Spyware company introduces unprecedented human rights policy

U of T’s Citizen Lab researcher likens NSO Group’s reforms to “tokenism”

Spyware company introduces unprecedented human rights policy

Controversial Israel-based spyware company, NSO Group, has introduced a new human rights policy to complement its business practices — an unparalleled measure for the global spyware industry.

While NSO Group says the policy “embeds relevant human rights protections throughout [its] business and governance systems,” critics, including Amnesty International and U of T’s The Citizen Lab at the Munk School, have argued otherwise.

NSO Group’s track record

NSO Group is a cyber-intelligence company that sells technologies for monitoring communications of various targets. Earlier this year, it was partially acquired by Novalpina Capital LLP, a private equity fund based out of the United Kingdom.

According to its website, NSO maintains that it sells its technology to governments because “terrorists, drug traffickers, pedophiles, and other criminals have access to advanced technology and are harder to monitor, track, and capture than ever before.”

However, the company has also faced backlash for its practices. Research conducted at U of T’s Citizen Lab — an interdisciplinary research organization exploring digital surveillance, censorship, and cyberattacks — has discovered that NSO Group’s spyware, Pegasus, was used to target activists, journalists, and members of civil society in countries such as Mexico, Saudi Arabia, and the United Arab Emirates.

Most recently, in May, reports surfaced that NSO software was used to allegedly spy on a lawyer through a vulnerability in WhatsApp. The lawyer — who remains anonymous due to fears for their safety — was involved in a civil lawsuit against NSO.

In June, David Kaye, the United Nations’ Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, called for a freeze on selling and using spyware until “human rights-compliant regulatory frameworks are in place.”

In his announcement, Kaye said, “The private surveillance industry is a free-for-all.”

Following Kaye’s call, researchers at Citizen Lab released a statement about the harmful consequences of the commercial spyware industry.

“In light of the concerns raised by the Special Rapporteur reports, companies like Novalpina Capital LLP… must take responsibility for the harms caused by the surveillance technology manufactured and sold by NSO Group,” wrote the researchers.

“Such a step would mean respecting international human rights treaties and, as a starting point, complying with the moratorium demanded by the Special Rapporteurs.”

A new policy

NSO Group’s new policy, announced on September 10, is intended to align the company’s practices with the United Nations Guiding Principles on Business and Human Rights. The aim is to help the company identify possible risks for human rights abuses and work to prevent misuse of its products.

When the company announced the new policy, co-founder and CEO of NSO Group Shalev Hulio said that the policy “publicly affirms our unequivocal respect for human rights and our commitment to mitigate the risk of misuse.”

“With this new Human Rights Policy and governance framework, we are proud to further enhance our compliance system to such a degree that we will become the first company in the cyber industry to be aligned with the Guiding Principles,” he added.

Alongside the human rights policy, NSO also announced a new External Whistleblower Policy and three new senior advisors.

The advisors — United States Governor Tom Ridge, former French Ambassador to the United States Gèrard Araud, and former Assistant Secretary at the United States’ Department of Homeland Security Juliette Kayyem — are set to support the company in its partnerships with governments.

The response

In the wake of the policy announcement, advocates and researchers have grappled with the question: can spyware and human rights work in tandem?

In an email to The Varsity, Citizen Lab Senior Legal Advisor Siena Anstis wrote that the policy “does not inspire confidence.”

“It’s easy to put words to paper, but we still have no real information on how the company will be transparent regarding its business practices or what types of oversight and accountability structures are in place to ensure real implementation of the ‘human rights policy,’” Anstis wrote.

“Without transparency or accountability, the policy is meaningless.”

When asked if NSO’s human rights policy would spark similar policies in the industry, Anstis wrote that “it’s hard to predict whether other companies in this industry are going to follow suit.”

However, she noted that “it certainly wouldn’t be challenging for other spyware companies to engage in the same level of tokenism.”

In a public proclamation, Deputy Director of Amnesty Technology Danna Ingleton also criticized NSO Group in response to the policy.

“The company needs to demonstrate [that this reformed policy] is more than an attempt to whitewash its tarnished reputation,” she said. “It doesn’t get to pick and choose when it should respect human rights — all companies have this responsibility anyway.”

Ingleton called for more government regulation for the spyware industry.

“Governments also need to act,” she said. “There needs to be tougher legal requirements on respecting human rights for the spyware industry, which time and time again has trampled on the rights to privacy, freedom of opinion and expression.”

Anstis further advocated for tightened regulation in the spyware industry.

“In addition to pushing for reform,” she said, “the public should be calling for more transparency on when and how their governments deploy this technology and the safeguards in place to ensure it is not abused.”

Disclosure: Kaitlyn Simpson previously served as Volume 139 Managing Online Editor of The Varsity, and currently serves on the Board of Directors of Varsity Publications Inc.

Modern computer processors have severe security flaws

Malicious exploits Meltdown and Spectre could abuse speculative execution to steal data

Modern computer processors have severe security flaws

Two bombshell research papers recently revealed a pair of crippling security flaws, called Meltdown and Spectre, that are present in practically every modern computer processor running today.

Meltdown affects almost all manufactured Intel chips and some Arm chips, whereas Spectre likely affects all major brands: Intel, AMD, and Arm. Intel and AMD chips are used in personal computers, while Arm chips are used in smartphones. As a result, most devices are vulnerable.

Both flaws abuse an advanced processor feature known as speculative execution. As your device runs an application, it also looks ahead at decision points in the code, guesses which direction the application is likely to follow, and runs the code preemptively. Modern processors are surprisingly good at guessing in which direction the application will go.

If the application follows the predicted path, valuable processor time is saved, as the results will have already been computed. If not, the results are discarded.

The speculative execution feature does not have an effect on the outcome of an application’s task if it follows a different path than predicted. However, the application can detect that it took slightly longer to perform certain instructions.

From this information, the nature and content of data in a device’s memory can be deduced. For example, JavaScript in your browser could steal saved passwords using this method.

This has implications for institutions like U of T. “If an attacker successfully gets malware on a U of T device, that malware could use these vulnerabilities to steal passwords or keys being used on that device,” said David Lie, a software security expert and professor in the Department of Electrical and Computer Engineering.

The studies’ researchers actually discovered the flaws last year and privately told large technology firms to start preparing for software patches before the release of their findings.

Fortunately, software companies are now rolling out security updates at the operating system (OS) level, which users are highly advised to install in order to protect against these vulnerabilities. Meltdown is reasonably simple to patch in software, although Spectre is much more difficult.

Unfortunately, these OS patches come at the cost of performance. Most programs will be hit with a slight slowdown, with the theoretical worst-case scenario being a 50 per cent reduction. Operations such as disk access may be significantly affected as well.

Older processors, unfortunately, do not have the ability to selectively disable features as specifically as recent models. “There is collateral damage as the patches have to disable… features that are [not at risk] to ensure that the vulnerable features are also disabled,” said Lie. Therefore, older processors will see a more significant slowdown as a result.

U of T’s Enterprise Infrastructure Solutions (EIS), which operates the campus network backbone, also manages servers for cloud computing. EIS informed its users via email that it has “actively taken steps to secure our cloud services.” Most of their servers have already been patched, although “customers will also need to update the OS as soon as possible.”

Aside from certain technology firms, it appears that no other organizations were warned ahead of time. “There was no advance knowledge besides the public release of the information,” said Michael Wiseman, Acting Director of Information Security at U of T.

According to Wiseman, U of T will be following all recommended procedures to fix the security flaws, including installing patches.

While the world is now aware of these vulnerabilities, and organizations are taking the steps to fix them, there remains a lingering fear. Since researchers have been aware of Meltdown and Spectre since last year but only released this information in 2018, it is possible that malicious exploits have taken advantage of these flaws already.

Lie dispelled these fears, noting that although the vulnerabilities are powerful, exploiting them is not easy, nor could it be done quickly. “If an attacker has several vulnerabilities they could use, Meltdown or Spectre may not be the first one they reach for unless the other vulnerabilities have been patched.”

Wiseman agreed, noting that the sophistication of Meltdown and Spectre suggests that it is unlikely that an attack involving these vulnerabilities has occurred as of yet.

“Now that the information is out, we all have to be a bit more concerned,” said Wiseman.