There is a sector operating within the democratic world that makes millions developing tools that help authoritarian governments better surveil dissidents and journalists. This is the private spyware industry. And few governments have developed the regulatory framework necessary to control this growing threat to civil society.
Take the industry’s most well-known, and notorious, company as an example: the Israel-based NSO Group. Israel has used the opportunity to do business with NSO Group as a diplomatic outreach tool, including for the Gulf monarchies that used to consider it an enemy.
Its Pegasus software is a highly-sophisticated surveillance tool that identifies security vulnerabilities in software and implants spyware on a target’s phone. Then, once infected, Pegasus operators can harvest passwords, record calls, monitor the phone’s camera, plant data, and more.
Pegasus used to require a target to click on an infected link. However, the company has now developed zero-click attacks, meaning it can install its software without any user suspicion.
And for a fee, they’ll infect the phones your government wants infected, too.
This technology has some benefits. For example, it can be a helpful tool to gather evidence against serious criminals or terrorists. But its abuse by authoritarian governments cannot be justified.
Saudi Arabia, for instance, used Pegasus in 2018 to hack the phone of Canadian permanent resident and Saudi dissident Omar Abdulaziz. Abdulaziz was in close contact with fellow dissident Jamal Khashoggi before Khashoggi’s murder at the Saudi embassy in Turkey in 2018. The information in their text message exchanges may have contributed to Saudi knowledge of Khashoggi’s travel plans.
The Kingdom even hacked Khashoggi’s family and Jeff Bezos1“It’s alleged that the compromised message was sent from the personal WhatsApp account of the crown prince of Saudi Arabia, Mohammed bin Salman (often known as MBS). Forensic analysts working for FTI Consulting concluded that once the phone was infected, the attackers were able to siphon ‘large amounts’ of data from the device and had access until the start of 2019.” https://archive.ph/20210720134138/https:/www.wired.co.uk/article/jeff-bezos-phone-hack-mbs-saudi-arabia#selection-457.26-461.148 with Pegasus following the assassination due to coverage of the incident in the Washington Post.
Rwanda’s dictatorial government has used Pegasus to spy on over 3,000 opposition figures, journalists, and critics of the Kagame regime.2“Pegasus appears to have been particularly useful in allowing the Rwandan government to attempt to silence political dissent outside of the country’s borders.” https://www.brookings.edu/techstream/how-digital-espionage-tools-exacerbate-authoritarianism-across-africa/ The deployment of the technology has been linked to several killings, both in Rwanda and in Mexico.
The United Arab Emirates uses it to monitor dissidents outside the country. So does Morocco. Ugandan operators used it to hack U.S. embassy officials. Early in 2022, Poland’s government was embarrassed by revelations that it had used the software to monitor members of opposition parties.
Even heads of state, including France’s Emmanuel Macron, have faced hacking attempts by Pegasus operators. So have hundreds of journalists.3“An attack on a journalist could expose a reporter’s confidential sources as well as allowing NSO’s government client to read their chat messages, harvest their address book, listen to their calls, track their precise movements and even record their conversations by activating the device’s microphone.” https://www.brookings.edu/techstream/how-digital-espionage-tools-exacerbate-authoritarianism-across-africa/
The risks posed by these hacking technologies are unprecedented. Authoritarian governments have never before had access to such easy tools to surveil, intimidate, and blackmail dissidents far from their borders.
The world knows what it knows about the workings of NSO Group—and its victims—thanks to the investigations of organizations like Amnesty International, Forbidden Stories, and the University of Toronto’s Citizen Lab.
However, the private spyware industry is much larger than just NSO Group. Israel is home to many of these firms because of links between the private sector and the country’s elite cybersecurity forces. Firms include Candiru, Cellebrite, Circles, or Germany’s FinFisher.
Formerly, the Italian company HackingTeam sold its data infiltration services to the governments of Egypt, Russia, Turkey, and more—until the Italian government stepped in with an export ban.
Other firms operate in the shadows, without public websites or even buildings displaying a logo.
So, what can be done in Canada about the growing risks to civil society posed by these organizations? The United States has recently blacklisted NSO Group and Candiru, meaning that American companies can no longer do business with, or sell technology to, either entity. The Government of Canada could take a similar step.
Canada could also strengthen its export control regime to ensure that the technologies made here at home do not support repression in authoritarian states. The Citizen Lab, for example, recommends that Canada implement greater transparency requirements so that Canadians know who is exporting dual-use technologies, where they’re going, and why an export permit was granted.4“The European Union recently increased transparency requirements on EU states in the context of dual-use exports.106 Doing so enables ongoing monitoring by civil society of the surveillance capacity of countries of export and the proliferation of dual-use surveillance technologies globally. https://citizenlab.ca/wp-content/uploads/2022/03/Report151-dtr_022822.pdf
Because although Canada does not host the private spyware industry on its soil, other technologies developed in Canada have been used by repressive governments abroad. One such example is Netsweeper, an internet filtering service.
Canadian journalism schools and newsrooms should also think deeply about how they can implement more digital security training, particularly for those journalists doing foreign reporting.
Ultimately, however, the power to control the operations of the private spyware industry does not lie with Canada. If the government takes action on the first two points, it, while necessary, will do little to slow down the spread of these technologies around the globe.
Instead, Canada could lend its voice to efforts to strengthen and harmonize export control regimes for surveillance technologies among democratic states, focusing on human rights. Using its diplomatic connections, Canada could try to raise this a priority in its international negotiations.
It’s a big ask, given Canada’s limited diplomatic pull. But as the Western world is increasingly aligned in response to Russia’s invasion of Ukraine, the time for a coordinated stand against enabling authoritarianism is now.
