Why are so many people hacked by government spyware?

For over a decade, makers Government spyware They defend themselves from criticism by saying that their surveillance technology is intended to be used only against serious criminals and terrorists, and only in limited cases.

However, evidence collected from dozens, if not hundreds of documented cases of spyware abuse around the world, shows that none of these arguments are valid.

Journalists, human rights activists and politicians have been repeatedly targeted in both repressive regimes and democratic countries. The most recent example is a political consultant who works for left-wing politicians in Italy He came out as a confirmed victim recently of Paragon spyware in the country.

This latest case shows that spyware is spreading beyond what we typically consider to be “infrequent” or “limited” attacks targeting just a few people at a time.

“I think there is some misunderstanding at the heart of the stories about who is being targeted by this kind of government spyware, which is that if you are being targeted, you are public enemy number one,” Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, who has studied spyware for years, told TechCrunch.

“In fact, given the ease of targeting, we have seen governments use malicious surveillance software to spy on a wide range of people, including political dissidents, activists, and relatively junior journalists,” Galperin said.

There are many reasons why spyware often ends up on the devices of people who, in theory, should not be targeted.

The first explanation lies in the way spyware systems work. Generally, when an intelligence or law enforcement agency purchases spyware from a surveillance vendor — such as NSO Group, Paragon, and others — the government customer pays a one-time fee to acquire the technology, then discounts additional fees for future software updates and technical support.

The upfront fee is usually based on the number of targets the government agency can spy on at any given time. The higher the number of targets, the higher the price. Previously leaked Documents From the now-defunct hacking team, some police and government agents can target anywhere from a handful of people to an unlimited number of devices at once.

While some democratic countries typically have a smaller number of targets they can monitor at once, it was not uncommon to see countries with questionable human rights records have a very large number of simultaneous spyware targets.

Giving such a large number of simultaneous targets to countries with such a strong desire for surveillance ensures that governments will target a much larger number of people beyond just criminals and terrorists.

Moroccothe United Arab Emirates (twice), and Kingdom of Saudi Arabia (numerous times), all of whom have been caught targeting journalists and activists over the years. Security researcher Rona Sandvik, Who works with activists and journalists Who are at risk of being hacked, patronizes an ever-increasing group List of cases of spyware abuse around the world.

Another reason for the rise in the number of breaches is that spyware, especially in recent years, such as NSO’s Pegasus or Paragon’s Graphite, makes it extremely easy for government agents to successfully target anyone they want. In practice, these systems are essentially consoles where police or government officials type in the phone number, and the rest happens in the background.

Government spyware carries “significant temptations for abuse” for government agents, said John Scott-Railton, a senior researcher at The Citizen Lab who has investigated spyware companies and their abuses for a decade.

Scott-Railton said spyware “needs to be treated as a threat to democracy and elections.”

A general lack of transparency and accountability has also contributed to governments brazenly using this sophisticated surveillance technology without fear of repercussions.

“The fact that we saw relatively small fish being targeted is particularly concerning because it reflects the relative impunity the government feels in deploying this exceptionally invasive spyware against opponents,” Galperin told TechCrunch.

When it comes to victims getting accountability, there is some good news.

Paragon made a point Publicly severing ties with the Italian government Earlier this year, on the grounds that the country’s authorities had refused to help the company investigate alleged violations related to its spyware.

Formerly NSO Group revealed in court It said it had disconnected 10 government agents in recent years over misuse of its spyware technology, though it declined to name the countries. It is unclear whether these include the Mexican government or Saudi Arabia, where there are countless documented cases of abuse.

On the customer side, you love countries Greece and Poland Investigations into spyware violations have been initiated. During the Biden administration, the United States targeted some spyware makers, such as Cytrox, Intellexa and NSO Group By imposing sanctions on companies – and Executives – And put them on the economic embargo lists. And also a group of mostly Western countries Led by the United Kingdom and France They are trying to use diplomacy to rein in the spyware market.

It remains to be seen whether any of these efforts will in any way limit or curtail what has now become a multi-billion dollar global market, where companies are more than happy to supply advanced spyware to governments with a seemingly endless appetite to spy on almost everyone they want.