The Business & Technology Network
Helping Business Interpret and Use Technology

Israeli Malware Maker Linked To Six Government Purchasers, Abusive Deployments

DATE POSTED: April 4, 2025

Israel-located NSO Group may no longer be a malware option for the US and other discerning governments around the world, thanks to blacklists, lawsuits, and its disturbing willingness to sell to some of the most abhorrent governments on earth. But the market for powerful phone exploits isn’t drying up. Governments still want powerful surveillance tech, even if it means buying from the same market NSO Group almost ruined.

Paragon — formed by a former Israeli intelligence officer, and which currently has ex-Israel prime minister Ehud Barak on its board — is the new option, one even US agencies are willing to approach. Not that Paragon is necessarily that much more ethical than NSO. But, for now, its malware has only been traced to countries that most people wouldn’t consider to be habitual human rights abusers. This is from Lorenzo Franceschi-Bicchierai’s report for TechCrunch, which sums up the discoveries made by Toronto’s Citizen Lab, which has led the world in exposures of abusive deployments of NSO Group spyware.

The governments of Australia, Canada, Cyprus, Denmark, Israel, and Singapore are likely customers of Israeli spyware maker Paragon Solutions, according to a new technical report by a renowned digital security lab.

On Wednesday, The Citizen Lab, a group of academics and security researchers housed at the University of Toronto that has investigated the spyware industry for more than a decade, published a report about the Israeli-founded surveillance startup, identifying the six governments as “suspected Paragon deployments.”

It’s not that any of these governments is problem-free. Australia has always erred on the side of mass surveillance, encryption-breaking mandates, and ends-justifies-the-means thinking. Cyprus has spent plenty of years acting as an offshore conduit for malware sales to UN-blacklisted nations by setting up shell entities to handle the contractual work that would otherwise be illegal in malware companies’ home countries. Israel is malware central, with many of its homegrown exploit products being created by companies founded by former Israeli intelligence officers and analysts. Singapore has its own problems with control, corporal punishment, and domestic surveillance, even if it manages to offset these encroachments with a strong economy, actually safe and extremely clean streets, and a wealth of robust social services. And Denmark is Denmark, a country that rarely makes the wrong kind of headlines, outside of its bizarre takes on copyright law and its firm resistance to Greenland real estate deals.

Then there’s Canada. Canada’s government has also recently been pushing for more domestic surveillance, less oversight, and even engaged in some conversations about encryption backdoors. Still, it’s usually mostly harmless. But even though the Ontario Provincial Police don’t want to talk about their Paragon purchases, it’s pretty much impossible for the OPP to pretend this hasn’t actually happened. This is from Justin Ling’s op-ed for the Toronto Star, which calls out the OPP for its acquisition of Paragon spyware, as well as its lack of transparency about its use of Paragon’s products:

The Citizen Lab first uncovered Paragon’s operation when a tip led them to a domain name registered to the company, which in turn led to a server that the Citizen Lab says it believes Paragon uses to communicate with clients. Researchers then tracked that server to small town Ontario, to an address which matches only a warehouse, a strip mall, a brewery, an apartment — and the headquarters of the Ontario Provincial Police.

So, there’s no chance of plausible deniability, which explains the OPP’s statement that says nothing more than it won’t talk about its investigative tools in public.

But that’s not the end of the discussion. It’s more than a little concerning when a free world police agency decides it can be trusted with powerful malware that it then deploys against its fellow Canadians.

When cops deploy this cutting-edge technology without disclosure, or firm rules in place, they risk violating the public’s trust. That problem is only more acute when it comes to technology that risks collecting data on innocent people — like spyware. While adopting new tech can help police solve crimes, failing to fully disclose the nature of these new techniques risks getting evidence thrown out at trial on procedural grounds.

[…]

Even if the police are operating ethically, the same vulnerabilities they’re exploiting could put you at risk.

This is the trade-off the general public often isn’t aware is being made in its name, but without its consent: that cops will buy from companies that hoard exploits and refuse to inform the millions of innocent people affected by them of their existence simply because doing so might make it slightly more difficult for them to target and track suspected criminals. Meanwhile, active criminals are no doubt using the same undisclosed exploits to cause more harm. And that’s on top of any abuse of this spyware that’s being perpetrated by the governments that have purchased these products.

As Citizen Lab notes, there’s no way to “abuse-proof” powerful malware. As if to prove this point, reports surfaced last month showing an unknown government had been targeting Italian human rights activists. (This would seem to point to Cyprus, which has been a facilitator of abuse on behalf of countries trying to distance themselves from the consequences of their actions, but nothing has been confirmed at this point.)

Beppe Caccia, one of the co-founders of Mediterranea Saving Humans, an Italian non-government organization that helps immigrants, told TechCrunch that he had been targeted by the spyware campaign. 

Caccia disclosed he was targeted after another one of his organization’s co-founders, Luca Casarini, said publicly last week that he had also received a notification from WhatsApp alerting him to the suspected spyware attack.

To assume the Ontario Provincial Police can be trusted with this powerful malware is foolish. All it takes is one person with access to violate whatever trust is left by using it for personal or political reasons. One of the few deterrents is robust oversight, which should always be accompanied by proactive transparency. If cops want powerful spyware, they should be expected to fully justify its deployment over less-intrusive forms of surveillance. And they should never be allowed to purchase or deploy this tech without stringent guidelines in place or prior to a period of public comment. Trust has to be earned. It’s not enough to just buy stuff from a company that has yet to prove it’s any better than the company it’s replacing.