In a modest effort to disrupt the global spyware market, the United States announced last week that four entities had been added to its blacklist.聽
The US Department of Commerce on November 3 that it would be adding Israeli-based companies NSO Group and Candiru to its entity list 鈥渂ased on evidence that these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics and embassy workers鈥.
Russian company Positive Technologies and the Singapore-based Computer Security Initiative Consultancy also made the list 鈥渂ased on a determination that they traffic in cyber tools used to gain unauthorized access to information systems, threatening the privacy and security of individuals and organizations worldwide鈥.
The move had a measure of approval in Congress. 鈥淭he entity listing signals that the US government is ready to take strong action to stop US exports and investors from engaging with such companies,鈥 came the in a joint statement from House Democrats Tom Malinowski, Anna Eshoo and Joaquin Castro.
This offers mild comfort to students of the private surveillance industry, who have shown it to be governed by traditional capitalist incentive rather than firm political ideology. Steven Feldstein of the Carnegie Endowment鈥檚 Democracy, Conflict, and Governance Program how such entities have actually thrived in liberal democratic states. 鈥淩elevant companies, such as Cellebrite, Fin Fisher, Blue Coat, Hacking Team, Cyberpoint, L3 Technologies, Verint, and NSO group, are headquartered in the most democratic countries in the world, including the United States, Italy, France, Germany, and Israel.鈥
The Digital China and Austin-based Oracle shows how talk about democracy and such ideals are fairly meaningless in such transactions. Digital China is credited with aiding China to develop a surveillance state; software and data analytics company Oracle, despite pledging to 鈥渦phold and respect human rights for all people鈥 was still happy to count Digital China a global 鈥減artner of the year鈥 in 2018. Its software products to aid police in Liaoning province to do, among other things, gather details on financial records, travel information, social media and surveillance camera footage. What鈥檚 bad for human rights is very good for business.
NSO
In its indignant response to the Commerce department鈥檚 blacklisting, NSO how its own 鈥渢echnologies support US national security interests and policies by preventing terrorism and crime鈥, and thus would 鈥渁dvocate for this decision to be reversed鈥.聽 Portraying itself as a card-carrying member of the human rights fraternity, the company claimed to have 鈥渢he world鈥檚 most rigorous compliance and human rights programs that are based [on] the American values we deeply share鈥.聽 Previous contracts with governments had been terminated because they had 鈥渕isused our products鈥.
As NSO has shown on numerous occasions, such strident assertions rarely match the record.聽 In July, an investigation known as the , an initiative of 17 media organisations and groups, reported how 50,000 phone numbers had appeared on a list of hackable targets that had interested a number of governments. The spyware used in question was Pegasus, an NSO creation designed to infect the phone in question and turn it into a surveillance tool for the relevant user.
The range of targets included: human rights activists, business executives, journalists, politicians and government officials. None of this was new to those who have kept an eye on the exploits of the Israeli concern. Its sale of Pegasus has seen it feature from private citizens and companies, such as WhatsApp, keen to rein in its insidious practices.聽
Despite denying any connection, the company will be forever associated with providing the tools to one of its clients, the Kingdom of Saudi Arabia, made by Saudi journalist Jamal Khashoggi and a fellow dissident, Omar Abdulaziz.
Khashoggi was carved to oblivion on the premises of the Saudi consulate in Istanbul, in October 2018, by a hit squad with prints stretching back to Crown Prince Mohammed bin Salman. In a legal suit against NSO, lawyers for Abdulaziz that the hacking of his phone 鈥渃ontributed in a significant manner to the decision to murder Mr Khashoggi鈥. To date, the vicious, petulant modernist royal remains at large, feted by governments the world over as a reformer.
Candiru
While NSO has hogged the limelight on the international spyware market, that other Israeli-based concern, Candiru, has been a hit with government clients. Their products to infecting and monitoring iPhones, Androids, Macs, PCs and cloud accounts.
Those behind this company evidently have a distasteful sense of humour; the original candiru of Amazon River fame is, goes in the Journal of Travel Medicine, 鈥渒nown as a little fish keen on entering the nether regions of people urinating in the Amazon River.鈥 Equipped with spikes, the fish invades and fastens itself within the penis, vagina or rectum, making it a gruesome challenge to remove. However colourful the imaginative accounts of the candiru鈥檚 exploits are 鈥 William S Burroughs鈥 Naked Lunch is merely one 鈥 the Israeli version is far more sinister and deserves consternated worry.
In July this year, the Citizen Lab based at the University of Toronto more than 750 websites that had been influenced by the use of Candiru spyware. 鈥淲e found many domains masquerading as advocacy organizations such as Amnesty International, the Black Lives Matter movement, as well as media companies, and other civil-society themed entities.鈥
The company, founded in 2014, maintains an opaque operations and recruitment structure, reputedly drawing expertise from the Israeli Defence Forces Unit 8200, responsible for code encryption and gathering signals intelligence.
Within two years of its founding, the company in US$30 million in sales, establishing a slew of clients across Europe, states across the former Soviet Union, the Persian Gulf, Asia and Latin America. A labour dispute between a former senior employee and the company shed some light on the company鈥檚 activities, , signed by an unnamed vice president, noting the offering of a 鈥渉igh-end cyber intelligence platform dedicated to infiltrate PC computers, networks, mobile handsets, by using explosions and disseminations operations鈥.
NSO Group鈥檚 reputation, and credentials, are now impossible to ignore. The Israeli government, which grants the export licenses that enable the likes of NSO and Candiru to operate, is splitting hairs. 鈥淣SO is a private company,鈥 Israel鈥檚 Foreign Minister Yair Lapid, 鈥渋t is not a governmental project and therefore even if it is designated, it has nothing to do with the policies of the Israeli government.鈥 In his view, no other country had 鈥渟uch strict rules according to cyber warfare鈥 and was 鈥渋mposing those rules more than Israel鈥 and would 鈥渃ontinue to do so鈥.
No Israeli government is likely to entirely abandon companies that make in the business of offensive cyber. The efforts by governments the world over to attack encrypted communications while trampling human rights en route have become unrelenting. In that quest, it matters little whether you are a citizen journalist, a master criminal, or a terrorist. Those deploying the spyware rarely make such distinctions.
[Binoy Kampmark lectures at RMITUniversity.聽Email: bkampmark@gmail.com.]