For several years now, the murky world of cybermercenaries has allowed astonishing attacks against political leaders, civil liberties, companies and private institutions. Exploiting weaknesses in code (the pillars of the technological age), they build digital weapons to turn everyday devices such as mobile phones, computers and even televisions into espionage tools.
The potential first became apparent in 2019, when WhatsApp sued what was then a little-known Israeli company called NSO Group for creating spy software called Pegasus, which at the time allowed it to spy on 1,400 people, including human rights defenders, politicians, judges and heads of state.
That lawsuit put the dark industry (and NSO Group’s global infamy) in the spotlight.
What they do is not new: nation-states, like the United States, have had the ability to spy on citizens, as Edward Snowden’s revelations showed us in 2013. But it is one thing for a government, especially one based on institutional and legal checks and balances, to exercise that power. It is another thing for a private company, which ultimately responds to a desire for profit, to do it.
The result is human rights abuses and the weakening of democracies. To take just one example, the University of Toronto’s Citizen Lab identified “a network of computers and more than a thousand web addresses used to send Pegasus spyware to the phones of targets in 45 countries,” a Washington Post report found. Among them were at least 65 people related to Catalan independence, as well as Spanish politicians, including the prime minister.
There is currently an outcry against these types of companies, especially in the Western world. On March 30, 2023, Australia, Canada, Costa Rica, Denmark, France, New Zealand, Norway, Sweden, Switzerland, the United Kingdom, and the United States issued a joint statement recognizing “the threat posed by the misuse of commercial spyware” and calling for “strict national and international controls on the proliferation and use of such technology.”
On February 6, the US government announced it would impose a visa ban on those involved in the commercial spyware industry, including its users, operators and investors, in perhaps the strongest deterrent yet.
A day later, Google released a report, one of the most comprehensive assessments of the industry yet, showing how there is now a threat to societies at large.
To quote the report: “Compared to other cyber threats, spyware is used against a small number of targets. However, the use of high-risk targets has a profound impact on society. Governments often abuse spyware for purposes contrary to a free society, including targeting dissidents, journalists, human rights defenders, and opposition party politicians,” the company stated.
The report also covers insights that describe the scale and sophistication of the industry and the scope of its implications.
For example, a company called Intellexa created a surveillance system that was used in Indonesia and Madagascar for political purposes in April 2023. The services of the same company were used in September of that year against an Egyptian opposition politician who had announced his intention to run in the presidential elections in Egypt, the report adds.
Then there is the scale of the industry. In an interview in March 2023, Dmitry Volkov, CEO of the cyber threat intelligence company Group-IB, told me how there is a cybercrime underworld that deals in information, credentials and code that can be used to hack systems.
The Google report adds that such a supply chain also feeds the spyware industry: “While CSVs (commercial spyware vendors) may have their own internal employees working on vulnerability research and development of exploits, they also complement them by purchasing bugs and exploits from third parties.”
The industry is also significantly lucrative. An Intellexa spyware solution to hack up to 10 devices at a time (including training local staff) was estimated to cost €8 million a year in 2021, according to leaked documents and NYT reports.
For a democracy like India, where there have been credible allegations of spyware like Pegasus being used against politicians, activists, journalists and lawyers, such abuse can cause lasting damage to a rules-based order.
Until the Internet, remote surveillance was a matter of wiretapping. In India, the Supreme Court, in the 1996 case PUCL vs Union of India, established safeguards that, in essence, set up an oversight mechanism: wiretapping orders could only be given by an officer of a certain designation, records would need to be maintained, a review committee was to examine all interceptions ordered and any material that was not necessary to rule out the purpose of the interception.
In December, India passed the Telecom Act 2023, introducing a mechanism that has been criticized for undoing some of these safeguards. At the very least, the Bill will allow the Union government to set traffic rules later (rather than through an Act of Parliament).
Therefore, the law leaves ample room for a tool like Pegasus to be used against Indians without the State having any obligation of disclosure and responsible use.
Aligning yourself with a black box surveillance paradigm is dangerous. At the very least, it goes against the ruling on the right to privacy (Puttaswamy judgment) of the Supreme Court. That ruling established that Indians have a fundamental right to privacy, and whenever this right is circumvented, it must meet three tests: it must be enabled through an Act of Parliament, it must be necessary for a purpose, and it must be proportionate to the objective.
A technological precedent is also being set. It is true that black hat hackers (who break into systems for subversive or lucrative purposes) have existed for decades. But never before has that taken the form of an organized industry, with hiring of coders and considerable salary packages.
No digital device or network is impenetrable; creating an ecosystem that benefits from such vulnerability has implications not only for technology and technology companies, but, as the Google report highlighted, for society at large.
Once that paradigm is normalized as legitimate business activity, everyone (including private companies and senior government officials) will be vulnerable.
Binayak Dasgupta, Page 1 Editor of Hindustan Times, looks at the emerging challenges of technology and what society, laws and technology itself can do about them.