NSO Group Covid19 New Mass Surveillance Tool
Updated: May 12
DigitalBank Vault® provides sophisticated Digital Anti Surveillance technologies: military-grade encryption devices for ultra-secure anonymous communication (voice calls & text messaging) with untraceable file transfers & storage solutions
In a recent post, I noted an Israeli news report that NSO was marketing a “civilian” version of its blockbuster hacking product, Pegasus, to a dozen or more countries. The new version is designed to use a national database to track citizens and their proximity to Covid19 victims in order to protect the populace from the spread of the virus. The new product has been touted by Israel’s defense minister, Naftali Bennet, who suggested installing it to monitor Israeli Covid19 victims. His Knesset colleagues promptly dismissed the suggestion.
Earlier this month, NSO went on a publicity binge in which they promoted the new product, inaptly called “Fleming” (Ian Fleming is probably turning over in his grave, his estate should demand royalties) to a gaggle of technology journalists. NBC Nightly News aired a segment last night (at 16:20 in this video). A number of reporters were rightly skeptical about the claims made by its promoters and the potential privacy violations its use entailed. But the most damning appraisal of all came from John-Scott Railton, the senior forensic researcher of Citizen Lab, who himself has been stalked by NSO in a case reported here.
This bit of promotional copy from the company’s website sent my skepticism meter through the roof: The technology anonymizes all data inputted by the operator, which adds an additional layer of privacy and security. NSO is a company built on the premise of targeting and exposing the identities of what it calls “targets.” How could anyone trust it to anonymize the data it collects. Not to mention that data analysts have proven that it is relatively easy to deanonymize such data. Railton uses NSO’s own promotional materials to evaluate the accuracy and reliability of Fleming and finds it sorely wanting. Among other things, he notes that the geo-location accuracy is pitiful and would potentially scoop up thousands of individuals who not only did not come into contact with a victim but didn’t even come close to one: “…The location data that NSO is rolling with is probably super imprecise. Carrier location data is mad inaccurate…”
Any national health authority which buys Fleming risks flooding itself with false data, imprecise contact-tracing, and implementing a dragnet that snares tens, if not hundreds of thousands of unwitting citizens. The goal of this technology should be to improve the precision of Covid19 tracking and pinpoint victims and those in close proximity. Instead, this product is a civil liberty nightmare waiting to happen. A technology ethicist wrote this, quoting Israeli historian Yuval Harari: Yuval Noah Harari argues that the choice between health and privacy is, in fact, a false one. He emphasizes the critical role of trust in achieving compliance and co-operation and says that public faith is not built through the deployment of authoritarian surveillance technologies, but by encouraging the populace to use personal tech to evaluate their own health in a way that informs responsible personal choices. Harari writes: When people are told the scientific facts, and when people trust public authorities to tell them these facts, citizens can do the right thing even without Big Brother watching over their shoulders. A self-motivated and well-informed population is usually far more powerful and effective than a policed, ignorant population. NSO’s Legal Woes Yesterday, Whatsapp attorneys offered a blockbuster legal filing in their lawsuit against NSO Group. Previously, the Israeli company had claimed that they should not be sued in U.S. courts because it is not a U.S. company and none of its customers are U.S. citizens. It made a further claim that Whatsapp was suing the wrong party because it had no control over what its clients did with its hacking tools once they installed them on their own computer systems. It would be easy for it to track the activities of its clients and uses they made of Pegasus. But of course, or so I thought, they deliberately would not do so because of precisely this potential liability for the misdeeds of the client. Boy, did it turn out I was wrong: the new filing reveals that NSO contracted with a U.S. data server company, QuadraNet, to run Pegasus for the client who attacked Whatsapp. And the data that was stolen was stored on that company’s servers. Caught ya red-handed, didn’t they? A total of 1,400 Whatsapp customers were hacked. The new filing reveals that over 700 of these attacks originated from the IP addresses of QuadraNet. Three others originated from Amazon AWS servers. NSO’s hacks were totally Made in the USA and destroy that defense. Further, the revelation shows that NSO did far more than sell the clients Pegasus and wash its hands of how the product was used. In fact, NSO orchestrated the attacks itself using servers it had contracted. No one has definitively identified who was NSO’s client. But it seems more than likely it was Saudi Arabia and its Crown Prince Mohammed bin Salman (MBS). The victims were likely Saudi dissidents and any party deemed hostile to Saudi Arabia. MBS is the very same man responsible for murdering Saudi dissident journalists, Jamal Khashoggi; and hacking the cell phone of Jeff Bezos (again using the same Whatsapp vulnerability exploited in the attacks on the other 1,400 users). I’m certain that the company’s lawyers are keeping exposure of NSO’s client’s identity under wraps for the appropriate moment when its revelation will create maximum damaging impact. If there is any country seriously considering buying Fleming, they ought to do some due diligence before they regret what they’ve done. Don’t forget that NSO has been named one of the twenty most dangerous digital predators in the world. Not the sort of company you’d want to bring home to meet your mama.
NSO gave the BBC a demonstration of how its system works, via a video conference link. A heat map of Israel showed hotspots where there were a high number of cases of the virus. Zooming in, individual phones of people with the infection were mapped and represented by an anonymized ID number. Details were also shown of other phones they had encountered and the relevant times and locations. The engineer demonstrating the system said that it could be used to: predict where the next cluster of cases was likely to be when to move ventilators to hospitals most in need when to allow certain regions of a country to come out of quarantine
NSO said a number of governments around the world were piloting the system, but would not reveal their identity or whether any of them had started using it in the field.
A spokesman added that the firm had made it a requirement that the authorities involved were operating in compliance with Europe's GDPR privacy law or their own data protection rules. Software requiring mobile networks to hand over customer data represents a very different approach from the contact-tracing apps being considered in the UK and many other European countries. Such apps would use a phone's Bluetooth connection to alert users if they had been in contact with someone infected with the virus, and would almost certainly be voluntary to download. Citizen Lab previously investigated NSO's Pegasus software. It found evidence that it had been secretly installed on the phones of journalists and dissidents in countries from Mexico to the Middle East. "NSO has shown that it is uniquely capable of damaging public trust," said Mr. Railton. "I can't think of a better brand name to make citizens nervous about a governmental tracking effort." There has been controversy in Israel over a separate project which could see its defense ministry work with NSO Group to assess the likelihood that individual citizens might spread the coronavirus. Defense minister Naftali Bennet proposed giving NSO access to highly sensitive data about citizens collected by the Shin Bet security services. But Israeli lawmakers attacked the plan, warning that handing data to a private company raised serious concerns.
Tweeting about the project, Israel's defense minister Naftali Bennett described it as a "national AI monitoring system", including an image that matched the platform demonstration shown to Sky News. "Every citizen at any moment will have a score from 1 - 10 measuring the likelihood they could transmit the coronavirus," Mr. Bennett explained. "A score of 3 says they probably aren't contagious; a score of 9.5 means they are probably contagious, and then we will ask you to be tested with a PCR throat swab." It is not clear how granular the location data being used in Israel would be were it deployed - this would be a decision for the authorities using the platform. However, the demonstration suggested that if the government used GPS data from smartphone devices then could identify individuals who had met with each other, potentially transmitting the virus. For other people whose location could only be estimated through cell-tower triangulation, there was a risk of introducing false positives if individual-level messaging was attempted. But regardless of the level of granularity, the demonstration focused on showing its capability of showing aggregate analysis of population-volume movements. This geoanalysis feature showed heat-maps which included two categories - the movements of known COVID-19 patients and those of people who had been potentially exposed to the virus after coming into contact with them. NSO Group hopes that by using this tool on a nation-scale view, its software could reveal regions where there was a lower number of people who had potentially been exposed to the virus. This could be used to inform predictions and allocate resources. For instance, the demonstration showed relatively low numbers in the southern Israeli city of Beersheba, suggesting the large hospital there would be able to free up ventilators for Tel Aviv where a large number of cases were putting medical systems under strain. Despite the claims by Mr. Bennett that "every citizen" would be given a score, the NSO system is only capable of analyzing data for those with mobile phones, approximately only 70% of Israel's population. Communities where these devices aren't present, notably including some Ultra-Orthodox communities where transmission rates are significantly higher than the rest of the population, would require additional government efforts to monitor and treat patients.
NSO GROUP DOCUMENTARY: