You can find the current article at its original source at https://www.nytimes.com/2019/07/19/opinion/private-surveillance-industry.html

The article has changed 3 times.

Version 0: Anyone Can Hire a Team of Spies
Version 1 (about 5 hours later): Private Surveillance Is a Lethal Weapon Anybody Can Buy
The plan was simple: give the government of Uzbekistan the ability to monitor everyone’s communications.
I first heard the story about five years ago from an American defense consultant. I had spoken to him over the years about arms sales, particularly those involving the former Soviet Union. He had been involved in overseeing foreign military sales for the American government before he went into the private sector, using his expertise to help broker deals around the world. In 2014, the market in Uzbekistan looked promising.
It was the same year that Human Rights Watch declared that “Uzbekistan’s human rights record remained abysmal across a wide spectrum of violations.” Islam Karimov, the country’s president at the time, reportedly boiled at least one of his enemies alive. The Uzbek government wanted to buy what is known in official parlance as “lawful interception,” and among privacy advocates as surveillance technology. The American company the defense consultant was working for was offering the Uzbeks technology to surveil cellphone and internet communications as well as fixed landlines.
A small team representing the American company went to Tashkent, the Uzbek capital, to meet with officials and tell them what they had to offer. “We don’t want to stop people from using the internet, we want to control it,” the American defense consultant said the Uzbek general in charge of the procurement told one of his colleagues.
It was by any measure a memorable trip. In the evening, the defense consultant and his colleagues walked around the city, taking in the modern luxury hotels and Soviet-era Brutalist architecture. Knowing the Uzbek government would monitor foreign visitors whom it suspected of being spies or involved in political activities, the group made sure to keep to the main streets, so it wouldn’t appear they were trying to do anything secretive. (There were even stranger aspects to the trip: At one point, the consultant recalled, the Uzbek hosts sent prostitutes to his group’s hotel; the women were turned away by hotel security.)
After the American defense consultant told me about the trip, I’d filed it away in my mental archive as one of those stories I often hear about the strange underbelly of the overseas defense market. But more than five years later, the type of technology he was selling has become more widespread, and more controversial.
High-tech surveillance technology, once the purview of sophisticated spy services in wealthy countries, is now being offered by private contractors around the world as part of a highly secretive multibillion-dollar industry.
In the past year, there have been at least two high-profile reports that authoritarian states have used Western surveillance technology intended to track down criminals and terrorists to spy on journalists or political activists: The United Arab Emirates company DarkMatter allegedly spied on journalists (a claim the company denies); the Saudi government has been accused of using spyware made by the Israeli firm NSO Group to hack into the phone of a close associate of Jamal Khashoggi, the Saudi writer killed in his country’s consulate in Istanbul last October. And in the United States, security researchers are raising the alarm that cheaper versions of this technology are being used and abused by private consumers.
While other kinds of weapons are subjected to stringent international regimes and norms — even if these are often broken — the trade in spy technology is barely regulated. The American defense consultant, who shared materials and details so long as I agreed not to use his name or the name of his company because it would endanger his professional contacts abroad, was quick to point out that nothing in what he was proposing in 2014 was illegal. It still isn’t.
But allowing this sort of technology to fall into the wrong hands can have the same impact as selling a lethal weapon. If you have a cellphone, “you are enabling your surveillance,” said Alec Ross, a senior adviser on innovation to Hillary Clinton when she was secretary of state. “The capabilities of foreign intelligence services are only growing. This issue creates a body count.”
In the end, the company that the American defense consultant represented didn’t get the contract. He heard that the business went to an Israeli firm, though he had no way of knowing for sure — the government of Uzbekistan never posted the tender online, let alone announced the winner. But his assumption appears to be backed up by a 2015 report from Privacy International, a nongovernmental organization that tracks the export of surveillance technology, that said two companies operating from Israel had set up monitoring centers in Uzbekistan with the ability to intercept any phone, ensuring the “communications of every individual are within the reach of the security and law enforcement agencies.”
Uzbeks have given detailed accounts of their surveillance. Gulasal Kamolova, a journalist who fled Uzbekistan in 2015 and now lives in France, told Amnesty International that she believes her mobile phone has been under surveillance since 2008. She described how once, while she was still in Uzbekistan, she was contacted by an Uzbek security services officer who said, shortly after she received an international call: “You got a call from abroad. Who was calling?”
Ms. Kamolova worries that the Uzbek security service still tracks her number in France. She has reason to be concerned: The marketing material the American defense consultant’s company gave to the Uzbeks said the company could search for a phone user based on his unique “voice print,” regardless of what phone number he’s using, and to pinpoint his location. Another document described an option for “worldwide tracking of mobile phones.”
Did an Israeli surveillance company help intercept Ms. Kamolova’s call? It’s impossible to know because who gets what contracts is almost never public knowledge, and it is a complex business involving software companies, hardware vendors and even traditional telecoms.
Stephen E. Arnold, a former manager at Booz Allen Hamilton and a specialist in online systems for law enforcement and intelligence software, told me that most estimates of the value are “pure baloney,” and said creating a realistic estimate would require collecting data that most companies are loath to provide. One market research report claims that it could be worth $3.3 billion in the next few years; the NSO Group, which has been raising money, is more optimistic, saying the industry is valued at some $12 billion.
One thing is clear: The private surveillance industry is growing. A firm that creates a catalog of these technologies, once named the “Little Black Book of Electronic Surveillance” changed the name in 2016 to the “Big BlackBook.” It had doubled in size in its first three years. The 2017 edition includes 150 vendors.
The genesis of this global spy bazaar can be traced back to the frenetic weeks after the Sept. 11 attacks, when Congress rushed through the Patriot Act, a law that vastly expanded the American government’s wiretapping authorities. In the process, lawmakers inadvertently created a market for companies interested in providing services and technologies to collect and analyze the new trove of data.
In 2002, in a testament to the American entrepreneurial spirit, a company in McLean, Va., called TeleStrategies held the first ISS World conference, for companies interested in helping government authorities gather intelligence. The conference, labeled the “Wiretappers Ball” by critics, is now held several times a year in cities like Washington, Dubai, Prague, Panama City and Kuala Lumpur. (Jerry Lucas, who owns TeleStrategies, declined to comment on his company’s success. “I don’t make myself available to talk to the press about ISS World,” he told me.)
The technical discussions from those early days now almost seem quaint: The information that was collected was largely phone calls made through landlines and mobile phones, and emails. Over the next few years, the way people communicated changed drastically — first Facebook, then Skype, then the iPhone. Within a few years, billions of people were walking around with devices in their pocket that did everything from finding a date to tracking exercise habits.
“It used to be that if you wanted to look into somebody’s brain, you needed to talk to them or to physically follow them, or to pick them up and then torture them until they told you what was inside,” said Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation, a digital rights advocacy group. “Then it used to be all you had to do was install malware remotely on their computer. And even then, you had sort of a limited look inside their brain.”
“Now everyone carries a tracking device around in their pocket, which also contains all of their messages, all of their contacts, basically a map of their friends, all of their photos,” she said. “It is essentially the inside of your brain.”
Surveillance tech companies quietly began to spring up in the United States and Europe; some were traditional telecoms that had long worked with government authorities to conduct lawful interception. Others were smaller start-ups.
One country in particular saw an opportunity in this emerging market: Israel. In 2010, Prime Minister Benjamin Netanyahu decided he needed to jump-start his country’s cyberindustry, unrolling a series of measures to allow veterans of Israel’s version of the National Security Agency, known as Unit 8200, to create private businesses.
Speaking this year at a cybersecurity conference in Tel Aviv, Mr. Netanyahu said his inspiration dated back to the 1970s, when he was studying management at the Massachusetts Institute of Technology. He saw a big “ugly warehouse” that he was told belonged to the C.I.A. or N.S.A. The future prime minister liked the potential in merging intelligence with academia, and creating a work force that could carry the technology into the private sector. “My idea was, why don’t we do that here?” he said.
But to do that, he said, he needed to make sure that there weren’t regulations holding the industry back. “There’s no industry more susceptible and more inviting of regulations than cybersecurity,” he said. “It’s like weapons — it is a weapon.”
In 2011, he established a special task force to help develop Israel’s private cyber industry and reduce “export impediments” on cybertechnology. Veterans of Unit 8200 and other parts of the Israeli military began to create businesses, many involved in defensive cybersecurity, but others went into offense, including several who created NSO Group, which is now one of the most prominent private spy tech companies. Rather than defending computer systems from attack, this new breed of offense-oriented companies would help hack into foreign systems.
The timing was auspicious. In 2011, popular uprisings fueled by social media and messaging apps swept the Arab world. Intelligence agencies everywhere wanted ways to monitor social media to see — and often stop — protests spreading.
Even then, knowledge about what these companies were offering, and what the governments were using, was highly restricted. But in May 2013, an intelligence contractor named Edward Snowden left for Hong Kong with a trove of top-secret material that detailed the N.S.A.’s global surveillance programs, including Prism, which gathers a vast amount of internet communications. These revelations changed the conversation about electronic surveillance overnight.
“I think those disclosures had the unintended effect of putting forth a kind of blueprint,” Ronald Deibert, the director of Citizen Lab, a cybersecurity watchdog group at the University of Toronto, told me. “In June 2013, you wake up and you read The Guardian report about Prism; first thing I would do is turn to my security chief and say, ‘How do I get myself one of those?’”
Few countries have the resources to build or buy a program like Prism, but they can afford the services of NSO Group. Around the time of the Snowden revelations, a shift was happening: By 2013, about one-third of the companies at the Wiretappers Ball were from “non-Western countries,” including China, India, Saudi Arabia and South Africa, according to a 2013 interview Mr. Lucas gave to Mr. Arnold, the former Booz Allen manager.
In the fall of 2012, an Ethiopian dissident who had been living in the United States for more than two decades opened an email attachment. The Word document, written in his native Amharic, admonished him for his political activities. “If you are not willing to cooperate with us, you should know that you will suffer from continuous and major attack,” it read.
In reality, the document was the attack: an embedded macro — unseen bits of computer code — covertly installed a spyware program called FinSpy on his computer. The spyware, which is made by Gamma Group, an Anglo-German company, can record every keystroke, call or text on an infected device. It can even secretly record audio using the computer’s built-in microphone. For several months, according to security experts who later conducted a forensic analysis of his computer, his activity was sent back to a server in Ethiopia.
The spyware transmitted dozens of his Skype and internet phone calls, copies of emails, and even swept up the web search history of his ninth-grade son. He never knew this spyware was operating in the background of his computer until he was approached by Ms. Galperin of the Electronic Frontier Foundation, who suspected he was being monitored.
In 2014, the foundation sued the Ethiopian government for illegal wiretapping on behalf of the dissident, an American-Ethiopian dual citizen. The goal of the suit, according to Ms. Galperin, was to set a legal precedent that could be used to place limits on the spyware market. Unconvinced that new export regulations would work, Ms. Galperin and her team hoped that the American court system could.
They lost the suit. But Ms. Galperin still believes the legal system offers one of the best tools for holding people and governments accountable for spying. Her organization is looking for a new case to try again: “The wheels of justice move slowly, and the wheels of impact litigation move even slower,” she said.
Around the same time, momentum was building in calls for further regulation of the private spy industry.
In 2015, Hacking Team, an Italian company that markets software to remotely break into and monitor people’s electronic devices, was itself hacked. Five years’ worth of the company’s internal emails and documents were posted online, revealing that Hacking Team had marketed its product to authoritarian countries including Syria and Azerbaijan — and that Italian export laws didn’t forbid such activity.
The mounting outrage over these sorts of sales increased support for reforms proposed by Britain and France to the Wassenaar Arrangement, the pact signed by more than 40 countries, including the United States, that helps determine what sort of dual-use and weapons technologies are regulated.
Among the new proposals was an attempt to include surveillance technology, such as spyware, in that pact. The changes wouldn’t prohibit companies from selling surveillance technology; they would simply have required signatories to regulate it in some manner. In the United States, this translated initially into a proposal to require export licenses for surveillance software. Other Wassenaar members, including the European Union, moved forward fitfully with regulations, but for a variety of reasons, the United States’ proposed changes have languished.
So far, no one has come up with a good solution for how to regulate this industry. If anything, there’s evidence that the private spies have been emboldened. At a recent arms show in Abu Dhabi, WiSpear, a surveillance company, was openly advertising a mobile surveillance system fit for a Hollywood villain: a black van equipped with a suite of equipment that the company claims can spy on a phone several hundred meters away. Customers can also buy a drone to hack phones. WiSpear, which is registered in Cyprus, was founded by a former Israeli intelligence official who sold his last company to NSO Group.
Even those who work in cybersecurity believe the industry requires oversight. “I think it needs to be better regulated — primarily in Europe and Asia, since that’s where companies like Hacking Team and these other sketchy shops operate from,” said Jason Syversen, a former Defense Advanced Research Projects Agency official and one-time hacker who later founded his own cybersecurity firm. But what to do is another question. “I’m not sure what the right answer is though, because it’s such a complicated, nuanced area,” he said. “And politicians suck at complex, nuanced technical topics.”
Mr. Snowden, whose revelations helped shine light on the technology that fuels this market, offers a radical proposal: ban private spyware. “The commercial trade in software vulnerabilities and exploits produces little public value and extraordinary public harms, particularly in that it establishes a transient mercenary class of digital saboteurs that are as happy working for the Saudis and the Chinese as they are for the French,” he wrote in a message to me recently.
An outright ban may sound drastic, but Mr. Snowden’s underlying concerns are being proved out. In the latest twist of the spy market, DarkMatter, the United Arab Emirates-based cybercompany, which has employed former American intelligence employees, has reportedly targeted American citizens. The allegations appear to confirm longstanding fears that Western technology would eventually be used against citizens of those countries that it was supposed to protect.
Even more worrisome is the possibility that sophisticated spyware of the type marketed by companies like NSO Group and Gamma Group, which today is sold only to governments, could make its way to private users. Kate Moussouris, the chief executive of the cybersecurity company Luta Security, says this is already happening with products like FlexiSPY, which can be purchased by anyone for as little as $68. The maker of FlexiSPY says it can secretly “turn on the phone’s microphone and record its surroundings” and “spy on SMS, emails and photos.”
FlexiSPY is more basic technology than what is offered by NSO Group and similar companies, and it requires physical access to the targeted device to install the software. But as the commercial technology for private users evolves, it’s likely to pose some of the same dangers as today’s more professional spyware. And if individual users can buy versions of this type of spy technology, what about multinational corporations, drug cartels or terrorist groups?
A comprehensive solution for regulating private espionage is hard to imagine (though perhaps still easier to imagine than wiping out an entire industry, as Mr. Snowden suggests). But that doesn’t mean that there aren’t clear first steps to rein in the global spy industry.
Intelligence gathering systems should be treated by the American government like what they are: weapons. And weapons require export licenses from the State Department. This move would require carefully carving out broad exemptions to cover security researchers and academics. This may not guarantee that exports won’t ever go to countries with spotty records, like Saudi Arabia, but it provides a stronger basis for Congress or the State Department to block them. It would also require pressuring allies — including Germany, Italy and Israel — to follow suit on allowing sales only to countries that respect human rights.
This would require a shift in thinking not likely to take place under the Trump administration, which has trumpeted its record-setting arms sales to Saudi Arabia. And while changing the export laws wouldn’t have a direct impact on American companies that sell software to domestic consumers, classifying this technology as a weapon would make the case for regulations within the United States stronger as well.
Regulating the export of weapons has long been a messy, and imperfect, endeavor. Academics will worry about the impact on research, American businesses will complain that regulations benefit competitors like China, and human rights advocates will point out that the State Department regularly allows weapons sales to dictatorships.
But labeling something as a weapon may be the only way to acknowledge that technology used to surveil your most intimate communications is, in fact, part of a new arms race.
The American defense consultant is not coldblooded, but he is practical. The proposed sale to Uzbekistan was legal, and in his mind, ethical. The Uzbeks “understood, when you play with other countries, you’ve got to follow their rules,” he said. “The Israelis offered to actually hack into stuff. They were into breaking stuff. We were doing lawful intercept, front door.”
He told me he believed that the technology he was marketing would help keep Uzbekistan safe. The company’s marketing material explains the system’s “warrant management” system to ensure a wiretap is legal. And even Steve Swerdlow, a researcher for Human Rights Watch who focuses on Central Asia, said that while he was concerned about Uzbekistan’s abuse of such technology, the government could have legitimate uses for surveillance systems, including stopping jihadist terrorism.
“We’ve always said the Uzbek government has a right to defend itself,” he said. “But for a long time, the specter of an Islamic takeover was used as cover for serious political repression.”
Those who have worked in or around the lawful intercept business view the world in terms of Western national security interests, not human rights. It is up to Western governments to decide who can, or cannot, buy technology.
“It’s kind of a shame they didn’t get to help spy on everyone’s web traffic,” the American defense consultant joked of his company’s would-be Uzbek contract. But he still defended the proposal. The Uzbeks “didn’t want to do anything funny, they wanted to play by the rules,” he told me, when I asked him if he, or the company, ever had any hesitation about trying to sell to Uzbekistan. “I’ll even bet they had judges sign off” on wiretaps, he said.
He paused for a moment before adding, in a moment of reflection: “In the Soviet Union, everything was approved by a judge. They had everything done legally.”
Sharon Weinberger (@weinbergersa) is the Washington bureau chief for Yahoo News and the author, most recently, of “The Imagineers of War: The Untold Story of Darpa, the Pentagon Agency That Changed the World.”