A Year in the Life of a Phishing Operation

It’s often remarked that digital espionage can be undertaken on the cheap. But just how cheap?

In a new Citizen Lab report released this morning, we give one answer. Taking advantage of simple errors committed by the operator of a phishing operation, we were able to get an “inside view” of just what it takes to mount an effective digital spying job.  

For more than 8 months, we quietly observed as the operator set up phishing lures, registered decoy domains disguised as popular email services, made fake login pages, sent targeted emails to individuals and organizations, and maintained the back-end infrastructure for the entire enterprise.

Total estimated cost: $1,068.00  

Running this operation would require only basic system administration and web development skills, and although it was sloppy in execution, the phishing campaign was nonetheless successful. At least two accounts we tracked were compromised, with contact lists stolen from the victims used to send out more phishing emails to other targets. We suspect there were likely other successful compromises beyond these accounts, based on decoy documents we collected that appear to be private files likely extracted from compromised accounts.

Who was behind it? While we have no evidence linking the individual(s) running it to a specific government agency or other client, there are a number of clues as to its motivation and possible benefactor.  The bulk of activity we observed was focused on Tibetan organizations, and we were able to verify this targeting with the cooperation of individuals and organizations involved in Tibet-related activism who shared with us phishing emails they received from the operator.

But the operator was interested in more than Tibet. Our analysis of decoy documents, phishing pages, and registered domains used in the operation  shows several non-Tibetan themes that suggest there were other targets.  These themes include the Uyghur ethnic minority group, Epoch Times (a media group founded by members of the persecuted religious organization Falun Gong), themes related to Hong Kong, Burma, the Pakistan Army, the Sri Lankan Ministry of Defence, the Thailand Ministry of Justice, and a controversial Chinese billionaire critical of state corruption.  

Add these up and the common denominator uniting them all is that they fall within the strategic interest of the People’s Republic of China. While we have no evidence to show the operator was working on behalf of a specific Chinese government agency, it’s well known that freelancers and security contractors do so on a regular basis. In November 2017, for example, the US Department of Justice indicted three Chinese nationals working at an Internet security firm for digital theft of commercial secrets. (One wonders what it will take to marshal the political will to bring such an indictment against an individual for hacking a human rights organization). Although the indictment didn’t say so, it’s reported that the Internet security firm (Boyusec) is ultimately working on behalf of the Chinese Ministry of State Security. Such arm’s-length relationships are beneficial to the state, which can reap the fruits of espionage while retaining a certain degree of plausible deniability.

The sloppiness of the operator may also be suggestive. Whoever was behind this campaign may have just been amateurs who made mistakes. Or they may also have been operating on the assumption that their actions were, if not condoned by some higher authority, then at least implicitly tolerated. In other words: operational security may be inversely correlated with fear of consequences. And in China there are, at present, very few consequences of running a hacking operation for hire — whether the targets are a foreign company’s intellectual property assets or an NGO’s strategic communications plans. Why worry about operational security if getting caught doesn’t matter?

The case also illustrates yet another important lesson: digital espionage operations will only be as sophisticated and expensive in their execution as what it takes for them to work. Someone is not going to bother spending more time and money than necessary if something “on the cheap” like this setup will do the job just as well.

But there’s a flip side to this lesson, one that we hope individuals and organizations will pick up on in their digital security planning: simple phishing operations can also be simply blunted. The successful compromises would likely have never happened had the individuals and organizations in question implemented two-factor authentication — a security feature that requires a second ‘factor’ (like a code on a mobile phone) to access an account. Unfortunately, two-factor authentication is still far from being widely adopted by users, and is not on by default on almost all popular online platforms.

We need to start thinking of two-factor authentication as the equivalent of a “seat belt” for the Internet: not perfect, but it may help mitigate the impact of a digital crash. Major platform providers should mainstream security features like two-factor authentication into their services to help limit the harm done by inexpensive but effective phishing. And just as with seat belts and automobile manufacturers, if the companies can’t do it themselves, perhaps it’s time that regulators step in and require that it be done.

Read the full report here: Spying on a Budget: Inside a Phishing Operation with Targets in the Tibetan Community.

Also, check out a few of our digital security resources to learn more about two-factor authentication and other ways to protect yourself online at Net Alert and Security Planner.

A close look at the proposed “CSE Act”

The Citizen Lab is releasing a new report today, in collaboration with our partners at the Canadian Internet Policy & Public Interest Clinic (CIPPIC), entitled, “Analysis of the Communications Security Establishment Act and Related Provisions in Bill C-59.”

The 75-page report provides a detailed overview of Canada’s SIGINT agency, the Communications Security Establishment (CSE), an analysis of how the Liberal government’s new proposed national security legislation, Bill C-59, will impact its mandate, operations and oversight, and some recommendations on legislative and other changes.

The report was researched and written by our SIGINT working group at Citizen Lab that includes (along with myself) Christopher Parsons, Lex Gill, and Bill Robinson, and CIPPIC’s Tamir Israel.  

Agencies like CSE are critical to public safety, foreign policy, and national security.  It is essential that they are well-equipped and trained.  However, their extraordinary and far-reaching capabilities and activities present enormous governance challenges for liberal democratic societies.  Much of CSE’s activities are shrouded in secrecy — the most highly classified of any Canadian government agency.   There are obvious good reasons for that secrecy.  But government secrecy without strong independent oversight is a recipe for the abuse of power.

It is important to recognize that CSE does not act alone.  It is part of a large and very powerful global alliance of SIGINT agencies that share data, infrastructure, and personnel.  Among those partnerships the most important is the “Five Eyes” alliance that includes New Zealand, Australia, the United Kingdom and the United States’ massive National Security Agency. These alliances allow Canada to “punch above its weight,” but they can also further obscure CSE’s activities and distance them from proper domestic oversight.

CSE’s expertise is in the area of data collection and analysis — the “signals” of “signals intelligence.” Whereas at one time this expertise was focused on the interception of a relatively narrow band of diplomatic, military, and government communications, today it’s focused on all of society’s communications, all of the time. This broad sweep may be necessary and justifiable to identify threatening “needles in haystacks” that could wreak havoc. But it also raises tremendous and largely unprecedented civil liberties concerns. At a time when we have turned our digital lives inside out, and carry around in our pockets devices that track our movements, social relationships, and habits, agencies like CSE have been granted extraordinary powers to collect and monitor it all. Making sure such agencies are checked with thorough oversight and public accountability measures is critical to liberal democracy.

The proposed Communications Security Establishment Act (“CSE Act”) is a major component of the comprehensive national security reforms proposed by the Trudeau government in Bill C-59. Among the many far-reaching implications of the CSE Act, Bill C-59 would add an entire new “mandate” to CSE to engage in “active cyber operations,” which in other words means granting the CSE authorization to engage in state-sponsored hacking. Although CSE has for many years already engaged in such activities, codifying this mission into law as an entirely new mandate will legitimize and undoubtedly amplify them. The implications of doing so definitely require broad public debate.

Having CSE engage in state-sponsored hacking will (among other things) further the already harmful and opaque practice of hoarding software vulnerabilities as weapons of warfare and intelligence, as opposed to disclosing them to vendors in the interest of public safety; encourage the poorly regulated market for commercial spyware, whose harmful consequences the Citizen Lab has extensively documented; and contribute to the normalization abroad of the already dangerously escalating militarization of cyberspace, including the spread of state-sponsored disinformation campaigns. For a heavily networked country so dependent on global communications, Canadians should seriously debate what is most in our national interest: to contribute to an already escalating arms race in cyberspace, or to be a force for mutual restraint and the control of weapons instead?

Our 75-page analysis raises numerous issues of concern for CSE around Bill C-59, and outlines over 50 recommendations to improve systems of review, oversight, and control of the CSE and to constrain the CSE’s ability to engage in activities that are problematic, abusive, unconstitutional, or in violation of international human rights norms.

Our post and a link to the full report can be found here: https://citizenlab.ca/2017/12/citizen-lab-and-cippic-release-analysis-of-the-communications-security-establishment-act/

Ethiopian Cyber Espionage with Israel-based Commercial Spyware

Citizen Lab has published a new report today in which we uncover a major global cyber espionage campaign targeting numerous individuals in the United States, United Kingdom, Canada, Germany, and more than a dozen other countries.  Strong circumstantial evidence points to Ethiopia, with the surveillance technology supplied by an Israel-based company, Cyberbit Solutions.

WIRED has published an opinion piece I wrote that summarizes the report’s findings and puts them in a larger context, which can be found here.  Reuters also published a good overview here.

The full, very detailed report entitled, “Champing at the Cyberbit: Ethiopian Dissidents Targeted with New Commercial Spyware,” and authored by Citizen Lab’s Bill Marczak, Geoffrey Alexander, Sarah McKune, John Scott-Railton, and myself, can be found here.

Among the report’s notable details: public logfiles located by Citizen Lab’s Bill Marczak allowed us to track Cyberbit employees as they carried infected laptops around the world, apparently providing demonstrations of the spyware to the Royal Thai Army, Uzbekistan’s National Security Service, Zambia’s Financial Intelligence Centre, the Philippine President’s Malacañang Palace, ISS World Europe 2017 in Prague, and Milipol 2017 in Paris. Cyberbit also appears to have provided other demos of PSS in France, Vietnam, Kazakhstan, Rwanda, Serbia, and Nigeria. Bill’s extraordinary detective work here is spectacular. Special shout-out to Geoff Alexander, who did some excellent supportive work reverse engineering malware samples.

A graphic (put together thanks to John Scott Railton, as usual) that shows the locations of these demonstrations can be found here.

The operators also tried to infect Citizen Lab’s lead technical researcher on the project, Bill Marczak, as outlined in this Motherboard piece. As Daily Beast reporter Joseph Cox noted, that’s “one of the dumbest things you can possibly do with your nation-state malware.”

A companion piece (led by Citizen Lab’s Sarah McKune) detailing legal and regulatory issues raised by our report can be found here. Great to see support from Human Rights Watch, who wrote a lengthy post and a letter to Cyberbit.

Citizen Lab Submission to UN SR on Online Violence Against Women

In March 1994, the United Nations Commission on Human Rights appointed a “Special Rapporteur on violence against women, including its causes and consequences”.  The current Special Rapporteur is Dr. Dubravka Šimonović.

Recently,  Dr. Šimonović issued a call for submissions on the topic of “online violence against women” and Citizen Lab decided to make such a submission.

Over the years, Citizen Lab research has touched on many subjects that are relevant to the topic of online violence against women and girls, and we are committed to integrating a gender and diversity based analysis into our work.  As our submission notes, “Citizen Lab research has exposed efforts to target women in digital espionage campaigns, revealed the use of surveillance tools against those seeking justice for slain women’s rights advocates, mapped Internet censorship systems that filter out information related to women’s rights and sexuality, and supported partners in the Global South who study online threats faced by women human rights defenders”.

Based on these experiences, we have become concerned about the ways in which the very real vulnerabilities of women and girls in online and offline spaces are exploited to justify new, expansive, and sometimes unaccountable censorship and surveillance powers. We see little evidence that these powers will mitigate the problems affecting women and other at-risk communities. In fact, sometimes they can actually make matters worse, as in the case of the massive security vulnerabilities we discovered in South Korean child monitoring applications that actually put parents and their minor children at greater risk than had they not used the application in the first place.

In order to assist the UN Special Rapporteur, we make several recommendations which we hope will inform the report she is preparing on the topic, to be presented at the next Human Rights Council in June 2018. These recommendations stress the importance of robust digital security to protect women and girls online; the importance of proper oversight, transparency, and public accountability with respect to sharing of user data and removal of content undertaken by social media and other companies when requested by governments or otherwise; the need for better regulation of the commercial spyware market, the abuses around which include so-called “stalkerware” used by spouses to track their partners; and finally the importance of education, training, and capacity-building so that all stakeholders are more literate in all of the areas above.

The authors of the submission include researchers from the Citizen Lab (Ron Deibert, Lex Gill, Irene Poetranto, Amitpal Singh), Chelsey Legge from the International Human Rights Program at the University of Toronto, and Tamir Israel from the Canadian Internet Policy and Public Interest Clinic.

The full report can be found here.

Canada’s new national security bill: one step forward, two steps back?

Over the last year, the Canadian government has been engaged in extensive public consultations meant to address widespread concerns around C-51 (the anti-terror law implemented by Prime Minister Harper’s government) as well as a range of other national security practices, policies, and oversight and public accountability issues raised by Canadians.  (I participated in some of these consultations and found them to be informative and useful, for the most part).

The outcome of those consultations is new proposed national security legislation, Bill C-59. Bill C-59 is arguably the most comprehensive reform of Canada’s national security laws in decades. While it contains a lot that is positive — particularly in the area of some new forms of oversight and accountability — there is also quite a bit in Bill C-59 that I and many others have found troubling.

Today, a letter is being released, signed by over 40 individuals and organizations, that publicly raises issues with Bill C-59.  Some of my colleagues and I at Citizen Lab — who together are part of an internal working group on signals intelligence — are among the signatories.

To accompany the joint public letter, we have also written a blog post that fleshes out in more detail some of our concerns.   You can read that letter here: https://citizenlab.ca/2017/09/joint-letter-concerning-bill-c-59/

Generally speaking, it is exceedingly difficult for members of the public to hold national security organizations to account.  National security agencies operate in the shadows, and are governed by what can be, at times, confusing and opaque laws, methods, and practices.  Unless you’re a specialist or an insider, it can be frustratingly difficult to know just what is going on that might warrant a citizen’s concern.  In an age when we are effectively turning our digital lives inside out on the one hand, while entrusting to some of these agencies enormous resources, capabilities, and responsibilities on the other, this gap in understanding is a major problem for liberal democracy.

Our internal working group on signals intelligence — myself, Christopher Parsons, Bill Robinson, and Lex Gill — aims to help rectify that confusion.  We are working on a series of outputs and public engagements, of which this is the first, which we hope helps better inform Canadians on these critical issues.

 

Korean Child Monitoring Applications: Insecure by Design

Nearly every day it seems, a friend asks about how to cope with a digital security risk.  Among those with the most acute concerns are parents of minor children, many of whom now carry with them mobile devices.  Parents ask how they can protect their children from inappropriate content, whether their child’s use of their mobile device exposes them to bullying, monitoring, or other threats, and what they can do to mitigate those risks.

These are legitimate concerns for which serious solutions are required.  

Unfortunately, as our new report shows, sometimes good intentions can lead to very bad outcomes — especially when bad public policy is combined with poor software design and engineering.

In April 2015, South Korea became the first country in the world to mandate that all phones registered to individuals under the age of 19 be equipped with monitoring and filtering apps that block content deemed  “harmful.”   At the time, Korea’s telecommunications regulatory body, the Korean Communications Commission (KCC), funded and promoted an app called “Smart Sheriff,” produced by the Korean Mobile Internet Business Association (MOIBA).

Followers of the Citizen Lab may remember that, in collaboration with Cure53, we published a detailed security audit of Smart Sheriff in September 2015 that found the app contained more than 26 serious security vulnerabilities.   We disclosed these vulnerabilities to MOIBA, and eventually Smart Sheriff was withdrawn from the market in November 2015.   

Our latest report, done in collaboration again with Cure53 and our colleagues at OpenNet Korea, analyzes two other  child monitoring applications produced by MOIBA, called Cyber Security Zone and Smart Dream.

To say our findings are disturbing is an understatement.

To our astonishment, our analysis of “Cyber Security Zone” found that it was actually a rebranded version of Smart Sheriff, containing many of the same privacy and security vulnerabilities we identified back in September 2015.   In other words, rather than digest our detailed security audit and start from scratch with proper engineering design principles in mind, MOIBA simply changed the name and slapped on a new logo!

Smart Dream, also produced by MOIBA, is an application that allows concerned parents to monitor their children’s messaging and online history.  What we found is that the application’s poor design actually exposes those children to numerous serious security and privacy risks.

Among the problems we identified:

  • We found both applications were susceptible to a “man-in-the-middle” attack, meaning that someone with access to any network through which the application’s communications pass could easily intercept those communications and acquire passwords, login information, and other sensitive details of children or parents using the apps. To give you a concrete example, this could be someone with malicious intent operating the local cafe’s wifi hotspot next to the child’s school.
  • Both applications were designed with poor encryption, which means they both leak highly sensitive user data, such as phone numbers, device IDs, and dates of birth of children.
  • If an attacker knew the phone number of a user (see above), we found that they could also insert fake content, making it appear that children were visiting websites or sending messages they were not. Imagine the cyber-bullying possibilities of that vulnerability.
  • We found a security vulnerability in Smart Dream that allows an attacker to collect every single text message and search query of every minor child using the application stored on the Smart Dream server.

In short, what we found was that, rather than protecting minor children, both applications actually put minor children, and their parents, at much greater risk than had they not used the applications in the first place.

That MOIBA knew of the security vulnerabilities of Smart Sheriff going back to our 2015 report, and simply pushed out a rebranded version containing the same flaws, is grossly irresponsible.

The fact that the applications were funded by a Korean regulatory body and promoted by a respected Korean industry group only makes matters worse. Concerned Korean parents looking to protect their children and follow a law that makes installation of this type of application mandatory would naturally expect to receive honest and trustworthy advice from such institutions. Unfortunately, they were deeply misled.

We have communicated for weeks with MOIBA about our findings, working with them to ensure that the applications’ problems are fixed. However, given MOIBA’s track record we have no expectation that MOIBA will reform itself and begin undertaking application development with best security practices from the ground up.

We are releasing our report as part of our “NetAlert” series, which includes a cartoon developed by illustrator and designer Jason Li that nicely summarizes the findings and risks and makes recommendations to parents, policymakers, and developers in both English and Korean.  

Parents who are concerned about their children’s safety while using mobile devices may decide to install applications such as these.  If they do, it is critical that they use applications that are thoroughly audited to ensure they conform to secure engineering design principles.   In other words, do not use Smart Dream, Cyber Security Zone, or any other application developed by MOIBA.

Read the report here:   https://netalert.me/safer-without.html

Mexican Surveillance Abuse Continues

We are publishing yet another update to the ongoing investigations Citizen Lab has been conducting, in partnership with R3D, SocialTic, and Article 19, on abuse of commercial spyware in Mexico.  

Our latest report shows that Claudio X. González, director of the Mexican anti-corruption organization Mexicanos Contra la Corrupción y la Impunidad (MCCI), was targeted with SMS messages containing links to the exploit infrastructure of the Israeli spyware company, NSO Group. Had the links been clicked on, González’s phone would have been silently commandeered, allowing the operators to surreptitiously turn on the camera and microphone, read emails and texts (even those that are encrypted), and track his movements.

This most recent case brings to 22 the total number of individuals that we have confirmed as being targeted with NSO Group spyware in Mexico. NSO Group claims it restricts sale of its powerful spyware to government agencies to combat terrorism and track criminals. Our investigations have shown that it has been used instead to target an alarming number of people who are exercising their political rights and / or doing their jobs as lawyers, journalists, and investigators. As for who is responsible, we have no specific evidence. However, leaked documents show the Mexican Attorney General’s office is a client of NSO Group and the President of Mexico has gone on record with the admission that it has purchased NSO Group technology. It is also highly incriminating of the Mexican government that many of the targets we confirmed, including the latest, share a common characteristic: investigations into official Mexican government corruption.

The spyware market is very lucrative and growing, but also replete with abuse. NSO Group’s US-based majority owner, Francisco Partners, was recently reportedly looking to sell partial ownership of NSO Group to another investment firm, Blackstone Group, for $400 million. When we learned of the possible sale, we published an open letter to Blackstone Group informing them of our research on the abuse of NSO Group’s spyware in Mexico and elsewhere, and urging them to exercise due diligence over the company’s behavior should the sale go through. Reports of the deal also attracted critical attention from a range of organizations, including Mexican NGOs involved in investigating NSO, Access Now, and Business and Human Rights. On August 15, 2017, Reuters reported that the Blackstone Group deal had fallen through.

The research on the use of NSO Group in Mexico is led by Citizen Lab senior researcher, John Scott-Railton.  Our ability to positively identify NSO Group’s spyware is based on careful network scanning and reverse engineering, undertaken by Citizen Lab’s Bill Marczak.  Using the technical indicators collected from this research, Scott-Railton engages with local advocacy partners to help identify targets in civil society who are willing to cooperate in the research.  We then compare the domains contained in the links in the SMS messages sent to the targets to known NSO Group infrastructure. Overall, this case is a good example of the general mission of the Citizen Lab, which aims to use mixed methods research to highlight digital security issues that arise out of human rights concerns, and then engage in high-level policy and legal engagement to try to mitigate the problem.
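The comparison step described above can be sketched as follows. This is an added example, not Citizen Lab’s tooling or code from the report; the indicator domains and SMS texts are constructed placeholders, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed placeholders standing in for a list of known
# spyware-infrastructure domains. These are NOT real indicators.
KNOWN_INFRA = {"sms-alerts.example", "unonoticias.example"}

# Constructed sample messages (id, text), as a target might share them.
SAMPLE_SMS = [
    ("sms-001", "Your package is delayed, details: http://SMS-Alerts.example/x7Yq2"),
    ("sms-002", "See the story at https://cdn.unonoticias.example/a/b?id=3."),
    ("sms-003", "Lunch today? Menu at www.cafe.test/menu"),
    # Different registrable domains that a naive substring search
    # for an indicator would wrongly flag:
    ("sms-004", "Reset here: http://sms-alerts.example.login.test/reset"),
    ("sms-005", "http://notsms-alerts.example/"),
]

URL_RE = re.compile(r'\b(?:https?://|www\.)[^\s<>"]+', re.IGNORECASE)


def extract_hosts(sms_text):
    """Return the normalized hostname of every link found in an SMS body."""
    hosts = []
    for raw in URL_RE.findall(sms_text):
        raw = raw.rstrip(".,;:!?)")          # sentence punctuation glued to the link
        if not raw.lower().startswith(("http://", "https://")):
            raw = "http://" + raw            # bare "www." links need a scheme to parse
        try:
            host = urlsplit(raw).hostname    # lowercased, without port or userinfo
        except ValueError:
            continue                         # malformed authority, e.g. bad brackets
        if not host:
            continue
        host = host.rstrip(".")
        try:
            # Compare internationalized names in their ASCII (punycode) form.
            host = host.encode("idna").decode("ascii")
        except UnicodeError:
            pass                             # keep the raw form if it cannot be encoded
        hosts.append(host)
    return hosts


def matches_indicator(host, indicators):
    """Return the indicator that equals `host` or is a parent domain of it."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])     # match on whole labels only
        if candidate in indicators:
            return candidate
    return None


def triage(messages, indicators):
    """List (message id, host, matched indicator) for every linked host that matches."""
    hits = []
    for msg_id, text in messages:
        for host in extract_hosts(text):
            indicator = matches_indicator(host, indicators)
            if indicator:
                hits.append((msg_id, host, indicator))
    return hits


if __name__ == "__main__":
    for msg_id, host, indicator in triage(SAMPLE_SMS, KNOWN_INFRA):
        print(f"{msg_id}: {host} matches indicator {indicator}")
```

Matching on whole DNS labels is what keeps the two look-alike messages out of the results while still catching a subdomain of a listed domain.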

As to how this type of abuse can ultimately be solved, there is no simple remedy.  Companies like NSO Group are not violating any law by selling their technology to countries like Mexico.  And if a corrupt government client chooses to use that technology for abusive purposes, there is little that can be done to prevent it.

But that does not mean the situation is hopeless.  Companies like NSO Group can be encouraged to undertake more responsible “know your customer” practices to prevent abuse of their product. That pressure can come from the countries within which they are domiciled as companies (e.g., Israel) who can pass more strict export control regulations that require NSO Group to undertake due diligence. It can come from ownership groups and investment firms that control the purse strings and who themselves are sensitive to public criticism (as our open letter and the other campaigns described above may demonstrate). It can come from legal action in cases in which local laws are violated, as in the targeting of US citizens we discovered in the Mexico NSO Group case (which would be a violation of the U.S. criminal code).  

However, all the above depends in the first instance on patient, evidence-based research of the sort we are undertaking in collaboration with our Mexican partners.

Read the full report here: https://citizenlab.ca/2017/08/nso-spyware-mexico-corruption/

Yet More Evidence of Gross Misuse of NSO Group Spyware In Mexico

The Citizen Lab’s investigation into the abuse of commercial spyware in Mexico continues with yet more troubling findings. Today, we are releasing a new report that affirms two additional individuals’ phones were targeted with Israel-based NSO Group’s sophisticated Pegasus spyware technology.

As in some of the prior cases we researched, the individuals in question — Karla Micheel Salas and David Peña — are lawyers representing family members of individuals involved in horrific targeted killings.  Specifically, this case concerns the torture and murder in July 2015 of Nadia Vera and Rubén Espinosa, an activist and journalist respectively, alongside three of their acquaintances.  There were also reports of sexual assault and torture against some of the victims prior to the murders.

Vera and Espinosa had been critical of the then governor of the Mexican state of Veracruz, Javier Duarte, and had received numerous threats in the course of their work. Under Duarte’s reign as governor, Veracruz became the most dangerous place in Mexico for journalists, with 17 killed during his term. Facing numerous and ongoing threats, Vera and Espinosa fled Veracruz to Mexico City, hoping the distance would protect them. Unfortunately, they (along with three people present at the scene: Yesenia Quiroz Alfaro, Mile Virginia Martin, and Alejandra Negrete) were brutally murdered.

Protests followed the Mexico City Attorney General’s investigation into the murder, which was widely perceived as inadequate.  The families of the slain individuals contracted Salas and Peña to push for an investigation.  In September and October 2015, Salas and Peña received text messages containing what we confirmed were links to the NSO Group’s exploit infrastructure which, if clicked on, would have silently infected their phones, allowing the operators to surreptitiously track their movements, phone calls, emails, and SMS’s, as well as record their voices and take pictures. (Watch Citizen Lab’s John Scott-Railton describe how NSO’s spyware works in this video).

While part of the story of these cases concerns the brutal environment for journalists in Mexico, the other part concerns the gross abuse of highly sophisticated surveillance technologies sold by companies like NSO Group.

In spite of the fact that Mexico was widely known to be a country struggling with corruption and abuse, and in spite of the well-known targeting of journalists, advocacy groups, lawyers and others using extrajudicial means, NSO Group went ahead and sold its technology to the Mexican government.  Clearly, there is a serious control problem around commercial spyware that needs to be urgently addressed lest such cases continue to mount.  Indeed, as we outline in our latest report, investigative reporting in the context of Panama has revealed that the former president of Panama, Ricardo Martinelli, used $13.5 million worth of NSO Group services to illegally spy on more than 150 opponents, including several U.S. citizens in the U.S. Embassy and in the United States proper.  Panama authorities are seeking to extradite Martinelli from the United States, where he fled from these charges.

One way to prevent such abuses is to encourage ownership groups to exercise greater due diligence over companies like NSO Group.  Over the last several weeks, it has been reported that the US-based investment firm Blackstone Group is exploring partial acquisition of the NSO Group.  Last week, Citizen Lab wrote to Blackstone Group with a detailed list of questions they should consider prior to the sale, as well as others concerning corporate social responsibility measures they should adopt, should the purchase go through. We hope these questions serve as a baseline for an industry that has yet to develop the type of mature due diligence practices as found in mining, oil, textiles, and other industries (however flawed those may still be).

Meanwhile, we fully expect to find more cases of the abuse of NSO Group technology, not just in Mexico but in other jurisdictions, where corrupt public officials with access to their spyware illegitimately turn it on those who present obstacles to their unscrupulous aims.

As before, the Citizen Lab’s research into Mexican surveillance has been led by senior researcher John Scott-Railton, working in close consultation with our partners in Mexico, R3D, SocialTic, and Article 19.

Read the report here: https://citizenlab.ca/2017/08/lawyers-murdered-women-nso-group/

 

Letter to Blackstone Group Regarding Possible Acquisition of NSO Group

For the last year, Citizen Lab has written five separate reports that document extensive abuse of, and a lack of controls around the use of, spyware manufactured by the Israeli cyber warfare company, NSO Group.

These reports are part of a larger interest we have at the Citizen Lab in the lack of controls around the spyware market, from weak or nonexistent export controls of countries in which spyware companies are headquartered, to opaqueness around the market for cyber security, to an absence of due diligence on the part of companies themselves to know their clients.

A growing number of our reports have shown how the products and services of this largely unregulated market end up facilitating abuses in which journalists, human rights defenders, and others end up being targeted by powerful software ostensibly limited to governments to fight terrorists and investigate crime.

In a previous publication, my colleague Sarah McKune and I outlined a checklist of measures that could be taken to rein in the abuse of commercial spyware. As part of that more comprehensive approach, we have suggested that the industry should be encouraged to adopt “voluntary yet genuine accountability frameworks and human rights-oriented policies and practices.”

To that end, we are today sending a letter to the Blackstone Group, an American private equity, asset management, and financial services firm in the process of considering acquiring a large stake in the NSO Group.  

Should Blackstone Group’s acquisition of NSO Group proceed, we hope our letter will encourage them to exercise stronger due diligence over NSO Group’s sales, and help ensure that the company itself better manages the end-uses of its products.

Read the letter here: https://citizenlab.ca/2017/07/open-letter-to-blackstone-possible-nso-acquisition/

PDF here: https://citizenlab.ca/wp-content/uploads/2017/07/Blackstone_open_letter_NSO_group_citizen_lab.pdf

 

A World Without Liu Xiaobo

Liu Xiaobo died of cancer last week.  A veteran of the 1989 Tiananmen Square protests, and one of the authors of the Charter 08 manifesto advocating for democratic reform, Liu was China’s first Nobel Peace Prize winner.

In spite of Liu’s advocacy for non-violent change, Chinese authorities sentenced Liu in 2009 to eleven years’ imprisonment for “inciting subversion of state power.”

Last month, Chinese authorities acknowledged Liu had contracted cancer.  Liu made an appeal to leave the country to receive outside medical treatment, an appeal that was backed by numerous governments, international organizations, and NGOs.  Apparently concerned that Liu would speak out against the regime, Chinese authorities denied the request.  On July 13, 2017 Liu Xiaobo succumbed to cancer.

The passing of Liu Xiaobo is a very sensitive event for the Chinese Communist Party.  The 1989 Tiananmen Square protests grew out of the mourning of the death of another person advocating for greater government transparency and reform, Hu Yaobang.

Concerned that martyrdom around Liu may spur similar collective action, as well as being concerned about saving face, the kneejerk reaction of China’s authorities is to quash all public discussion of Liu, which in today’s world translates into censorship on social media.

In our latest report, entitled “Remembering Liu Xiaobo: Analyzing censorship of the death of Liu Xiaobo on WeChat and Weibo,” we document the full extent of China’s heavy hand.

Our experiments show that the scope of censorship of keywords, images, and search terms related to Liu Xiaobo on two of China’s most popular social media platforms, WeChat and Weibo, has greatly increased since his passing.

Prior to his death, Liu’s name, in combination with a selection of other keywords perhaps related to his illness or political rights, might trigger censorship.  Afterwards, we found that simply including his name alone was enough to trigger blocking of messages.

We also found that images related to Liu, such as those commemorating his passing, were blocked on WeChat after his death, including images shared in one-to-one chats — the first time we have observed that phenomenon.

As with our prior WeChat research, we confirmed that the censorship is undertaken without any notification to the users, and only applies to users with accounts registered to mainland China phone numbers. For example, we show that images of Liu posted to an international user’s WeChat feed were visible to other users abroad, but hidden from users with Chinese accounts.

For Weibo, we analyzed search term blocking and confirmed that the platform maintains a blanket ban on searches for Liu Xiaobo’s name. Indeed, searching just his given name, “Xiaobo”, is enough to trigger censorship in English and both Simplified and Traditional Chinese.

Freedom of speech is the antithesis to one-party rule. Dictators throughout history have forced embarrassing truths into the shadows, typically by imprisoning those who speak them, and have scrubbed dissidents from history books, photographs, and other mass media.

The social media censorship we document in our latest report is but the latest manifestation of this authoritarian tendency, and underscores why careful evidence-based research is so essential to the progress of human rights.

Read the full report here: https://citizenlab.ca/2017/07/analyzing-censorship-of-the-death-of-liu-xiaobo-on-wechat-and-weibo/

The New York Times: https://www.nytimes.com/2017/07/17/world/asia/liu-xiaobo-censor.html

Global Voices: https://globalvoices.org/2017/07/17/censorship-after-death-chinese-netizens-quietly-mourn-nobel-laureate-liu-xiaobo/