• In Belgium, the Sky ECC communication network infiltrated by the police
    https://www.lemonde.fr/pixels/article/2021/03/10/en-belgique-le-reseau-de-communication-sky-ecc-infiltre-par-la-police_607256

    The operation, carried out by some 1,600 officers and targeting the users of this software, reputed to be unbreakable, led to the seizure of 17 tonnes of cocaine, weapons, luxury cars, police uniforms and 1.2 million euros. On Tuesday 9 March, the Belgian police carried out what it presents as the largest operation in its history, targeting a "sprawling" criminal milieu that used encrypted phones equipped with software from the company Sky ECC, which operates out of Canada and the (...)

    #cryptage #smartphone #police #criminalité #écoutes #surveillance

    ##criminalité

• Drugs, financial crime, corruption: criminals betrayed by their phones, reputed to be impenetrable
    https://www.rtbf.be/info/societe/detail_operation-de-police-sans-precedent-en-belgique-les-criminels-trahis-par-

    This morning the federal police carried out around 200 searches, some twenty of them reinforced by special units, targeting organised crime in an intervention coordinated at the highest police and judicial level, according to information gathered by RTBF. The operation is the result of intense international cooperation. In Belgium, law enforcement was mobilised across the whole country, with a particularly large deployment around Antwerp, where the port stands as a (...)

    #cryptage #smartphone #criminalité #écoutes #surveillance #PGP #hacking

    ##criminalité

    • Cryptophones are mobile phones reputed to be impenetrable and impossible to wiretap. The protection of communications provided by the use of an encrypted messaging app is reinforced by disabling the device's cameras, microphones, GPS system or USB connectivity. It is also possible to wipe all of the phone's data remotely if it is seized by the authorities.

      In recent years, the police have regularly been confronted with this technology, which is widespread in criminal circles and constitutes a major obstacle to investigations. To defeat the system, judicial police investigators had to deploy cutting-edge technical means and mobilise substantial data-analysis capacity.

      #police

  • Clubhouse Is Recording Your Conversations. That’s Not Even Its Worst Privacy Problem
    https://www.inc.com/jason-aten/clubhouse-is-recording-your-conversations-thats-not-even-its-worst-privacy-prob

    The popular new social media platform is scooping up more data than you might think. Clubhouse was sort of perfectly made for the pandemic. People aren’t going out, and they’re desperately searching for social connections and entertainment. The app provides both in a way, while also capitalizing on the draw of celebrity influencers on the platform. It’s also built on one of the most effective strategies for generating buzz and excitement—scarcity. In order to join Clubhouse, you have to have (...)

    #consentement #données #écoutes #microtargeting #profiling #SocialNetwork #Clubhouse_

• "We need to recover a form of digital hygiene"
    https://le1hebdo.fr/journal/silence-on-vous-surveille/298/article/il-nous-faut-retrouver-une-forme-d-hygine-numrique-3865.html

    What digital traces do we leave every day? They are more and more numerous. The stock image of these "traces" mostly refers to the profile one builds on a social network. There one enters one's name, civil status, age, profession, tastes... But this personal data is only the most visible, most obvious side of digital tracing. What we perhaps grasp less is the transformation of all our small daily actions into signals (...)

    #Airbus #Clearview #Datakalab #DGSI #Google #In-Q-Tel #Microsoft #Palantir #Ring #CIA #FBI #Amazon #Facebook #Gmail #ProtonMail #algorithme #Alexa #CCTV #domotique #InternetOfThings #Navigo #Siri #technologisme #vidéo-surveillance #COVID-19 #écoutes (...)

    ##santé ##surveillance ##CNIL ##LaQuadratureduNet

  • FBI Seized Congressional Cellphone Records Related to Capitol Attack
    https://theintercept.com/2021/02/22/capitol-riot-fbi-cellphone-records

    The inclusion of congressional phone data in the FBI investigation raises thorny constitutional questions. Within hours of the storming of the Capitol on January 6, the FBI began securing thousands of phone and electronic records connected to people at the scene of the rioting — including some related to members of Congress, raising potentially thorny legal questions. Using special emergency powers and other measures, the FBI has collected reams of private cellphone data and communications (...)

    #FBI #élections #écoutes #extrême-droite #surveillance

  • Amazon’s Data Dragnet
    https://www.techtransparencyproject.org/articles/amazons-data-dragnet

    Amazon is expanding into every corner of people’s lives with its growing list of products and services. That’s allowing it to collect far more data about its users than many people realize. Facebook, Google, and Twitter have faced hard questions about the data they collect on their users and what they do with that information. Often lost in this justifiable alarm over online privacy, however, is a platform that knows a staggering amount about its customers’ home lives, spending habits, and (...)

    #WholeFoods #Amazon #Ring #AmazonWebServices-AWS #AmazonsPrime #algorithme #Alexa #cookies #domotique #Echo #InternetOfThings #Kindle #famille #géolocalisation #domination #données #émotions #BigData #CloudComputing #domicile #écoutes #finance (...)

    ##surveillance ##publicité ##voisinage ##voix ##consommation

• Privacy: two thirds of received emails reportedly contain a "spy pixel"
    https://www.nextinpact.com/lebrief/46114/vie-privee-deux-tiers-emails-recus-contiendraient-pixel-espion

    That is the result of an analysis the BBC requested from the company Hey, which, as a reminder, provides a messaging service that wants to "reinvent email". The spy pixel, often also called an "invisible pixel", is common practice in the advertising world, since simply displaying it provides a wealth of information. In an email in web format, it sends back valuable data, such as the type of device used and its main characteristics, the location, more (...)

    #BritishAirways #HSBC #TalkTalk #Tesco #Unilever #Vodafone #écoutes #surveillance

• ‘Spy pixels in emails have become endemic’
    https://www.bbc.com/news/technology-56071437

    The use of “invisible” tracking tech in emails is now “endemic”, according to a messaging service that analysed its traffic at the BBC’s request. Hey’s review indicated that two-thirds of emails sent to its users’ personal accounts contained a “spy pixel”, even after excluding for spam. Its makers said that many of the largest brands used email pixels, with the exception of the “big tech” firms. Defenders of the trackers say they are a commonplace marketing tactic. And several of the (...)

    #géolocalisation #écoutes #surveillance

  • How Oracle Sells Repression in China
    https://theintercept.com/2021/02/18/oracle-china-police-surveillance

    In its bid for TikTok, Oracle was supposed to prevent data from being passed to Chinese police. Instead, it’s been marketing its own software for their surveillance work. Police in China’s Liaoning province were sitting on mounds of data collected through invasive means: financial records, travel information, vehicle registrations, social media, and surveillance camera footage. To make sense of it all, they needed sophisticated analytic software. Enter American business computing giant (...)

    #Oracle #TikTok #BigData #Walmart #surveillance #HumanRightsWatch #géolocalisation #prédiction #écoutes #Microsoft #Palantir #Amazon #IBM #Predpol #DataBrokers #Huawei (...)

    ##ZTE

  • L’Évasion d’un guérillero
    Écrire la violence

    Ernest London

    https://lavoiedujaguar.net/L-Evasion-d-un-guerillero-Ecrire-la-violence

    A militant of the Popular Revolutionary Army (EPR), Andrés Tzompaxtle Tecpile, known as Rafael, was kidnapped, detained and tortured by the Mexican army in 1996. Through a polyphonic narrative, the fruit of long field investigation, the American journalist John Gibler reveals the counter-insurgency strategy of the Mexican state. He also questions the process of writing, its relationship to a supposed objectivity, to biases, and the violence it imposes in seeking to bear witness. Adapting a Zapatista watchword, he defends the form of a writing that listens (escribir escuchando). "This book seeks to use a colonial weapon, writing, to fight colonial violence."

    Drawing mainly on thirty hours of interviews with Andrés Tzompaxtle Tecpile, but also on the accounts of the journalists who witnessed his abduction, of a social worker and of a lawyer, both members of a human rights association, and on the press articles published about the case, he delivers a polyphonic account, notably of the detention, of the torture sessions inflicted over four months, and of his incredible escape, which has been the object of much suspicion. His childhood in an indigenous Nahua community of the Sierra de Zongolica (Veracruz) is also recounted, steeped in a permanent sense of injustice that drove him to join the guerrilla. "The violence, at once ontological and bodily, of the invasion is engraved in what we today call the State, the law, the economy. The massacre of the massacred is perpetuated by justifying it with this thing called law." (...)

    #Mexique #guérilla #John_Gibler #écriture #écoute #violence #torture #guerre_sale #droit #État

  • Clouds gather over Google’s Saudi deal
    https://www.codastory.com/authoritarian-tech/saudi-arabia-google-cloud

    Saudi dissidents accuse the tech giant of bolstering a brutal dictatorship with its plan to provide cloud computing in the kingdom Ten days before Joe Biden’s inauguration, Abdullah Alaoudh was at his home in Washington, D.C. catching up with emails, when a warning banner flashed up on his screen. “Google may have detected government-backed attackers trying to steal your password,” read the text, advising him to tighten his online security. Though the Google alert did not name names, Alaoudh (...)

    #Google #activisme #CloudComputing #surveillance #écoutes

  • Smart TVs like Samsung, LG and Roku are tracking everything we watch
    https://www.washingtonpost.com/technology/2019/09/18/you-watch-tv-your-tv-watches-back/?campaign_id=158&emc=edit_ot_20210125&instance_id=26381&nl=on-tech-w

    In our latest privacy experiment, we tracked how four of the most popular TV brands record everything we watch. Wrapped in a Snuggie, I like to binge on reruns of “The Golden Girls” all by myself. Except I’m not really alone. Once every few minutes, my TV beams out a report about what’s on my screen to Samsung, the company that made it. Chances are, your TV is watching you, too, through a few nosy pixels on the screen. Ever wondered why TV sets are getting so cheap? Manufacturing efficiency (...)

    #Roku #Samsung #LG #TV #consommation #écoutes #marketing #profiling #surveillance (...)

    ##Vizio

• "I went off the rails at every level": the confessions of "Haurus", former DGSI police officer - Le Parisien
    https://www.leparisien.fr/faits-divers/j-ai-derape-a-tous-les-niveaux-les-confessions-d-un-ex-policier-de-la-dgs

    His job as a #contre-terrorisme investigator accustomed him to staying in the shadows. But two years after his arrest, Cédric D., alias "Haurus", has agreed to recount for the first time his descent at the heart of one of the most prestigious #police services: the Direction générale de la sécurité intérieure (#DGSI). Suspected of having sold confidential information drawn from police files on the Darknet, this disgraced 34-year-old brigadier will soon stand trial: on 18 December the Nanterre public prosecutor personally requested that he be sent before the criminal court.

    [...]

    One can make telephony say anything in an investigation, and present it as irrefutable proof. I decided to write this book by popularising my experience of how investigations work: itemised bills, wiretaps, #géolocalisations ...

    (...) The former officer has just self-published a book ["Investigations et téléphonie mobile", self-published, 183 pages, 22.90 euros] that is likely to get people talking in the police: in it he gives the keys to understanding police investigation techniques in #téléphonie: #fadettes, #écoutes, #Imsi_Catcher, #messageries_chiffrées...

    #preuve #PNIJ (plateforme nationale des interceptions judiciaires) #magistrats

• How an employee's private Facebook posts served as evidence for her dismissal
    https://www.europe1.fr/societe/comment-des-posts-facebook-prives-dune-salariee-ont-servi-de-preuves-pour-so

    In a recent decision, the Court of Cassation validated the use of private posts published on a Facebook account as evidence in the dismissal for serious misconduct of an employee of the clothing brand Petit Bateau. Europe 1 unpacks what is at stake in this court decision. Many employees are very active on social networks such as Instagram, Facebook or Twitter. However, few may be aware that the posts published on their Facebook account (...)

    #Facebook #procès #copyright #écoutes #surveillance #travail

    • In this case, the information communicated is of a professional nature and the aim is to protect the company's creations, which lie at the heart of the freedom to conduct business. The infringement of privacy seems acceptable. But other situations will arise where the information will itself be of a private nature (one thinks, for example, of information relating to health or to trade-union activity) and where the employer's interest will be legitimate but lesser (somewhat like the litigation over proof of the number of members of a union branch: an employee's membership of a union falls within his personal life and cannot be disclosed without his consent; absent such consent, a union that intends to create or demonstrate the existence of a branch in a company, when its presence there is disputed, cannot produce or be compelled to produce a list naming its members, Soc. 9 July 2009, no. 09-60.011).

      The solution could then be different depending on the arguments at hand! Nothing is set in stone! That is the whole point of the #proportionnalité game.
      https://actu.dalloz-etudiant.fr/a-la-une/article/publication-sur-facebook-mefiez-vous-de-vos-amis/h/71a87d5dc3b88bd8799a47cae752fa6c.html

      Verhältnismäßigkeit in German; it is often around this vague legal notion that things are decided. All the way up to the ECB.
      https://www.monde-diplomatique.fr/2020/06/LORDON/61886

      2/ The judicial precedents.
      The ruling of 30 September 2020 is unprecedented in that, for the first time, the Court of Cassation allows an employer to rely on information extracted from a private Facebook account in support of an employee's dismissal.

      Without denying the resulting infringement of privacy, the Court considers that the employer's legitimate interest may justify such a breach, provided that:
      – the evidence was gathered fairly;
      – the infringement of privacy is proportionate to the aim pursued by the employer;
      – the production of the evidence is indispensable to the exercise of the right to evidence.

      In a ruling of 12 September 2018 (no. 16-11.690), the social chamber of the Court of Cassation had held that disputed remarks posted on Facebook, accessible only "to a small number of persons approved by an employee" (a closed group of 14 people), amounted to a conversation of a private nature that did not constitute serious misconduct.

      In that case, the employee had been dismissed for having joined a Facebook group entitled "extermination of pain-in-the-neck female managers".

      It will be interesting to see whether the Court of Cassation intends to maintain this case law, which seems much more protective of employees' interests.

      Previously, the Court had been called upon to rule on whether an employer could consult an employee's Facebook page.

      In that ruling, it had held that an employer unfairly and disproportionately infringes an employee's privacy by accessing the content of his Facebook account without authorisation, by means of another employee's work mobile phone.

      In that case, the employer, looking for evidence in the context of an employment-tribunal dispute, had downloaded information from the Facebook account of an employee who was a party to the dispute, using another employee's work mobile phone, the two being Facebook contacts.

      The employer had then been ordered by the Aix-en-Provence Court of Appeal to pay damages to the employee in compensation for the infringement of her privacy.

      The Court of Cassation had dismissed the employer's appeal, in these terms:

      "Having noted that the bailiff's report [drawn up at the company's request] reproduced information extracted from the employee's Facebook account, obtained from another employee's mobile phone, information reserved for authorised persons, the Court of Appeal was entitled to conclude that the employer could not access it without disproportionately and unfairly infringing the employee's privacy; the ground of appeal is therefore unfounded".

      Thus the Court was already using the two criteria taken up in the ruling of 30 September 2020: whether or not the infringement of privacy is proportionate, and whether or not the evidence thus obtained through Facebook was fairly obtained.

      Since trial courts are regularly called upon to rule on these questions, the Court of Cassation will probably have to rule on them again.
      https://www.village-justice.com/articles/compte-prive-facebook-mode-preuve-licite-matiere-licenciement,36699

  • So-called “Consent Searches” Harm Our Digital Rights
    https://www.eff.org/deeplinks/2021/01/so-called-consent-searches-harm-our-digital-rights

    Imagine this scenario: You’re driving home. Police pull you over, allegedly for a traffic violation. After you provide your license and registration, the officer catches you off guard by asking: “Since you’ve got nothing to hide, you don’t mind unlocking your phone for me, do you?” Of course, you don’t want the officer to copy or rummage through all the private information on your phone. But they’ve got a badge and a gun, and you just want to go home. If you’re like most people, you grudgingly (...)

    #smartphone #consentement #données #écoutes #surveillance #EFF

  • I looked at all the ways Microsoft Teams tracks users and my head is spinning
    https://www.zdnet.com/article/i-looked-at-all-the-ways-microsoft-teams-tracks-users-and-my-head-is-spinning

    Microsoft Teams isn’t just there to make employees’ lives easier. It’s also there to give bosses data about so many things. My head is recovering from something of a pivot. You see, a couple of weeks ago Microsoft CEO Satya Nadella declared, in an interview with the Financial Times, that Teams could soon be a digital platform as important as the internet browser. Yes, Microsoft Teams. This startled me a touch. The world seems to have moved rather quickly of late. I thought of all those (...)

    #Microsoft #ProductivityScore #Windows #données #écoutes #surveillance #travail

  • Police surveillance of Black Lives Matter shows the danger technology poses to democracy
    https://theconversation.com/police-surveillance-of-black-lives-matter-shows-the-danger-technolo

    US police forces have been turning to technology to track down Black Lives Matter protestors. Content from social media platforms and affiliated sites has been instrumental in the authorities being able to identify protestors based on photos of their faces, clothes and hair, or on the fact that they posted while at the protests. Meanwhile, drones have been added to the police’s own means of capturing footage of the protests. Making technology-driven state surveillance part of the police’s (...)

    #Google #Ring #Amazon #Signal #Home #Alexa #CCTV #drone #InternetOfThings #sonnette #activisme #journalisme #police #racisme #données #vidéo-surveillance #violence #BlackLivesMatter #discrimination #écoutes #extrême-droite (...)

    ##surveillance

• Insecure wheels: Police turn to car data to destroy suspects’ alibis
    https://www.nbcnews.com/tech/tech-news/snitches-wheels-police-turn-car-data-destroy-suspects-alibis-n1251939

    Looser privacy standards for vehicle data are a treasure chest of data for law enforcement. On June 26, 2017, the lifeless body of Ronald French, a bearded auto mechanic with once-twinkling eyes, was mysteriously found in a cornfield in Kalamazoo County, Michigan. French, a grandfather of eight who always tried to help people “down on their luck,” his daughter Ronda Hamilton told NBC affiliate WOOD of Kalamazoo, had disappeared three weeks before. According to the police report, a cord (...)

    #Cellebrite #Bluetooth #capteur #smartphone #voiture #GPS #USBKey #géolocalisation #criminalité #données #écoutes #surveillance (...)

    ##criminalité ##FTC

• The connected car, new scene of crime and investigation
    https://korii.slate.fr/tech/voiture-connectee-nouveau-lieu-crime-enquete-indices-donnees-police

    GPS position, speed, audio recordings... The car is a veritable mine of clues for the police. On 26 June 2017, the body of Ronald French, an auto mechanic, was found in a cornfield in Kalamazoo County, Michigan. For two years, the investigation stalled without producing the slightest lead. Until the police turned to a new source of clues: the victim's car. By examining the data recorded in the Chevy Silverado, Ronald's pick-up (...)

    #Bluetooth #smartphone #voiture #SIM #USBKey #criminalité #géolocalisation #données (...)

    ##criminalité ##écoutes

  • A prison video visitation service exposed private calls between inmates and their attorneys
    https://techcrunch.com/2020/10/10/prison-visitation-homewav-leak/?guccounter=1

    Thousands of calls were spilling from an unprotected server. Fearing the spread of coronavirus, jails and prisons remain on lockdown. Visitors are unable to see their loved ones serving time, forcing friends and families to use prohibitively expensive video visitation services that often don’t work. But now the security and privacy of these systems are under scrutiny after one St Louis-based prison video visitation provider had a security lapse that exposed thousands of phone calls between (...)

    #données #écoutes #prison #surveillance #ACLU

• The ECHR declares admissible RSF's complaint against the German intelligence service
    https://rsf.org/fr/actualites/la-cedh-declare-recevable-le-recours-de-rsf-contre-le-service-de-renseignements

    Reporters Without Borders (RSF) welcomes the decision of the European Court of Human Rights in favour of the application filed by the organisation over mass surveillance practices in Germany. On Monday 11 January, the European Court of Human Rights (ECHR) declared admissible the application filed by RSF against the mass surveillance practices, without valid grounds, of the German federal intelligence service, the Bundesnachrichtendienst (BND). The organisation's German section accuses (...)

    #BND #journalisme #écoutes #surveillance #RSF #CEDH

• Signal: everything you need to know about the hugely successful secure messaging app
    https://www.lemonde.fr/pixels/article/2021/01/11/signal-tout-comprendre-a-l-application-de-messagerie-securisee-a-tres-fort-s

    Available on Android as well as on iOS, the app is prized for being particularly well secured, and for having no link with Facebook, the owner of WhatsApp. Signal is a secure messaging app, available on Android and on iOS. It lets you exchange written messages, between two people or in a group, make audio or video calls, send files... In short, it works like just about every popular messaging app, but it is also reputed to be, since (...)

    #Google #Apple #Facebook #Instagram #Messenger #Parler #Signal #Twitter #cryptage #écoutes (...)

    ##surveillance

  • WhatsApp Doesn’t Read Your Messages, It Doesn’t Need To - Pen Magnet
    https://medium.com/swlh/whatsapp-doesnt-read-your-messages-it-doesn-t-need-to-7ce0ec2846f9

    As of this writing, WhatsApp released a newer version of its privacy policy on Jan 4, 2021. Among other things, it mentions: We are one of the Facebook Companies. You can learn more further below in this Privacy Policy about the ways in which we share information across this family of companies. When I opened WhatsApp yesterday, I was greeted with a prompt to read the fine print. Among other things, it talks highly about “End to end encryption.” WhatsApp even has a ridiculous (...)

    #NSA #CIA #FBI #Facebook #Messenger #Signal #Skype #WhatsApp #Zoom #algorithme #cryptage #Android #payement #WiFi #iOS #données #écoutes (...)

    ##surveillance

  • Inside NSO, Israel’s billion-dollar spyware giant
    https://www.technologyreview.com/2020/08/19/1006458/nso-spyware-controversy-pegasus-human-rights

    The world’s most notorious surveillance company says it wants to clean up its act. Go on, we’re listening.

    Maâti Monjib speaks slowly, like a man who knows he’s being listened to.

    It’s the day of his 58th birthday when we speak, but there’s little celebration in his voice. “The surveillance is hellish,” Monjib tells me. “It is really difficult. It controls everything I do in my life.”

    A history professor at the University of Mohammed V in Rabat, Morocco, Monjib vividly remembers the day in 2017 when his life changed. Charged with endangering state security by the government he has fiercely and publicly criticized, he was sitting outside a courtroom when his iPhone suddenly lit up with a series of text messages from numbers he didn’t recognize. They contained links to salacious news, petitions, and even Black Friday shopping deals.

    A month later, an article accusing him of treason appeared on a popular national news site with close ties to Morocco’s royal rulers. Monjib was used to attacks, but now it seemed his harassers knew everything about him: another article included information about a pro-democracy event he was set to attend but had told almost no one about. One story even proclaimed that the professor “has no secrets from us.”

    He’d been hacked. The messages had all led to websites that researchers say were set up as lures to infect visitors’ devices with Pegasus, the most notorious spyware in the world.

    Pegasus is the blockbuster product of NSO Group, a secretive billion-dollar Israeli surveillance company. It is sold to law enforcement and intelligence agencies around the world, which use the company’s tools to choose a human target, infect the person’s phone with the spyware, and then take over the device. Once Pegasus is on your phone, it is no longer your phone.

    NSO sells Pegasus with the same pitch arms dealers use to sell conventional weapons, positioning it as a crucial aid in the hunt for terrorists and criminals. In an age of ubiquitous technology and strong encryption, such “lawful hacking” has emerged as a powerful tool for public safety when law enforcement needs access to data. NSO insists that the vast majority of its customers are European democracies, although since it doesn’t release client lists and the countries themselves remain silent, that has never been verified.

    Monjib’s case, however, is one of a long list of incidents in which Pegasus has been used as a tool of oppression. It has been linked to cases including the murder of Saudi journalist Jamal Khashoggi, the targeting of scientists and campaigners pushing for political reform in Mexico, and Spanish government surveillance of Catalan separatist politicians. Mexico and Spain have denied using Pegasus to spy on opponents, but accusations that they have done so are backed by substantial technical evidence.

    NSO’s basic argument is that it is the creator of a technology that governments use, but that since it doesn’t attack anyone itself, it can’t be held responsible.

    Some of that evidence is contained in a lawsuit filed last October in California by WhatsApp and its parent company, Facebook, alleging that Pegasus manipulated WhatsApp’s infrastructure to infect more than 1,400 cell phones. Investigators at Facebook found more than 100 human rights defenders, journalists, and public figures among the targets, according to court documents. Each call that was picked up, they discovered, sent malicious code through WhatsApp’s infrastructure and caused the recipient’s phone to download spyware from servers owned by NSO. This, WhatsApp argued, was a violation of American law.

    NSO has long faced such accusations with silence. Claiming that much of its business is an Israeli state secret, it has offered precious little public detail about its operations, customers, or safeguards.

    Now, though, the company suggests things are changing. In 2019, NSO, which was owned by a private equity firm, was sold back to its founders and another private equity firm, Novalpina, for $1 billion. The new owners decided on a fresh strategy: emerge from the shadows. The company hired elite public relations firms, crafted new human rights policies, and developed new self-­governance documents. It even began showing off some of its other products, such as a covid-19 tracking system called Fleming, and Eclipse, which can hack drones deemed a security threat.

    Over several months, I’ve spoken with NSO leadership to understand how the company works and what it says it is doing to prevent human rights abuses carried out using its tools. I have spoken to its critics, who see it as a danger to democratic values; to those who urge more regulation of the hacking business; and to the Israeli regulators responsible for governing it today. The company’s leaders talked about NSO’s future and its policies and procedures for dealing with problems, and it shared documents that detail its relationship with the agencies to which it sells Pegasus and other tools. What I found was a thriving arms dealer—inside the company, employees acknowledge that Pegasus is a genuine weapon—struggling with new levels of scrutiny that threaten the foundations of its entire industry.

    “A difficult task”

    From the first day Shmuel Sunray joined NSO as its general counsel, he faced one international incident after another. Hired just days after WhatsApp’s lawsuit was filed, he found other legal problems waiting on his desk as soon as he arrived. They all centered on the same basic accusation: NSO Group’s hacking tools are sold to, and can be abused by, rich and repressive regimes with little or no accountability.

    Sunray had plenty of experience with secrecy and controversy: his previous job was as vice president of a major weapons manufacturer. Over several conversations, he was friendly as he told me that he’s been instructed by the owners to change NSO’s culture and operations, making it more transparent and trying to prevent human rights abuses from happening. But he was also obviously frustrated by the secrecy that he felt prevented him from responding to critics.

    “It’s a difficult task,” Sunray told me over the phone from the company’s headquarters in Herzliya, north of Tel Aviv. “We understand the power of the tool; we understand the impact of misuse of the tool. We’re trying to do the right thing. We have real challenges dealing with government, intelligence agencies, confidentiality, operational necessities, operational limitations. It’s not a classic case of human rights abuse by a company, because we don’t operate the systems—we’re not involved in actual operations of the systems—but we understand there is a real risk of misuse from the customers. We’re trying to find the right balance.”

    This underpins NSO’s basic argument, one that is common among weapons manufacturers: the company is the creator of a technology that governments use, but it doesn’t attack anyone itself, so it can’t be held responsible.

    Still, according to Sunray, there are several layers of protection in place to try to make sure the wrong people don’t have access.

    Making a sale

    Like most other countries, Israel has export controls that require weapons manufacturers to be licensed and subject to government oversight. In addition, NSO does its own due diligence, says Sunray: its staff examine a country, look at its human rights record, and scrutinize its relationship with Israel. They assess the specific agency’s track record on corruption, safety, finance, and abuse—as well as factoring in how much it needs the tool.

    Sometimes negatives are weighed against positives. Morocco, for example, has a worsening human rights record but a lengthy history of cooperating with Israel and the West on security, as well as a genuine terrorism problem, so a sale was reportedly approved. By contrast, NSO has said that China, Russia, Iran, Cuba, North Korea, Qatar, and Turkey are among 21 nations that will never be customers.

    Finally, before a sale is made, NSO’s governance, risk, and compliance committee has to sign off. The company says the committee, made up of managers and shareholders, can decline sales or add conditions, such as technological restrictions, that are decided case by case.

    Preventing abuse

    Once a sale is agreed to, the company says, technological guardrails prevent certain kinds of abuse. For example, NSO says Pegasus will not infect American phone numbers, and an infected phone is not supposed to keep operating inside the United States: if one does find itself within American borders, the Pegasus software is supposed to self-destruct.

    NSO says Israeli phone numbers are among others also protected, though who else gets protection and why remains unclear.

    When a report of abuse comes in, an ad hoc team of up to 10 NSO employees is assembled to investigate. They interview the customer about the allegations, and they request Pegasus data logs. These logs don’t contain the content the spyware extracted, like chats or emails—NSO insists it never sees specific intelligence—but do include metadata such as a list of all the phones the spyware tried to infect and their locations at the time.

    According to one recent contract I obtained, customers must “use the system only for the detection, prevention, and investigation of crimes and terrorism and ensure the system will not be used for human rights violations.” They must notify the company of potential misuse. NSO says it has terminated three contracts in the past for infractions including abuse of Pegasus, but it refuses to say which countries or agencies were involved or who the victims were.

    “We’re not naïve”

    Lack of transparency is not the only problem: the safeguards have limits. While the Israeli government can revoke NSO’s license for violations of export law, the regulators do not take it on themselves to look for abuse by potential customers and aren’t involved in the company’s abuse investigations.

    Many of the other procedures are merely reactive as well. NSO has no permanent internal abuse team, unlike almost any other billion-dollar tech firm, and most of its investigations are spun up only when an outside source such as Amnesty International or Citizen Lab claims there has been malfeasance. NSO staff interview the agencies and customers under scrutiny but do not talk to the alleged victims, and while the company often disputes the technical reports offered as evidence, it also claims that both state secrecy and business confidentiality prevent it from sharing more information.

    The Pegasus logs that are crucial to any abuse inquiry also raise plenty of questions. NSO Group’s customers are hackers who work for spy agencies; how hard would it be for them to tamper with the logs? In a statement, the company insisted this isn’t possible but declined to offer details.
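    The page does not say how the logs are protected, so as an added illustration (not NSO’s code, and not a description of how Pegasus actually records anything) the sketch below shows what a “the logs can’t be tampered with” claim would have to rest on: each entry is chained to the one before it under a key, and the final tag is anchored with a party the operator does not control. The record fields, the key, and the scenarios are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample records of the kind the article says the logs contain
# (phones the spyware tried to infect and their location at the time).
# Field names and values are hypothetical, not Pegasus's log format.
SAMPLE_EVENTS = [
    {"seq": 1, "target": "handset-A", "location": "city-1", "result": "infected"},
    {"seq": 2, "target": "handset-B", "location": "city-2", "result": "failed"},
    {"seq": 3, "target": "handset-C", "location": "city-1", "result": "infected"},
]

GENESIS = b"\x00" * 32


def canonical(event):
    """Deterministic byte encoding so the same record always hashes the same."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def link(prev_tag, event, key):
    """Tag for one entry: HMAC over the previous tag and this record."""
    return hmac.new(key, prev_tag + canonical(event), hashlib.sha256).digest()


def build_chain(events, key):
    """Return [(event, tag), ...] where each tag commits to all earlier entries."""
    prev, chain = GENESIS, []
    for ev in events:
        tag = link(prev, ev, key)
        chain.append((ev, tag))
        prev = tag
    return chain


def verify_chain(chain, key, anchor=None):
    """Return the index of the first bad entry, or -1 if the chain is intact.

    `anchor` is the last tag as held by a party outside the operator's control
    (for example the vendor); without it, truncating the log is undetectable.
    """
    prev = GENESIS
    for i, (ev, tag) in enumerate(chain):
        if not hmac.compare_digest(link(prev, ev, key), tag):
            return i
        prev = tag
    if anchor is not None and not hmac.compare_digest(prev, anchor):
        return len(chain)  # internally consistent, but not the chain that was anchored
    return -1


def edit_without_key(chain, index, new_event):
    """Operator rewrites a record but cannot recompute the tags: detected."""
    edited = list(chain)
    edited[index] = (new_event, chain[index][1])
    return edited


def edit_with_key(chain, index, new_event, key):
    """Operator who also holds the key rebuilds the chain: undetectable without an anchor."""
    events = [ev for ev, _ in chain]
    events[index] = new_event
    return build_chain(events, key)


if __name__ == "__main__":
    key = b"vendor-held-key"  # hypothetical; must not live on the operator's system
    chain = build_chain(SAMPLE_EVENTS, key)
    anchor = chain[-1][1]
    hidden = dict(SAMPLE_EVENTS[1], target="handset-X")
    print("intact:", verify_chain(chain, key, anchor))                                     # -1
    print("edit without key:", verify_chain(edit_without_key(chain, 1, hidden), key, anchor))  # 1
    print("edit with key, no anchor:", verify_chain(edit_with_key(chain, 1, hidden, key), key))  # -1
    print("edit with key, anchored:", verify_chain(edit_with_key(chain, 1, hidden, key), key, anchor))  # 3
    print("truncated, no anchor:", verify_chain(chain[:-1], key))                           # -1
    print("truncated, anchored:", verify_chain(chain[:-1], key, anchor))                    # 2
```

    The two undetected cases are the ones that matter for the question above: an operator who holds the key can rewrite a record and recompute a perfectly consistent chain, and without an external anchor the most recent entries can simply be dropped. A tamper-resistance claim is therefore only as good as the answer to where the key material and the anchor are kept relative to the customer’s installation, which is precisely the detail the company declined to give.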

    If the logs aren’t disputed, NSO and its customers will decide together whether targets are legitimate, whether genuine crimes have been committed, and whether surveillance was done under due process of law or whether autocratic regimes spied on opponents.

    Sunray, audibly exasperated, says he feels as if secrecy is forcing him to operate with his hands tied behind his back.

    “It’s frustrating,” he told me. “We’re not naïve. There have been misuses. There will be misuses. We sell to many governments. Even the US government—no government is perfect. Misuse can happen, and it should be addressed.”

    But Sunray also returns to the company’s standard response, the argument that underpins its defense in the WhatsApp lawsuit: NSO is a manufacturer, but it’s not the operator of the spyware. We built it but they did the hacking—and they are sovereign nations.

    That’s not enough for many critics. “No company that believes it can be the independent watchdog of their own products ever convinces me,” says Marietje Schaake, a Dutch politician and former member of the European Parliament. “The whole idea that they have their own mechanisms while they have no problem selling commercial spyware to whoever wants to buy it, knowing that it’s used against human rights defenders and journalists—I think it shows the lack of responsibility on the part of this company more than anything.”

    So why the internal push for more transparency now? Because the deluge of technical reports from human rights groups, the WhatsApp lawsuit, and increasing governmental scrutiny threaten NSO’s status quo. And if there is going to be a new debate over how the industry gets regulated, it pays to have a powerful voice.

    Growing scrutiny

    Lawful hacking and cyber-espionage have grown enormously as a business over the past decade, with no signs of retreat. NSO Group’s previous owners bought the company in 2014 for $130 million, less than one-seventh of the valuation it was sold for last year. The rest of the industry is expanding too, profiting from the spread of communications technology and deepening global instability. “There’s no doubt that any state has the right to buy this technology to fight crime and terrorism,” says Amnesty International’s deputy director, Danna Ingleton. “States are rightfully and lawfully able to use these tools. But that needs to be accompanied more with a regulatory system that prevents abuses and provides an accountability mechanism when abuse has happened.” Shining a much brighter light on the hacking industry, she argues, will allow for better regulation and more accountability.

    Earlier this year Amnesty International was in court in Israel arguing that the Ministry of Defense should revoke NSO’s license because of abuses of Pegasus. But just as the case was starting, officials from Amnesty and 29 other petitioners were told to leave the courtroom: a gag order was being placed on the proceedings at the ministry’s urging. Then, in July, a judge rejected the case outright.

    “I do not believe as a matter of principle and as a matter of law that NSO can claim a complete lack of responsibility for the way their tools are being used,” says United Nations special rapporteur Agnès Callamard. “That’s not how it works under international law.”

    Callamard advises the UN on extrajudicial executions and has been vocal about NSO Group and the spyware industry ever since it emerged that Pegasus was being used to spy on friends and associates of Khashoggi shortly before he was murdered. For her, the issue has life-or-death consequences.

    “We’re not calling for something radically new,” says Callamard. “We are saying that what’s in place at the moment is proving insufficient, and therefore governments or regulatory agencies need to move into a different gear quickly. The industry is expanding, and it should expand on the basis of the proper framework to regulate misuse. It’s important for global peace.”

    There have been calls for a temporary moratorium on sales until stronger regulation is enacted, but it’s not clear what that legal framework would look like. Unlike conventional arms, which are subject to various international laws, cyber weapons are currently not regulated by any worldwide arms control agreement. And while nonproliferation treaties have been suggested, there is little clarity on how they would measure existing capabilities, how monitoring or enforcement would work, or how the rules would keep up with rapid technological developments. Instead, most scrutiny today is happening at the national legal level.

    In the US, both the FBI and Congress are looking into possible hacks of American targets, while an investigation led by Senator Ron Wyden’s office wants to find out whether any Americans are involved in exporting surveillance technology to authoritarian governments. A recent draft US intelligence bill would require a government report on commercial spyware and surveillance technology.

    The WhatsApp lawsuit, meanwhile, has taken aim close to the heart of NSO’s business. The Silicon Valley giant argues that by targeting California residents—that is, WhatsApp and Facebook—NSO has given the court in San Francisco jurisdiction, and that the judge in the case can bar the Israeli company from future attempts to misuse WhatsApp’s and Facebook’s networks. That opens the door to an awful lot of possibilities: Apple, whose iPhone has been a paramount NSO target, could feasibly mount a similar legal attack. Google, too, has spotted NSO targeting Android devices.

    And financial damages are not the only sword hanging over NSO’s head. Such lawsuits also bring with them the threat of courtroom discovery, which has the potential to bring details of NSO’s business deals and customers into the public eye.

    “A lot depends on exactly how the court rules and how broadly it characterizes the violation NSO is alleged to have committed here,” says Alan Rozenshtein, a former Justice Department lawyer now at the University of Minnesota Law School. “At a minimum, if NSO loses this case, it calls into question all of those companies that make their products or make their living by finding flaws in messaging software and providing services exploiting those flaws. This will create enough legal uncertainty that I would imagine these would-be clients would think twice before contracting with them. You don’t know if the company will continue to operate, if they’ll get dragged to court, if your secrets will be exposed.” NSO declined to comment on the alleged WhatsApp hack, since it is still an active case.

    “We are always spied on”

    In Morocco, Maâti Monjib was subjected to at least four more hacking attacks throughout 2019, each more advanced than the one before. At some point, his phone browser was invisibly redirected to a suspicious domain that researchers suspect was used to silently install malware. Unlike a malicious text message, which can raise the alarm and leaves a visible trace, this was a much quieter network injection attack: the phone’s own web traffic was tampered with in transit, so the redirect needed no click and left the target nothing to notice. That is why the tactic is valued, and why it’s almost imperceptible except to expert investigators.

    On September 13, 2019, Monjib had lunch at home with his friend Omar Radi, a Moroccan journalist who is one of the regime’s sharpest critics. That very day, an investigation later found, Radi was hit with the same kind of network injection attacks that had snared Monjib. The hacking campaign against Radi lasted at least into January 2020, Amnesty International researchers said. He’s been subject to regular police harassment ever since.

    At least seven more Moroccans received warnings from WhatsApp about Pegasus being used to spy on their phones, including human rights activists, journalists, and politicians. Are these the kinds of legitimate spying targets—the terrorists and criminals—laid out in the contract that Morocco and all NSO customers sign?

    In December, Monjib and the other victims sent a letter to Morocco’s data protection authority asking for an investigation and action. Nothing formally came of it, but one of the men, the pro-democracy economist Fouad Abdelmoumni, says his friends high up at the agency told him the letter was hopeless and urged him to drop the matter. The Moroccan government, meanwhile, has responded by threatening to expel Amnesty International from the country.

    What’s happening in Morocco is emblematic of what’s happening around the world. While it’s clear that democracies are major beneficiaries of lawful hacking, a long and growing list of credible, detailed, technical, and public investigations shows Pegasus being misused by authoritarian regimes with long records of human rights abuse.

    “Morocco is a country under an authoritarian regime who believe people like Monjib and myself have to be destroyed,” says Abdelmoumni. “To destroy us, having access to all information is key. We always consider that we are spied on. All of our information is in the hands of the palace.”

    #Apple #NSO #Facebook #WhatsApp #iPhone #Pegasus #smartphone #spyware #activisme #journalisme #écoutes #hacking #surveillance #Amnesty (...)

    ##CitizenLab