Your phone rings. Within seconds, it’s infected with secret spyware that’s tracking everything you do. This isn’t a conspiracy theory or a twist in a Netflix thriller. It’s happening right now to people like you – and you have the power to stop it.
We all know that privacy matters. Our private thoughts, texts, friendships, social interactions make up who we are. It’s why COVID-19 has revived fears about governments and corporations snooping on our every move – and with good reason. At least one of the companies looking to capitalise on the contact tracing dilemma is NSO, the controversial company currently being sued by WhatsApp for allegedly installing spyware on the phones of thousands of users – including activists and journalists. (More about them later).
For many of us, that unsettling feeling of being watched is all too real. After all, we live in a world of mass surveillance, from facial recognition to online tracking – governments and tech companies are harvesting intimate information about billions of people. Targeted surveillance is slightly different. It’s the use of technology to spy on specific people.
You may think this is fine, because aren’t people only targeted when they’ve done something wrong? Think again.
From Mexico to the Middle East, governments are wielding a range of sophisticated cyber-tools to unlawfully spy on their critics. A seemingly innocuous missed call, a personalized text message or unknowingly redirected to malicious website for a split second, and without you being aware the spyware is installed.
The people targeted are often journalists, bloggers and activists (including Amnesty’s own staff) voicing inconvenient truths. They may be exposing corrupt deals, demanding electoral reform, or promoting the right to privacy. Their defence of human rights puts them at odds with their governments. Rather than listen, governments prefer to shut them down. And when governments attack the people who are defending our rights, then we’re all at risk.
Listen to the Witness podcast as Amnesty Tech’s team of Investigators race against the clock to expose a notorious spyware and stop it being used against activists.
Stop governments spying on activists
Until recently, Ahmed Mansoor was the United Arab Emirates’ (UAE’s) last active human rights defender. A blogger, poet and father-of-three, Mansoor called for political reforms that would have transformed the UAE into the progressive society it claims to be. The government responded by hacking into Mansoor’s phone, his computer, even his bank account before fabricating charges against him and locking him up for 10 years. Mansoor is in solitary confinement and gravely ill.
Maati Monjib suspected the Moroccan authorities had been spying on his phone and computer since 2015. The historian and freedom of expression advocate was proved right in 2019 when his phone was repeatedly targeted with suspicious WhatsApp text messages carrying links to websites connected to NSO Group’s notorious Pegasus spyware. Monjib continues to face bogus national security charges simply for training journalists on a phone app designed to protect users’ privacy.
A former Saudi Arabian Air Force officer, Yahya Assiri had always been troubled by the poverty and inequality he saw around him. His peaceful attempts to call attention to these issues online put him on the wrong side of the authorities. In 2018 Assiri, a friend of Jamal Khashoggi, was targeted using NSO Group’s Pegasus spyware. The software has been implicated in scores of attacks on human rights activists and has no framework to regulate its use.
How do governments target activists?
The authorities use clever cyber-attacks to access users’ phones and computers. Once in, they can find out who their contacts are, their passwords, their social media habits, their texts. They can record conversations. They can find out everything about that person, tap into their network, find out about their work, and destroy it. Since 2017, Amnesty’s own research has uncovered attacks like these in Egypt, India, Morocco, Pakistan, Saudi Arabia, UAE, Qatar and Uzbekistan.
Remember, the users we’re talking about are human rights activists, among them journalists, bloggers, poets, teachers and so many others who bravely take a stand for justice, equality and freedom. They take these risks so we don’t have to. But voicing concerns about government conduct and policy makes them unpopular with the authorities. So much so that governments resort to dirty tricks, smearing activists and re-branding them as criminals and terrorists.
The long arm of NSO
Some of the most insidious attacks on human rights defenders have been waged using spyware manufactured by NSO Group. A major player in the shadowy surveillance industry, they specialise in cyber-surveillance tools.
NSO is responsible for Pegasus malware, a powerful programme that can turn on your phone’s microphone and camera without your knowledge. It can also access your emails and texts, track your keystrokes and collect data about you. The worst thing is you don’t have to do anything to trigger it – Pegasus can be installed without you ever knowing.
NSO say they’re creating technology that helps governments fight terrorism and crime. But as early as 2018, when one of our own staff was targeted through WhatsApp, our Security Lab discovered a network of more than 600 suspicious websites owned by NSO that could be used to spy on journalists and activists around the world. We were not wrong. In 2019, thousands of people received scam WhatsApp call, leading WhatsApp to later sue NSO. More recently we documented the cases of Moroccan activists who had been similarly targeted.
In January 2020, we supported legal action in Israel, (where NSO is headquartered) demanding that Israel stop NSO from being able to export its spyware. In July 2020, the court in Tel Aviv rejected the attempt, leaving NSO free to carry on selling its technology to human rights abusers. We will continue to do all we can to stop NSO’s products being used to persecute activists
A booming industry
Cases of governments snooping on activists have increased massively in the last decade. This is down to more and more companies developing and selling spyware to governments. Dubbed “lawful interception technologies”, these products are ripe for misuse.
In a world where people defending human rights are increasingly branded criminals and terrorists, and where national security concerns are routinely used to suspend basic rights, the potential for exploiting this technology for nefarious purposes is huge. Right now, there’s no framework to prevent such misuse and no consequences when the technology is used to abuse the rights of activists. Companies are getting away with peddling deeply dangerous tech with zero penalties.
The missing link in all this is a proper regulation on the use of spyware technology. At its heart, this needs to be guided by human rights principles, to make sure that the kinds of abuses we’ve documented stop happening.
We all have the right to freely express our views and opinions, the right to gather and associate with others and the right to privacy. Digital spyware attacks on human rights activists violate these rights. When governments snoop on the people who are trying to defend our rights, our losses are doubled. It’s as simple as this: privacy matters. Our personal thoughts, our texts to friends, our kids’ photos, our work – are what make us who we are. Our right to privacy is a right to control what makes us us. It’s a right worth defending – for us and for the people who defend us.