For more than a decade, makers of government spyware have defended themselves from criticism by saying that their surveillance technology is intended to be used only against serious criminals and terrorists, and only in limited cases.
The evidence gathered from dozens, if not hundreds of documented instances of spyware abuse all over the world, however, shows that neither of those arguments are true.
Journalists, human rights activists, and politicians have repeatedly been targeted in both repressive regimes and democratic countries. The latest example is a political consultant who works for left-wing politicians in Italy, who came out as the most recently confirmed victim of Paragon spyware in the country.
This latest case shows that spyware is proliferating far beyond the scope of what we have typically considered to be “rare” or “limited” attacks targeting only a few people at a time.
“I think that there is some misunderstanding at the heart of stories about who gets targeted by this kind of government spyware, which is that if you are targeted, you are Public Enemy Number One,” Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation, who has studied spyware for years, told TechCrunch.
“In reality, because targeting is so easy, we have seen governments use surveillance malware to spy on a broad range of people, including relatively minor political opponents, activists, and journalists,” said Galperin.
There are several reasons that explain why spyware often ends up on the devices of people who, in theory, should not be targeted.
The first explanation lies in the way that spyware systems work. Generally, when an intelligence or law enforcement agency purchases spyware from a surveillance vendor — like NSO Group, Paragon, and others — the government customer pays a one-time fee to acquire the technology, and then lower additional fees for future software updates and tech support.
The upfront fee is usually based on the number of targets that the government agency can spy on at any moment in time. The more targets, the higher the price. Previously leaked documents from the now-defunct Hacking Team show that some of its police and government customers could target anywhere from a handful of people to an unlimited number of devices at once.
While some democratic countries typically had fewer targets that they could surveil in one go, it wasn’t uncommon to see countries with questionable human rights records with an extremely high number of concurrent spyware targets.
... continue reading