Endless Mayfly: an invasive species in the social media ecosystem

Bring up the topic of social media and state-sponsored disinformation, and most people think reflexively of Russian interference in the 2016 U.S. election. As the Mueller report recently affirmed, Russian entities operated a sweeping and systematic social media “active measures” campaign designed to sow division and support Donald Trump leading up to the election.

But what may be less appreciated is just how many other actors in countries and regions all over the world are now undertaking social media influence operations, each with their own unique objectives, flavour, and style. In India, for example, citizens “are bombarded with fake news and divisive propaganda on a near-constant basis from a wide range of sources.” In Myanmar, it is now widely acknowledged that Facebook was used to incite genocide. Throughout Africa, hoaxes, disinformation, and spoofed articles circulate so widely that they are now commonplace; one study found that an alarming 38% of Kenyans, 28% of Nigerians, and 35% of South Africans surveyed acknowledged having shared stories which they knew to be fake.

Indeed, it is fair to say that social media has quickly become what Citizen Lab’s John Scott-Railton has described as a giant “disinformation laboratory.” Multiple actors in just about every region of the world are now experimenting with new techniques to sow disinformation, spread inauthentic narratives, project power and influence, and undermine adversaries. Given this new reality, it is imperative that researchers carefully dissect as many different disinformation operations as can be found to better understand the innovations in tactics, techniques and procedures in this quickly evolving terrain.

Enter “Endless Mayfly.” Endless Mayfly is the name we have given to “an Iran-aligned network of inauthentic personas and social media accounts that spreads falsehoods and amplifies narratives critical of Saudi Arabia, the United States, and Israel.”

Endless Mayfly is but one among many invasive species in the social media ecosystem. What distinguishes it from others, however, is a technique we dubbed “ephemeral disinformation.” Endless Mayfly publishes content on websites they create that impersonate legitimate media outlets, like Le Soir, or the Guardian, using a variety of typosquatting and domain spoofing techniques (e.g., bloomberq[.]com instead of bloomberg[.]com).

Inauthentic personas managed by Endless Mayfly, with names such as “Brian Hayden” or “Mona A. Rahman,” then attempt to amplify the content over social media, by circulating it themselves, or by privately and publicly engaging journalists and others over social media.

But Endless Mayfly’s real innovation comes in the form of its use of ephemerality. Once Endless Mayfly’s carefully constructed content achieves some degree of social media pickup, the spoofed articles are permanently deleted and the links are altered to redirect to the legitimate domain being impersonated.

Click on the link to one of Endless Mayfly’s inauthentic Guardian articles, for example, and after a period of time a user is taken to the legitimate Guardian website instead.

What happened to the original article? “Perhaps it’s the Guardian’s fault?” one might wonder. Who’s to say? In our data-saturated, always-on world, who has the time to find out? Endless Mayfly’s operators appear to be banking on social media users’ short attention spans and our inclination to trust headlines associated with what appear to be credible sources, rather than dig deeper to verify facts from the ground up ourselves.

In total, we found Endless Mayfly created 72 of these fake domains, many of which were used to host 135 of their inauthentic articles. Some of these domains the operators appear to have kept in reserve for future operations, like theglobalandmail[.]org (instead of .com), which was registered by Endless Mayfly but not employed in a specific campaign.
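The typosquatting and TLD-swap tricks described above (bloomberq[.]com for bloomberg[.]com, a .org for a .com) are cheap to detect on the defender's side. The following Python checker is an added example written for this post, not Citizen Lab tooling: it compares candidate domains against a constructed list of legitimate outlets (an assumption; a real deployment would load the newsroom's own list), flags an exact second-level match under a different TLD, and flags second-level labels within a small edit distance of a known outlet. Defanged input such as `bloomberq[.]com` is accepted as written in the post.

```python
"""Flag lookalike news domains (added example; not Citizen Lab code).

Two heuristics: the same second-level label under a different TLD, or a
second-level label within a small edit distance of a known outlet. The
outlet list below is a constructed sample, not a complete list.
"""
from __future__ import annotations

# Constructed sample of legitimate outlets (assumption: the canonical
# domains a newsroom would want to protect).
LEGIT_DOMAINS = {
    "bloomberg.com",
    "theguardian.com",
    "lesoir.be",
    "theglobeandmail.com",
}


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance between two strings."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> tuple[str, str]:
    """Return (second-level label, tld); accepts defanged 'example[.]com'.

    Simplification: the last label is treated as the TLD, so multi-label
    suffixes such as co.uk are not handled specially.
    """
    domain = domain.lower().strip().replace("[.]", ".")
    labels = domain.split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a domain: {domain!r}")
    return labels[-2], labels[-1]


def classify(candidate: str, max_distance: int = 2) -> tuple[str, str | None]:
    """Classify one candidate domain against LEGIT_DOMAINS.

    Returns (verdict, matched_legit_domain) where verdict is one of
    'legitimate', 'tld-swap', 'lookalike' or 'unrelated'.
    """
    sld, tld = split_domain(candidate)
    best: tuple[int, str] | None = None
    for legit in sorted(LEGIT_DOMAINS):
        lsld, ltld = split_domain(legit)
        if sld == lsld:
            # Same registrable label: either the real site or a TLD swap.
            return ("legitimate", legit) if tld == ltld else ("tld-swap", legit)
        d = levenshtein(sld, lsld)
        if best is None or d < best[0]:
            best = (d, legit)
    if best is not None and best[0] <= max_distance:
        return ("lookalike", best[1])
    return ("unrelated", None)


def flag_domains(candidates: list[str]) -> dict[str, tuple[str, str | None]]:
    """Classify every candidate; suitable for a newly-registered-domain feed."""
    return {c: classify(c) for c in candidates}


if __name__ == "__main__":
    for dom, verdict in flag_domains(
        ["bloomberq[.]com", "theglobalandmail[.]org", "bloomberg.com", "example.com"]
    ).items():
        print(f"{dom:28} {verdict[0]:12} {verdict[1] or ''}")
```

The edit-distance threshold is deliberately small: at distance 2 the checker already catches both spoofed names quoted in the post, and raising it much further starts flagging unrelated short labels. In practice this sits behind a newly-registered-domain feed and raises a ticket rather than taking automated action, because a lookalike domain is only evidence of intent until it serves content.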

Did it work? It is difficult to measure whether this technique had much of an impact. Quantitatively, engagement with the links to their various articles, accounts, and personas was modest at best. But on several occasions, Endless Mayfly’s inauthentic content was picked up by mainstream media, creating significant confusion. In one instance, for example, Washington Post columnist Anne Applebaum stumbled upon part of Endless Mayfly’s operation and wrongly attributed it to yet more Russian malfeasance.

In terms of our own attribution, we determine with moderate confidence that Endless Mayfly is linked to Iran. This level of confidence is based on “the overall framing of the campaign, the narratives used, and indicators from overlapping data in other reports.” In terms of the latter, in August 2018 accounts and pages associated with Endless Mayfly were deactivated by Facebook in coordination with FireEye, and FireEye traced back registration information and other indicators to Iranian origins. But beyond that circumstantial evidence, we have no “smoking gun” that proves Endless Mayfly is an operation run by the Iranian state itself.

The technique of ephemerality pioneered by Endless Mayfly presents major challenges to researchers, policymakers, and others hoping to investigate and mitigate disinformation operations. Deliberately hiding one’s tracks in this way makes it harder to pin down, analyze, and trace the origins of a malicious campaign, let alone verify the truth-claims and other content that may be getting social media traction. If it becomes a popular tool in the disinformation toolkit, it could sow serious short-term confusion in social media spaces.

In the end, Endless Mayfly’s biggest accomplishment may not be around its principal objective, which was apparently to undermine Iran’s adversaries. It may have more to do with contributing in yet one more way to the ongoing poisoning of our social media public sphere.

When it comes to cyber security, it is usually the technological layer that gets the most attention, like risks to critical infrastructure and other technical systems. But what about the social and cultural layer? In fact, it may be in this layer where the most intense geopolitical struggles and malicious experimentations are taking place. Given the properties of social media — which as presently constituted favor lewd, salacious, and shocking information — it may also be the layer that is most challenging to defend.

We have no simple remedy to the problems that operations like Endless Mayfly pose, other than to undertake more research, refine our methods, and collaborate with others to better understand the evolving terrain of social media disinformation. To that end, alongside our report, we are publishing a major disinformation research bibliography compiled and annotated by Citizen Lab fellow Gabrielle Lim.

Read the main report here: https://citizenlab.ca/2019/05/burned-after-reading-endless-mayflys-ephemeral-disinformation-campaign

Our annotated bibliography of disinformation research is here: https://citizenlab.ca/wp-content/uploads/2019/05/Disinformation-Bibliography.pdf

Citizen Lab on 60 Minutes

Doing the “60 Minutes Stroll” with correspondent Lesley Stahl

Last week, 60 Minutes broadcast an episode entitled “Pegasus” focusing on the controversies surrounding Israeli-based commercial spyware vendor, NSO Group. The episode profiled Citizen Lab’s work, and featured interviews with myself and my Citizen Lab colleague, Bill Marczak.

My Citizen Lab colleagues and I published an analysis of the episode today, highlighting some revelations and providing some broader context.

Read our post here: https://citizenlab.ca/2019/04/dubious-denials-scripted-spin-spyware-company-nso-group-goes-on-60-minutes/

And in case you missed it, the full episode and transcript are available online here:

https://www.cbsnews.com/news/interview-with-ceo-of-nso-group-israeli-spyware-maker-on-fighting-terror-khashoggi-murder-and-saudi-arabia-60-minutes/


Another Journalist in Mexico a Target of NSO Group’s Spyware


Today, Citizen Lab is publishing a new report, entitled “Reckless VII: Wife of Journalist Slain in Cartel-Linked Killing Targeted with NSO Group Spyware.” This report continues our investigation of the abuse of commercial spyware manufactured by Israeli company NSO Group. Working with our partners in Mexico, we are now able to confirm that Griselda Triana, a journalist and the wife of Javier Valdez, a journalist who was assassinated while investigating Mexican cartels, was herself targeted with fake SMS messages in the days after her husband’s murder. The SMS messages she received in May 2017 purported to reveal details about the motive behind the murder, and other upsetting updates. We were able to connect the links in both messages to domains that we can verify were at the time part of NSO Group’s exploit infrastructure. Although she did not click on the links, doing so would have immediately infected her phone with NSO Group’s Pegasus spyware, providing the operators complete control of her device. Notably, she was targeted a week after two of Javier’s colleagues were also targeted with Pegasus spyware.

The targeting of Griselda Triana brings the total number of confirmed NSO Group targets in Mexico to 25. NSO Group markets its spyware as a tool strictly limited to government agencies to assist in anti-terror and criminal investigations. None of the 25 targets we identified were criminals or terrorists; rather, they were anti-corruption investigators, advocacy groups, health scientists and researchers, investigators into mass disappearances, and journalists.

NSO Spyware in Mexico: Claims vs Reality

It is notable that NSO Group has bragged about how its Pegasus spyware was used in Mexico to investigate drug cartels and was instrumental in the arrest of El Chapo. However, here we find it was used the other way around: to target individuals who were investigating drug cartels and government corruption. These cases add yet more weight to the mountain of evidence that NSO Group’s surveillance technology is being abused by its clients, and the company is either unwilling or unable to perform the type of due diligence to prevent that from happening.

Tackling The Proliferation of Commercial Spyware

What is to be done about the proliferation and harm caused by commercial spyware such as this? Many point to the need for government regulations, such as tighter export controls. But lacking political will, these are unlikely to be properly enforced. As it stands, NSO Group’s sales are reportedly approved by the Israeli Ministry of Defense, and they did not seem to take issue with the company selling its wares to a rogue’s gallery of autocratic rulers in spite of widespread public reporting of abuse.

Litigation is another avenue that might help bring about reform of companies’ practices. For example, NSO Group is currently embroiled in several lawsuits. Should those succeed and the company be fined or otherwise penalized in a significant manner, ownership groups may decide the liabilities are too steep to continue with business as usual. (As a significant aside, several weeks ago two Citizen Lab staff were targeted by undercover operatives reportedly with links to the Israeli-based private intelligence firm Black Cube. We organized a counter-sting with Associated Press to expose the operation. NSO Group strictly denies it hired Black Cube (if indeed it was them), and we have no solid evidence linking them to the operation. However, the operatives asked us about our research on the spyware vendor, and they also attempted to entrap four other individuals around the world, all of whom happen to be linked by their involvement in litigation against NSO.)

Communications with NSO Group

We have communicated several times to NSO Group, its previous majority owner, Francisco Partners, and the new ownership group who is seeking to acquire NSO Group, Novalpina Capital, led by Mr. Stephen Peel. The new group has made public statements espousing principles of corporate social responsibility, and has pledged to steer NSO Group sales according to the UN Guiding Principles of Business and Human Rights. However, they have systematically failed to acknowledge the numerous cases of abuse that we and others, including Amnesty International, have identified. Until they do so, these pledges will sound like the same old empty promises that NSO Group, and other spyware companies, have made in the past about “ethics committees” and other oversight mechanisms that allegedly review sales and prevent abuse. It is long past due to turn words into deeds, to acknowledge the facts and undertake real reform to prevent harm.

Submission of the Citizen Lab to the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression

In 1993, the United Nations Commission on Human Rights established the mandate of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression. The current Special Rapporteur is Mr. David Kaye.

Mr. Kaye recently issued a call for submissions on the topic of the surveillance industry and human rights. The call noted that government and non-governmental actors have increasingly used digital surveillance technologies to undermine human rights and sought information on regulatory frameworks for surveillance technologies, on the use of surveillance technologies against individuals and civil society, and on the policies and practices of private companies in this industry.

Over the years, Citizen Lab research has documented the abusive deployment of spyware manufactured and sold by private companies. Our submission first provides a review of our technical research into the application of sophisticated spyware technology sold by NSO Group Technologies Ltd., Cyberbit Ltd., FinFisher GmbH, and Hacking Team S.r.l (a subset of our research on targeted digital threats). Based on this research, and investigations by other organizations into the spyware industry, we have identified a number of overarching practices of concern within the industry that we believe urgently need to be addressed:

  1. The apparently unchecked sale of spyware to authoritarian and repressive governments with poor human rights records;
  2. The justification of such sales by private companies on the basis that they sell exclusively to sovereign nations and with the sole purpose of clients engaging in lawful use;
  3. A non-transparent business environment which insulates companies in the industry from public scrutiny and effective regulation; and,
  4. Private companies in this industry operating in violation of norms and rights set out in the International Covenant on Civil and Political Rights, the Universal Declaration of Human Rights, and the UN Guiding Principles on Business and Human Rights.

In order to assist the Special Rapporteur, we have also articulated a number of recommendations which we hope will inform the Special Rapporteur’s forthcoming report. These recommendations stress the importance of continued support for research into the spyware industry and the need to identify and define high priority practices of concern within the industry, as well as the broader aims of industry reform. Further, we recommend that the Special Rapporteur issue a report describing a comprehensive accountability framework that considers the effectiveness of, and changes necessary to, all available mechanisms for ensuring accountability (e.g. regulation, litigation, due diligence requirements for companies, and export controls), and call on States to do more to protect human rights in this area, with specific actions that should be taken.

The full report can be found here.

Slain Mexican Journalist’s Colleagues Targeted With NSO Spyware

Photo Source: ContraLínea.com.mx

Javier Valdez Cárdenas was an award-winning Mexican investigative journalist known for his reporting on drug trafficking and organized crime. As with dozens of other investigative journalists in Mexico, Cárdenas’ brave reporting ended up having lethal consequences. On May 15, 2017 around noon, Cárdenas was forcibly removed from his vehicle and gunned down on the street, steps away from the offices of Río Doce, the newspaper he founded.

Our latest Citizen Lab report shows that in the days after his death, two of Cárdenas’ colleagues at Río Doce — Andrés Villarreal and Ismael Bojórquez — each received carefully crafted text messages on their iPhones containing links to highly sophisticated surveillance technology sold by Israeli-based “cyber warfare” company, NSO Group. Had they clicked on the links, the operators of the spyware would have been able to silently take over their devices and monitor everything they do, including intercepting emails and text messages (even those encrypted), turning on the camera, and silently recording audio.

NSO Group claims that they sell their powerful surveillance technology only to governments to be used strictly for legitimate law enforcement and national security investigations, and have a strict oversight mechanism to ensure their technology is not abused. They also claim that they have rescinded sales to clients who are caught abusing their product. (As is customary, we sent NSO Group a letter prior to publication detailing the findings of this report and offering to publish their response in full, but we have received no reply).

Instead, as this latest case and numerous past reports we and others have published show, their technology is being used repeatedly to target members of civil society, including lawyers, health scientists, human rights defenders, activists, and journalists. These two additional targets bring the total number of individuals we (and our Mexican civil society partners R3D, Article19, and Social Tic) have been able to identify who were targeted with NSO Group spyware in Mexico to 24. None of them are either criminals or terrorists by any reasonable, rights-respecting legal standard.

Of particular concern with this latest report is yet more evidence of the abuse of NSO Group spyware to specifically target journalists and those associated with journalists. The targeting of Cárdenas’ colleagues mere days after his assassination suggests the operators were interested in what the journalists knew about who was responsible. Our prior reporting has shown several other Mexican journalists investigating murders or corruption were targeted with NSO Group spyware in much the same way. In one case, the minor child of Mexican journalist Carmen Aristegui was repeatedly sent text messages laden with NSO Group spyware links in an attempt to infect his phone — while he was attending boarding school in the United States.

Beyond Mexico, there is now growing evidence that NSO Group’s spyware was also potentially implicated in the murder of exiled Saudi dissident and Washington Post journalist Jamal Khashoggi. On October 1, 2018, we published a report detailing our discovery that the iPhone of Canadian permanent resident Omar Abdulaziz was infected with NSO Group spyware. Forbes followed up our report showing that London-based Saudi dissident Ghanem Almasarir had his phone targeted by the same Saudi operator we had earlier identified as targeting Omar Abdulaziz. Notably, both Omar Abdulaziz and Ghanem Almasarir were collaborating with Jamal Khashoggi around social media activism, and were reportedly viewed by Saudi Crown Prince Mohammed bin Salman as major threats.

The reckless and abusive use of commercial spyware to target journalists, their associates, and their families adds to the numerous and growing risks that journalists worldwide now face. Media organizations and investigative journalists are valuable “soft” targets who control important information, including information on sources, that threaten powerful actors. Thanks to companies like NSO Group, unscrupulous dictators and autocrats now have a powerful tool to aid in their sinister aims to stifle dissent and quell controversial reporting.

What is to be done? Unfortunately, liberal democratic governments who ostensibly support human rights and could take concerted action against the proliferation of commercial spyware seem unwilling to address the problem squarely. For example, in spite of the Citizen Lab’s discovery of apparent espionage by Saudi Arabia against a Canadian permanent resident using Israeli-made spyware — seemingly a significant violation of Canada’s sovereignty — the Trudeau government has only barely acknowledged our report possibly out of concern to not offend either Israel or Saudi Arabia (with whom Canada has weapons deals). Meanwhile, Donald Trump’s constant maligning of the press as the “enemy of the people,” and his decision to throw Khashoggi under the bus in favour of naked realpolitik calculations, shows clearly where the United States stands.

What about Israel, the sovereign jurisdiction in which NSO Group is headquartered? Earlier this week, Haaretz published a detailed investigation showing NSO Group may have sidestepped Israeli government export controls and negotiated a sale with Saudi Arabia directly. Revelations such as these may trigger greater scrutiny by the Israeli public and official regulators to strengthen export controls that are apparently very lax, if not ineffective altogether. However, in light of the close links between the Israeli government and the surveillance industry, and the strategic benefits that undoubtedly accrue to Israeli decision makers from the export of such technologies, I wouldn’t hold my breath in hope of something happening there either.

But the lack of government action does not mean there are no avenues left for recourse. The growing number of cases of harm caused by the abuse of commercial spyware we and others have documented may provide strong grounds for civil litigation and/or criminal prosecution. Indeed, NSO Group is currently facing two separate lawsuits (one of which was brought by Mexican journalists and activists), and one of its competitors, UK-based Gamma International Ltd, is the subject of another in the United Kingdom.

Should these legal efforts succeed in bringing real costs to bear on owners, they may prove to be the most effective remedy for the abuses of the commercial spyware market.

Until such time, we are now facing a crisis rich in terrible irony: a service marketed to government clients to assist in “cyber security” is quickly becoming one of the greatest sources of widespread insecurity instead.

Saudi-linked Cyber Espionage Against Canadian Victim Discovered

Figure 1: The Royal Embassy of Saudi Arabia to Canada (September 2018; Credit: Ron Deibert)

Today, the Citizen Lab is publishing a major new report, “The Kingdom Came to Canada: How Saudi-Linked Digital Espionage Reached Canadian Soil,” by Bill Marczak, John Scott-Railton, Adam Senft, Bahr Abdul Razzak, and myself.

Our report details how we discovered Canadian permanent resident and Saudi dissident Omar Abdulaziz was targeted with a fake SMS message and his phone infected with spyware manufactured by Israeli-based “Cyber Warfare” company, NSO Group. We attribute this infection to a spyware operator linked to Saudi Arabia.

The research for this report builds on our recently published “Hide and Seek” report, led by the Citizen Lab’s Bill Marczak, in which we detailed the results of more than two years of Internet scanning into NSO Group’s command and control infrastructure. That scanning revealed more than 45 countries in which we found infected devices “phoning home” to NSO Group’s infrastructure, operated by more than 30 likely government clients — many of them with highly problematic human rights issues.

Among those live infections was a particularly noteworthy one: a Saudi-linked operator, which we call KINGDOM, monitoring an infected device in Quebec, Canada. The surveillance of a victim in Canada is particularly intriguing as it takes place in the midst of a serious diplomatic dispute between Canada and Saudi Arabia that was triggered by tweets critical of Saudi Arabia’s human rights record sent by Canadian Foreign Affairs Minister, Chrystia Freeland, and by the official Twitter account of Global Affairs Canada.

Based on Saudi Arabia’s poor human rights track record and its prior history of abuse of spyware (including by the very same KINGDOM operator), we hypothesized that the target in Quebec would be a person or group connected to Saudi political activism. We then reached out to contacts in the Saudi diaspora and human rights communities to try to identify the target. Remarkably, we succeeded.

Omar Abdulaziz is a Canadian university student, and a prominent Saudi activist who sought and received asylum in Canada in 2014 after Saudi Arabia revoked his scholarship for his outspoken criticism of the regime. Omar produces a very popular satirical talk show on YouTube that is followed by millions of viewers. He was also featured prominently in media coverage of the Canada-Saudi dispute, including on CBC’s The Current. During his interview on that show, Omar claimed Saudi authorities had threatened his family to try to discourage him from speaking out.

Earlier this summer, Omar received a fake DHL courier notification via SMS. The message arrived only hours after he placed an order on Amazon. When we met with Omar, we searched back through his SMS messages with his consent against a list of known NSO domains we had gathered, and discovered the fake DHL notification SMS. We were able to confirm that he was, indeed, targeted by the KINGDOM operator and that the SMS he received contained a link to the NSO Group’s “Pegasus” spyware infrastructure.
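The check described above, searching stored SMS messages for links whose hostnames appear on a list of known spyware domains, is a simple indicator match that anyone assisting an at-risk person can reproduce with consent. The Python below is an added example written for this post, not Citizen Lab's tooling: both the message samples and the indicator domains are constructed placeholders (`.invalid` names, so nothing resolves), and a real run would load published indicators and a device's exported message database instead. It extracts every URL from each message, normalizes the hostname, and reports matches on the exact domain or any subdomain of it.

```python
"""Match URLs in stored SMS messages against a domain indicator list.

Added example, not Citizen Lab's tooling. The message samples and the
indicator list are constructed placeholders; a real check would load
published indicators and the device's exported messages instead.
"""
import re
from urllib.parse import urlsplit

# Constructed indicator list: placeholders under .invalid, not real infrastructure.
INDICATOR_DOMAINS = {
    "example-courier-tracking.invalid",
    "news-update.invalid",
}

# Constructed sample messages mimicking the courier-notification lure pattern.
SAMPLE_SMS = [
    {"id": 1, "from": "+15550000001",
     "text": "DHL: your parcel could not be delivered. Reschedule: "
             "http://example-courier-tracking.invalid/track?id=9"},
    {"id": 2, "from": "+15550000002", "text": "Dinner at 7? see you"},
    {"id": 3, "from": "+15550000003",
     "text": "Breaking: details on the case https://news-update.invalid/story/ab12"},
    {"id": 4, "from": "+15550000004",
     "text": "Order confirmation https://www.example.com/orders/123"},
]

# Matches an http(s) URL up to the next whitespace or quote/bracket character.
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def extract_hosts(text: str) -> list[str]:
    """Return the lowercase hostname (port stripped) of every URL in text."""
    hosts = []
    for match in URL_RE.finditer(text):
        host = urlsplit(match.group(0)).hostname  # already lowercased, no port
        if host:
            hosts.append(host)
    return hosts


def matched_indicator(host: str, indicators=INDICATOR_DOMAINS):
    """Return the indicator that host equals or is a subdomain of, else None."""
    for indicator in indicators:
        if host == indicator or host.endswith("." + indicator):
            return indicator
    return None


def scan_messages(messages, indicators=INDICATOR_DOMAINS):
    """Return (message id, host, indicator) for every message carrying an indicator link."""
    hits = []
    for msg in messages:
        for host in extract_hosts(msg["text"]):
            indicator = matched_indicator(host, indicators)
            if indicator:
                hits.append((msg["id"], host, indicator))
    return hits


if __name__ == "__main__":
    for msg_id, host, indicator in scan_messages(SAMPLE_SMS):
        print(f"message {msg_id}: link to {host} matches indicator {indicator}")
```

Matching on subdomains matters because lure links are often served from a host one label below the registered domain; matching on the hostname rather than the raw string avoids misses caused by mixed case, an explicit port, or a path that merely mentions a domain. A hit is a targeting indicator, not proof of infection: as the post notes, whether the link was ever opened is a separate question.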

Further verification that Omar was the victim came from matches we were able to make to his pattern of life. Our scanning showed the infected device moving between two Quebec-based networks at very specific intervals — Vidéotron and RISQ (Réseau d’informations scientifiques du Québec). Omar confirmed that those “check ins” precisely matched his movements between his home wifi network (Vidéotron), and the wifi network to which he connected during a regular evening activity (RISQ).

NSO’s Pegasus spyware is extraordinarily stealthy and invasive. Once a target clicks on a link, the operator has complete surreptitious control over the target’s device. This control includes being able to silently read emails and chat messages, including those that are encrypted, capture ambient sound, and turn on the camera. During the time Omar’s device was infected, several of his family members and friends disappeared in Saudi Arabia. Although we have no way to confirm it, it is certainly possible these disappearances are the direct result of the KINGDOM operator’s surveillance of Omar’s phone.

No doubt, this revelation of Saudi-linked espionage against a Canadian permanent resident will inflame the already tense Canada-Saudi diplomatic dispute. If it does, it will illustrate one major theme of Citizen Lab’s research: that the unregulated commercial spyware market produces costly negative externalities. It is also noteworthy that what we have unearthed may violate several Canadian Criminal Code offences, including willfully intercepting private communications contrary to section 184(1).

It should go without saying that the multiple cases of abuse we have uncovered over several years cast serious doubt on NSO Group’s claims about a “Business Ethics Committee” and other controls they have over their products. While they may treat it frivolously, NSO Group’s accumulating liabilities must be giving its ownership group, US-based investment firm Francisco Partners, serious cause for concern, particularly since the latter has unsuccessfully shopped NSO Group to potential buyers for a reported 1 billion USD. Who wants to buy a company whose services routinely end up being abused, inflaming geopolitical tensions, or implicated in criminal conduct? What potential liabilities do NSO’s reckless sales present for its ownership group?

This case also illustrates yet again another major theme of our research: in the absence of controls to the contrary, powerful surveillance technology sold to governments for anti-terror or criminal investigations will inevitably be used by corrupt and autocratic rulers to target journalists, dissidents, human rights defenders, research scientists, and other members of civil society they deem a “threat.” Like Ahmed Mansoor of the United Arab Emirates and numerous other targets of spyware we have discovered, Omar Abdulaziz is neither a terrorist nor a criminal. His only “crime” is hosting what is the equivalent of The Daily Show for the Gulf region directed at a regime that brooks no dissent.

It is probable the cases we have reported on at Citizen Lab are but a tip of the iceberg. If so, numerous members of civil society are — right now — being unwittingly surveilled and effectively neutralized by their adversaries. Should these espionage attacks against global civil society continue unabated, democracy itself will be at growing risk.

Read the full report here: https://citizenlab.ca/2018/10/the-kingdom-came-to-canada-how-saudi-linked-digital-espionage-reached-canadian-soil/

Watching NSO Group

I am pleased to announce a new Citizen Lab report, authored by Bill Marczak, John Scott-Railton, Sarah McKune, Bahr Abdul Razzak, and myself, entitled “Hide and Seek: Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries.” This report is the latest in a major research area for the Citizen Lab: the proliferation and abuse of commercial spyware.

Commercial spyware is sophisticated surveillance technology sold by companies to governments under the justification of assisting in law enforcement or national security investigations. It typically tricks targets into clicking on links or attachments and then takes advantage of undisclosed and often very valuable software flaws to surreptitiously take control of a target’s device. Once in control, an operator can secretly monitor emails and chats, even those that are protected with encryption, track movements and locations, and record audio and video.

As numerous government agencies have both the resources and a growing appetite for surveillance capabilities, the market for commercial spyware is lucrative and expanding. The company at the centre of our latest report, Israel-based NSO Group, was recently valued at around USD 1 billion.

Naturally, this market is also highly secretive. Spy agencies and the companies that service them do not, as a matter of practice, publicly disclose their contracts or operations. However, even the most sophisticated surveillance operations leave digital traces in the open that careful researchers can discover. One aim of our research is to shed light on what is otherwise opaque principally through structured, peer-reviewed Internet scanning techniques and other technical means we have refined.

The research for our latest report was led once again by Citizen Lab senior fellow Bill Marczak. From August 2016 to August 2018, we scanned the entire Internet on a regular basis for servers associated with NSO Group’s “Pegasus” spyware designed to target iPhones, and found 1,091 IP addresses that matched our fingerprint and 1,014 domain names that pointed to them. Using a novel technique we call Athena as well as a newly designed global DNS Cache Probing method, we were able to identify a total of 45 countries where Pegasus operators (which we group into more than 30 likely government clients) may be conducting surveillance operations.

Among the likely government clients are a number with a highly-problematic track record not only of human rights abuses, but also prior abuse of commercial spyware. This list includes:

  • Bahrain — a country Amnesty International recently described as descending into “a full-blown human rights crisis”;
  • Kazakhstan — a country with a track record of abusing spyware to target journalists and activists critical of the government;  
  • Mexico — a country that was the focus of six separate Citizen Lab reports that exposed government surveillance of research scientists, health advocates, journalists, and international investigators into mass disappearances, including four reports that were the subject of separate front page exclusives in the New York Times in 2017;
  • Morocco — the subject of a 2012 Citizen Lab report on the use of Italy-based Hacking Team’s spyware to target the Moroccan citizen media and journalism project Mamfakinch;
  • Saudi Arabia — a country whose track record Human Rights Watch describes as including “arbitrary arrests, trials, and convictions of peaceful dissidents”;
  • The United Arab Emirates — the country in which we first encountered NSO Group in 2016 when we determined that the UAE had employed NSO Group technology to target the iPhone of award-winning human rights defender Ahmed Mansoor. Mansoor is presently serving a 10-year jail sentence for social media posts critical of the government.

The companies that sell commercial spyware claim they “follow local laws” and export control requirements. That claim is certainly true, but also precisely part of the problem. Some government clients use technology developed by companies like NSO Group not just to investigate what most reasonable people would describe as genuine “criminals” or “terrorists”; our research has shown they also use it to monitor the private communications of activists, human rights defenders, journalists, and other members of civil society. For corrupt or autocratic rulers whose aims are to limit human rights and public accountability, those are “legitimate” targets. This is the type of “local law” that companies like NSO Group follow.

Meanwhile, export controls are weak, flawed, or in some cases non-existent. As a consequence, there is little incentive for the companies to control the abuse of their technology. They reap the private rewards while passing the responsibility on to others. Clearly, as our report shows, NSO Group is either unable or unwilling to prevent the abuse of its technology and did not take any noticeable measures to restrict the use of its powerful surveillance technology even after widespread public reporting on cases where that technology was abused.

On 14 September 2018, I sent a letter on behalf of the Citizen Lab to two NSO Group principals, Mr. Omri Lavie and Mr. Shalev Hulio, notifying them of the details of this report, explaining that we had shared an embargoed copy with journalists, and offering to publish in full any response they wished to communicate on the record.

NSO Group principals responded with initial emails, and a full public statement, which we are posting in full alongside our report.  In part, the statement claims:

“NSO has several times requested a meeting with Citizen Lab so we could present our position and provide additional details on our product. As in the past, Citizen Lab has not responded to our request to meet about this report and published a misleading report.”

I have no record of any such prior requests. More importantly, although I am always willing to listen to and learn from people who are involved in cases that are the subject of our research, I do not believe that a private meeting is a proper substitute for responsible communication on a serious matter of public interest.

The NSO statement also says “NSO Group develops products that are licensed only to legitimate government agencies for the sole purpose of investigating and preventing crime and terror. The company works in full compliance with all applicable laws, including export control laws.” The statement goes on to claim that there is a “Business Ethics Committee” operating at NSO Group “which includes outside experts from various disciplines, including law and foreign relations, [which] reviews and approves each transaction and is authorized to reject agreements or cancel existing agreements where there is a case of improper use.”  However, no comment was made or explanation given about the continued, repeated cases of abuse we have identified in spite of the supposed scrutiny of this committee.

What is to be done, then, about the proliferation and abuse of commercial spyware?

Awareness about these issues is still a very important part of the process. To that end, we at Citizen Lab will certainly continue to refine our methods to allow us to better uncover the continued proliferation and abuse of commercial spyware, and we encourage other research groups to use the methods we have developed to do the same.

Litigation of various sorts may also be an option. It is noteworthy that our report discloses that several of the operators using NSO Group technology are engaged in surveillance across international borders. We have no indication whether the country operators undertaking such cross-border surveillance are doing so with the permission or knowledge of the governments in whose jurisdictions they are spying. However, many countries in which such surveillance is occurring — for example, Canada, the United Kingdom, the United States — have laws that prohibit eavesdropping without a warrant. By facilitating and abetting such cross-border surveillance, NSO Group may be exposed to serious legal risks. Indeed, NSO Group is currently the target of two separate lawsuits alleging illegal spying. These legal risks should certainly cause ownership groups and investors to consider their own liabilities as a result of lax controls. NSO Group is currently owned by US-based investment firm, Francisco Partners.

Lastly, there is the prospect of more effective government oversight concerning the export of commercial spyware. Although the Israeli government has claimed it has strong export controls in this area, our research and other reporting shows clearly there are major gaps. It is ultimately up to Israeli policymakers, and Israeli citizens, to determine whether the continued harms caused by the abuse of commercial spyware that we document warrant new and more stringent export controls. We believe they do.

Digital Security for Whom or What?

With data surrounding us and networked into everything we do, the security of our data, both in transit and while at rest, is an obvious public safety issue. Which makes it puzzling why governments — whose principal job, since at least the time of Thomas Hobbes, is to keep us safe — have repeatedly sought to deliberately weaken the protocols that secure our data.

Figure: GCHQ Network Diagram shows how the agency proposed a system to identify encrypted traffic from its internet cable-tapping programs and decrypt what it could in near-real time. Source: The Guardian

As with much else, the root of this seeming paradox can ultimately be traced to differences in threat paradigms: differences between what are considered to be the principal objects of security (meaning, that which is to be protected). Is it the state, or is it the people? Is it the network within a particular sovereign territorial space, or is it the undifferentiated global network as a whole? A new resource jointly published today by Citizen Lab and CIPPIC will hopefully help unpack these issues.

Generally speaking, government agencies navigate the world through a realist political lens (“realist” in the IR theory sense, à la Thomas Hobbes). From this perspective, the world is divided into territorially-based sovereign states who compete against each other for political advantage. One state’s gain is another’s loss. Through most of modern history, one part of this competition for power involved governments using various forms of cryptography to protect their communications and to hide their machinations from each other while simultaneously racing to find ways to crack each other’s secret codes. (An infamous version of this competition was popularized in the film, The Imitation Game, which told the story of Alan Turing and his Bletchley Park colleagues’ attempts to break Nazi Germany’s Enigma-machine cryptographic algorithms using some of the earliest computing machines.)

While these state-vs-state contests over code may have made sense when the world was neatly divided into territorially-segmented communication spaces, they no longer do. Government agencies that deliberately weaken cryptographic protocols to gain some momentary advantage over their opponents do so at the expense of their own citizens’ security. The reason that they do is that governments, companies, and citizens all over the world increasingly rely on the same communication technologies for everything they do.  

National security concerns are not the only motivation for government agencies to weaken data security. Like intelligence agencies, law enforcement has also sought to keep cryptography contained or deliberately compromised, but for them the principal concern is about being able to investigate criminal behavior. It’s obviously much easier to solve a crime or chase down illegal activity if you can secretly listen in or watch what the criminals are doing. But as is the case as far as national security is concerned, a government agency can only gain such an advantage at the expense of the whole of society. Criminals and law-abiding citizens alike use the same communication systems: weaken them for one and you weaken them for all.

And yet continue to try to weaken them they do.

Time and again, government officials have used national security or lawful access justifications to argue for restrictions or special “back doors” on encryption. Time and again, computer scientists, engineers, and rights activists have argued the opposite case. Not always are the efforts to settle these debates undertaken in the open. One of the most serious revelations coming from the 2013 Edward Snowden disclosures showed that the NSA and its Five Eyes colleagues had surreptitiously foisted a deliberately weakened encryption standard (Dual EC DRBG) on the rest of the world, as part of a secret program codenamed “Bullrun.” Reports from the latest round of the International Organization for Standardization suggest they may still be up to such machinations.

There has been a lot written about these debates from all sides, but not much focusing in particular on the Canadian context. To be sure, it is not for lack of Canadian government agencies trying to influence the space. Canadian law enforcement and intelligence agencies have pushed for weakened encryption, back doors, company cooperation, or some other kind of “compromise” for lawful access as often as other governments do. Canada’s SIGINT agency, CSE, may have also had a hand in the NSA’s subterfuge around the weakened encryption standard mentioned above. Meanwhile, for the Canadian public, the issue is only getting more salient. Many Canadians carry with them devices that feature full-disk, biometric-enabled encryption that only they can unlock. Can government agents compel them to do so when they are detained, arrested, or while crossing a border?

To help Canadians navigate these issues, today the Citizen Lab, in collaboration with CIPPIC, is releasing a report, entitled “Shining a Light on the Encryption Debate: A Canadian Field Guide,” authored by the Citizen Lab’s Lex Gill and Christopher Parsons and CIPPIC’s Tamir Israel. The report provides critical insight and analysis for policymakers, legal professionals, academics, journalists, and advocates who are trying to navigate the complex implications of encryption technology. It is designed to be a “field guide.” The report can be read top-to-bottom, but is also organized so that most sections can be reviewed as self-contained references.

Now more than ever, encryption is vital to preserving and extending human rights. Encryption serves as an important guarantor of freedom of expression, opinion, privacy, anonymity, equality, and even physical safety for ordinary citizens, human rights activists, and journalists. With this latest report, we hope that those involved in encryption debates are better able to understand the full spectrum of issues related to the use and potential misuse of these technologies.

Sweeping the Internet for Netsweeper

Figure 1: Results of our Internet-wide scan for Netsweeper installations (John Scott-Railton)

The LGBTQ news website, “Gay Today,” is blocked in Bahrain; the website for Greenpeace International is blocked in the UAE; a matrimonial dating website is censored in Afghanistan; all of the World Health Organization’s website, including sub-pages about HIV/AIDS information, is blocked in Kuwait; an entire category of websites labeled “Sex Education” is censored in Sudan; in Yemen, an armed faction, the Houthis, orders the country’s main ISP to block regional and news websites.

What’s the common denominator linking these examples of Internet censorship? All of them were undertaken using technology provided by the Canadian company, Netsweeper, Inc.

In a new Citizen Lab report published today, entitled Planet Netsweeper, we map the global proliferation of Netsweeper’s Internet filtering technology to 30 countries. We then focus our analysis on 10 countries with significant human rights, insecurity, or public policy issues in which Netsweeper systems are deployed on large consumer ISPs: Afghanistan, Bahrain, India, Kuwait, Pakistan, Qatar, Somalia, Sudan, UAE, and Yemen. The research was done using a combination of network measurement and in-country testing methods. One method involved scanning every one of the billions of IP addresses on the Internet to search for signatures we have developed for Netsweeper installations (think of it like an x-ray of the Internet).

National-level Internet censorship is a growing norm worldwide. It is also a big business opportunity for companies like Netsweeper. Netsweeper’s Internet filtering service works by dynamically categorizing Internet content, and then providing customers with options to choose categories they wish to block (e.g., “Matrimonial” in Afghanistan and “Sex Education” in Sudan). Customers can also create their own custom lists or add websites to categories of their own choosing.

Netsweeper markets its services to a wide range of clients, from institutions like libraries to large ISPs that control national-level Internet connectivity. Our report highlights problems with the latter, and specifically the problems that arise when Internet filtering services are sold to ISPs in authoritarian regimes, or countries facing insecurity, conflict, human rights abuses, or corruption. In these cases, Netsweeper’s services can easily be abused to help facilitate draconian controls on the public sphere by stifling access to information and freedom of expression.  

While there are a few categories that some might consider non-controversial—e.g., filtering of pornography and spam—there are others that definitely are not. For example, Netsweeper offers a filtering category called “Alternative Lifestyles,” in which it appears mostly legitimate LGBTQ content is targeted for convenient blocking. In our testing, we found this category was selected in the United Arab Emirates and was preventing Internet users from accessing the websites of the Gay & Lesbian Alliance Against Defamation (http://www.glaad.org) and the International Foundation for Gender Education (http://www.ifge.org), among many others. This kind of censorship, facilitated by Netsweeper technology, is part of a larger pattern of systemic discrimination, violence, and other human rights abuses against LGBTQ individuals in many parts of the world.

According to the United Nations Guiding Principles on Business and Human Rights, all companies have responsibilities to evaluate and take measures to mitigate the negative human rights impacts of their services on an ongoing basis. Despite many years of reporting and numerous questions from journalists and academics, Netsweeper still fails to take this obligation seriously.

As is customary for our research, we sent Netsweeper a letter prior to publication notifying them of our key findings, asking a series of questions, and offering to publish in full their response.  On the positive side, this report is the first in which Netsweeper has sent a formal reply. (Their only other prior “communication” with us was a defamation suit filed against me and the University of Toronto in January 2016, and then subsequently withdrawn four months later.)

On the negative side, however, its response lacks detail and makes sweeping, dubious assertions.  Rather than address our questions, Netsweeper (writing through its legal counsel) chose instead to disparage our research. It asserted that “Mr. Diebert’s [sic] analysis and conclusions, as well as representations he has made before Parliament, are alarming for the real absence of any sound technical understanding on how internet providers operate, how information technology companies support online operations, and how online programs function.” The careful methods we used to undertake our research are exceedingly well-detailed in Section 1 of our report, and so we will leave it for knowledgeable readers to draw their own conclusions.

Strangely, Netsweeper also asserts that “The ultimate effect of what Mr. Diebert [sic] and his interests propose would be the full-scale shut down of the internet in multiple jurisdictions worldwide.” In fact, by encouraging more transparency, accountability, and proportionality around Internet censorship, we are aiming to do precisely the opposite.

Our report also suggests Canada could be doing more. It should go without saying that the use of Canadian technology by authoritarian and other regimes to undertake Internet censorship undercuts Canada’s own foreign policy and commitment to human rights. The Trudeau Government has prioritized an international stance that promotes “gender equality,” and yet here we have the services of a Canadian company employed to do the exact opposite on behalf of some of the world’s most illiberal regimes. Worse, both the Government of Canada and some Provincial Government entities have actually facilitated Netsweeper’s exports through grants and other forms of assistance, which we document in the report.

To be more consistent with its own policies and obligations, we suggest the Canadian government could take measures to prevent these types of human rights violations, including tying whatever government support is provided to clear prohibitions against activities that undermine human rights, and effective and ongoing due diligence, public transparency reporting, and other accountability measures. Canada could also strengthen the control of exports for Internet censorship and surveillance services, and focus transparency and accountability efforts on the “dual-use” technology sector through the newly created Canadian Ombudsperson for Responsible Enterprise (CORE).

Access to information is a human right recognized under international law — yet one that many governments defy in practice through extensive Internet censorship. By facilitating these practices, Netsweeper is profiting from the dark curtain being drawn over the Internet for a large number of users around the world.

Introducing QUANTUM-as-a-Service

Imagine that your device could be silently commandeered and used to spy on you simply because you surfed the web. No need for anyone to have possession of it and physically install something. No need to trick you into downloading spyware, clicking on a malicious link, or entering your credentials into a phony login page.  Attackers just wait for you to visit any unencrypted website (http rather than https, that is) and — boom — you’re owned.

Now imagine this capability was commercialized and available for sale to operators all over the world…

Imagine no more.

In a new Citizen Lab report, titled Bad Traffic, we present our discovery of how operators appear to use technology manufactured by a company called Sandvine (formerly Procera) to help deliver exactly this type of nation-state malware in Turkey and Syria. Bizarrely, we also discovered that the same Sandvine technology was configured by operators apparently to commandeer unwitting Internet users in Egypt, but not to spy on them. Instead, there we found user requests appeared to have been manipulated by operators to covertly raise money through online ads and cryptocurrency mining scams.

Known as “packet injection,” and undertaken by Deep Packet Inspection (DPI) devices, the techniques we uncovered at work in Turkey and Egypt are similar to those revealed in the Edward Snowden disclosures, codenamed “QUANTUM.” QUANTUM attacks are considered among the most powerful weapons in the NSA’s (and its Five Eyes allies’) toolkit. One was reportedly employed by the UK’s GCHQ to get inside the computers of Belgium’s largest telco, Belgacom, by redirecting senior Belgacom technicians to fake LinkedIn pages where their computers were silently infected with malware. As the Belgacom operation demonstrates, QUANTUM attacks typically involve two components: a first, where packets are injected into Internet requests; and a second, in which a separate server controlled by the attackers (codenamed FOXACID by the NSA) injects spyware (Figure 1). We found Sandvine PacketLogic devices were being used by operators to perform the first component, with spyware of the operator’s choice (presumably Turkish authorities) involved in the second.

Figure 1: Top Secret NSA Slide QUANTUM INSERT Diagrams

Pulling off a QUANTUM attack is relatively simple if you control the network of a group of users. Computer scientist Nick Weaver demonstrated a QUANTUM attack at our 2015 Citizen Lab Summer Institute. However, to be able to execute QUANTUM attacks at the national scale requires control or cooperation of a major telecommunications provider, something only national governments can practically do.  

In another Snowden disclosure, Canada’s spy agency, CSE, noted in a top-secret presentation that “it’s no lie, quantum is cool,” but then added “it’s easy to find.” Well, maybe for them. For researchers like us, it’s not so easy. Our report is the first case where nation-state spyware injection has been empirically documented “in the wild.” Credit goes to the Citizen Lab’s Bill Marczak, whose remarkable detective work included scanning every one of the billions of IPv4 addresses on the Internet to search for the unique fingerprint he developed for Sandvine’s PacketLogic device. We also verified the fingerprint in a laboratory setting using a second-hand PacketLogic device we purchased. Marczak’s sleuthing identified spyware injection targeting Türk Telekom subscribers in at least five provinces in Turkey, and hundreds of users across the border in Syria who were receiving their Internet access through WiFi connection points leased from Türk Telekom. The same methods helped uncover the Egyptian mass-injection-for-profit scheme, which we have dubbed “AdHose”.
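One publicly known way to spot the first QUANTUM component in captured traffic, added here as an example and not the device-fingerprinting method the report relied on: an injected response races the genuine one, so the client sees the same TCP sequence number carried by two different payloads, while an ordinary retransmission repeats identical bytes. The segments below are constructed, and the duplicate-sequence heuristic and the TTL side-signal are assumptions of this example, not findings from the post.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional

# Added example: an injection-race heuristic over constructed TCP segments.
# The packets below are made up for illustration, not captured traffic.


@dataclass(frozen=True)
class Segment:
    src: str       # server address (server -> client direction only)
    sport: int
    dst: str       # client address
    dport: int
    seq: int       # TCP sequence number of the first payload byte
    ttl: int       # IP time-to-live as seen by the client
    payload: bytes


def http_status(payload: bytes) -> Optional[int]:
    """Return the HTTP status code in a response payload, or None."""
    first_line = payload.split(b"\r\n", 1)[0].split()
    if len(first_line) >= 2 and first_line[0].startswith(b"HTTP/1."):
        try:
            return int(first_line[1])
        except ValueError:
            return None
    return None


def find_injection_candidates(segments: Iterable[Segment]) -> list:
    """Flag server->client sequence numbers that carry two different payloads.

    An on-path injector answers a client's request before the real server
    can, so the client receives two segments claiming the same stream
    position with different contents. A plain retransmission repeats the
    same bytes and is not flagged. The TTLs of the variants are reported as a
    secondary signal: a packet minted by a middlebox on the path usually
    arrives with a different remaining hop count than one from the origin."""
    by_position = defaultdict(list)
    for seg in segments:
        if seg.payload:
            key = (seg.src, seg.sport, seg.dst, seg.dport, seg.seq)
            by_position[key].append(seg)

    findings = []
    for key, group in by_position.items():
        variants = {seg.payload for seg in group}
        if len(variants) < 2:
            continue
        findings.append({
            "server": f"{key[0]}:{key[1]}",
            "client": f"{key[2]}:{key[3]}",
            "seq": key[4],
            "variants": len(variants),
            "ttls": sorted({seg.ttl for seg in group}),
            # a 3xx racing a 200 is the classic redirect-to-payload pattern
            "redirect_seen": any(
                (http_status(p) or 0) // 100 == 3 for p in variants),
        })
    return findings


# Constructed sample: one flow where a genuine 200 response races an injected
# redirect at the same sequence number, and one flow with a harmless
# retransmission that must not be flagged.
SAMPLE_SEGMENTS = [
    Segment("203.0.113.7", 80, "198.51.100.20", 51000, 1000, 52,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>..."),
    Segment("203.0.113.7", 80, "198.51.100.20", 51000, 1000, 58,
            b"HTTP/1.1 302 Found\r\nLocation: http://redirect.invalid/\r\n\r\n"),
    Segment("203.0.113.9", 80, "198.51.100.21", 51001, 5000, 52,
            b"HTTP/1.1 200 OK\r\n\r\nhello"),
    Segment("203.0.113.9", 80, "198.51.100.21", 51001, 5000, 52,
            b"HTTP/1.1 200 OK\r\n\r\nhello"),  # retransmission, same bytes
]

if __name__ == "__main__":
    for finding in find_injection_candidates(SAMPLE_SEGMENTS):
        print(finding)
```

In practice the same grouping is run over server-to-client segments decoded from a pcap; a hit with a redirect racing a 200 is the cue to pull the flow for closer analysis.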

Figure 2: AdHose Packet Injection Diagram 

One imagines that the NSA, GCHQ, and their allies spent many years and considerable scientific and financial resources developing QUANTUM capabilities in house. Today, commercial DPI technology combined with spyware in the ways we have documented allows a government to simply order them up.  With QUANTUM-as-a-Service, many more governments will now be playing in the Five Eyes’ league  — governments like Turkey and Egypt, which Human Rights Watch describes respectively as “the world leader in jailing journalists and media workers,” and “continuing near-absolute impunity for abuses by security forces under the pretext of fighting ‘terrorism.’”

The prospect of QUANTUM capabilities being sold “off-the-shelf” to any government or government-controlled telco should give everyone pause, especially because the type of DPI sold by companies like Sandvine, as presently advertised, falls through the regulatory cracks. It is classic “dual-use” technology, marketed as benign-sounding “quality of service” or “quality of experience” functionality: helping Internet Service Providers manage network traffic, speed up the delivery of videos for higher-paying clients, and block forbidden applications. The 51 member-state, dual-use technology Wassenaar Arrangement targets “IP network communications surveillance” items for export controls, but specifically exempts “quality of service” and “quality of experience” systems. However, as our report shows, Sandvine’s technology (which appears at present to fall under this exemption) can also surreptitiously redirect users to sophisticated spyware, or permit the hijacking of browsers to mine cryptocurrency for profit. Its power is in the hands of the local operator — operators that answer to autocratic rulers like Turkey’s Erdogan or Egypt’s el-Sisi.

It is worth noting that Sandvine is owned by Francisco Partners, the same investment group that also happens to own Israeli spyware vendor NSO Group, another company whose misused services have been the subject of numerous Citizen Lab reports.  In response to our letters to these companies, Sandvine and Francisco Partners both claimed that they have stringent business ethics and other internal checks to prevent abuse of their services. Not good enough checks, it seems.

Until its acquisition by Francisco Partners last year, and its subsequent combination with Procera, Sandvine was headquartered in Waterloo, Canada. At the time of the proposed sale, I argued that the takeover warranted closer scrutiny by the federal government. In light of Citizen Lab’s report, I wonder if anything will be done by relevant authorities in Canada and the United States? Targeted injection of spyware at the nation-state level represents a major public safety risk, and technologies that facilitate such injection should be regulated accordingly.

While we wait for governments to act, there’s more that can be done right now to protect users. Properly encrypting websites by default would certainly frustrate these sorts of attacks. However, Google and Firefox stats show around 20-30% of all websites are still not encrypted by default. That needs to change.

Until such time, keep an eye out for the headers of the websites you visit. If it reads “http” without the “s”, and there’s no little lock icon up in the address bar that says “secure,” you too may be vulnerable to this type of attack.