It’s Amateur Hour in the World of Spyware and Victims Will Pay the Price

The Weakest Link is Motherboard's third, annual theme week dedicated to the future of hacking and cybersecurity. Follow along here.

Listen to Motherboard’s new hacking podcast, CYBER, here.

The rise of usable, frictionless encryption has brought us to a point where users can be fairly certain that their Signal or WhatsApp messages are not being collected, subpoenaed, or wiretapped by cops armed with a warrant or message interception technology.

However, cops and spies still need to do their job and go after the “bad guys,” who might be using the same apps. When passive surveillance is impossible, they use active surveillance, which means hacking a target's cellphone or computer, and reading the messages directly off the device (rather than intercepting them in transit or getting them from a third party like Google, Apple, or telecom company.) By hacking devices, law enforcement can often see everything that’s done on them, which can make them more powerful for evidence-gathering than simply capturing messages from a specific app or provider.

This type of government hacking in not inherently evil, especially in cases where law enforcement goes through the process of getting a warrant. In fact, it’s probably necessary to track down some tech savvy criminals. While there aren’t many documented cases of police forces using malware to get around encryption, in 1999 the FBI used a hacking tool that logged his keystrokes to get evidence against a Philadelphia mob boss who used PGP. More recently, the feds booby-trapped a video with malware to catch a man accused of making bomb threats and sexually exploiting children. The man was using the anonymizing software Tor.

But as tech-enabled privacy becomes easier, the need to break it has created a lucrative market of hacking-as-a-service for police and intelligence agencies that has attracted some ruthless, morally questionable, and often incompetent spyware companies. It’s undeniable that we need some of these technologies for targeted investigations into terrorism, organized crime, and child exploitation, but if spyware-enabled targeted attacks become so commoditized that they can be deployed on a large swath of the population, then they can become tools to spy on more than just a few suspected criminals.

The problem is that the world of “lawful intercept” (that’s the euphemism used by governments and companies that live in that world) is lightly regulated. In general these are the rules: if a spyware company wants to sell to a foreign country, it may or may not need to get an “export license” granting it permission from its own government to sell their exploits to other countries. Companies based in, the United Kingdom, Europe, and other countries part of an international arrangement have to get this type of licenses.

Even when companies follow export regulations, those regulations can be effectively meaningless. For example, the Italian spyware maker Hacking Team used to have a generic export license from the Italian government that allowed it to sell pretty much anywhere without having to ask for permission for each sale, no matter which country it wanted to do business with.

That’s why Hacking Team was allowed to consider selling malware to Muammar Gaddafi’s Libya. The company has sold hacking tools to Sudan, Ethiopia, and Bangladesh, all of which are countries that Human Rights Watch and others international organizations say have perpetuated human rights abuses. (At the time of the sale, Sudan was actually blacklisted by the United Nations and Hacking Team should have been forbidden from selling to the country.)

Another Italian spyware company, as well as a German one, ended up selling surveillance gear to Bashar al-Assad’s Syria. Israel-based NSO Group has received licenses to sell to Arab countries such as the United Arab Emirates, which allegedly used NSO’s malware to target a well-known human rights activist. These companies’ business practices and willingness to do business with autocratic regimes put innocent victims targeted by those regimes in danger.

Even where there are strict regulations, many companies have a well-documented history of trying to skirt these regulations with shady techniques such as using subsidiaries and shell companies, more typical of weapons dealers than tech companies.

The companies’ have never effectively self-regulated, either. Hacking Team and NSO Group, for example, have long said that they comply with their local laws, and, on top of that, they claimed to do their own due diligence on their potential customers to assess the risks of their technology being used to target vulnerable communities. But governments like Ethiopia, Panama, the UAE, Egypt, and Mexico—countries with documented human rights abuses enabled by spyware—have recorded purchases of surveillance technology from two or even three different Western companies.

The widespread and largely unregulated proliferation of this malware is how surveillance gear mysteriously disappears after an election, an innocent bodyguard ends up held hostage for almost two years in an African country where slavery is still legal, autocratic governments repeatedly try to hack human rights defenders, and sketchy businessmen recycle malware designed to track loved ones and try to sell it to questionable governments around the world.

The combination of these factors and the promise of big profits has encouraged a new wave of relatively small companies to enter the lucrative market of “lawful intercept.” Some of these companies are either amateurs or outright scammers, and have made mistakes that exposed themselves, clients, and the people their clients were trying to spy on. Moreover, we already have evidence that some of this government-grade spyware has trickled down to consumers, some of which has been used by domestic abusers to spy on their partners.

In practice, innocent people will pay the price for these companies’ incompetence and their willingness to do business with autocratic regimes.

Spyware companies will say they will regulate themselves, but they can’t do it properly. Governments will probably never be able to stop all abuses or attempts to circumvent well-intended but hard to enforce regulations. Transparency can be a solution. Citizen Lab, a digital rights watchdog at the University of Toronto's Munk School of Global Affairs, has been leading this effort by carefully and methodically documenting abuses. But the jury is still out on what actual, practical, impact these reports have on the industry. After all, despite several reports documenting abuses, and getting hacked themselves, FinFisher, Hacking Team and NSO Group are still alive and well.

The stories documented in these reports are not always an easy sell for the media. Most of these real world cases of people getting hacked and spied on aren’t flashy, with nothing technically complex or interesting to them. Moreover, the victims are often people of color living in far away countries—communities that Western readers tend to care less about.

We want to help change that. We want to highlight the social costs and dangers of this sometimes murky industry.

We want to know more about who is providing spyware to questionable governments with a history of going after dissidents, journalists, and human rights defenders. We’ve been covering these stories for years, and we don’t want to stop. In fact, we want to cover this world even more.

If you have any tips on where we should be looking, please get in touch. If you used to work in the industry and left because of ethical reasons, please get in touch. If you have a brochure from a spyware vendor, please get in touch. It doesn’t matter if the company is unknown or a country we don't typically associate as a major player in the cyber security world, we want to hear about it. In fact, most abuses are likely happening precisely far away from the sometimes more attentive eyes of governments like the United States or the United Kingdom. No tip is too insignificant, no suggestion is too trivial. We will protect your identity if necessary.

Get six of our favorite Motherboard stories every day by signing up for our newsletter.