Meet the team that investigates cases of journalists and activists being hacked by government spyware


For more than a decade, dozens of journalists and human rights activists have been targeted and hacked by governments around the world. Cops and spies in Ethiopia, Greece, Hungary, India, Mexico, Poland, Saudi Arabia and the United Arab Emirates, among others, have used sophisticated spyware to hack into the phones of these victims, who have sometimes also faced violence in the real world: intimidation, harassment and, in extreme cases, even killing.

In the past few years, in the fight to protect these most vulnerable communities, a team of dozens of digital security experts, mostly based in Costa Rica, Manila, and Tunisia, among other places, has played a key role. They work for the Digital Security Helpline of Access Now, a New York-based nonprofit.

Their mission is to be the team that journalists, human rights defenders and dissidents can go to if they suspect they have been hacked, for example with mercenary spyware made by companies like NSO Group, Intellexa, or Paragon.

“The idea is to provide this service 24/7 to civil society and journalists so that they can reach out whenever they experience a cybersecurity incident,” Hassan Salmi, who leads the helpline’s incident response team, told TechCrunch.

According to Bill Marczak, a senior researcher at the University of Toronto’s Citizen Lab who has been investigating spyware for nearly 15 years, Access Now’s helpline is a “front-line resource” for journalists and others who may be targeted or compromised by spyware.

The helpline has become a crucial point of referral for victims. So much so that when Apple sends its users a so-called “threat notification” alerting them that they are being targeted by mercenary spyware, the tech giant has long directed victims to Access Now investigators.

Speaking with TechCrunch, Salmi described a scenario where someone receives one of these threat notifications, and where Access Now can help victims.

“Having someone who can explain it to them, tell them what they should do, what they shouldn’t do, what it means…that’s a huge relief for them,” Salmi said.

According to several digital rights experts who have investigated spyware cases and previously spoke with TechCrunch, Apple is generally taking the right approach, even if the optics look like a trillion-dollar tech giant ceding responsibility to a small team of nonprofit workers.

Salmi said that being mentioned by Apple in the notifications was “one of the biggest milestones” for the helpline.

Salmi and his colleagues now look at about 1,000 cases of suspected government spyware attacks annually. About half of these cases turn into actual investigations, and only about 5% of them, or about 25 cases, lead to a confirmed spyware infection, according to Mohammed Al-Maskati, director of the helpline.

When Salmi started doing this work in 2014, Access Now was only investigating about 20 cases of suspected spyware attacks a month.

At the time, there were three or four people working in each time zone in Costa Rica, Manila, and Tunisia, locations that allowed them to have someone online throughout the day. The team is not much bigger now, with fewer than 15 people working on the helpline. The helpline includes more people in Europe, the Middle East, North Africa and Sub-Saharan Africa, as these are hotspots for spyware issues, according to Salmi.

Salmi explained that the increase in cases is due to several circumstances. For one, the helpline is now more popular and therefore attracts more people. Then, as government spyware has spread globally and become more available, there are perhaps more cases of abuse. Finally, the helpline team has done more outreach to targeted populations, finding cases of abuse that would not have been found otherwise.

Contact us

Have you received a notification from Apple, Google, or WhatsApp that you have been targeted with spyware? Or do you have information about spyware makers? We would love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or by email.

When someone calls the helpline, Salmi told TechCrunch, investigators first acknowledge receipt, then do a first check to see if the person who contacted them is within the scope of the organization’s mandate, meaning whether they are part of civil society, and not, say, a CEO or a lawmaker. Investigators then evaluate the case in triage. If a case is prioritized, investigators ask questions, such as why the person believes they are being targeted (if there was no notification), and what device they have, which helps determine what type of information investigators may need to collect from the victim’s device.

After performing an initial, limited remote device scan over the Internet, helpline handlers and investigators may ask the victim to submit more data, such as a full backup of their device, for a more comprehensive analysis to check for signs of intrusion.

“For every known type of exploit that has been used in the last five years, we have a process on how to verify that exploit,” Salmi said, referring to known hacking techniques.

“We know more or less what is normal and what is abnormal,” Salmi said.

Access Now handlers, who manage communications and often speak the victim’s language, will also give the victim advice on what to do, such as whether to get another device, or take other precautions.

Each case the nonprofit considers is unique. “It varies from person to person, and from culture to culture,” Salmi told TechCrunch. “I think we should do more research, involve more people — not just technical people — to figure out how to deal with this type of victim.”

Salmi said the helpline also supports similar investigation teams in some regions of the world, and exchanges documents, knowledge and tools, as part of a coalition called CiviCERT, a global network of organizations that can assist members of civil society who suspect they are being targeted by spyware.

Salmi said this network also helped reach journalists and others in places they could not reach.

“No matter where they are, (victims) have people they can talk to and report to,” Salmi told TechCrunch. “Having these people speak their language and know their context helped a lot.”
