
Lawmakers Put Pressure on Spyware Vendors


A group of 18 lawmakers is calling on the Biden administration to impose financial sanctions on companies that sell surveillance technology, which has been used by governments to track and target political dissidents, journalists and human rights activists.

A letter published by the group of Democratic lawmakers on Wednesday, addressed to Janet Yellen, Secretary of the Department of Treasury, and Antony Blinken, Secretary of the Department of State, pinpointed several companies “that have enabled human rights abuses” through their sale of surveillance products and services. Of the identified companies, the most well known is Israeli company NSO Group. Multiple reports and investigations have condemned NSO Group for selling spyware called Pegasus, used to hack into the devices of political dissidents, to governments such as Saudi Arabia, the United Arab Emirates, Mexico and Bahrain. One investigation found the spyware was utilized to target the associates and family members of slain Saudi journalist Jamal Khashoggi, for instance.

In a stark reminder of the other companies beyond NSO Group that are operating in the cyber surveillance industry, the group of lawmakers also pointed to DarkMatter, which has been reportedly used by the United Arab Emirates to target activists and journalists; Nexa Technology (formerly known as Amesys), which according to reports by a French publication sold internet monitoring technology to the Egyptian and Libyan governments; and Trovicor, which reportedly provided bulk internet monitoring technology to Bahrain.

“Each of these companies are complicit in human rights abuses enabled through the surveillance technologies and services they sold to their authoritarian foreign government customers,” according to the letter, first reported by Reuters and penned by Ron Wyden (D-Ore.) and Adam Schiff (D-Calif.), among others.

'Enough is Enough'

The call for action comes during a time when technology companies and lawmakers alike are denouncing NSO Group and the broader industry of cyber surveillance technology vendors. Both Apple and Facebook’s WhatsApp division have filed lawsuits against NSO Group, claiming in part that the company gained unauthorized access to their servers. Beyond NSO Group, DarkMatter was hit with a lawsuit by the Electronic Frontier Foundation (EFF) last week on behalf of a Saudi human rights activist who claimed that the group and its former executives illegally hacked her iPhone.

Calls for a crackdown on NSO Group continued after reports in early December revealed the first confirmed cases of Pegasus being used to target American officials. Riana Pfefferkorn, research scholar at the Stanford Internet Observatory, said these recent moves “feel like part of a growing wave” of backlash against the surveillance technology industry.

“It feels like a number of disparate threads are coming together at the same time and putting pressure especially on one or two entities, but I think we’ll see hopefully increased attention to other players within the surveillance technology space, who don’t have the same name recognition as NSO Group but who nevertheless are part of this longstanding market for exploits that are leveraged in ways that harm human rights defenders around the world,” said Pfefferkorn.

In July, several congressmen said “enough is enough” and called on the government to “urgently” establish rules to ensure that hack-for-hire groups only do business with governments “in rule of law states.”

“A lot of this feels like something where we have an administration that wants to rehabilitate the image and usefulness of the State Department in terms of trying to rehabilitate the United States’ image as an upholder of democratic rights and values around the world, so this is one part of that,” said Pfefferkorn.

Financial Sanctions

In October, the Commerce Department highlighted an interim final rule that cracks down on the export of surveillance technologies and hacking tools used for malicious activities, by establishing a license requirement for items “that can be used for malicious cyber activities” being sold to “countries of national security or weapons of mass destruction concern.” In November, the Biden administration added the NSO Group - along with three other organizations - to the Department of Commerce’s Entity List, barring American companies and individuals from doing business with them. However, while export controls restrict the export by U.S. companies of technology to these foreign firms, this has a limited impact on the companies as their developers are located abroad and can search elsewhere for hardware and software used to develop their products.

The proposed financial sanctions would go a step further by clamping down on the U.S.-based investors that these surveillance companies depend on. The state of Oregon, for instance, became a stakeholder in NSO Group after investing $233 million in a private equity firm in 2017, which then acquired a majority share of NSO Group.

Financial sanctions would also specifically target CEOs and senior executives associated with these companies by adding them to the Specially Designated Nationals list, blocking their assets and prohibiting U.S. citizens from conducting business with them.

Several policies exist that enable the U.S. government to leverage sanctions for human rights violations. Lawmakers pointed to the Global Magnitsky Human Rights Accountability Act, enacted by Congress in 2016, which gives the president authority to sanction individuals responsible for violations of human rights; as well as Executive Order 13818, established in 2017, which gives authority to sanction individuals who provide technological support that abuses human rights.

“Each of these companies are complicit in human rights abuses enabled through the surveillance technologies and services they sold to their authoritarian foreign government customers,” said the lawmakers.