I am disappointed that TikTok executives continue citing the Citizen Lab’s research in their statements to governments as somehow exculpatory. 

I’ve called them out on this in the past, and it’s unfortunate that I have to do it again.

Two years ago we analyzed the TikTok app. Our analysis was restricted to the application, and the kinds of data it collected.  Broadly speaking, we found that it was similar to other social media apps: a vacuum cleaner of personal data. This is not a good thing.

We also highlighted additional concerns, including about latent functionality that could potentially be activated, and noted that TikTok contained some dormant code originally written for Douyn (TikTok’s Chinese counterpart, also owned by ByteDance).

Our analysis was explicit about having no visibility into what happened to user data once it was collected and transmitted back to TikTok’s servers.   Although we had no way to determine whether or not it had happened, we even speculated about possible mechanisms through which the Chinese government might use unconventional techniques to obtain TikTok user data via pressure on ByteDance. 

The conversation about potential privacy and national security concerns with TikTok should serve as a reminder that most social media apps are unacceptably invasive-by-design, treat users as raw material for personal data surveillance, and fall short on transparency about their data sharing practices. This is why comprehensive privacy legislation is desperately needed.

I am very pleased to bring to your attention a new article I have published in the January/February 2023 issue of Foreign Affairs magazine, entitled “The Autocrat in your iPhone: How Mercenary Spyware Threatens Democracy.”

I had three objectives in writing this article:

1. To publish an authoritative article on mercenary spyware. While there is a lot of news about Pegasus and spyware abuses, there was not yet a single up-to-date piece that summarizes the issues surrounding this industry for an international relations and foreign policy audience. My objective was to help fill that gap.
2. To describe how spyware threatens the liberal order. I wanted to explain how this industry is helping to undermine the pillars of the liberal international order — including by disrupting free and fair elections, stifling independent journalism, violating attorney-client privileges, neutralizing independent investigations and oversight bodies, and stifling civil society advocacy. While there is a lot of attention to democratic backsliding and the spread of authoritarian practices, there has been relatively less attention paid to the role the unregulated spyware industry is having in these processes. I wanted to remedy that, by drawing on the numerous case studies on spyware undertaken by the Citizen Lab, our partner organizations, and journalists over the last ten years
3. To outline solutions. Finally, I wanted to point to some ways in which legal and other restraints could help remedy the harms caused by the mercenary spyware industry. Solving this problem is going to be challenging, in particular because many governments are conflicted and benefit by the status quo. But the tide is turning, and governments, the private sector, and civil society are all taking action — hopefully before it is too late.

It is an honour to publish in Foreign Affairs. The journal has had a big impact on my career. I read it closely as an undergraduate, both current issues and the classics (e.g., George Kennan’s famous “X” article, titled “The Sources of Soviet Conduct,” which was published in the July 1947 issue and helped make the case for post-World War II containment strategies). Those articles inspired my interest in international relations and global security, which I ended up pursuing as a profession.

Read the full article here: https://www.foreignaffairs.com/world/autocrat-in-your-iphone-mercenary-spyware-ronald-deibert

 

I published an opinion piece in the Globe and Mail. The link is here and I’m pasting the entire article below.

The pandemic has made us even more dependent on a highly invasive technological ecosystem

RONALD J. DEIBERT

SPECIAL TO THE GLOBE AND MAIL

UPDATED NOVEMBER 20, 2020

Ronald J. Deibert is director of the Citizen Lab at the University of Toronto’s Munk School, the 2020 CBC Massey lecturer and the author of Reset: Reclaiming the Internet for Civil Society.

My son is an undergraduate student at the University of British Columbia. Like many of his peers, he has seen his classes move online – and so have their exams.

Students in his program were recently required to consent to a remote exam invigilation software platform manufactured by a company called Proctorio. As with most tech companies, work-from-home measures and social isolation have been a boon to Proctorio: more than 2.5 million exams were proctored by the company in April, 2020, alone, a stunning 900-per-cent increase compared with April, 2019. Other companies in this space – such as ExamSoft, Examity and ProctorU – are enjoying similar surges in demand.

Once installed on a student’s device, applications like Proctorio can monitor students’ keystrokes, capture and record anything on their screens, track their web browsing, and even turn on cameras and microphones to record students’ faces, their surroundings and ambient sounds for evidence of cheating. Proctorio’s proprietary algorithms flag what it detects as “suspicious behavior” to faculty or teaching assistants (TAs) for follow up.

My son said using Proctorio made him feel “creeped out” and uncomfortable. Who can blame him?

It’s one thing to have a TA strolling up and down the aisles of an exam room. It’s quite another to force students to install spyware that tracks everything from their keystrokes to retina movements, sending that data down a mysterious black hole. Imagine having an omniscient, invisible robot looking over your shoulder, staring into your eyeballs, scrutinizing every movement, and scanning your bedroom – the entire time you’re taking an exam. Who could concentrate in those conditions? And yet, he had no choice: The course makes it mandatory.

As it turns out, my son is relatively fortunate. He is white, male, has a good WiFi connection, has no disabilities and lives alone. Many other students are not so fortunate, and pay a high price for it. As I dug deeper into Proctorio and other remote surveillance exam software platforms like it, I unearthed a litany of horror stories – most of them affecting students that were already disadvantaged or marginalized.

For example, Black students and other students of colour have reported authentication delays and even outright rejection by remote proctoring applications because of “poor lighting” or “camera position.” Flaws in the software’s facial recognition systems – technology that is notoriously bad at recognizing dark skin tones – is the more likely answer.

Students who experience facial tics have reported anxiety about being flagged for cheating, having spent the entire exam trying to suppress involuntary movements. Even those without disabilities have trouble with tools like Proctorio. On social media, students – some in tears – describe failing exams because the software flagged them for mouthing the questions or looking around their room while thinking, behaviour the system interprets as talking to someone offscreen.

Low-income students with shared living spaces and caregivers recount similar feelings of anxiety, worried that they’ll be flagged because of nearby noise. One student did her best to tune out her 12- and eight-year-old siblings banging on the door for the duration of the exam, siblings for whom she is the primary caregiver.

Beyond these discriminatory effects are even more serious concerns. A system that spies on students’ homes and bedrooms will almost certainly amplify risks of stalking and sexual harassment. It would never be appropriate for a professor or TA to roam around a student’s bedroom, but Proctorio and the like invite them in … by design.

Digital proctoring platforms (as with so much else of our big tech world) seem to presume their users are mostly white, affluent people with high-speed internet and free from crowded houses or caregiving responsibilities. They assume that they can protect students from abuse by making users subscribe to its terms and conditions. All assumptions that are proving to be highly questionable.

When it comes to digital technologies and COVID-19, by far the vast majority of discussion has focused on contact-tracing applications. Although important, this narrow focus has obscured more fundamental and far-reaching effects at the intersection of digital technology, surveillance and pandemic response. While we fixate on the merits of this or that app, we’ve been missing out on an entire landscape shifting beneath our feet.

Largely without public debate – and absent any new safeguards – we’ve become even more dependent on a technological ecosystem that is notoriously insecure, poorly regulated, highly invasive and prone to serial abuse. It’s like building a second floor addition on our homes without fixing the rotting infrastructure. Eventually, it will all come crumbling down – or slowly make us sick.

Consider Amazon. The company’s success amid COVID-19 becomes obvious just by staring out the window at the invasion of delivery vans perched on sidewalks and parked in bike lanes, delivering packages to makeshift home offices.

Once a startup reseller of books and DVDs, Amazon has become the corporate embodiment of globalization and surveillance capitalism. With shops and malls mostly shuttered, Amazon’s online services have exploded. Chief executive Jeff Bezos, the world’s richest person, saw his personal wealth grow by US$50-billion in the first six months of the pandemic alone.

But that sudden growth only exacerbates Amazon’s existing pathologies. They include the company’s predatory pricing, monopolistic practices, and dismal labour conditions for its warehouse and delivery personnel. These so-called “flex” workers lack health care or other benefits and are subject to extensive surveillance, including navigation software, wristbands, security and thermal cameras (likely as much for the prevention of union organizing as for “security”). The company is also responsible for the proliferation of Ring, a notorious home security system associated with racial profiling and warrantless data-sharing with law enforcement, as well as its vast, wasteful and highly polluting “data farms” (which power streaming video services such as Prime and Netflix) – graded “F” for energy transparency by Greenpeace in 2017.

Meanwhile, tech startups of all shapes and sizes – often with dubious qualifications – are trying to capitalize on the growing demand for technology to spy on workers at home (dubbed “bossware”), bust unions, enforce productivity, monitor symptoms, police physical distancing, detect emotions and, yes, invigilate exams remotely. This bewildering array of new digital bracelets, electronic ankle monitors, immunity passport apps, fever detection goggles, drones, thermal cameras, and video- and audio-capture systems are not subject to extensive auditing or built to protect privacy. Instead, many are the digital equivalent of “snake oil” looking to make quick cash on the rapidly expanding surveillance economy.

This explosion of pandemic-era applications will invariably amplify the defects of the mobile marketing and location tracking industry – a sector made up mostly of bottom-feeder companies whose business model relies on collecting billions of user-generated data points, later sold and repackaged to advertisers, law enforcement, the military, customs and border agencies, and private security services (not to mention bounty hunters and other dubious characters). A shocking number of entrepreneurs and policy makers are nonetheless turning to this cesspool of parasitic firms – poorly regulated and highly prone to abuses – as a proposed pandemic solution.

The entire ecosystem presents a bonanza for petty criminals, ransomware opportunists, spyware firms and highly sophisticated nation-state spies alike. Meanwhile, law enforcement and other state agencies – already growing accustomed to reaping a harvest of digital data with weak judicial oversight – will enjoy a bounty of new and revealing information about citizens without any new safeguards to prevent abuse of that power.

Some argue that this COVID-19-era innovation cycle will pass once there is a vaccine. But the more we embrace and habituate to these new applications, the deeper their tentacles reach into our everyday lives and the harder it will be to walk it all back. The “new normal” that will emerge after COVID-19 is not a one-off, bespoke contact-tracing app. Rather, it is a world that normalizes remote surveillance tools such as Proctorio, where private homes are transformed into ubiquitously monitored workplaces and where shady biometric startups and data analytics companies feed off the footloose biosurveillance economy.

There undoubtedly are positive aspects of digital technologies. But, as presently constituted, those benefits are far outweighed by the many long-term negative consequences that we are risking without serious public debate, and which will almost certainly come back to haunt us as this “new normal” settles in.

What’s the alternative? A different approach would use the historic crisis that the pandemic presents as an opportunity for a reset and to rethink the entire technological ecosystem from the ground up. For far too long, data surveillance companies have been largely insulated from government regulations. But this has come at a major social cost and with numerous unintended consequences. With digital technologies now a “lifeline” and an essential service for many who must adapt to both working and living at home, consumers and citizens have a right to demand more. What might those demands entail?

First, and most importantly, we need to clean up the cesspool of free-wheeling data broker, advertisement and location-tracking companies. New laws should be passed to give users real power and restrain how tech companies gather, process and handle their personal information. This includes meaningful and easy to understand “opt-in” measures, rules to minimize the type of data collected to specific and justifiable purposes, and better avenues for users to sue companies that transgress those laws. In particular, legislation should permit consumers to restrict the use of geolocation data by third parties, prohibiting targeted advertising to users visiting therapists, clinics and other “none-of-your-business” activities.

Second, the rights of “flex” workers, independent contractors and other “gig economy” workers need meaningful legal protection. Big tech platforms and other businesses should not be able to use COVID-19 as an excuse to spy on workers in warehouses, factories, rental cars and homes, or to clandestinely monitor their social-media feeds to disrupt labour organizing. Big tech CEOs and their shareholders should also be compelled to use the newfound prosperity they are reaping thanks to COVID-19 to improve their employee’s lives. It is both grotesque and unethical that the Jeff Bezoses of the world can lap up skyrocketing personal wealth while their front-line workers experience layoffs, longer hours, fewer benefits, disproportionate health risks and dehumanizing surveillance measures.

Third, tech platforms should be legally required to open up their algorithms and other proprietary technology to outside scrutiny and public interest audits. The giants of surveillance capitalism hold enormous power over our lives, including over the choices we make, the products we purchase, the news we see and the people with whom we associate. These platforms have increasingly become essential to just about everything we do, and they should no longer be able to operate as “black boxes” whose inner workings are obscured to all but a select few. It’s time to pry open the lid of the technologies that surround us.

Lastly, there’s something all of us can do. We’ve all become habituated to seeking technical solutions for complex social and political issues. And while technologies can produce enormous benefits, we’ll need a lot more than a few new gadgets to solve the problems of our time. We must resist the temptation to reflexively look to “apps” and “platforms” when there may be other more traditional and ultimately more enriching ways to organize our lives, respond to social problems and accomplish our goals.

Unlike many other industrial sectors, the tech platforms have emerged from the pandemic stronger and are already positioning themselves as indispensable to public health. It’s time to hold them, and all of us, to account for it.

Bring up the topic of social media and state-sponsored disinformation, and most people think reflexively of Russian interference in the 2016 U.S. election. As the Mueller report recently affirmed, Russian entities operated a sweeping and systematic social media “active measures” campaign designed to sow division and support Donald Trump leading up to the election.

But what may be less appreciated is just how many other actors in countries and regions all over the world are now undertaking social media influence operations, each with their own unique objectives, flavour, and style. In India, for example, citizens “are bombarded with fake news and divisive propaganda on a near-constant basis from a wide range of sources.” In Myanmar, it is now widely acknowledged that Facebook was used to incite genocide. Throughout Africa, hoaxes, disinformation, and spoofed articles circulate so widely that they are now commonplace; one study found that an alarming 38% of Kenyans, 28% of Nigerians, and 35% of South Africans surveyed acknowledged having shared stories which they knew to be fake.

Indeed, it is fair to say that social media has quickly become what Citizen Lab’s John Scott-Railton has described as a giant “disinformation laboratory.” Multiple actors in just about every region of the world are now experimenting with new techniques to sow disinformation, spread inauthentic narratives, project power and influence, and undermine adversaries. Given this new reality, it is imperative that researchers carefully dissect as many different disinformation operations as can be found to better understand the innovations in tactics, techniques and procedures in this quickly evolving terrain.

Enter “Endless Mayfly.” Endless Mayfly is the name we have given to “an Iran-aligned network of inauthentic personas and social media accounts that spreads falsehoods and amplifies narratives critical of Saudi Arabia, the United States, and Israel.”

Endless Mayfly is but one among many invasive species in the social media ecosystem. What distinguishes it from others, however, is a technique we dubbed “ephemeral disinformation.” Endless Mayfly publishes content on websites they create that impersonate legitimate media outlets, like Le Soir, or the Guardian, using a variety of typosquatting and domain spoofing techniques (e.g., bloomberq[.]com instead of bloomberg[.]com).

Inauthentic personas managed by Endless Mayfly, with names such as “Brian Hayden” or “Mona A. Rahman,” then attempt to amplify the content over social media, by circulating them on their own, or by privately and publicly engaging journalists and others over social media.

But Endless Mayfly’s real innovation comes in the form of its use of ephemerality. Once Endless Mayfly’s carefully constructed content achieves some degree of social media pickup, the spoofed articles are permanently deleted and the links are altered to redirect to the legitimate domain being impersonated.

Click on the link to one of Endless Mayfly’s inauthentic Guardian articles, for example, and after a period of time a user is taken to the legitimate Guardian website instead.

What happened to the original article? “Perhaps it’s the Guardian’s fault?” one might wonder. Who’s to say? In our data-saturated, always-on world, who has the time to find out? Endless Mayfly’s operators appear to be banking on social media users’ short attention spans and our inclination to trust headlines associated with what appear to be credible sources, rather than dig deeper to verify facts from the ground up ourselves.

In total, we found Endless Mayfly created 72 of these fake domains, many of which were used to host 135 of their inauthentic articles. Some of these domains the operators appear to have kept in reserve for future operations, like theglobalandmail[.]org (instead of .com), which was registered by Endless Mayfly but not employed in a specific campaign.

Did it work? It is difficult to measure whether this technique had much of an impact. Quantitatively, engagement with the links to their various articles, accounts, and personas was modest at best. But on several occasions, Endless Mayfly’s inauthentic content was picked up by mainstream media, creating significant confusion. In one instance, for example, Washington Post columnist Anne Applebaum stumbled upon part of Endless Mayfly’s operation and wrongly attributed it to yet more Russian malfeasance.

In terms of our own attribution, we determine with moderate confidence that Endless Mayfly is linked to Iran. This level of confidence is based on “the overall framing of the campaign, the narratives used, and indicators from overlapping data in other reports.” In terms of the latter, in August 2018 accounts and pages associated with Endless Mayfly were deactivated by Facebook in coordination with FireEye, and FireEye traced back registration information and other indicators to Iranian origins. But beyond that circumstantial evidence, we have no “smoking gun” that proves Endless Mayfly is an operation run by the Iranian state itself.

The technique of ephemerality pioneered by Endless Mayfly presents major challenges to researchers, policymakers, and others hoping to investigate and mitigate disinformation operations. Deliberately hiding one’s tracks in this way makes it harder to pin down, analyze, and trace the origins of a malicious campaign, let alone verify the truth-claims and other content that may be getting social media traction. If it becomes a popular tool in the disinformation toolkit, it could sow serious short-term confusion in social media spaces.

In the end, Endless Mayfly’s biggest accomplishment may not be around its principal objective, which was apparently to undermine Iran’s adversaries. It may have more to do with contributing in yet one more way to the ongoing poisoning of our social media public sphere.  

When it comes to cyber security, it is usually the technological layer that gets the most attention, like risks to critical infrastructure and other technical systems. But what about the social and cultural layer? In fact, it may be in this layer where the most intense geopolitical struggles and malicious experimentations are taking place. Given the properties of social media — which as presently constituted favor lewd, salacious, and shocking information — it may also be the layer that is most challenging to defend.

We have no simple remedy to the problems that operations like Endless Mayfly poses, other than to undertake more research, refine our methods, and collaborate with others to better understand the evolving terrain of social media disinformation. To that end, alongside our report, we are publishing a major disinformation research bibliography compiled and annotated by Citizen Lab fellow Gabrielle Lim.

Read the main report here: https://citizenlab.ca/2019/05/burned-after-reading-endless-mayflys-ephemeral-disinformation-campaign

Our annotated bibliography of disinformation research is here: https://citizenlab.ca/wp-content/uploads/2019/05/Disinformation-Bibliography.pdf

Doing the “60 Minutes Stroll” with correspondent Lesley Stahl

Last week, 60 Minutes broadcast an episode entitled “Pegasus” focusing on the controversies surrounding Israeli-based commercial spyware vendor, NSO Group. The episode profiled Citizen Lab’s work, and featured interviews with myself and my Citizen Lab colleague, Bill Marczak.

My Citizen Lab colleagues and I published an analysis of the episode today, highlighting some revelations and providing some broader context.

Read our post here: https://citizenlab.ca/2019/04/dubious-denials-scripted-spin-spyware-company-nso-group-goes-on-60-minutes/

And in case you missed it, the full episode and transcript is available online here:

https://www.cbsnews.com/news/interview-with-ceo-of-nso-group-israeli-spyware-maker-on-fighting-terror-khashoggi-murder-and-saudi-arabia-60-minutes/

 

 

Today, Citizen Lab is publishing a new report, entitled “Reckless VII: Wife of Journalist Slain in Cartel-Linked Killing Targeted with NSO Group Spyware.” This report continues our investigation of the abuse of commercial spyware manufactured by Israeli company NSO Group. Working with our partners in Mexico, we are now able to confirm that Griselda Triana, a journalist and the wife of Javier Valdez, a journalist who was assassinated while investigating Mexican cartels, was herself targeted with fake SMS messages in the days after her husband’s murder. The SMS messages she received in May 2017 purported to reveal details about the motive behind the murder, and other upsetting updates. We were able to connect the links in both messages to domains that we can verify were at the time part of NSO Group’s exploit infrastructure. Although she did not click on the links, doing so would have immediately infected her phone with NSO Group’s Pegasus spyware, providing the operators complete control of her device. Notably, she was targeted a week after two of Javier’s colleagues were also targeted with Pegasus spyware.

The targeting of Griselda Triana brings the total number of confirmed NSO Group targets in Mexico to 25. NSO Group markets its spyware as a tool strictly limited to government agencies to assist in anti-terror and criminal investigations. None of the 25 targets we identified were criminals or terrorists; rather, they were anti-corruption investigators, advocacy groups, health scientists and researchers, investigators into mass disappearances, and journalists.

NSO Spyware in Mexico: Claims vs Reality

It is notable that NSO Group has bragged about how its Pegasus spyware was used in Mexico to investigate drug cartels and was instrumental in the arrest of El Chapo. However, here we find it was used the other way around: to target individuals who were investigating drug cartels and government corruption. These cases add yet more weight to the mountain of evidence that NSO Group’s surveillance technology is being abused by its clients, and the company is either unwilling or unable to perform the type of due diligence to prevent that from happening.

Tackling The Proliferation of Commercial Spyware

What is to be done about the proliferation and harm caused by commercial spyware such as this? Many point to the need for government regulations, such as tighter export controls. But lacking political will, these are unlikely to be properly enforced. As it stands, NSO Group’s sales are reportedly approved by the Israeli Ministry of Defense, and they did not seem to take issue with the company selling its wares to a rogue’s gallery of autocratic rulers in spite of widespread public reporting of abuse.

Litigation is another avenue that might help bring about reform of companies’ practices. For example, NSO Group is currently embroiled in several lawsuits. Should those succeed and the company is fined or otherwise penalized in a significant manner, ownership groups may decide the liabilities are too steep to continue with business as usual. (As a significant aside, several weeks ago two Citizen Lab staff were targeted by undercover operatives reportedly with links to the Israeli-based private intelligence firm Black Cube. We organized a counter-sting with Associated Press to expose the operation. NSO Group strictly denies it hired Black Cube (if indeed it was them), and we have no solid evidence linking them to the operation. However, the operatives asked us about our research on the spyware vendor and they also attempted to entrap four other individuals around the world all of whom happen to be linked by their involvement in litigation against NSO.)

Communications with NSO Group

We have communicated several times to NSO Group, its previous majority owner, Francisco Partners, and the new ownership group who is seeking to acquire NSO Group, Novalpina Capital, led by Mr. Stephen Peel. The new group has made public statements espousing principles of corporate social responsibility, and has pledged to steer NSO Group sales according to the UN Guiding Principles of Business and Human Rights. However, they have systematically failed to acknowledge the numerous cases of abuse that we and others, including Amnesty International, have identified. Until they do so, these pledges will sound like the same old empty promises that NSO Group, and other spyware companies, have made in the past about “ethics committees” and other oversight mechanisms that allegedly review sales and prevent abuse. It is long past due to turn words into deeds, to acknowledge the facts and undertake real reform to prevent harm.

Photo Source: ContraLínea.com.mx

Javier Valdez Cárdenas was an award-winning Mexican investigative journalist known for his reporting on drug trafficking and organized crime. As with dozens of other investigative journalists in Mexico, Cárdenas’ brave reporting ended up having lethal consequences. On May 15, 2017 around noon, Cárdenas was forcibly removed from his vehicle and gunned down on the street, steps away from the offices of Río Doce, the newspaper he founded.

Our latest Citizen Lab report shows that in the days after his death, two of Cárdenas’ colleagues at Río Doce — Andrés Villarreal and Ismael Bojórquez — each received carefully crafted text messages on their iPhones containing links to highly sophisticated surveillance technology sold by Israeli-based “cyber warfare” company, NSO Group. Had they clicked on the links, the operators of the spyware would have been able to silently take over their devices and monitor everything they do, including intercepting emails, text messages (even those encrypted), turn on the camera, and silently record audio.

NSO Group claims that they sell their powerful surveillance technology only to governments to be used strictly for legitimate law enforcement and national security investigations, and have a strict oversight mechanism to ensure their technology is not abused. They also claim that they have rescinded sales to clients who are caught abusing their product. (As is customary, we sent NSO Group a letter prior to publication detailing the findings of this report and offering to publish their response in full, but we have received no reply).

Instead, as this latest case and numerous past reports we and others have published show, their technology is being used repeatedly to target members of civil society, including lawyers, health scientists, human rights defenders, activists, and journalists. These two additional targets bring the total number of individuals we (and our Mexican civil society partners R3D, Article19, and Social Tic) have been able to identify who were targeted with NSO Group spyware in Mexico to 24. None of them are either criminals or terrorists by any reasonable, rights-respecting legal standard.

Of particular concern with this latest report is yet more evidence of the abuse of NSO Group spyware to specifically target journalists and those associated with journalists. The targeting of Cárdenas’ colleagues mere days after his assassination suggests the operators were interested in what the journalists knew about who was responsible. Our prior reporting has shown several other Mexican journalists investigating murders or corruption were targeted with NSO Group spyware in much the same way. In one case, the minor child of Mexican journalist Carmen Aristegui was repeatedly sent text messages laden with NSO Group spyware links in an attempt to infect his phone — while he was attending boarding school in the United States.

Beyond Mexico, there is now growing evidence that NSO Group’s spyware was also potentially implicated in the murder of exiled Saudi dissident and Washington Post journalist Jamal Khashoggi. On October 1, 2018, we published a report detailing our discovery that the iPhone of Canadian permanent resident Omar Abdulaziz was infected with NSO Group spyware. Forbes followed up our report showing that London-based Saudi dissident Ghanem Almasarir had his phone targeted by the same Saudi operator we had earlier identified as targeting Omar Abdulaziz. Notably, both Omar Abdulaziz and Ghanem Almasarir were collaborating with Jamal Khashoggi around social media activism, and were reportedly viewed by Saudi Crown Prince Mohammed bin Salman as major threats.

The reckless and abusive use of commercial spyware to target journalists, their associates, and their families adds to the numerous and growing risks that journalists worldwide now face. Media organizations and investigative journalists are valuable “soft” targets who control important information, including information on sources, that threaten powerful actors. Thanks to companies like NSO Group, unscrupulous dictators and autocrats now have a powerful tool to aid in their sinister aims to stifle dissent and quell controversial reporting.

What is to be done? Unfortunately, liberal democratic governments who ostensibly support human rights and could take concerted action against the proliferation of commercial spyware seem unwilling to address the problem squarely. For example, in spite of the Citizen Lab’s discovery of apparent espionage by Saudi Arabia against a Canadian permanent resident using Israeli-made spyware — seemingly a significant violation of Canada’s sovereignty — the Trudeau government has only barely acknowledged our report possibly out of concern to not offend either Israel or Saudi Arabia (with whom Canada has weapons deals). Meanwhile, Donald Trump’s constant maligning of the press as the “enemy of the people,” and his decision to throw Khashoggi under the bus in favour of naked realpolitik calculations, shows clearly where the United States stands.

What about Israel, the sovereign jurisdiction in which NSO Group is headquartered? Earlier this week, Haaretz published a detailed investigation showing NSO Group may have sidestepped Israeli government export controls and negotiated a sale with Saudi Arabia directly. Revelations such as these may trigger greater scrutiny by the Israeli public and official regulators to strengthen export controls that are apparently very lax, if not ineffective altogether. However, in light of the close links between the Israeli government and the surveillance industry, and the strategic benefits that undoubtedly accrue to Israeli decision makers from the export of such technologies, I wouldn’t hold my breath in hope of something happening there either.

But the lack of government action does not mean there are no avenues left for recourse. The growing number of cases of harm caused by the abuse of commercial spyware we and others have documented may provide strong grounds for civil litigation and / or criminal prosecution. Indeed, NSO Group is currently facing two separate lawsuits (one of which was brought by Mexican journalists and activists), and one of its competitors, UK-based Gamma International Ltd, is the subject of another in the United Kingdom.

Should these legal efforts succeed in bringing real costs to bear on owners, they may prove to be the most effective remedy for the abuses of the commercial spyware market.

Until such time, we are now facing a crisis rich in terrible irony: a service marketed to government clients to assist in “cyber security” is quickly becoming one of the greatest sources of widespread insecurity instead.