Spyware Can be Used to Follow Canadians
It's a chilling tale that has unveiled a sinister use of technology. Not only can technology aid governments in tracking dangerous persons, but it can also help bad actors track members of the media. In fact, it's the tale of how a cybersecurity tool marketed to governments is falling into the wrong hands.
Spyware gathers, stores and/or monitors information about a person or organization, often without their knowledge. It may send this information to another entity without consent, or assert control over a device without a person's knowledge. Spyware can collect almost any type of data, including personal information like Internet surfing habits, login access, and bank or credit account information. Spyware can also interfere with a user's control of a computer by installing additional software or redirecting web browsers.
The Story of Javier Valdez Cárdenas
It begins with the murder of a celebrated Mexican journalist named Javier Valdez Cárdenas. As founder of RioDoce, a weekly magazine covering organized crime and drug trafficking, Cárdenas was on the forefront of a dangerous struggle to expose the Mexican drug war. Unsurprisingly, his work made him an enemy of some of the most dangerous players in the drug trafficking world. Starting with a series of exposés in 2009 entitled “Hitman: Confessions of an Assassin in Ciudad Juarez,” Valdez Cárdenas became a bold voice against drug cartels.
After enduring years of threats against himself and his staff, Valdez Cárdenas was killed by gunmen on May 15, 2017. He was shot 12 times after leaving the RioDoce offices and the perpetrators took his laptop, files, and his cellphone. In the days following his murder, the staff of RioDoce as well as the Valdez Cárdenas’ family began to receive odd text messages promising information on his killer. And this is where this tragic tale takes a shockingly disturbing turn.
A year later, two writers from The Globe & Mail, along with Mexican partners, came across new information that pointed to the Mexican government as the source of these text messages. After acquiring a Israeli-based surveillance app called Pegasus for US$80-million, the Mexican government infected the recipients’ phones with the Pegasus spyware. The infected phones then acted as a digital secret agent, giving the government the ability to eavesdrop and record conversations.
Not only can technology aid governments in tracking dangerous persons, but it can also help bad actors track members of the media.
The Controversy Surrounding Surveillance with Pegasus
Pegasus is developed by NSO Group, which markets its spyware as a powerful aid in combating terrorism and aiding in criminal investigations. Once it is installed on a device, it enables a jailbreak that can track phone calls, read text messages, and gather information from other apps operating on the device, such as Facebook, iMessage, Gmail, Skype, etc.
NSO Group provides assurances that it always uses due diligence to ensure that Pegasus isn't being used maliciously. Yet, this has not always been the case. After the murder of Valdez Cárdenas, and following an investigation that exposed how Pegasus was used to maliciously target innocent civilians, NSO Group has come under considerable global fire for developing a tool that is used in violation of human rights.
NSO Group is facing several lawsuits, including one that accuses the company of providing Pegasus spyware to the Saudi Arabian government in the aftermath of the brutal killing of Washington Post journalist, Jamal Khashoggi, at a Saudi Consulate. The lawsuits allege that the NSO Group knowingly violated human rights laws by providing the Saudi government with surveillance spyware that was then used to spy on Khashoggi and several of his colleagues.
One of these colleagues is Saudi dissident and refugee Omar Abdulaziz, a close confidant of Khashoggi, who was targeted by the Pegasus spyware while in Canada. In the months prior to Khashoggi’s murder, it is alleged that the Saudi government was able to use Pegasus to monitor conversations between the two over private messaging.
The use of such spyware breaches the privacy rights of individuals. Borders and distance don't offer any protection. Research done by the Citizen Lab shows that people in 45 different countries worldwide have had devices infected by Pegasus, with 30 different countries currently operating the spyware. Many of these countries have a notoriously bad track record in terms of human rights and freedom of the press—including countries like Saudi Arabia, United Arab Emirates, and Bahrain.
Moving Forward to end Spyware Abuse
Numerous lawsuits against NSO Group are still in progress. Should they be found liable for allowing the abuse of its Pegasus spyware, the company would likely make major changes in who can access their product and how it can be used. This could set a standard moving forward for manufacturers and providers of surveillance spyware.
Another avenue is to hit ‘em where it hurts: in the pocketbook. The spyware market is always booming, and draws the attention of major investors including banks and pension funds. Should the industry continue to demonstrate indifference to shocking evidence of such carelessness and disturbing abuse, investors will undoubtedly become more hesitant to associate themselves with the industry.
What does this mean to Canadians?
The average Canadian is unlikely to be targeted by a foreign government but many Canadian companies could find themselves being surveilled by foreign competition. Consult with an IT services specialist if you would like to learn more about your vulnerability to spyware.
If you're interested in locking down your systems from spyware, get in touch with CITI. We'll educate your users and implement a layered defence that will protect every system on your network with anti-spyware solutions.