S1: Nicole Pearl Roth is a reporter for The New York Times who covers cybersecurity. She’s been on the beat for about a decade and a few years ago she started reporting on commercial spyware digital tools that enable a company or government to track a person without their knowledge. Then one day she got a phone call. It was a source asking if he could come over to her house and show or something. It was something about a spyware company called the NSO group.
S2: And he showed up at my house and he actually halfway through the interview opened up his laptop and said take some pictures of my screen print them out and delete these pictures off your phone. And then he left. Whoa.
S3: And what he had shared with me was an internal marketing pitch by NSO that basically detailed just how invasive their spyware was how much it cost what it could do what it could do was basically use someone’s phone to monitor all their activity calls texts keystrokes everything the stuff you’re telling me sounds like it’s from an espionage thriller The like source coming to your house with the list on their computer. What was your reaction at the moment. Were you thinking like this is bananas.
S4: When you’re covering cybersecurity for as long as I have nothing as bananas. That after you left I did walk out of my home office walk into the kitchen and just.
S5: Make eye contact with my husband just said something like you won’t believe what just happened.
S2: It occurred to me then that this was NSA I was in a class of its own and no one had ever heard of them.
S6: If no one had ever heard of them then it’s much more likely that you’ve heard of them.
S7: Now Facebook is suing an Israeli cyber surveillance firm for allegedly hacking uses of its encrypted messaging service WhatsApp NSO is in the news because it’s being sued by WhatsApp.
S6: It’s the first time a tech company has filed a lawsuit against a private spyware company WhatsApp claims that NSO was using its technology to spy on activists journalists and human rights workers who were communicating over WhatsApp their phones were recording everything. Today on the show NSO and the world of commercial spyware I’m Lizzie O’Leary and this is what next TBD a show about technology power and how the future will be determined. Stay with us.
S3: So let’s talk about the WhatsApp hack. They were hacked in May of this year and they’re saying that fourteen hundred devices were affected by the hack. So if you were one of these people and someone you know who was using WhatsApp What did you see when someone was trying to get into your phone so you would have just gotten a call from someone on WhatsApp probably from an unknown number.
S2: Now I get missed calls all the time on WhatsApp and on my phone and I don’t really think twice about them unless they’re from really strange or a number. So in this case a lot of the targets received a call and even if they didn’t pick up the phone and this is probably the scariest part even if they didn’t pick up the phone just the fact that they had received a missed call was the exact way that NSA spyware was exploiting what’s up software to download itself onto your phone. So really all you needed to get was a missed call and NSO had successfully embedded into your phone in most of these cases.
S3: I think that’s so shocking to hear because it seems like something that almost wouldn’t be possible.
S4: How did it work. So they exploited a vulnerability in WhatsApp software. And I couldn’t tell you the exact mechanics of how it worked but once it was on the phone it could basically capture every keystroke every password every phone call every message it could even turn your phone into a recording device and record noises and everything. Your camera caught and send it back to their client servers which are usually governments.
S3: So this is all of your communications even your grocery list to your spouse. I mean everything is accessible.
S1: Everything was accessible after the hacks WhatsApp and a group out of the University of Toronto called Citizen Lab took a closer look at what happened. They wanted to know if any one group in particular was affected.
S2: Among the fourteen hundred people that WhatsApp incidents in lab discovered had been targeted. They found this subset of about 100 people which included journalists dissidents religious leaders prominent female leaders activists.
S8: And that’s where we’ve started playing the onion back further to learn that once again NSA spyware is being abused by governments all over the world to basically monitor their critics and journalists.
S9: Well let’s talk a little bit about NSO and how they came to occupy this space.
S3: Tell me a little bit about their background and who their customers are.
S10: They were started about 2010 right around the time I actually started covering cybersecurity by two guys who used to belong to Israel’s famed unit eighty two hundred which is sort of Israel’s version of the NSA. And they came up with a company after they left unit 80 200 that allowed phone companies to remotely diagnose problems on people’s phones from afar.
S11: So they started selling this to the telecoms but very quickly word got out to governments that their software was capable of remotely accessing people’s phones. And they started getting approached by various governments looking to apply this technology to surveillance and law enforcement.
S1: One of those governments one of NSA was first customers was the United Arab Emirates in 2016. Nicole was reporting on how the country was using NSA as technology.
S12: And there we discovered NSA spyware on the phone of a man named Ahmed Mansoor.
S13: Hello ladies and gentlemen.
S12: My name is missing from United Arab Emirates a man Mansoor was a vocal proponent of voting rights in the UAE and a critic of some of the more authoritarian elements of the ruling family’s governance.
S14: People are placed in solitary confinement for months without access to the outside world. They are subjected to physical and psychological torture to force confession.
S15: They are used later and he was tracked using NSA spyware.
S16: And when I interviewed him last he told a story about he had been basically goons had showed up in places that they only would have known where he was if they were inside his phone.
S14: I had been attacked twice within one week by some unknown individuals of the university and they confiscated his passport.
S15: They tracked his wife and family and used threatened numerous times and he is in jail now and sits in solitary confinement and his health is really deteriorating and he’s been on hunger strikes off and on for the last two years so this is what happens when you’re tracked by NSA spyware and the government has caused not only track you but to try to uncover any reason to really keep close tabs on you or even imprison you.
S3: And on that Mansoor is case one thing I’m curious about is NSO has said this product is marketed for lawful use by governments with good human rights track records. But the examples that you’re telling me certainly seem to contradict that.
S17: That’s right. And they seem to do a lot of talking about what they do upfront to vet these governments. They claim that they have a committee in place composed of human rights lawyers and other representatives that they look at government rankings of human rights based on rankings put out there by the World Bank and other global bodies and that they won’t sell to governments that fall below a certain bar on human rights track records. That said we caught their spyware being used by the UAE which does not necessarily have the best track record on human rights. And in that case Ahmad Mansoor as is case study one. And then there’s the question of what happens when someone like me comes around and discovers that their spyware is on the phone of a journalist or a human rights activist or an amen Mansoor. What did they do then.
S18: And one of the more disturbing things we’ve discovered in our reporting is there is no kill switch. There’s no way for them to just cut off a customer who is completely abused their spyware for surveillance.
S3: So it’s just out there and they can’t do anything about it.
S18: Now they claim they cannot do anything about it and except to basically starve the customer of software updates and new features and sort of wean them off slowly and slowly.
S19: But they can’t exactly march into some of these government secure facilities and rip their products out of the wall.
S20: You know if we’re thinking about this as a growing I guess market or sector where is that demand coming from. Well you know governments say that they’re buying these tools for legitimate reasons which is to track terrorist to track drug kingpins and pedophiles and to be fair.
S21: Nso has said that Mexico was only able to capture or walking Guzman El Chapo. Yeah right. By installing NSA spyware I don’t know if it was on his device but it was definitely on Mexican film actresses device that was in touch with El Chapo. So in some ways they’re are completely legitimate use cases for this.
S3: You know we’re talking about an hour so because of the WhatsApp hack. But I want to get a sense of kind of how they fit into this industry and how big this industry is.
S18: It’s such a good question right now. They are the most sophisticated spyware maker that we know of. So in terms of sophistication they’re right up there just because they’re coding is much more sophisticated and the obfuscation with which they’re deployed is more sophisticated. That said I worry that this is just the tip of the iceberg and that there is a whole entire constellation of companies out there selling these spyware capabilities to governments. Some of the best I’m told are here in the United States that there are hundreds of companies selling spyware technologies to U.S. government agencies. The problem is that even if those companies promise to sell exclusively to U.S. government agencies and our closest allies the market abroad is getting so much bigger the demand is getting so much bigger for these tools and the interest in acquiring these tools is only getting higher and higher as tech companies roll out end to end encryption.
S1: It’s worth pausing here to quickly explain end to end encryption as far as digital privacy goes. This is one of the most fundamental tools the public has. And if your messages for example are end to end encrypted that means no one can access them not the company that provides the technology not even the government if they have a warrant. And the thing is users want it. Encryption is becoming more and more popular.
S3: Well I want to break that down a little bit because when you think about encryption and the increase in encryption I messages encrypted Apple’s signal or WhatsApp as we’ve talked about I guess are you saying that this kind of growth in privacy for users and the demand for it is leading governments to look for different ways to get in and primarily doing that via spyware.
S22: That’s right. So you remember a couple years back the FBI was suing Apple in court to try to get backdoor access to an iPhone used by one of the shooters in the San Bernardino attacks.
S23: The FBI standoff with Apple continues. The company refusing to help hack into the gunman’s iPhone and eventually.
S24: And this was always a shocker to me having covered this for so long. The FBI finally said You know what. We’re dropping our case we were able to get a get into the phone anyway by paying a third party.
S23: The FBI will now drop the lawsuit it filed to force Apple to help. Agents are now analyzing at the time.
S2: Director Comey was director of the FBI and he basically announced in public that they had paid upwards of a million dollars to get into this iPhone.
S25: So how much did you pay for this software. A lot. Really. Let’s see. More than I will make in the remainder of this job which is seven years and four months for sure. Wow.
S26: So what that illustrated was the dilemma. Governments all over the world are having that. The more companies like Apple wrap encryption around their products and services the more it’s forcing governments to hack into what they call the end devices be the phones and tablets and computers themselves to get the content off those computers and devices in an encrypted form. And when you think about you know Mark Zuckerberg said last March that he is planning on adding end to end encryption to all three Facebook messaging services not just WhatsApp but Facebook Messenger and Instagram messaging and eventually its entire service.
S21: And that has wreaked a lot of governments out including ours including ours the new Bill Barr just send a letter along with our allies and in the UK and Australia at Facebook asking them to reconsider their move to Iraq and to end encryption around those services.
S27: So I don’t foresee Facebook really backing down from this. But what’s clear is it will create an even bigger market for some of these spyware technologies like NSA those because it really leaves these governments with very little option except to hack into the devices.
S3: It seems to me like there’s this tension if you have governments that want access to people’s communications so that their warrants can remain effective. Tech companies who don’t want to comply with that who want their stuff encrypted. Is there a way to think about commercial spyware as like some weird middle ground.
S28: You know I do. Know if you remember we had had this decades long discussion between technologists and security folks and and law enforcement governments about end to end encryption. And when Edward Snowden’s leaks happened in 2013 it really expired. I did a lot of plans that these companies had in place or instigated new plans for companies to wrap and to end encryption around their services. Sort of a reassuring customers especially their customers abroad that all their communications weren’t just being hurt by the NSA but at the time what Snowden said was end to end encryption made mass government surveillance a lot more difficult and led to a more constitutional targeted form of surveillance.
S27: And you know in that case like this spyware is sort of what you just called like a happy medium. I mean it would sort of force governments especially when I’ve seen NSA those pricing model to think about OK who are we going to target. It’s not everyone we really have to think methodically about who we’re going to target.
S11: But indeed it does force governments to train these tools on a smaller subset of people than they would if end to end encryption wasn’t being wrapped increasingly around our communications.
S29: Sure you’re writing a book about all this stuff.
S1: I guess I wonder what you’re watching what you think about for the future that hasn’t even popped into my mind yet.
S12: The sad thing is is that this market and sort of the awareness around what this spyware can do is drifting out to more and more countries that will always have the resources to pay a company to buy their spyware.
S11: And right now we’re talking about NSO you know alias NSO claims to have some kind of mechanism for vetting governments period. You know we don’t really know exactly what that looks like. But I sort of worry about the NSO competitors that will inevitably pop up around the world that will have no such vetting in place and will really only sell their spyware to governments that present them with the biggest bag of cash Nicole Paul Roth thank you so much.
S30: Thank you so much.
S1: Nicole Paul Roth covers cybersecurity for the New York Times.
S9: Okay. That’s the show. What next TBD is produced by Ethan Brooks and hosted by me Lizzie O’Leary and it’s part of a larger what next family. Mary Harris will be talking about impeachment later today. Lot happening this week so keep an eye out for that episode in your feed TBD is also part of Future Tense a partnership of Slate Arizona State University and New America. Thanks for listening. Talk to you next week.