The Electronic Frontier Foundation (EFF) is sounding the alarm about state-sponsored malware and surveillance programs. The warning comes after a damning report on the NSO Group, which has sold surveillance software to multiple governments. That software has then been found installed on consumer smartphones, which suggests that governments are using the tech to monitor citizens (both at home and abroad) without the knowledge of those people.
Such practices would be an obvious violation of privacy and civil rights. They are also quite dangerous for those whose professional actions oppose international governments in any way, such as journalists, activists, and NGO workers. NSO’s software gives the user access to everything on a victim’s phone, including chat records and location data. That information may have led directly to the deaths of journalists like Mexico’s Cecilio Pineda-Birto, who released a report on possible corruption and then was shot dead at a car wash several hours later. NSO had previously flagged his number as one that would be interesting to its customers.
The problem, according to the EFF, is that many governments seem to be more invested in preserving their own surveillance access than they are in protecting the rights of their citizens. As a result, they are hesitant to prioritize software updates that would close security loopholes, or to pursue policies that would encourage safer design. The result is a population that is vulnerable to both public and private threats, since a phone that is deliberately left vulnerable to state malware is also likely to be vulnerable to common cybercriminals. The device itself cannot tell whether the infection comes from the state, or some other intruder.
Unfortunately, companies and governments that engage in such actions have not yet faced any meaningful consequences. South Africa and Germany have banned the practice of dragnet communications surveillance, but some software – including the software peddled by NSO – may be legal in some situations, as long as it is used in a necessary and proportionate manner.
Governments simply haven’t made much effort to enforce that clause, or to hold the companies that violate it to account. With that in mind, the EFF is calling for stronger device security, insofar as stronger devices will be more resistant to all forms of malware. That means that manufacturers would have to lock some of the backdoors that law enforcement and intelligence agencies have tried to prop open to fuel their own surveillance activities.
In the meantime, the EFF calls on the US and the EU to put pressure on regimes that use malware to oppress their citizens, and on the countries that allow companies like NSO to operate unimpeded (NSO itself is headquartered in Israel, as are Cellebrite and Candiru/Saito). It also argues that the companies themselves should be named and shamed if they knowingly sell invasive surveillance tools to governments that use them for anti-democratic ends.
The EFF wants lawmakers to pass legislation that gives the victims of state surveillance the ability to seek legal redress from the governments and companies that violate their civil liberties. It also calls for a moratorium on the government use of surveillance tech, though it acknowledges that governments are unlikely to commit to such a request.