Governments must halt the spread of commercial spyware

Op-ed in the Financial Times, 16 May 2019

This week’s revelation that hackers exploited software vulnerabilities in the WhatsApp messaging platform to inject spyware developed by the Israeli technology company NSO Group has shocked many. But the news should not come as a surprise.

It has become far too easy for commercial surveillance companies to sell the kinds of technologies that were long confined exclusively to the use of state intelligence or police services. Human rights defenders and journalists, such as the murdered Saudi writer Jamal Khashoggi, have allegedly been victims in the past. In fact, the proliferation of the most intrusive of technology systems has been going on for years unhindered. That must stop now.

The NSO Group claims it has a policy of only selling to governments and law enforcement, to fight crime and terrorism. Novalpina Capital, the private equity fund that backs the group, has promised to bring it in line with UN human rights rules. But it should not be up to the butcher to test his own meat.

The proliferation of lawful intercept technologies is a serious problem that needs to be curbed by stricter laws and regulations. Governments procure hacking tools from tech companies in order to hunt down terror suspects or criminals. Now they need to take the next step and make sure the technology does not fall into the wrong hands.

We have seen many horrifying examples of this: human rights defender Ahmed Mansoor is imprisoned in the United Arab Emirates after being targeted with surveillance technologies. And the researchers of Citizen Lab in Canada were also hacked, along with journalists. Surveillance and hacking tools are for sale to whoever can afford them in a billion-dollar market. This dark market needs to be restricted before it is too late.

We need stricter restrictions on the broad deployment of systems built for narrow use within the rule of law. When such systems are exported, they should be assessed for their impact on human rights first. In case of concern, the export license should not be granted. Imports of surveillance systems from countries such as China or Israel should also be scrutinised for possible abuse.

The reporting of software vulnerabilities needs to be improved and harmonised. Exploitation of such flaws in software code is a central ingredient of almost every cyber attack. It is important that governments and companies lead by example and show responsibility to report and patch. Governments also need to upgrade contractual clauses to prevent intelligence officials from being hired by tech firms that want to take advantage of classified knowledge and skills which can later be used unhindered.

Last — and perhaps most controversially — governments themselves must weigh the benefits of stockpiling software vulnerabilities or planting so-called technological backdoors in exported surveillance systems, against the damage that could be done to users.

While US president Donald Trump put the Chinese technology company Huawei on a trade blacklist out of concern for national security yesterday, intelligence services in the US and elsewhere are pushing IT companies to build in backdoor access to user data. But a backdoor is itself a vulnerability, and one that criminals and foreign governments can exploit too.

It is a public secret that governments are working with tech companies on intelligence gathering. This may explain why some have held back support for a common European approach to controlling the export of hacking and surveillance systems thus far.

The market in surveillance technologies is sprawling. And while the spread of the Chinese surveillance state is a serious concern, democratic governments are doing nothing to curb the spread of tools designed and sold to enable intrusion and repression. Governments must act before it is too late.


International Director of Policy, Stanford’s Cyber Policy Center, International Policy Fellow, Institute for Human-Centered AI. President, CyberPeace Institute