The Spyware Industry is Out of Control. Now What?

Host: Well, everyone, the spyware industry is pretty out of control, isn't it? It's nuts that so much is going on in that space right now. But researchers at organizations like the Citizen Lab and Amnesty International have exposed countless examples of governments using spyware made by Western companies to hack activists, journalists and dissidents, and really, I'm afraid it's just not on. Speaking as a journalist, admittedly I might have an axe to grind in that vein. So we're now going to be joined by Marietje Schaake, international policy director at the Cyber Policy Center at Stanford, and Bill Marczak, who's a senior researcher with the Citizen Lab. And please welcome back our moderator, Lorenzo Franceschi-Bicchierai. Thank you.

[Applause] [Music]

Lorenzo: Hello again. Hello, welcome to the stage. So today, well, right now, we're here to talk about government spyware. Sometimes, more recently, we call it mercenary spyware. Basically this is malicious software used by police and intelligence around the world, and usually developed by government contractors in Western countries. So maybe let's start with you, Bill. Can you talk to us about one of the most significant investigations you've done recently and what that teaches us about this world?

Bill: Good question. A lot of the work that we do at the Citizen Lab is focused on companies, some of which you may have heard of. NSO Group is an example, a company based in Israel that sells these sorts of very sophisticated spyware products to governments, many of them perhaps less on the democratic side and more on the authoritarian side, and the products are often abused to target journalists, dissidents and human rights activists. A particularly interesting case recently was a couple of years ago: we were checking the phone of a human rights activist based in Saudi Arabia, and when we checked her phone, one of the interesting things we noticed, aside from the fact that there had been malicious processes running on her phone that we were able to link to NSO spyware, is that we were able to capture a little bit of the vector, the exploit that facilitated the installation of the spyware. What was really interesting about it is that it was what's called a zero-click exploit, meaning that Loujain didn't have to do anything. She was just sitting in front of her phone; one minute it was secure, the next it was hacked.

Lorenzo: And Marietje, can you tell us a little bit about the work you did as a member of the European Parliament on this topic?

Marietje: Yeah. So whenever we talk about spyware today, I'm sort of shocked, and I feel very old, that this has been a topic I've been working on for 12 years and we still haven't solved it. So I think the idea that, while governments in the EU, from this side of the world, the US, but also other democratic governments are protecting the freedom of assembly, supporting human rights, freedom of expression, freedom of the press with their statements, for example when I first encountered this technology around the Arab uprisings, you have these governments all supporting universal human rights, and then you have companies, as you mentioned, based in democratic countries selling the very technologies that are the key tool in the toolbox of repression of authoritarian regimes. What we've learned over the years is that it's not only authoritarian regimes that are using spyware, and I think of it more as commercial spyware, because this is stuff that a mafia boss or some cartel leader can also buy. It's not exclusive to governments. So this is really concerning as a type of proliferation of technology that's really for sale to anyone who wants to buy it. But essentially, we initially thought of the use of hacking tools and spyware as something that neatly divided the authoritarian governments from the democratic ones, but now we also see case after case, for example in the EU today, where in Poland, Hungary, Spain, Greece, just to name a few, state authorities have used these commercial spyware tools to hack the devices of journalists, judges, critical opposition leaders. So really, even if these tools are sold as counter-terrorism measures, crime-fighting tools, they're really also tools for repression, and they undermine very directly the credibility of democratic governments to speak about human rights at all. And this is really a problem.

Lorenzo: Yeah. And I'm curious, have you ever been targeted with spyware during your work?

Marietje: Not that I know of, but that doesn't mean anything, because as Bill said, it could be that it already crawled into my devices without me knowing. But I've never experienced the consequences, and maybe that's also because, as an elected official from a democratic country, you do have privilege in some ways. I mean, if you look at activists from the Middle East, for example, that the Citizen Lab has also extensively researched, not only Loujain, who is very courageous as a human rights activist in Saudi Arabia, but also others who've worked all over the world, a lot of them don't have as much agency. They're already in a vulnerable position for speaking truth to power, for engaging in human rights work that may be illegal in these societies, and then on top of that they become vulnerable. We've seen with Khadija Ismayilova, for example, in Azerbaijan, a very courageous journalist who had compromising material leaked in an attempt to shame her, which thankfully she pushed back against and said, I have nothing to be ashamed about. But really, the way in which the hacking of people's devices, the way in which spyware can be used against people, can be devastating. And compared to the work of activists, I've always been in a position of privilege as an elected member of the European Parliament.

Lorenzo: And you actually anticipated what I wanted to ask. I think for years we all thought that this was a problem mostly of Western countries and Western companies based in Western countries selling to authoritarian regimes, but as you said, we now see cases in Spain, Hungary, Poland, Greece. So Bill, how has this changed? First of all, were you surprised? Because you've been researching this, as one of the first people, for like 12 years. Were you surprised to see that this was actually also happening in Western countries, and how has that changed your work and your perception of the industry?

Bill: Well, certainly, from the very early time when I was researching the spyware, one of the things we were able to do is, once we identify a single spyware attack and we can attribute the spyware to a company, we can often do a process of what we call internet scanning, where we fingerprint the mechanism by which the information is exfiltrated by the spyware to the command and control server, as it's called. So this is some internet server; we can fingerprint it, scan the internet, so from one attack, let's say in the Middle East, we can get a fairly good sense of the other servers involved, and if it's a company selling the spyware, those could be their other customers. Then we can ask further research questions to try and attribute those servers to specific other governments. So pretty early on we were able to understand, okay, well, yeah, there are Western governments that are using these products. But of course, when you find the server, the next question is, well, who is being spied on? We can see maybe some Western government is using the spyware, but who are the targets? And you might say, okay, well, if it's the police in some European country, well, they're probably spying on criminals or terrorists, right? That's the natural thought; you don't immediately think, oh, they're spying on the political opposition. It doesn't really cross your mind, because there's often not... I mean, if you follow very closely the local political landscape in these countries, you might get some clues, like, oh, the government's trying to intimidate opposition candidates, or charges are being brought against specific journalists. You might think, okay, well, there's some light-level harassment of the opposition or journalists, but it was quite surprising to see this pretty aggressive hacking, like cases in Poland where lawyers were hacked dozens of times in a very short time period, indicating the government was very interested in continuous monitoring of their communications.

Lorenzo: Yeah. Perhaps we were a little bit naive and had too much confidence in our own institutions. And speaking of institutions, Marietje, as a lawmaker, what have been the biggest challenges in trying to regulate this industry, this spyware industry?

Marietje: I think, strangely, political will. So there is a perverse relation, which you can already gather from the initial comments that we've been making, between governments and these markets and the willingness to cut off some of these tools, because we all know that very sophisticated intelligence services, maybe the ones in this country, don't need commercial hacking tools or spyware to be able to gain access to the devices of people that they're interested in. But I do think it's safe to assume that the Polish government may have never had these capabilities had it not been for NSO Group, or the Hungarian government, or another government for that matter. So for some of these state agencies, access to this capability is a sort of crucial pipeline for them to have the capabilities that they do. And combined with that, I think oftentimes police and intelligence services are at risk of having a bit of tunnel vision. They are spending 24/7 going after that terrible terror suspect, that crime ring leader that they've been hunting for years, and I understand; I think this is painstaking work and I don't want to diminish its importance. But what we're talking about here is the proliferation of these technologies, the fact that they slip out of the hands of these very narrow, rule-of-law-clad, specific use cases, but that instead, and this has been acknowledged by experts in the national security agencies, these tools proliferate and they become a tool against the very agencies and the very goals of the state, for example to keep the state democratic and secure. And there has been a lack of appreciation that the harms of this market are actually more significant than the benefits, if you want to look at it in those terms. And so when I was working on regulation in the European Union, it was probably one of the hardest things to move. It just took forever, and I couldn't really understand, because to me, until this day, I think it is entirely logical to want to ban anti-democratic, human-rights-violating technologies; that's what these technologies are. So I think the legitimate use cases do not weigh up against the harmful use cases anymore, and governments in democracies should really ask themselves whether they want to continue to facilitate this market and the proliferation of these tools. Therefore it was very, very hard to get any change done through regulation, and it's probably because governments were pushing back. Ultimately, though, and I hope we'll get to talk about this, the United States has recently adopted a new executive order that, in a way, gets closer to addressing some of these perverse mechanisms between the market, the proliferation and the role of government. But we can talk about that more.

Lorenzo: So do you think that ideally, right now, maybe the best thing we could do is ban the use of these tools completely?

Marietje: I think it should definitely be on the table, and especially, and that's perhaps why it's not so surprising that the US government has been willing to say the US government will no longer be allowed to use commercial spyware anymore, which is the recent executive order that I'm referencing, because they have plenty of government capabilities; they don't need these commercial tools. For other governments, like I mentioned, some of the ones in Europe, this would be a different case altogether. And so I personally think it's a very toxic market. I've tried to rein it in for a long, long time as a lawmaker, and it's still a topic very close to my heart, one thing that I don't work as much on on a day-to-day basis like Bill does with the Citizen Lab, which, it should be said, has done groundbreaking work, has really done crucial investigations, courageously so, to shed light on this very dark, nasty industry that doesn't really like the criticism that it's getting. And so it has become sort of an activist thing to do to even shed light on these tools and the companies and the investors behind them.

Lorenzo: Yeah. And you did a lot of work on trying to regulate the export of these technologies. I mean, looking back, do you think that, given the proliferation of spyware, trying to limit export was the right approach, or was it flawed? Was it still worth it? What do you think, looking back?

Marietje: So it wouldn't be the only thing, but the interesting thing is, when you look at policy tools, they're often fragmented. So if you look at what the EU did, we tried to limit the sale of these technologies to countries with known human rights violation track records. Fast forward to what the US government did this year: they looked at their own behavior, saying the US government shouldn't use these commercial spyware tools anymore. And so in a strange way there are mirror images of the problem: the use and the export, and then a third, you could say the import, because in the case of many EU governments they import from Israel. Israel is really a leading market here, with NSO Group and many other companies in the same spirit; many founders of these companies come directly from Israeli intelligence services, who also have great capabilities in this sense. And so if you look at the multiple dimensions of how these technologies create harm, I think it would have been better if we could have addressed the industry in one go in the European Union: import, use and export. But there was no policy tool, no policy space to capture all of it at once. Plus, at the time, and I realize how naive this may sound now, but really at the time it seemed more of a problem of abuse by authoritarian regimes rather than the fact that this proliferation was already going on so much. And so what we could do as Europeans is tackle European companies, of which we of course knew they were not the only ones. We knew there were companies in the Middle East; we knew that there would be new ones coming in the future. But when you're a European lawmaker, your jurisdiction is the EU, and so I had to work within the limitations that that jurisdiction and the policy tools created.

Lorenzo: And Bill, obviously you're a technologist. Have you seen any changes because of regulation in the last few years, from your visibility into the market? Has regulation made any difference?

Bill: Well, yeah, I think so. One of the major developments in the regulatory space, somewhat recently, a couple of years ago, the United States Commerce Department added NSO Group, and then more recently, I think earlier this year, another entity, Intellexa, to essentially a list of specially designated entities. The first-order impacts of that are not super important; the main second-order impact is signaling to potential investors, to other governments, to Israel, where NSO Group is based: hey, we're not happy about this; this can't keep going on the way it's going. And in response, what Israel did is, Israel said, okay, well, the Americans are mad at us; we want to placate the Biden administration, so we're going to reduce the list of countries which will automatically be granted licenses for export, and we're also going to more carefully police this stuff. And that does seem to have had an effect. We've seen reporting out of Israel that a number of companies that were hoping to hawk their spyware to some anti-democratic countries in Africa, for instance, were not able to complete those sales and thus suffered in revenue; some of them went out of business. We haven't seen any substantial new proliferation of, for instance, Pegasus since that action was taken by Israel. So it does demonstrate that these regulations on export can have effects. But again, what you would probably hope to happen is that there would be some sort of panel that would review these exports and take into account human rights, rather than just, oh, the Americans are angry at us, we need to address that problem. However, on the other hand, we've seen some of the slack left by Israel being picked up by companies that export from places like Cyprus or other jurisdictions. So we've seen companies like Intellexa and Cytrox, which can export from outside of Israel, selling to some of the places that maybe the Israelis don't want NSO selling to.

Lorenzo: Yeah. And we're speaking about the US, and something that happened last week is that Congress introduced a law called the Protecting Americans from Foreign Commercial Spyware Act. One of the goals of the law is to prevent the US government from giving assistance to governments that have a track record of using mercenary spyware. A question to both of you: do you think this is the right approach? Can this make a difference?

Bill: Yeah, I think it can make a difference. It puts another tool in the hands of the executive branch that they can use to tackle this problem. So my view of it is that it's a good step, but it also does require the occupant of the White House to be committed to and interested in enforcing this provision.

Marietje: Yeah, I take a slightly different perspective. Of course, I think every step taken to curb this market is necessary and helpful, but did we really need American devices to be hacked to appreciate how problematic this market was? It also underlines for me that there is, especially in this country, often a view that if it doesn't touch our people, it's not a problem, whereas I think this is typically a global problem, and the writing has been on the wall for over a decade. And so, great, but a more principled global approach would also be extremely helpful in this case, and not only the few, and I'm very sorry that it happened to them, but like diplomats that worked in third countries through whose hacked devices this came to light. And maybe adding to the couple of examples that we've mentioned: it's very hard to know still who all are and have successfully been targeted. It's very incidental, and it's because of the work of the Citizen Lab but also investigative journalists, so all the credit to them. The Pegasus Papers were another important sign, let's say, of accountability that really sped up the discussion about why this market, this technology, is so harmful, because it turned out, because of leaked documents, that presumably the editor-in-chief of the Financial Times, President Macron of France were all targets of this technology. And so I want to come back to the perception of why this is a problem. Unfortunately, the harms to human rights defenders in the Middle East were never taken seriously enough. It had to first target Americans, then hotshot names that people understand, but that we clearly know that, for example, President Macron is not a terrorist suspect or a crime suspect, or that the editor-in-chief of one of the biggest publications is doing journalistic work and is not sought by law enforcement. And so I think we will learn more, frankly, of the harms of these tools, and we should be particularly concerned about the innovative capabilities and the new companies that we will see springing up in parts of the world that have absolutely zero appetite to regulate these companies. So yes, great, good to have a line in the sand, the US government finally taking action, but I'm also worried about what more we will see from parts of the world that don't care about human rights, that don't care about curbing their own industries, but that do really like to see more and more capabilities that can be used for surveillance and control.

Lorenzo: Yeah. And as you mentioned, the US uses similar tools. They develop similar tools, both internally in intelligence agencies and with some commercial producers. So can we rely on the US, or any one country, to police this industry?

Marietje: No, no. But we do live in a world where getting any kind of global agreement on any kind of topic is incredibly difficult. So I would suggest that democratic, rule-of-law-based societies owe it to themselves and to their own credibility to tackle these principle-violating technologies, and then from there they can try, through multilateral organizations and bilateral agreements, to come to a growing set of countries that agree. But I have no illusions about how easy it is to get some kind of handshake at the United Nations about this topic, even if I care about it deeply.

Lorenzo: Yeah. And speaking of the US, Bill, recently, as we've said, spyware has been used inside the US, and recently you and your colleagues discovered an exploit called BlastPass, and you said that it was used against an individual employed by a Washington, DC-based civil society organization. What can you tell us about this case?

Bill: Yeah, so this was another really interesting case of this sort of quote-unquote zero-click hacking capability, where someone's phone can be hacked without them taking any action. I think people intuitively grasp the fact that, oh, well, a hacker can convince me to download a dodgy program or install something that's malicious, or type in my password, and then they have my password and can steal my emails and things like that. But it's a little bit trickier for many people to conceive of the fact that really your phone is doing a ton of stuff in the background, like it's constantly receiving messages, displaying notifications, rendering images to show you on your lock screen, things like this. So there's a lot of code that's running in the background, processing messages from the internet. And in this case, the specific vulnerability we were able to identify resulted from a failed attempt to hack this person's device, and because the attempt failed, the remnants of this zero-click exploit were left over on the phone. In this case, what it was, the root of the vulnerability, was a bug in Google's WebP image library, which is integrated into the iPhone. The attackers found some way to exploit this bug to run arbitrary code within Apple's BlastDoor iMessage sandbox, which is supposed to prevent these sorts of bugs from affecting the whole system, but then the attackers also found some way to break outside of Apple's sandbox and install the spyware on the system. So this was a pretty interesting find. Whenever you get something like this and are able to disclose it to Apple and they release an update, it's kind of a big deal, because it sets the attackers back. They have to invest a considerable amount of time, energy and money in identifying new weaknesses that they can exploit, and once people have installed the update, they're immune to this particular hack. So it's important, I think, to look out for and discover this stuff. And it turned out to be, from a technical perspective, quite an exciting case, and there was certainly some buzz, as you pointed out, due to the fact that this is a DC-based NGO, which again, from the perspective of the US government, US regulators, raises that specter of, ooh, this problem. Hopefully what people are thinking is, oh, but we've allowed this to fester for too long; it's now coming home and affecting the US, and then we should do something about it.

Lorenzo: Yeah. And speaking of doing something about it, you were a lawmaker; now you can look at it from the outside. What's the ideal here? What are the regulations that you would implement, or that you would suggest your colleagues in the EU Parliament or the US Congress and other countries implement?

Marietje: Yeah, so it depends on whether there's any kind of regulation in place already or whether there is none. But I think, one, there should be restrictions, if not bans, on the use of commercial spyware by democratic governments. I think the US executive order really sets a good example there, because it also chokes off the procurement market for these companies, and it decreases the credibility that they get from supplying to US state agencies. You see oftentimes with these companies that they say, we also sell to the American police, so we're actually very legitimate actors; it helps marketing. In the EU there are a couple of more detailed things that I think would be most helpful. I mean, one, I also think, sorry, to add to the US case: it's great that the government can't use it anymore. It doesn't mean that no one in the US can use it anymore. If there is someone who has the resources and wants to use commercial spyware in the United States, they can, so they could still use it to go after civil society groups or journalists, as long as they can get their hands on it and they're not the US government. So that still leaves quite significant use cases wide open. So I think that's something that the US could tackle going forward; the exports would also be a useful thing to tackle. Just to close the loop, in the EU there are obvious priorities to take. One is to have a standard of non-use for governments themselves, so that would also mean no imports, for example from Israel. But the oversight should be better. In the EU at the moment it is national authorities overseeing national license applications, and I think the relationship between national companies that may want to get a license to export and the national authorities can be too close. So I would prefer to have EU-level oversight, so there's one level of abstraction and hopefully more independence when the oversight happens. And then ideally this would become an international norm, the way, for example, a ban on the death penalty, which unfortunately this country still hasn't done, but most democratic countries have done, has become a norm that is actually no longer being discussed: that democratic, rule-of-law-based countries have a certain threshold of how they regulate their own behavior and thereby try to influence the behavior of others. And so I would hope that this becomes something that is integral to what it means to be a rule-of-law-based democratic society.

Lorenzo: And speaking of tech, and we're close to our time, so Bill, what do you think? Are there any tech changes that can improve the situation, other than regulation? What can Apple, Google and other tech giants do to protect their users?

Bill: Well, it's interesting. There's a tension on the tech side of things. Companies want to make their devices extremely easy to use; they want to reduce friction around communication and messaging, and those are all good goals. But on the other hand, it enables these messaging apps to be used as a vector of exploitation. We've seen positive steps from Apple in terms of introducing their Lockdown Mode feature, which currently is an optional feature that you have to turn on; it's disabled by default, but it disables a lot of this automatic processing of message content from people that aren't your friends, people not in your phone book or your contact list. So I think more steps like that, that reduce the attack surface, thinking about ways to prevent things from automatically happening, to slow things down. I mean, it's antithetical to the way a lot of tech development is done, but that's, I think, one key thing that could improve security.

Lorenzo: Yeah. Well, thank you so much for being here, and thank you for listening.

Marietje and Bill: Yeah, thank you. Yeah, thanks.

[Applause]