missed call.”

By exploiting the app’s vulnerability, NSO Group’s Pegasus spyware could enter a target’s iPhone or Android device through WhatsApp’s call function. The malicious code could then extract private information such as text messages and call histories, regardless of whether the target answered the call. The spyware can also collect new data by turning on the device’s camera or microphone.


WhatsApp’s response

WhatsApp engineers worked to patch the vulnerability as quickly as possible once they became aware of it. When finished, the company urged its 1.5 billion users to update their apps.

“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” WhatsApp said in a public statement.  

The company also informed officials at the United States Department of Justice and published a Common Vulnerabilities and Exposures (CVE) entry, CVE-2019-3568, to inform cybersecurity experts.

Scott-Railton praised WhatsApp for acting swiftly after discovering the vulnerability. “The way that WhatsApp has responded to this has been, I think, quite positive,” he said, noting how WhatsApp contacted a number of human rights organizations, which are common targets of the Pegasus spyware, before publicly announcing the security vulnerability.

According to Scott-Railton, this was an “unprecedented” move by a social media company and signals that it “felt there was something very wrong that had been done… and they didn’t like what they saw.”

It is unclear how many people were targeted or impacted by the vulnerability. However, based on WhatsApp’s comments, Scott-Railton said it seems like “there was a problem… [which was] much larger” than the attack on the human rights lawyer alone.

NSO Group promises reform

NSO Group maintains that it partners with governments to assist with law enforcement efforts and prevent criminal activity such as terrorism.

In response to reports that its software was targeting the human rights lawyer, NSO Group said that it “would not, or could not, use its technology in its own right to target any person or organization, including this individual.”

Earlier this year, NSO Group was partially acquired by the UK-based private equity fund Novalpina Capital. When Novalpina took over, it promised to reform the company in light of recent reports of suspected abuse.  

When the acquisition occurred, Novalpina was hoping to “establish a new benchmark for transparency and respect for human rights in full compliance with the [United Nations] Guiding Principles,” said Stephen Peel, co-founder of the fund.

Scott-Railton believes that “if indeed this was NSO, it suggests that this public story about human rights abuse may not [match up] with other things that we’ve observed.”

A bigger picture

Citizen Lab has been involved in multiple investigations tracking companies that sell spyware. Earlier this year, Citizen Lab itself had been targeted by undercover agents — posing as “socially conscious investors” — for its research on NSO Group.

Scott-Railton believes this case points to a larger trend of companies selling spyware to target individuals. “I think in the long run, we won’t really understand the digital risks and challenges that we all face until we see cases where harm happens to individuals,” he said.

“It’s very disconcerting to someone who has WhatsApp on their phones when they hear that there’s some company out there that’s selling a technology to basically use that as a way onto their phones, without any interaction,” Scott-Railton said.

“It’s almost unpreventable.”

Disclosure: Kaitlyn Simpson previously served as Volume 139 Managing Online Editor of The Varsity, and currently serves on the Board of Directors of Varsity Publications Inc.

Editor’s Note (September 28, 12:17 pm): This article has been updated to reflect the author’s former and current affiliations with The Varsity.

Two large phishing attacks hit U of T in June

Attacks described as “sophisticated” and “malicious”


A large University of Toronto department became the victim of a sophisticated phishing attack on June 4 in which the scammer reportedly impersonated the department chair and asked students to buy pre-scratched iTunes gift cards and send back scans of the codes.

The attack was sophisticated enough that the targets could not readily detect it, since it lacked the spelling mistakes and inconsistencies typical of phishing emails.

Just over two weeks later, another large phishing attack was carried out on university employees, this one described by U of T’s Information Technology Services website as “malicious.”

In broken English, the attacker said that he had gained access to the victims’ webcams and had recorded videos of them watching pornographic material. He threatened to release the footage if the victims refused to pay him in Bitcoin. Mass emails of this kind follow a common sextortion template; they typically contain no real footage and rely on fear, and sometimes on a password taken from an old data breach, to make the claim seem credible.
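The two campaigns above differ in their lure but share the header and wording tells that a mail filter, or a cautious reader, can check for. The following is an added example (it is not U of T’s or The Varsity’s tooling) that parses constructed sample messages with Python’s standard email module and flags display-name impersonation, a Reply-To that diverts replies, and gift-card, cryptocurrency, webcam and urgency lures. The internal domain example.edu, the one-entry staff directory and the three sample messages are all assumptions.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumed internal domain and a one-entry staff directory; neither is U of T's.
INTERNAL_DOMAIN = "example.edu"
DIRECTORY = {"jane chair": "j.chair@example.edu"}  # lowercased display name -> mailbox

# Lure phrases from the gift-card and sextortion campaigns, plus generic pressure cues.
LURES = [
    (re.compile(r"\bgift\s*cards?\b", re.I), "gift-card request"),
    (re.compile(r"\b(itunes|google\s*play|amazon)\b", re.I), "gift-card brand"),
    (re.compile(r"\b(bitcoin|btc)\b", re.I), "cryptocurrency payment demand"),
    (re.compile(r"\bwebcam\b", re.I), "webcam recording claim"),
    (re.compile(r"\b(urgent|immediately|right away|within\s+\d+\s+hours?)\b", re.I),
     "urgency pressure"),
]
PAYMENT_LURES = {"gift-card request", "cryptocurrency payment demand"}


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def _body_text(msg: Message) -> str:
    """Concatenate the text/plain parts (a single-part message is its own part)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = [
        (p.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for p in parts if p.get_content_type() == "text/plain"
    ]
    return "\n".join(chunks)


def analyze(raw: str) -> dict:
    """Return {'findings': [...], 'suspicious': bool} for one RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    findings = []

    # Display-name impersonation: a known staff name on a mailbox other than the directory one.
    expected = DIRECTORY.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' but sender mailbox is {addr}")

    # A Reply-To on a different domain quietly redirects the victim's answers to the scammer.
    if reply_to and _domain(reply_to) != _domain(addr):
        findings.append(f"Reply-To {reply_to} differs from From domain {_domain(addr)}")

    text = msg.get("Subject", "") + "\n" + _body_text(msg)
    findings.extend(label for pattern, label in LURES if pattern.search(text))

    # Decision rule: a payment demand plus either a header anomaly or a pressure cue.
    # A lone header anomaly or a lone keyword is too weak on its own to act on.
    header_anomaly = any(f.startswith(("display name", "Reply-To")) for f in findings)
    pressure = "urgency pressure" in findings or "webcam recording claim" in findings
    suspicious = bool(PAYMENT_LURES & set(findings)) and (header_anomaly or pressure)
    return {"findings": findings, "suspicious": suspicious}


# Constructed sample messages modelled on the two campaigns; not real U of T mail.
GIFT_CARD = """\
From: Jane Chair <jane.chair.office@gmail.com>
To: student@example.edu
Subject: Quick favour

Are you on campus? I need you to buy four $100 iTunes gift cards for a
department event right away. Scratch the backs and send me photos of the codes.
"""

SEXTORTION = """\
From: hacker <x7@example.net>
To: staff@example.edu
Subject: I know what you did

I have malware on your computer and used your webcam while you visited adult
sites. Send 0.3 bitcoin to my wallet within 24 hours or the video goes to all
your contacts.
"""

BENIGN = """\
From: Jane Chair <j.chair@example.edu>
To: student@example.edu
Subject: Seminar room change

Tomorrow's seminar moves to room 204. Slides are on the course page.
"""

if __name__ == "__main__":
    for label, raw in [("gift card", GIFT_CARD), ("sextortion", SEXTORTION), ("benign", BENIGN)]:
        print(label, analyze(raw))
```

The gift-card message is caught by the mismatch between the chair’s display name and a webmail sender address, which is exactly the check a well-written lure defeats by having no typos to notice; the sextortion message has no impersonation to catch and is flagged on its payment demand and deadline instead.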

U of T declined to provide further information on the attack, although Mike Wiseman, Acting Director of Information Security, told The Varsity that the attackers “were trying to obtain money by fraudulent means.” The university would not divulge how many people were involved, whether anyone had lost money or gave out sensitive information, or what direct action the school was taking in response.

“With phishing, the attacker will have motives to get something out of the phishing attack,” said Wiseman. “[They] may be looking for login credentials, they may be looking for a way to collect money, and in this case they were trying to do the latter.”

U of T has set up a website in order for students to be more informed about data safety and phishing attacks. Security Matters keeps a list of reported attacks on record, allows students to report on incidents, and has a calendar of events around the importance of data safety.  

Wiseman advises students to be cautious when clicking on links or giving up personal information online.

“Try to take some action in your mind before doing things like clicking these links or attachments, in order to validate what you are about to do,” he said. “I would say if you can’t validate, if you feel uncomfortable, if you feel concerned about what you’re looking at, then don’t do anything, don’t click the link, don’t take the action that the message is trying to get you to do.”