For more than a decade, makers of government spyware have defended themselves from criticism by saying that their surveillance technology is intended to be used only against serious criminals and terrorists, and only in limited cases.
The evidence gathered from dozens, if not hundreds of documented instances of spyware abuse all over the world, however, shows that neither of those arguments are true.
Journalists, human rights activists, and politicians have repeatedly been targeted in both repressive regimes and democratic countries. The latest example is a political consultant who works for left-wing politicians in Italy, who came out as the most recently confirmed victim of Paragon spyware in the country.
This latest case shows that spyware is proliferating far beyond the scope of what we have typically considered to be “rare” or “limited” attacks targeting only a few people at a time.
“I think that there is some misunderstanding at the heart of stories about who gets targeted by this kind of government spyware, which is that if you are targeted, you are Public Enemy Number One,” Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation, who has studied spyware for years, told TechCrunch.
“In reality, because targeting is so easy, we have seen governments use surveillance malware to spy on a broad range of people, including relatively minor political opponents, activists, and journalists,” said Galperin.
There are several reasons that explain why spyware often ends up on the devices of people who, in theory, should not be targeted.
The first explanation lies in the way that spyware systems work. Generally, when an intelligence or law enforcement agency purchases spyware from a surveillance vendor — like NSO Group, Paragon, and others — the government customer pays a one-time fee to acquire the technology, and then lower additional fees for future software updates and tech support.
The upfront fee is usually based on the number of targets that the government agency can spy on at any moment in time. The more targets, the higher the price. Previously leaked documents from the now-defunct Hacking Team show that some of its police and government customers could target anywhere from a handful of people to an unlimited number of devices at once.
While some democratic countries typically had fewer targets that they could surveil in one go, it wasn’t uncommon to see countries with questionable human rights records with an extremely high number of concurrent spyware targets.
Giving such a high number of concurrent targets to countries with such strong appetites for surveillance all but guaranteed that the governments would target far more people outside the scope of just criminals and terrorists.
Contact Us
Do you have more information about government spyware? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.
Morocco, the United Arab Emirates (twice), and Saudi Arabia (several times), have all been caught targeting journalists and activists over the years. Security researcher Runa Sandvik, who works with activists and journalists who are at risk of being hacked, curates an ever-expanding list of cases of spyware abuse around the world.
Another reason for the high number of abuses, especially in recent years, is that spyware — such as NSO’s Pegasus or Paragon’s Graphite — makes it extremely easy for government customers to successfully target whoever they want. In practice, those systems are essentially consoles where police or government officials type in a phone number, and the rest happens in the background.
John Scott-Railton, a senior researcher at The Citizen Lab who has investigated spyware companies and their abuses for a decade, said that government spyware carries a “huge abuse temptation” for government customers.
Scott-Railton said spyware “needs to be treated like the threat to democracy and elections that it is.”
The general lack of transparency and accountability has also contributed to governments brazenly using this sophisticated surveillance technology without fear of consequences.
“The fact that we have seen targeting of relatively small fish is particularly concerning because it reflects the relative impunity that the government feels in deploying this exceptionally invasive spyware against opponents,” Galperin told TechCrunch.
In terms of victims getting accountability, there is some good news.
Paragon made a point of very publicly cutting ties with the Italian government earlier this year, arguing that the country’s authorities refused help from the company in investigating abuses allegedly involving its spyware.
NSO Group previously revealed in court that it disconnected 10 government customers in recent years for abusing its spyware technology, although it refused to say which countries. And it’s unclear if those include the Mexican or Saudi government, where there have been countless documented cases of abuse.
On the customer side, countries like Greece and Poland have launched investigations into spyware abuses. The United States, during the Biden administration, targeted some spyware makers such as Cytrox, Intellexa, and NSO Group by imposing sanctions on the companies — and their executives — and putting them on economic blocklists. Also, a group of mostly Western countries led by the U.K. and France are trying to use diplomacy to put the brakes on the spyware market.
It remains to be seen if any of these efforts will curb or limit in any way what is now a global multibillion-dollar market, with companies more than happy to supply advanced spyware to governments with a seemingly endless appetite to spy on pretty much everyone they want to.
