The use of spyware massively undermines trust in digital privacy. Are major platforms aware of this, and can or do they and, above all, their users want to take legal action against it?
The General Data Protection Regulation at least makes it possible to hold companies accountable for breaches of data protection and privacy. But what about in the case of mercenary spy programs used by police forces or intelligence agencies? Do companies even cooperate with security authorities in the use of Pegasus & Co?
Security chiefs from tech giants Microsoft, Google and Meta are calling for higher thresholds for the use of mercenary spyware like Pegasus and for strengthening human rights, privacy and transparency.
Such standards already apply to critical infrastructure providers and online businesses, said Kaja Ciglic, Senior Director of Digital Diplomacy at Microsoft. Malware producers must also adhere to them, she added.
EU member states should therefore not invest in companies that develop such software. In addition, laws would have to be enacted to improve privacy. Industry, on the other hand, should be encouraged to invest in technologies to protect digital communications. Ciglic advocates more research on cybersecurity and vulnerabilities. Governments need to develop processes for this, he said. There are too few good experts against such attacks, he said, and combating them is a matter for „elite groups.“ The major vendors must cooperate closely to combat mercenary spyware. In the next 10 years Microsoft wants to invest $20 billion in the security of its systems, money also flows to better cooperation with users and their awareness.
With the use of malware, everyone who uses Windows is at risk. Microsoft therefore does not participate in the use of malware on the company’s platforms, according to Ciglic. If attacks are discovered, they are countered immediately. Not all vulnerabilities can be fixed immediately, however. These would be worked through regardless of origin. Often, multiple exploits are used for one attack. Microsoft does not immediately inform about all attacks or the affected vulnerabilities, because they have to be closed first. Afterwards, however, everything would be disclosed.
Charley Snyder, Head of Cybersecurity Policy at Google, wants states to consider measures that actively or passively prevent investment in the spy industry. Reporting requirements for vendors operating out of EU member states are possible, he said. Deployments of mercenary spyware should only be allowed if there are adequate controls or transparency. Victims of attacks could receive compensation, according to Snyder.
The EU should use its position on the international stage to gain more support for transparency and controls, according to Snyder. Even if there are legal permissions for the use of Pegasus & Co, mercenary spyware contributes to societal harm. Democratic governments also fund such an industry, governments would have to weigh that in their deliberations. The EU should rather invest in privacy policies. There needs to be more transparency on exploit hoarding.
Governments and the industry need to join forces to prevent vendors from spreading. Collaboration against such attacks is difficult with industry, but works well with Citizen Lab or companies like Microsoft. Google also works closely with governments on IT security, including CERTs and civil society. To Snyder’s knowledge, Google has had no contact with NSO Group.
Snyder counts more than 30 surveillance software vendors worldwide, such as NSO and Candiru. This industry appears to be thriving, he said. Many providers work with sophisticated methods, sometimes using multiple Zerodays when their systems are attacked. In Project Zero, Google discovered one of the most sophisticated systems that works with zero click malware for iPhone and Android systems. Snyder describes this as a weapon against which there is no defense. Commercial vendors today can develop and deploy tools that were previously only open to governments.
The spyware use may sometimes be legal, but the hacking is often used illegally by governments. This poses a threat to the entire Internet, he said. The Shadow Broker leak had been followed by a worst-case scenario; the publication of the attack tools led to numerous ransomware attacks. Vulnerabilities that have become known must therefore be closed immediately. This sometimes happens automatically at Google, but sometimes only with cooperating users. Tens of thousands of them had already received notifications. A Chrome Notebook has never been successfully attacked.
Sometimes a security update can exclude entire „classes“ of threats. In the vast majority of cases, info about closed vulnerabilities and attacked locations, if states, are published. Google has also received threats because of this, but Snyder can’t elaborate
Google is trying to identify „high-risk users“ and offer them special tools. The „defense“ is done in several stages and starts with hardware, operating system and software. Since then, no case has come to light in which these users have been successfully attacked as part of this program, he said. Google plans to spend $10 billion on „cyber security skilling“ over the next five years.
David Agranovich, Director of Security Policy at Facebook-owned Meta, echoed his colleagues that governments should discourage investment in spy companies directly or through other measures. The companies‘ narrative that their products are only for protection must be countered, he said. Manufacturers must be forced to do the same due diligence required of others, he said. It must be known who is buying the products and how they are being used. Their purchases would have to be limited. There need to be standards for disclosing vulnerabilities, and the risks that come from this need to be known. However, there would be „reprisals“ from the markets if one proceeded in this way.
Until now, the production of such tools has been the responsibility of governments, but now the business is expanding to private companies that can no longer be controlled. Above all, he said, there needs to be an awareness of services that can be rented out. People willing to pay for it hire companies to hack a Facebook account. Not only is the monitoring capability sold, but the customer is also given a clean slate in that attacks are supposed to be untraceable. One such evasion mechanism involved reconnaissance by gathering info about the target, then providing technology (engagement), and finally siphoning off the information (exploitation). Meta had discovered 50,000 victims on its platforms worldwide; including opposition, human rights activists, activists, journalists. NSO allegedly only wants to pursue terrorist activities, but Meta has not found that to be the case.
Meta is constantly looking for attack tools with „investigative teams“ and trying to take them off the net, he said. The company also works with defenders such as Amnesty International. Vulnerabilities are quickly fixed, he said. Meta also provides a helpline; it focuses on building relationships with victims. When attacks are discovered, the company shares information with the governments and IT security agencies involved. Agranovich had just been „in Europe“ to do so, he said. However, he said, 20,000 attempts at government attacks have also been detected in the last two years. Meta has no „direct contacts“ with the NSO Group.
Ross Anderson of Cambridge University sees mercenary spyware as another attempt by governments and intelligence agencies to breach the security of digital communications. In the last 30 years, there have been repeated attempts of this kind, led by the USA, explained the researcher, who specializes in information security and encryption. These cryptowars began in 1993 and were only ended by the EU Commissioner for Industrial Policy, Information Technology and Telecommunications, Martin Bangemann.
As an example, Anderson cites the Bullrun project, which became known as a result of the Snowden publications and was aimed, among other things, at standardizing surveillance. This had been spearheaded by the U.S. and the NSA, respectively. As a further example, the researcher cites a case from 2010, when the British company Sophos was asked by an NGO to stop exporting interception technology to Syria. The British intelligence center GCHQ resisted this, because of course they wanted their software to continue to run there, and this should not have been undermined by sales from Israel or Ukraine. As in the USA, intelligence had dominated over human rights.
The Cryptowars had caused considerable collateral damage. Other governments wanted to follow suit, especially after weapons like Stuxnet became known. President Obama had set up an „NSA Review Group“ after the Snowden disclosures, and it had adopted all the recommendations except the one calling for defense in digital space to precede attack.
Meanwhile, he said, U.S. agencies are the largest customers of cyber weapons manufacturers. The U.S. also leads the stockpilers of exploits, according to the report. Time and again, he said, the tools built from them have been „lost.“ Android phones are no more difficult to hack than iPhones, he said; Android is based on Linux, an attack is more difficult because of 1-2 things, but many Android devices are not sufficiently patched.
Anderson points to EU Directive 2019/771 on certain contractual aspects of the sale of goods, which says all goods from cars to home apps to toys must be patched. This would have to be applied to exploits. Best practices would have to be found with industry. The „cyber weapons trade“ must be regulated. Existing control regimes must be used and improved. The EU could regulate that all export licenses for mercenary spyware must be published. Victims must be able to take legal action against cyber arms dealers; Anderson knows of at least one such case. In the UK, however, this is problematic, he said, because of the high costs incurred in the event of inferiority.
There should be no mercenary spyware on citizens‘ phones. Only in particularly serious cases would the state be allowed to resort to the harshest means.
Patricia Egger from Proton AG points out that any tool that is developed for legitimate use can also be used illegally. If a vulnerability is found for one person’s phone, it will also work on other phones. Zeroklick attacks in particular leave hardly any way out for the target. This cannot be prevented technically, at best through legislation. Experts could perhaps protect us better against malware. But there can never be perfect security; this is a reality of life. There is no crystal ball to tell if spyware is on your device. VPN can also be compromised. Pegasus did not come as a surprise, she said.
Egger calls for democratizing protection from attacks. Privacy by default companies need to be supported, rather than regulated. If technology for attacks is widely available, technology for defense must also be widespread. If there is to be perfect security, however, the business model behind it must be discussed. Encryption, for example, must protect the sender and the recipient; the keys should only be held by the recipient if possible (as with ProtonMail). Even if it wanted to, Proton could not do any business with user data, because it does not have it. Users are also willing to pay for this.
Egger could not answer whether ProtonMail is a protection against Pegasus. Perhaps such encryption does not help against Pegasus, but that does not make it useless, but suitable for other situations.
See here the stream of today‘s hearing.