We Saw NSO's Covid-19 Software in Action, and Privacy Experts Are Worried

A number of surveillance tech companies are pivoting to tracking coronavirus-infected citizens. Experts are worried that they are just trying exploit a crisis to expand their questionable businesses.
April 2, 2020, 12:00pm
People walk in a New York City park during the coronavirus pandemic.
Image: Noam Galai/Getty Images

The rapidly spreading coronavirus has infected more than 900,000 and killed more than 45,000 people all over the world. This unprecedented crisis is also giving a chance to governments, and their technology providers, to ramp up mass surveillance.

In the spirit of never letting a good crisis go to waste, several companies around the world— some already notorious and some less public—are pitching and developing surveillance tools to help governments track citizens with the goal of stopping the spread of coronavirus. For critics, however, this is an unnecessary escalation justified by a tragic health crisis.

The infamous spyware maker from Israel NSO Group, and Cy4Gate, a company that sells surveillance tools from Italy, are actively pitching surveillance tools to contain the virus to their own governments and others around the world, Motherboard has learned.

Their systems are essentially mass surveillance tools that would help governments and health authorities keep track of the movements of every citizen, and who they get in contact with. The goal of this contact tracing method is to track the spread of the coronavirus and help governments make better decisions to counter it, such as quarantining certain areas, informing people they may have been infected, or administering tests.

Two weeks ago, Bloomberg reported that NSO Group developed a new product to track the spread of coronavirus. Now, Motherboard obtained more details about how the product—codenamed Fleming—actually works.

A person familiar with NSO Group spoke to Motherboard at length about the product, giving a walkthrough of its features, and showing off a demo of the system in real time.

Do you know of other companies offering spy tech to fight coronavirus? You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzofb@vice.com

The spyware company has adapted the user interface and analytical tool that they already had developed to be used alongside its powerful malware known as Pegasus, which can hack into mobile phones and extract data like photos, messages, and phone calls, from them. NSO is not collecting location data from phones. It only provides the software to governments, which then get the location data from telecom companies and ingest it within the software, according to the source.

Cellphone carriers in several countries, such as Italy, Germany, Austria, as well as Spain, France, Belgium and the UK, are already sharing customers’ locations with their respective governments in an effort to track the spread of the virus.

Fleming displays the data on what looks like an intuitive user interface that lets analysts track where people go, who they meet, for how long, and where. All this data is displayed on heat maps that can be filtered depending on what the analyst wants to know. For example, analysts can filter the movements of a certain patient by their last location or whether they visited any meeting places like public squares or office buildings. With the goal of protecting people’s privacy, the tool tracks citizens by assigning them random IDs, which the government—when needed—can de-anonymize, the source explained.

NSO Fleming

A screenshot of NSO’s product to track coronavirus patients.

Researchers who have studied and exposed several cases where NSO Group’s customers abused its products to spy on activists and journalists are skeptical that governments should be adopting such an invasive surveillance product, made by a company known to have worked with governments that routinely abuse human rights. .

“This is an extremely cynical attempt from a notorious spyware company to branch out into mass surveillance,” said John Scott-Railton, a senior researcher at the Citizen Lab, part of the Munk School at the University of Toronto. “Every citizen of the world wants to go back to normal as soon as possible. The gold rush to surveillance technology could easily mean that there is a normal expectation of privacy that we will have a hard time going back to.”

Moreover, experts say it’s unclear if systems like these can really make a difference on the ground.

“What happens if we trace people with no ability to help them,” Elizabeth M. Renieris, a Fellow at Harvard's Berkman Klein Center for Internet & Society, wrote in a blog post discussing the risks of using invasive surveillance technology to fight the pandemic. “What if it just doesn't work in some contexts? We especially have to ask these questions where some experimental methods of contact tracing are being entrusted to large for-profit tech companies.”

On Monday, Israel's Defense Minister Naftali Bennett tweeted that the Israeli government is working on "world-leading" AI system that will give every citizen a grade between 1 and 10 to determine how likely they are to spread the coronavirus and if they need to be tested, but that it hasn’t gotten all the necessary approvals yet. On Tuesday, Israeli news outlet Calcalist reported that Bennet was referring to NSO’s solution. Bennet also said that he is pushing to let countries around the world also use the system. He also tweeted a picture of the system, which appears to be the same one the source demoed to Motherboard

An NSO spokesperson declined to comment.

NSO Fleming 2

A screenshot of NSO’s product to track coronavirus patients.

In Italy, one of the hardest-hit countries with around 13,000 deaths due to the coronavirus, a company is pitching a system that uses an app that would track a user’s location via GPS, cellphone tower data, and Bluetooth. The Rome-based company, called Cy4Gate, called it Human Interaction Tracking System or HITS. Cy4Gate is ready to offer the system for free to Italian authorities, and pitched it publicly on Twitter last week.

“It allows the collection, fusion, correlation, processing, analysis and visualization of data that for us are the raw material on a target,” Eugenio Santagata, Cy4Gate’s CEO, told Motherboard. “[The target is] the encounter between two subjects who are positive [to coronavirus] in a certain time at a certain place.”

People will voluntarily give consent to being part of the system by downloading the app and enabling it to track their location. And Cy4Gate will anonymize the data and only the governmental agency will be able to de-anonymize it, according to Santagata.

Cy4Gate HITS

A screenshot of Cy4Gate’s HITS system, based on made-up data.

Last week, the italian government made a call for companies to pitch their technologies to monitor the spread of coronavirus. The Ministry of Innovation is now evaluating the proposals.

Other than Israel and Italy, other countries have already made extensive use of surveillance technology to fight the coronavirus. In China, the government forces every citizen to install an app that displays whether they are healthy or not, in order to decide whether to allow them to travel. In Taiwan, authorities track citizens so closely that one of them got a visit from the government when his battery ran out and he left his phone off for less than an hour.

“A patrol was dispatched to check my whereabouts,” Milo Hsieh, a student living in Taiwan wrote on the BBC website. “A text was sent notifying that the government had lost track of me, and warned me of potential arrest if I had broken quarantine.”

In South Korea, the government is collecting not only location data but also camera footage and credit card purchases. The government of Singapore has published personal information about coronavirus patients to warn others who may have been near them.

In the US, advertising companies have been the ones to share location information with government agencies, according to The Wall Street Journal.

The coronavirus crisis is far from over, but some are worried the surveillance governments and companies are put in place will never go away.

“Long after the last community transmitted case of this pandemic, my fear is that these surveillance mechanisms that are being pitched by unscrupulous companies like NSO will stay on our networks and continue to track our phones,” Scott-Railton said in a phone call. “This is one dystopian outcome that we can prevent.”

Subscribe to our new cybersecurity podcast, CYBER.