<p>Spyware – The Conversation (feed updated 2023-09-22T12:30:58Z)</p>
<h1>Spyware can infect your phone or computer via the ads you see online – report</h1>
<p>Published 2023-09-22T12:30:58Z</p>
<figure><img src="https://images.theconversation.com/files/549436/original/file-20230920-25-eqmqt5.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C4508%2C3003&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">A new type of spyware means those online ads could go from annoying to menacing.</span> <span class="attribution"><a class="source" href="https://newsroom.ap.org/detail/VirusOutbreakUnemploymentBenefits/b08e140ac8b54973ba793dd93b806b6d/photo">AP Photo/Julio Cortez</a></span></figcaption></figure>
<p>Each day, you leave digital traces of what you did, where you went, who you communicated with, what you bought, what you’re thinking of buying, and much more. This mass of data serves as a library of clues for personalized ads, which are sent to you by a sophisticated network – <a href="https://theconversation.com/why-bad-ads-appear-on-good-websites-a-computer-scientist-explains-178268">an automated marketplace</a> of advertisers, publishers and ad brokers that operates at lightning speed.</p>
<p>The ad networks are designed to shield your identity, but companies and governments are able to combine that information with other data, particularly phone location, <a href="https://www.google.com/books/edition/Ethics_of_Data_and_Analytics/E51kEAAAQBAJ?hl=en&gbpv=1&dq=advertising+privacy&pg=PA161&printsec=frontcover">to identify you and track your movements and online activity</a>. More invasive yet is <a href="https://csrc.nist.gov/glossary/term/spyware">spyware</a> – malicious software that a government agent, private investigator or criminal installs on someone’s phone or computer without their knowledge or consent. Spyware lets the user see the contents of the target’s device, including calls, texts, email and voicemail. Some forms of spyware can take control of a phone, including turning on its microphone and camera.</p>
<p>Now, according to <a href="https://www.haaretz.com/israel-news/2023-09-14/ty-article-magazine/.highlight/revealed-israeli-cyber-firms-developed-an-insane-new-spyware-tool-no-defense-exists/0000018a-93cb-de77-a98f-ffdf2fb60000">an investigative report</a> by the Israeli newspaper Haaretz, an Israeli technology company called Insanet has developed the means of delivering spyware via online ad networks, turning some targeted ads into Trojan horses. According to the report, there’s no defense against the spyware, and the Israeli government has given Insanet approval to sell the technology.</p>
<h2>Sneaking in unseen</h2>
<p>Insanet’s spyware, Sherlock, is not the first spyware that can be installed on a phone without the need to trick the phone’s owner into clicking on a malicious link or downloading a malicious file. <a href="https://www.nsogroup.com/">NSO</a>’s <a href="https://theconversation.com/what-is-pegasus-a-cybersecurity-expert-explains-how-the-spyware-invades-phones-and-what-it-does-when-it-gets-in-165382">iPhone-hacking Pegasus</a>, for instance, is one of the most controversial spyware tools to emerge in the past five years.</p>
<p>Pegasus relies on vulnerabilities in Apple’s iOS, the iPhone operating system, to infiltrate a phone undetected. Apple issued a <a href="https://support.apple.com/en-us/HT213905">security update</a> for <a href="https://www.theverge.com/2023/9/8/23864150/ios-16-6-1-iphone-security-vulnerability-0-day-exploit-patch-update">the latest vulnerability</a> on Sept. 7, 2023.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/457773/original/file-20220412-23-9qtbd2.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="Diagram showing the different entities involved in real time bidding, and the requests and responses" src="https://images.theconversation.com/files/457773/original/file-20220412-23-9qtbd2.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/457773/original/file-20220412-23-9qtbd2.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=348&fit=crop&dpr=1 600w, https://images.theconversation.com/files/457773/original/file-20220412-23-9qtbd2.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=348&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/457773/original/file-20220412-23-9qtbd2.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=348&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/457773/original/file-20220412-23-9qtbd2.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=438&fit=crop&dpr=1 754w, https://images.theconversation.com/files/457773/original/file-20220412-23-9qtbd2.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=438&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/457773/original/file-20220412-23-9qtbd2.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=438&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">When you see an ad on a web page, behind the scenes an ad network has just automatically conducted an auction to decide which advertiser won the right to present their ad to you.</span>
<span class="attribution"><span class="source">Eric Zeng</span>, <a class="license" href="http://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND</a></span>
</figcaption>
</figure>
<p>What sets Insanet’s Sherlock apart from Pegasus is its exploitation of ad networks rather than vulnerabilities in phones. A Sherlock user creates an ad campaign that narrowly focuses on the target’s demographic and location, and places a spyware-laden ad with an ad exchange. Once the ad is served to a web page that the target views, the spyware is secretly installed on the target’s phone or computer.</p>
<p>Although it’s too early to determine the full extent of Sherlock’s capabilities and limitations, the Haaretz report found that it can infect Windows-based computers and Android phones as well as iPhones.</p>
<h2>Spyware vs. malware</h2>
<p>Ad networks have been used to deliver malicious software for years, a practice dubbed <a href="https://www.csoonline.com/article/567045/what-is-malvertising-and-how-you-can-protect-against-it.html">malvertising</a>. In most cases, the malware is aimed at computers rather than phones, is indiscriminate, and is designed to lock a user’s data as part of a ransomware attack or steal passwords to access online accounts or organizational networks. The ad networks constantly scan for malvertising and rapidly block it when detected.</p>
<p>Spyware, on the other hand, tends to be aimed at phones, is targeted at specific people or narrow categories of people, and is designed to clandestinely obtain sensitive information and monitor someone’s activities. Once <a href="https://usa.kaspersky.com/resource-center/threats/spyware">spyware infiltrates your system</a>, it can record keystrokes, take screenshots and use various tracking mechanisms before transmitting your stolen data to the spyware’s creator. </p>
<p>While its actual capabilities are still under investigation, the new Sherlock spyware is at least capable of infiltration, monitoring, data capture and data transmission, according to the Haaretz report.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/R0RVI7bghj8?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">The new Sherlock spyware is likely to have the same frightening capabilities as the previously discovered Pegasus.</span></figcaption>
</figure>
<h2>Who’s using spyware</h2>
<p>From 2011 to 2023, at least 74 governments engaged in contracts with commercial companies <a href="https://carnegieendowment.org/2023/03/14/why-does-global-spyware-industry-continue-to-thrive-trends-explanations-and-responses-pub-89229">to acquire spyware or digital forensics technology</a>. National governments might deploy spyware for surveillance and gathering intelligence as well as combating crime and terrorism. Law enforcement agencies might similarly use spyware <a href="https://www.nbcnews.com/tech/security/iphone-spyware-lets-cops-log-suspects-passcodes-when-cracking-doesn-n1209296">as part of investigative efforts</a>, especially in cases involving cybercrime, organized crime or national security threats. </p>
<p>Companies might use spyware <a href="https://www.wsj.com/articles/the-new-ways-your-boss-is-spying-on-you-11563528604">to monitor employees’ computer activities</a>, ostensibly to protect intellectual property, prevent data breaches or ensure compliance with company policies. Private investigators might use spyware to <a href="https://www.hg.org/legal-articles/private-investigator-on-cellphone-spyware-42193">gather information and evidence for clients</a> on legal or personal matters. Hackers and organized crime figures might use spyware to <a href="https://www.cisa.gov/sites/default/files/publications/spywarehome_0905.pdf">steal information to use in fraud or extortion schemes</a>.</p>
<p>On top of the revelation that Israeli cybersecurity firms have developed a defense-proof technology that appropriates online advertising for civilian surveillance, a key concern is that Insanet’s advanced spyware was legally authorized by the Israeli government for sale to a broader audience. This potentially puts virtually everyone at risk. </p>
<p>The silver lining is that Sherlock appears to be expensive to use. According to an internal company document cited in the Haaretz report, a single Sherlock infection costs a client of a company using the technology a hefty US$6.4 million.</p>
<p class="fine-print"><em><span>Claire Seungeun Lee does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>You probably won’t be targeted by spyware, but if you are, odds are you won’t know about it. The latest spyware slips in unseen through online ads as you go about your digital life.</p>
<p>Claire Seungeun Lee, Associate Professor of Criminology and Justice Studies, UMass Lowell</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Beyond spy balloons: here are 7 kinds of intelligence spies want, and how they get it</h1>
<p>Published 2023-02-06T06:08:48Z</p>
<p>The news of a so-called “<a href="https://gcp.theconversation.com/chinese-spy-balloon-over-the-us-an-aerospace-expert-explains-how-the-balloons-work-and-what-they-can-see-199245">Chinese spy balloon</a>” being shot down over the US has reignited interest in how nation-states spy on one another.</p>
<p>It’s not confirmed that the balloon, seen floating over US military areas, was indeed a dedicated vessel for spying. China <a href="https://www.bbc.com/news/world-64514120">has claimed</a> it was a “civilian airship” deployed for weather research and blown off-course by the wind. Nonetheless, the very threat of potential spycraft has the US <a href="https://www.ft.com/content/52a791c3-5df8-4957-8685-e88f9b7f9715">up in arms</a>. </p>
<p>And that makes sense. The significance of intelligence can’t be overstated. Nations make important political, economic and military decisions based on it. </p>
<p>While people may chuckle at the idea of using a balloon to passively float above a country to spy on it, the reality is anything goes when it comes to getting the upper hand on your adversaries. So what are some other ways nations collect intelligence today?</p>
<hr>
<p><em><strong>Read more: <a href="https://theconversation.com/did-chinas-balloon-violate-international-law-199271">Did China's balloon violate international law?</a></strong></em></p>
<hr>
<h2>Signals intelligence</h2>
<p>One major <a href="https://theconversation.com/explainer-how-the-australian-intelligence-community-works-94422">intelligence collection strategy</a> is signals intelligence. This involves using a variety of ground- and space-based technologies to target the signals and communications coming from a target’s device/s. </p>
<p>The results, called the “product”, often reveal highly sensitive information, which explains why signals intelligence is also the most contested form of espionage. </p>
<p>Countries that turn this capability inward face mounting criticism from those caught in the net, and from citizens concerned with privacy. In 2013, Edward Snowden <a href="https://theconversation.com/behind-the-scenes-at-the-start-of-the-snowden-era-citizenfour-is-crucial-viewing-33345">disclosed</a> the US National Security Agency’s use of signals intelligence for bulk data collection from the public. The US government has since worked to convince citizens the NSA’s efforts are largely focused on external collection. </p>
<p>The White House also recently published an <a href="https://www.whitehouse.gov/briefing-room/statements-releases/2022/10/07/fact-sheet-president-biden-signs-executive-order-to-implement-the-european-union-u-s-data-privacy-framework/">executive order</a> on this topic.</p>
<h2>Geo-spatial intelligence</h2>
<p><a href="https://theconversation.com/in-sea-of-satellite-images-experts-eyes-still-needed-53192">Geo-spatial intelligence</a> concerns human activity on and beneath the ground, including waterways. It’s generally focused on military and civilian construction, human movements (such as movement of refugees and migrants) and natural resource use.</p>
<p>Geo-spatial intelligence exploits information obtained through satellites, drones, high-altitude aircraft and, yes, even balloons!</p>
<p>Spy balloons can collect not just images and signals, but also chemical analyses of the air. They aren’t common, since this approach lacks plausible deniability and (as we have seen) balloons are easily observed and shot down. On the other hand, they do offer a low radar signature, are cheap and can seem innocuous.</p>
<h2>Imagery intelligence</h2>
<p>Closely related to geo-spatial intelligence is imagery intelligence, which is also often conducted using satellites, drones and aircraft.</p>
<p>This is intelligence derived from the overhead collection of images of civilian and military activities. Imagery intelligence often focuses on the strategic movements of troops and weapons systems, and specifically targets military bases, nuclear arsenals and other strategic assets.</p>
<h2>Measurement and signature intelligence</h2>
<p>One highly technical form of intelligence collection – and one that’s rarely mentioned – is measurement and signature intelligence. This is intelligence derived from the electromagnetic signatures of rockets, command and control systems, radar and weapons systems, and other military and civilian equipment. </p>
<p>The data collection is done using high-tech instruments, designed specifically to identify and categorise the electromagnetic emanations. Among other things, this form of intelligence collection allows for the remote identification of weapons deployments and detailed information on space platforms.</p>
<h2>Cyber intelligence</h2>
<p><a href="https://theconversation.com/morrisons-1-3-billion-for-more-cyber-spies-is-an-incremental-response-to-a-radical-problem-141692">Cyber intelligence</a> is generally lumped together with signals intelligence, but is distinct in that it uses direct human interaction (such as through hackers) to penetrate protected systems and gain access to data.</p>
<p>Cyber intelligence refers to the overt and covert collection of information from friendly and adversarial networks. It can be obtained through signals collection, malware, or through hackers gaining direct unauthorised access to systems. Nations may even target their own allies’ networks.</p>
<p>One example of cyber intelligence was the 2015 data breach of the <a href="https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach">US Office of Personnel Management</a>. This breach was designed to collect all the available information on US government and military personnel who had been screened for a security clearance.</p>
<hr>
<p><em><strong>Read more: <a href="https://theconversation.com/us-hack-shows-data-is-the-new-frontier-in-cyber-security-conflict-42904">US hack shows data is the new frontier in cyber security conflict</a></strong></em></p>
<hr>
<h2>Open source intelligence</h2>
<p>The newest of the intelligence <a href="https://theconversation.com/open-source-intelligence-how-digital-sleuths-are-making-their-mark-on-the-ukraine-war-179135">collection disciplines</a> is open source intelligence. Emerging in the late 1980s, open source information comes from a variety of primary sources such as newspapers, blogs, official postings and reports, and secondary sources such as <a href="https://www.smh.com.au/technology/spies-blow-their-cover-through-the-internet-20121225-2bvaf.html">leaks</a> on sites including WikiLeaks, The Intercept and social media. </p>
<p>Although this information is readily available, turning it into actionable intelligence requires specific tools such as web scrapers and data miners, as well as trained analysts who can find connections between large datasets.</p>
<h2>Human intelligence</h2>
<p>Human intelligence is the oldest form of intelligence collection and perhaps the most well-known. Spies are generally divided into three categories: </p>
<ul>
<li>declared intelligence officers (overt)</li>
<li>people working under official cover, such as spies working as diplomats, military personnel and embassy/civilian support personnel </li>
<li>non-official cover spies, often ostensibly working in commercial, academic and trade positions. </li>
</ul>
<p>Human intelligence officers will recruit citizens of a country to spy, wittingly or unwittingly, and run agents (co-operating citizens of a host nation) to support the strategic objectives of their nation. </p>
<p>Thanks to the internet and dark net, we now have cyber-based human intelligence that allows spies to assess, recruit and operate assets and sources from the safety of their home nation. This is even happening on <a href="https://theconversation.com/you-could-break-espionage-laws-on-social-media-without-realising-it-151665">LinkedIn</a>.</p>
<p>While intelligence collection disguised as a stray weather balloon seems rather sloppy, the latest events remind us of the constant war for information that nations are waging. Analysts following the war in Ukraine <a href="https://theconversation.com/why-are-governments-sharing-intelligence-on-the-ukraine-war-with-the-public-and-what-are-the-risks-191114">are reviewing</a> reams of information to compare Russian, Chinese and Iranian weapon systems with those of Ukraine and its NATO supporters. </p>
<p>As the world continues to face new challenges, including climate change and the rapid development of new technologies, the intelligence focus of nations will likely need to expand to keep up.</p>
<p class="fine-print"><em><span>Dennis B Desmond received funding from the Australian Government under an ARC linkage Grant. Dr Desmond previously worked for the US intelligence community.</span></em></p>
<p>While human spies are the best-known way nations collect intelligence, there are several methods countries can use to spy on one another.</p>
<p>Dennis B. Desmond, Lecturer, Cyberintelligence and Cybercrime Investigations, University of the Sunshine Coast</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Universities shouldn’t use software to monitor online exams: here’s why</h1>
<p>Published 2022-08-12T13:19:36Z</p>
<figure><img src="https://images.theconversation.com/files/478930/original/file-20220812-26-i7rj1p.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="attribution"><span class="source">FluxFactory/Getty Images</span></span></figcaption></figure>
<p>Proctoring software monitors a student’s computer or phone while they write exams. These programs have been around for some time but became ubiquitous during online learning in the pandemic.</p>
<p>Proctorio, Respondus and ProctorU, the most popular programs, have enjoyed <a href="https://www.eff.org/deeplinks/2021/06/long-overdue-reckoning-online-proctoring-companies-may-finally-be-here">a 500% increase</a> in usage since the start of COVID-19, and proctoring software is now a <a href="https://brownpoliticalreview.org/2020/12/big-ed-tech-is-watching-you-privacy-prejudice-and-pedagogy-in-online-proctoring/">US$19 billion global market</a>.</p>
<p>Some proctoring programs work by checking that the student has only the test software and no other programs open; others monitor keystrokes. Some use the computer’s camera or cellphone audio to check that the student is working alone. A number of South African universities have taken up <a href="https://www.unisa.ac.za/sites/corporate/default/Colleges/Economic-and-Management-Sciences/News-&-events/Articles/Unisa-pilots-proctoring-tools-for-2nd-online-exam">cellphone monitoring</a> programs.</p>
<p>But this software is not innocuous.</p>
<p>I argue in a <a href="https://www.tandfonline.com/doi/full/10.1080/14767430.2022.2100612">recent article</a> that the uptake of proctoring software is a symptom of a much larger problem.</p>
<p>Universities have neglected their educational responsibilities in service of a neoliberal ideology. This positions students as customers and higher education as a business. It’s a problem because when universities become businesses selling qualifications, it narrows their potential to be places where students enjoy transformative relationships with knowledge, and where knowledge is created to serve people and the planet. </p>
<p>The ability to memorise information and regurgitate it within a short time limit is required in only a small handful of situations. What most students need is to understand how knowledge is made in their field of study, what contributions that field makes to society, and how they can source and evaluate information to answer questions and <a href="https://theconversation.com/how-school-maths-could-better-prepare-south-africans-for-the-world-of-work-147394">resolve problems</a>. They need to learn how to be <a href="https://theconversation.com/education-needs-a-refocus-so-that-all-learners-reach-their-full-potential-154649">ethical, critical citizens</a>. </p>
<p>Assessment directed towards such ends looks very different from current practices, which are obsessed with both memorisation and cheating.</p>
<h2>What’s wrong with proctoring</h2>
<p>Proctoring raises three issues of concern: privacy, racism and ableism.</p>
<p><strong>Privacy:</strong> Those selling the software insist that students give consent to its use. But if students don’t, they are excluded from the exam. Universities have ethics committees to make sure their researchers don’t use such coercive tactics and yet they use them on students. Researchers have to ensure that potential participants fully understand a study’s potential risks and benefits before they can offer informed consent. </p>
<p>The invasiveness of the software is <a href="https://www.theverge.com/2020/10/22/21526792/proctorio-online-test-proctoring-lawsuit-universities-students-coronavirus">well documented</a> and many scholars have said it has most of the characteristics of <a href="https://www.forbes.com/sites/seanlawson/2020/04/24/are-schools-forcing-students-to-install-spyware-that-invades-their-privacy-as-a-result-of-the-coronavirus-lockdown/?sh=6db401d9638d">illegal spyware</a>. </p>
<p>Allowing a stranger to listen in on a student’s family home as they write a test is surely an indication that it’s the wrong way of doing assessment. </p>
<p><strong>Racism of facial recognition software:</strong> Whether it is the photo tagging suggestions of social media, border security systems, or proctoring software, <a href="https://arxiv.org/abs/2010.07023">facial recognition</a> remains poor at recognising people <a href="https://quod.lib.umich.edu/t/tia/17063888.0039.308?view=text;rgn=main">with darker skin</a>. The artificial intelligence that compares the face on the student card to the person in front of the computer camera is far more likely to <a href="https://jitp.commons.gc.cuny.edu/toward-abolishing-online-proctoring-counter-narratives-deep-change-and-pedagogies-of-educational-dignity/">flag a suspicion</a> if that student is black than if they are white.</p>
<p><strong>Ableism of facial recognition:</strong> Anyone with a body shape that does not meet the program’s expectations can find themselves flagged as suspicious. This includes the tics and stimming of people with Tourette’s syndrome, cerebral palsy, Huntington’s syndrome and autism.</p>
<p>Many American universities have now opted out of proctoring software in response to protests by academics and students.</p>
<p>But opting out attends to the symptom – universities spying on their students – and not to the causes of such activities.</p>
<h2>Neoliberal ideology</h2>
<p>The underlying cause is that many universities around the world have taken on a <a href="https://www.britannica.com/topic/neoliberalism">neoliberal ideology</a>, whereby the worth of any person, object, creature or activity is thought to be measurable in terms of its contribution to the economy.</p>
<p>A neoliberal university believes, firstly, that it is a business in the knowledge market. In commercialising education, universities <a href="http://www.cilt.uct.ac.za/cilt/projects/uct-leeds">increasingly outsource educational activities</a> – such as monitoring examinations using proctoring software. </p>
<p>When Ian Linkletter, an educational technologist at the University of British Columbia in Canada, tweeted criticisms of the proctoring software used in his university, <a href="https://www.theverge.com/2020/10/22/21526792/proctorio-online-test-proctoring-lawsuit-universities-students-coronavirus">he was sued</a> by the company. The market cannot allow the critical engagement that should be at the heart of a university.</p>
<p>Secondly, the neoliberal university treats the student as a customer. In a world where knowledge is packaged and sold as a commodity, software companies convince universities that their product, the qualifications they award, can be devalued if they are not policed. </p>
<p>In such an understanding of the university, proctoring software makes sense.</p>
<p>It should come as no surprise that students are quickly learning <a href="https://www.vice.com/en/article/3an98j/students-are-easily-cheating-state-of-the-art-test-proctoring-tech">to game the system</a>. The internet is replete with tips on how to confuse the software and get assistance online even while the software is running.</p>
<p>The third characteristic of neoliberal ideology is that power is accorded along lines of <a href="https://theconversation.com/education-and-inequality-in-2021-how-to-change-the-system-158470">wealth</a>. This characteristic is also in evidence in most universities worldwide. The university, as a relatively wealthy institution, has the power to implement invasive technology without much challenge. The average student must simply comply.</p>
<h2>Universities for the common good</h2>
<p>It becomes impossible to implement proctoring software if the conception of the university is that it is a social structure that contributes powerful, principled knowledge in service of people and the planet.</p>
<p>Such a social structure would need to expend significant energy in inducting students into their role as knowledge creators and encouraging them to take on this identity responsibly. This would require shifts in how academics interact with students and articulate the purpose of a higher education to students and the public. It would also require a rethink of the form and function of assessment.</p>
<p class="fine-print"><em><span>Sioux McKenna does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Proctoring software is a symptom of a bigger problem: universities see themselves as businesses and students as customers.</p>
<p>Sioux McKenna, Director of Centre for Postgraduate Studies, Rhodes University &amp; Visiting Research Professor in Center for International Higher Education, Boston College, Rhodes University</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>How tech is driving new forms of domestic abuse</h1>
<p>Published 2022-02-21T15:32:02Z</p>
<figure><img src="https://images.theconversation.com/files/447257/original/file-20220218-43851-ne7qik.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Spyware and covert monitoring devices can be exploited to abusive ends.</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/smart-technologies-your-smartphone-collection-analysis-1516856447">Trismegist san | Shutterstock</a></span></figcaption></figure>
<p>Perpetrators of domestic abuse are <a href="https://www.refuge.org.uk/our-work/our-services/tech-abuse-empowerment-service/">increasingly</a> exploiting <a href="https://post.parliament.uk/technology-and-domestic-abuse/">digital tools</a> to coerce and control their victims. Where there is abuse in a relationship, technology will also feature in how that abuse is conducted. Police forces now expect as much when responding to cases of domestic abuse.</p>
<p>Such <a href="https://post.parliament.uk/technology-and-domestic-abuse/">technological abuse</a> features everyday tools, from smart devices to online platforms and mobile phone apps. And the information on where to find them and how to use them is easily accessible online, often using a simple Google search. </p>
<p>To understand the extent of this problem, we <a href="https://pure.port.ac.uk/ws/portalfiles/portal/50080933/Home_office_FINAL_report.pdf">conducted</a> a wide-ranging study for the UK government. We reviewed 146 domestic abuse cases reported in British and international media, and conducted in-depth interviews with support charity workers and frontline police officers in England. </p>
<p>We found that abusers often have <a href="https://nixdell.com/papers/a046-freed.pdf">physical access</a> to their partners’ devices and use them to monitor, harass and humiliate. Abusers can force their victims to disclose passwords, PIN codes or swipe patterns to get into their devices so they can install spyware – all without sophisticated tech knowledge.</p>
<p>Geolocation software and other surveillance spyware <a href="https://www.tandfonline.com/doi/abs/10.1080/14680777.2018.1447341?journalCode=rfms20">provide</a> new possibilities for abusers to monitor and track victims’ movements. In our study, we found hundreds of tools online that could be used for these purposes.</p>
<figure class="align-center ">
<img alt="Someone holds up a smart phone next to a model of a home." src="https://images.theconversation.com/files/447266/original/file-20220218-3064-15tefi2.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/447266/original/file-20220218-3064-15tefi2.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/447266/original/file-20220218-3064-15tefi2.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/447266/original/file-20220218-3064-15tefi2.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/447266/original/file-20220218-3064-15tefi2.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=502&fit=crop&dpr=1 754w, https://images.theconversation.com/files/447266/original/file-20220218-3064-15tefi2.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=502&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/447266/original/file-20220218-3064-15tefi2.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=502&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Smart tech and apps designed for legitimate purposes can be misused.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/internet-things-iot-smart-home-network-526662046">Zapp2Photo | Shutterstock</a></span>
</figcaption>
</figure>
<h2>Surveillance</h2>
<p>Some apps <strong><a href="https://digitalcommons.law.uidaho.edu/idaho-law-review/vol51/iss3/5/">hint at the possibility of</a></strong> allowing hidden surveillance. One survey found <a href="https://press.avast.com/use-of-stalkerware-and-spyware-apps-increase-by-93-since-lockdown-began-in-the-uk">a 93% increase</a> in the use of spyware and “stalkerware” apps since the beginning of the pandemic. </p>
<p>We also found that there are tracking apps which are designed for legitimate purposes, such as child or anti-theft protection, and which are widely available on equally legitimate sites and app stores. Research shows these <a href="https://dl.acm.org/doi/pdf/10.1145/3173574.3174241">have</a> been <a href="https://research.monash.edu/en/publications/new-forms-of-gendered-surveillance-intersections-of-technology-an">exploited</a> to spy on or reportedly to <a href="https://www.vice.com/en/article/aemeae/meet-flexispy-the-company-getting-rich-selling-stalkerware-to-jealous-lovers">stalk</a> a partner (or ex-partner). Studies now <a href="https://ieeexplore.ieee.org/document/8418618">refer</a> to them as dual-use apps.</p>
<p>Similar concerns have been voiced about covert monitoring devices and smart tech such as Apple’s AirTags. These small Bluetooth devices are designed to be paired with tracking apps for finding lost belongings, such as car keys. But stalkers have <a href="https://www.theguardian.com/technology/2022/jan/20/apple-airtags-stalking-complaints-technology">reportedly</a> exploited them too.</p>
<p>It’s not just <a href="https://www.ucl.ac.uk/steapp/sites/steapp/files/giot-report.pdf">smart devices</a> that are being used to access personal information. Smart locks, thermostats, networked TV and sound systems, as well as security monitoring equipment are also being exploited to control and terrify victims – to monitor their movements and any visits they get.</p>
<p>Further, where an abuser has access to cloud-based voice services, they will be able to access past conversations, order information and other data that might give them insights into the plans of a victim, potentially even if they are planning to leave. </p>
<figure class="align-center ">
<img alt="A woman with long black hair holds a phone in one hand and her other hand cover her eyes." src="https://images.theconversation.com/files/447255/original/file-20220218-44444-1lh2v8g.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/447255/original/file-20220218-44444-1lh2v8g.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/447255/original/file-20220218-44444-1lh2v8g.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/447255/original/file-20220218-44444-1lh2v8g.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/447255/original/file-20220218-44444-1lh2v8g.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/447255/original/file-20220218-44444-1lh2v8g.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/447255/original/file-20220218-44444-1lh2v8g.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Abusers are setting up fake accounts in their victims’ names in order to harass and humiliate them.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/women-who-have-smart-phone-suffering-1931340914">kei907 | Shutterstock</a></span>
</figcaption>
</figure>
<h2>Harassment</h2>
<p>We found that fake accounts on online platforms and social media are often set up with abusive intent. They can be used to present the victim in a derogatory manner. A man in Liverpool <a href="https://www.liverpoolecho.co.uk/news/liverpool-news/dumped-boyfriend-created-fake-swinger-19591442">was jailed</a> after he listed his ex-girlfriend’s workplace in accounts set up in her name on swinger and dating platforms. </p>
<p>Legally, this is a grey area. Hacking a person’s account is a clear criminal offence, while impersonating someone to create a fake account is not. In some but not all instances, it can be argued that doing so constitutes <a href="https://www.researchgate.net/publication/264365163_IH8U_Confronting_Cyberbullying_and_Exploring_the_Use_of_Cybertools_in_Teen_Dating_Relationships">cyber-harassment</a>. </p>
<p>A case in point is the man who, in 2018, <strong>reportedly</strong> set up a fraudulent Facebook profile of his ex-wife in which he falsely claimed she fantasised about <a href="https://www.thesun.co.uk/news/6889072/husband-fake-facebook-profile-encouraged-rape-wife-revenge-plot/">being raped</a>. Because he included contact details in the profile, a random stranger turned up at her workplace to meet her.</p>
<p>Similarly, in 2017, another man <strong>allegedly</strong> <a href="http://www.outsmartmagazine.com/2017/04/man-sues-grindr-after-1100-men-show-up-at-home-thanks-to-exs-revenge-scheme/">set up fake Grindr accounts</a> in the name of his ex-boyfriend. Over 1,000 men turned up at the victim’s house and workplace, looking for sex. </p>
<p>Elsewhere, perpetrators are engaging in <a href="https://inherentlyhuman.wordpress.com/2016/02/15/not-revenge-porn-but-abuse-lets-call-it-image-based-sexual-abuse/">image-based sexual abuse</a>. People might <a href="https://theconversation.com/revenge-porn-is-sexual-violence-not-millennial-negligence-126233">threaten</a> to release intimate pictures or videos to retain control over their victim. </p>
<p>In other instances, we noted that perpetrators who set up fake social media profiles of their victims have used these profiles to disseminate intimate images of them. Other means of distributing these materials have been to send them directly to friends, family and employers, as well as publishing them publicly online. </p>
<p>The term <a href="https://theconversation.com/revenge-porn-is-sexual-violence-not-millennial-negligence-126233">“revenge porn”</a> is widely understood as the sharing or distribution of nude or sexual images by jilted ex-lovers whose primary motivations are revenge or retribution. It <a href="https://theconversation.com/dont-watch-pam-and-tommy-the-series-turns-someones-trauma-into-entertainment-176844">does not</a>, however, capture the full range of motivations under which perpetrators might be operating, from blackmail and extortion to control, sexual gratification, voyeurism, social-status building and monetary gain. It also focuses attention on the content of the image, rather than on the abusive actions of perpetrators who misuse nude or sexual images.</p>
<p>Technological abuse does not require IT proficiency. Perpetrators are using everyday, affordable, accessible tech. What we need is a better, more accurate definition of what constitutes domestic abuse and support services that are equipped to deal with it. As one charity worker we spoke to put it:</p>
<blockquote>
<p>We know that domestic violence takes place online as well, but our service provisions tend to be very much shelters, workers, keyworkers, support officers, social workers who deal with the physical act and taking people out of a situation. But when you talk about a phone and other digital devices, I don’t think we’re there yet.</p>
</blockquote>
<p><em>If you or anyone you know has been a victim of any of the aspects we discussed above, there is help available. Please reach out to Refuge Freephone 24-Hour National Domestic Abuse Helpline: 0808 2000 247
or visit www.nationaldahelpline.org.uk (access live chat Mon-Fri 3-10pm)</em></p>
<p class="fine-print"><em><span>Lisa Sugiura receives funding from the UK Home Office. Acknowledgements go to Professor Mark Button, Dr Jacki Tapley, Dr Rahime Belen-Saglam, Dr Brian Frederick, Dr Chloe Hawkins and Mr Dean Blackbourn for their invaluable contributions to this research.</span></em></p><p class="fine-print"><em><span>Jason R.C. Nurse receives funding from The Engineering and Physical Sciences Research Council (EPSRC) and the UK Home Office. </span></em></p>
<p><em>Abusers are exploiting all manner of smart tech and software to extend their capacity for coercive control.</em></p>
<p class="fine-print">Lisa Sugiura, Senior Lecturer in Criminology and Cybercrime, University of Portsmouth; Jason R.C. Nurse, Associate Professor in Cyber Security, University of Kent. Licensed as Creative Commons – attribution, no derivatives.</p>
<h2>Monitor or talk? 5 ways parents can help keep their children safe online</h2>
<p class="fine-print">Published 2021-11-19T13:15:10Z. Feed id: tag:theconversation.com,2011:article/169002</p>
<figure><img src="https://images.theconversation.com/files/432663/original/file-20211118-20-t5yhng.jpg?ixlib=rb-1.1.0&rect=60%2C0%2C6649%2C4466&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Communication is key, experts say.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/photo/mother-an-son-using-laptop-at-home-royalty-free-image/1033164998?adppopup=true">damircudic/E+ via Getty Images</a></span></figcaption></figure>
<p>Children have been <a href="https://www.nytimes.com/2021/01/16/health/covid-kids-tech-use.html">spending more time online</a>. A May 2020 study found that U.S. teenagers spent <a href="https://dx.doi.org/10.1001/jamapediatrics.2021.4334">around seven hours a day, on average</a>, using screens. Even before the pandemic, U.S. teens were indicating in surveys that they were “<a href="https://www.pewresearch.org/internet/2018/05/31/teens-social-media-technology-2018/#a-growing-share-of-teens-describe-their-internet-use-as-near-constant">almost constantly online</a>.”</p>
<p>As with any venue, parents might be concerned about what dangers lurk on the internet – from <a href="https://cyberbullying.org/bullying-during-the-covid-19-pandemic">cyberbullying</a> to <a href="https://doi.org/10.1542/peds.2018-3183">teen-to-teen sexting</a> – and tempted to use various technological tools to monitor their children’s online activities. </p>
<p>As a researcher who specializes in <a href="https://scholar.google.com/citations?user=N3T-78EAAAAJ&hl=en&oi=ao">how teens operate in online environments</a>, I know that spying on your children’s keystrokes and web browsers isn’t the only or even the best parental practice to employ and may create problems of its own. Here are five tips on how parents can encourage their children to adopt safer online behavior beyond using spyware or computer surveillance.</p>
<h2>1. Don’t just monitor your kids online, talk to them</h2>
<p>Technical measures, such as those that allow parents to monitor <a href="https://www.mspy.com/">every keystroke</a>, can provide parents with an additional way to keep tabs on what their children are doing. However, parental controls should not replace an ongoing conversation with children about their digital media use and what it means to be safe online. </p>
<p>Many parents <a href="https://doi.org/10.1016/j.chb.2017.04.004">value open communication</a> with their children about their internet use. This can be beneficial in keeping them safe. Research on related traditional risk behaviors, such as teenage substance use, has found that children who have open conversations with their parents are less likely to engage in <a href="https://doi.org/10.1080/15267431.2016.1251920">these risky behaviors</a>. Open communication about online experiences may also allow children to stay safer online.</p>
<h2>2. Search for conversation starters</h2>
<p>More and more television series and films have story lines about digital media use that serve as natural conversation starters. For example, in Episode 5 of the first season of Netflix’s “<a href="https://www.netflix.com/title/80197526">Sex Education</a>,” sexting is a central theme as sexually explicit images of a girl are sent to her schoolmates. The main characters of the show try to put a stop to this revenge porn. The movie “<a href="https://www.20thcenturystudios.com/movies/love-simon">Love, Simon</a>” portrays the struggles of a gay teenage boy who seeks and finds online support from another closeted gay student in his school through an online confession site, only to be outed through the same online platform. </p>
<p>Alternatively, you could ask your children to teach you how to use some of their favorite apps. This would be an excellent opportunity to discover together all the features as well as the privacy settings that these applications offer.</p>
<h2>3. Assure your children they can turn to you if they run into trouble</h2>
<p>As part of an ongoing conversation about media use, parents should make sure that their children feel they can reach out to them for help when they run into unpleasant online experiences. Research has found that some children are <a href="https://www.igi-global.com/article/adolescents-experiences-of-cyberbullying/173740">afraid to talk</a> to their parents when they face problems such as cyberbullying. They worry that parents may overreact or take away their devices. </p>
<p>Making sure that your child knows that they can reach out for help and that you will try your best to understand their needs can make them less vulnerable to risks like online extortion. If your child does disclose a particular online problem, a good way to respond is to simply ask your child how the problem makes them feel.</p>
<h2>4. Explain why you’re monitoring their online activities</h2>
<p>Parents who do decide to monitor their children’s internet use should always disclose that they are doing so. Most parents already do this, as evidenced in a study that found most parents believe that not telling their children that they are being monitored would <a href="https://doi.org/10.1080/17482798.2020.1744458">violate their child’s sense of privacy and security</a>.</p>
<p>Moreover, when children find out that their internet use has been monitored without their knowledge, it could lead to a <a href="https://www.lse.ac.uk/media-and-communications/assets/documents/research/projects/childrens-privacy-online/Evidence-review-final.pdf">breach of trust</a>. One study found that <a href="https://doi.org/10.1037/dev0000615">intrusive parenting</a>, such as snooping without their children’s knowing, can lead to more negative interactions between parents and children once the children find out and could make some children less likely to communicate with their parents. Consequently, parents will become less informed about their children’s lives. Therefore, it is important for parents to explain the reasons they are monitoring their children’s online behavior.</p>
<h2>5. Tailor monitoring to your child’s maturity and unique situation</h2>
<p>While young children can benefit from a close monitoring of their internet use, research has found that many parents gradually grant more autonomy to their children and <a href="https://doi.org/10.1016/j.chb.2017.04.004">become less restrictive in their monitoring</a> <a href="https://doi.org/10.1016/j.adolescence.2010.09.002">as the children get older</a>. As a natural part of growing up, teenagers increasingly value <a href="https://doi.org/10.1016/j.chb.2017.04.004">personal autonomy</a>, especially when it comes to their media use.</p>
<p>Just as parents cannot always monitor their teenage children in the offline world, they could find it useful to grant their children gradual increased autonomy in the online world as they get older. This can encourage children to develop <a href="https://doi.org/10.1007/s10639-020-10342-w">problem-solving skills</a> and teaches them to navigate online risks. What this looks like will differ for each child and depends on their age. Everyone is susceptible in different ways <a href="https://doi.org/10.1002/9781119011071.iemp0122">to media effects and online risks</a>. This is why it is important to adapt the autonomy that you grant your child based on their personality, their maturity and their prior online experiences.</p>
<p>Online monitoring can also have some unintended side effects. For example, parents of LGBTQ teenagers should be aware that sexual and gender minority youths often rely on the internet to find information, explore their identities and connect with the <a href="https://doi.org/10.1080/2005615X.2017.1313482">broader LGBTQ community</a>. Restrictive forms of monitoring may take away youth agency and may severely limit opportunities for them to grow in their identities.</p>
<p>Whether or not parents decide to monitor their children’s internet use, there is still <a href="https://doi.org/10.1177/20501579211012436">much to learn</a> about effective parental mediation in an increasingly complex digital world. While parental monitoring differs for each child, it should primarily start with good communication and a balance between <a href="https://doi.org/10.1007/s10639-020-10342-w">surveillance and autonomy</a>.</p>
<p class="fine-print"><em><span>Joris Van Ouytsel received funding from the Research Foundation - Flanders.</span></em></p>
<p><em>Parents who spy on their children’s online activity run the risk of doing more harm than good, an expert says.</em></p>
<p class="fine-print">Joris Van Ouytsel, Assistant Professor of Interpersonal Communication, Arizona State University. Licensed as Creative Commons – attribution, no derivatives.</p>
<h2>What is Pegasus? A cybersecurity expert explains how the spyware invades phones and what it does when it gets in</h2>
<p class="fine-print">Published 2021-08-09T12:26:14Z. Feed id: tag:theconversation.com,2011:article/165382</p>
<figure><img src="https://images.theconversation.com/files/415046/original/file-20210806-90251-104b4rt.jpg?ixlib=rb-1.1.0&rect=8%2C0%2C5455%2C3645&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">A woman holds a phone in front of the office of NSO Group, which makes a tool that can see and hear everything a phone is used for.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/news-photo/an-israeli-woman-uses-her-iphone-in-front-of-the-building-news-photo/596871396">Jack Guez/AFP via Getty Images</a></span></figcaption></figure>
<p>End-to-end encryption is technology that scrambles messages on your phone and unscrambles them only on the recipients’ phones, which means anyone who intercepts the messages in between can’t read them. Dropbox, Facebook, Google, Microsoft, Twitter and Yahoo are among the companies whose apps and services <a href="https://www.eff.org/encrypt-the-web-report">use end-to-end encryption</a>.</p>
<p>This kind of encryption is good for protecting your privacy, but <a href="https://www.washingtonpost.com/politics/2021/03/04/cybersecurity-202-fbi-renews-attack-encryption-ahead-another-possible-attack-capitol/">governments don’t like it</a> because it makes it difficult for them to spy on people, whether tracking criminals and terrorists or, as some governments have been known to do, snooping on dissidents, protesters and journalists. Enter an Israeli technology firm, <a href="https://www.nsogroup.com/">NSO Group</a>.</p>
<p>The company’s flagship product is Pegasus, <a href="https://techterms.com/definition/spyware">spyware</a> that can stealthily enter a smartphone and gain access to everything on it, including its camera and microphone. Pegasus is designed to infiltrate devices running Android, Blackberry, iOS and Symbian <a href="https://techterms.com/definition/operating_system">operating systems</a> and turn them into surveillance devices. The company says it sells Pegasus <a href="https://www.nsogroup.com/about-us/">only to governments</a> and only for the purposes of tracking criminals and terrorists.</p>
<h2>How it works</h2>
<p><a href="https://economictimes.indiatimes.com/tech/trendspotting/what-is-pegasus-spyware-and-how-it-works/articleshow/84607533.cms">Earlier versions of Pegasus</a> were installed on smartphones through <a href="https://nvd.nist.gov/vuln">vulnerabilities</a> in commonly used apps or by <a href="https://www.trendmicro.com/vinfo/us/security/definition/spear-phishing">spear-phishing</a>, which involves tricking a targeted user into clicking a link or opening a document that secretly installs the software. It can also be installed over a wireless <a href="https://www.pcmag.com/encyclopedia/term/transceiver">transceiver</a> located near a target, or manually if an agent can steal the target’s phone.</p>
<figure class="align-right zoomable">
<a href="https://images.theconversation.com/files/415050/original/file-20210806-19-17pnxr8.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="Close-up of an icon on a smartphone screen" src="https://images.theconversation.com/files/415050/original/file-20210806-19-17pnxr8.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/415050/original/file-20210806-19-17pnxr8.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/415050/original/file-20210806-19-17pnxr8.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/415050/original/file-20210806-19-17pnxr8.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/415050/original/file-20210806-19-17pnxr8.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=502&fit=crop&dpr=1 754w, https://images.theconversation.com/files/415050/original/file-20210806-19-17pnxr8.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=502&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/415050/original/file-20210806-19-17pnxr8.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=502&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Pegasus can infiltrate a smartphone via the widely used messaging app WhatsApp without the phone’s user noticing.</span>
<span class="attribution"><a class="source" href="https://flickr.com/photos/140988606@N08/25076398627/">Christoph Scholz/Flickr</a>, <a class="license" href="http://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA</a></span>
</figcaption>
</figure>
<p>Since 2019, Pegasus users have been able to install the software on smartphones with a <a href="https://economictimes.indiatimes.com/tech/trendspotting/what-is-pegasus-spyware-and-how-it-works/articleshow/84607533.cms">missed call on WhatsApp</a>, and can even delete the record of the missed call, making it impossible for the phone’s owner to know anything is amiss. Another way is by simply sending a message to a user’s phone that produces no notification. </p>
<p>This means the latest version of this spyware does not require the smartphone user to do anything. All that is required for a successful spyware attack and installation is having a particular vulnerable app or operating system installed on the device. This is known as a <a href="https://www.news18.com/news/tech/explained-what-are-zero-click-hacks-and-why-are-they-such-a-menace-3988664.html">zero-click exploit</a>.</p>
<p>Once installed, Pegasus can theoretically <a href="https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html">harvest any data</a> from the device and transmit it back to the attacker. It can steal photos and videos, recordings, location records, communications, web searches, passwords, call logs and social media posts. It also has the capability to activate cameras and microphones for real-time surveillance without the permission or knowledge of the user. </p>
<h2>Who has been using Pegasus and why</h2>
<p>NSO Group says it builds Pegasus solely for governments to use in counterterrorism and law enforcement work. The company markets it as a targeted spying tool to track criminals and terrorists and not for mass surveillance. The company does not disclose its clients.</p>
<p>The <a href="https://www.ynetnews.com/articles/0,7340,L-5444330,00.html">earliest reported use</a> of Pegasus was by the Mexican government in 2011 to track notorious drug baron Joaquín “El Chapo” Guzmán. The tool was also reportedly used to <a href="https://www.washingtonpost.com/investigations/interactive/2021/jamal-khashoggi-wife-fiancee-cellphone-hack/">track people</a> close to murdered Saudi journalist Jamal Khashoggi.</p>
<p>It is unclear who or what types of people are being targeted and why. However, <a href="https://www.bbc.com/news/technology-57881364">much of the recent reporting</a> about Pegasus centers around a list of 50,000 phone numbers. The list has been attributed to NSO Group, but the list’s origins are unclear. A statement from Amnesty International in Israel stated that <a href="https://twitter.com/KimZetter/status/1418212758185648146">the list contains phone numbers</a> that were marked as “of interest” to NSO’s various clients, though it’s not known if any of the phones associated with those numbers have actually been tracked. </p>
<p>A media consortium, <a href="https://forbiddenstories.org/case/the-pegasus-project/">the Pegasus Project</a>, analyzed the phone numbers on the list and identified over 1,000 people in over 50 countries. The findings included people who appear to fall outside of the NSO Group’s restriction to investigations of criminal and terrorist activity. These include politicians, government workers, journalists, human rights activists, business executives and Arab royal family members. </p>
<h2>Other ways your phone can be tracked</h2>
<p>Pegasus is breathtaking in its stealth and its seeming ability to take complete control of someone’s phone, but it’s not the only way people can be spied on through their phones. Some of the ways phones <a href="https://ssd.eff.org/en/playlist/privacy-breakdown-mobile-phones">can aid surveillance and undermine privacy</a> include location tracking, eavesdropping, <a href="https://techterms.com/definition/malware">malware</a> and collecting data from sensors. </p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/415049/original/file-20210806-90685-1xfv372.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="An electronic device with handles on either side of a front panel containing buttons and lights and a graphic representation of a stingray" src="https://images.theconversation.com/files/415049/original/file-20210806-90685-1xfv372.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/415049/original/file-20210806-90685-1xfv372.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=384&fit=crop&dpr=1 600w, https://images.theconversation.com/files/415049/original/file-20210806-90685-1xfv372.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=384&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/415049/original/file-20210806-90685-1xfv372.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=384&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/415049/original/file-20210806-90685-1xfv372.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=482&fit=crop&dpr=1 754w, https://images.theconversation.com/files/415049/original/file-20210806-90685-1xfv372.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=482&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/415049/original/file-20210806-90685-1xfv372.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=482&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Law enforcement agencies use cell site simulators like this StingRay to intercept calls from phones in the vicinity of the device.</span>
<span class="attribution"><a class="source" href="https://newsroom.ap.org/detail/WashingtonSuspectedPhoneSpying/4e99d5e5bd054437abaf4ae4981894a0/photo">U.S. Patent and Trademark Office via AP</a></span>
</figcaption>
</figure>
<p>Governments and phone companies can track a phone’s location by tracking cell signals from cell tower transceivers and <a href="https://www.eff.org/pages/cell-site-simulatorsimsi-catchers">cell transceiver simulators</a> like the <a href="https://www.engadget.com/2015-04-08-erie-county-police-stingray-spy.html">StingRay</a> device. Wi-Fi and Bluetooth signals can also be <a href="https://arstechnica.com/tech-policy/2020/08/beware-of-find-my-phone-wi-fi-and-bluetooth-nsa-tells-mobile-users/">used to track phones</a>. In some cases, apps and web browsers can determine a phone’s location. </p>
<p>Eavesdropping on communications is harder to accomplish than tracking, but it is possible in situations in which encryption is weak or lacking. Some types of malware can compromise privacy by accessing data.</p>
<p>The National Security Agency has sought agreements with technology companies under which the companies would give the agency special access into their products via <a href="https://techterms.com/definition/backdoor">backdoors</a>, and has <a href="https://www.reuters.com/article/us-usa-security-congress-insight/spy-agency-ducks-questions-about-back-doors-in-tech-products-idUSKBN27D1CS">reportedly built backdoors on its own</a>. The companies say that backdoors <a href="https://www.zdnet.com/article/coalition-of-tech-giants-hit-by-nsa-spying-slams-encryption-backdoors/">defeat the purpose of end-to-end encryption</a>.</p>
<p>The good news is, depending on who you are, you’re unlikely to be targeted by a government wielding Pegasus. The bad news is, that fact alone does not guarantee your privacy.</p>
<p class="fine-print"><em><span>Bhanukiran Gurijala does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p><em>A tool made for tracking criminals and terrorists has potentially been used against politicians, dissidents and journalists. Here’s how the spyware works.</em></p>
<p class="fine-print">Bhanukiran Gurijala, Assistant Professor of Computer Science & Information Systems, West Virginia University. Licensed as Creative Commons – attribution, no derivatives.</p>
<h2>Spyware: why the booming surveillance tech industry is vulnerable to corruption and abuse</h2>
<p class="fine-print">Published 2021-07-22T13:24:22Z. Feed id: tag:theconversation.com,2011:article/164917</p>
<figure><img src="https://images.theconversation.com/files/412661/original/file-20210722-23-1582yi3.jpeg?ixlib=rb-1.1.0&rect=0%2C0%2C7329%2C3628&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/man-finger-clicks-on-open-padlock-1934920949">Zoomik/Shutterstock</a></span></figcaption></figure>
<p>The world’s most sophisticated commercially available spyware may be being abused, according to <a href="https://amp.theguardian.com/world/2021/jul/18/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus">an investigation</a> by 17 media organisations in ten countries. <a href="https://www.independent.co.uk/world/pegasus-spyware-nso-activists-journalists-b1886317.html">Intelligence leaks</a> and <a href="https://www.amnesty.org/en/latest/news/2021/07/amnesty-categorically-pegasus-project-data-linked-to-nso/">forensic phone analysis</a> suggest the surveillance software, called <a href="https://www.theguardian.com/news/2021/jul/18/what-is-pegasus-spyware-and-how-does-it-hack-phones">Pegasus</a>, has been <a href="https://www.theguardian.com/news/2021/jul/19/nso-clients-spying-disclosures-prompt-political-rows-across-world">used to target</a> and spy on the phones of human rights activists, investigative journalists, politicians, researchers and academics. </p>
<p>NSO Group, the Israeli cyber intelligence firm behind Pegasus, insists that it only licenses its spyware to <a href="https://www.nsogroup.com/Newses/cyber-intelligence-sector-leader-nso-group-unveils-the-industrys-first-transparency-and-responsibility-report/">vetted government clients</a> in the name of combating transnational crime and terrorism. It has labelled reports from investigative journalists a “<a href="https://www.nsogroup.com/Newses/enough-is-enough/">vicious and slanderous campaign</a>” upon which it will no longer comment.</p>
<p>Yet the founder and chief executive of NSO Group <a href="https://www.theguardian.com/news/2021/jul/19/fifty-people-close-mexico-president-amlo-among-potential-targets-nso-clients">previously admitted</a> that “in some circumstances our customers might misuse the system.” Given that the group has sold its spyware to a reported <a href="https://www.theguardian.com/world/2021/jul/18/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus">40 countries</a>, including some with poor records of <a href="https://www.theguardian.com/news/audio/2021/jul/21/the-pegasus-project-part-3-cartels-corruption-and-cyber-weapons-podcast">corruption</a> and <a href="https://observatoryihr.org/news/spyware-leak-reveals-pegasus-was-used-to-hack-human-rights-activists-journalists-and-lawyers-globally/">human rights violations</a>, it’s alleged that Pegasus has been significantly misused, undermining the freedom of the press, freedom of thought and free and open democracies.</p>
<p>These revelations are the latest indication that the spyware industry is out of control, with licensed customers free to spy on political and civilian targets as well as suspected criminals. We may be heading to a world in which <a href="https://www.theguardian.com/news/2021/jul/19/edward-snowden-calls-spyware-trade-ban-pegasus-revelations">no phone is safe</a> from such attacks. </p>
<h2>How Pegasus works</h2>
<p>Pegasus is regarded as the <a href="https://theconversation.com/how-does-the-pegasus-spyware-work-and-is-my-phone-at-risk-164781">most advanced spyware</a> on the market. It can infiltrate victims’ devices without their even having to click a malicious link – a so-called “<a href="https://cybersecurity-journal.com/2020/08/14/demystifying-zero-click-attacks/">zero-click attack</a>”. Once inside, the power Pegasus possesses to transform a phone into a surveillance beacon is astounding. </p>
<p>It immediately sets to work copying messages, pictures, videos and downloaded content to send to the attacker. As if that’s not insidious enough, Pegasus can record calls and track a target’s location while independently and secretly activating a phone’s camera and microphone. With this capability, an infected phone acts like a fly on the wall, seeing, hearing and reporting back the intimate and sensitive conversations that it <a href="https://www.theguardian.com/news/2021/jul/18/what-is-pegasus-spyware-and-how-does-it-hack-phones">watches continuously</a>.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/how-does-the-pegasus-spyware-work-and-is-my-phone-at-risk-164781">How does the Pegasus spyware work, and is my phone at risk?</a>
</strong>
</em>
</p>
<hr>
<p>There’s previous evidence of Pegasus misuse. It was implicated in the <a href="https://www.ohchr.org/EN/NewsEvents/Pages/DisplayNews.aspx?NewsID=25488&LangID=E">alleged hacking</a> of Jeff Bezos’ phone by the crown prince of Saudi Arabia in 2018. The following year, it was revealed that several <a href="https://www.huffpost.com/archive/in/entry/did-indian-govt-buy-pegasus-spyware-home-ministry-answer-is-worrying_in_5dd3bbb1e4b082dae813a058">Indian lawyers and activists</a> had been targeted by a Pegasus attack via WhatsApp. </p>
<p>The new revelations suggest that Pegasus was used to watch Mexico’s president Andres Manuel Lopez and <a href="https://www.theguardian.com/news/2021/jul/19/fifty-people-close-mexico-president-amlo-among-potential-targets-nso-clients">50 members</a> of his inner circle – including friends, family, doctors, and aides – when he was an opposition politician. Pegasus has also been linked to the <a href="https://www.theguardian.com/news/2021/jul/19/modi-accused-treason-opposition-india-spyware-disclosures">surveillance of Rahul Gandhi</a>, the current political rival to Indian prime minister Narendra Modi. </p>
<p>A Pegasus infiltration has also now <a href="https://www.theguardian.com/world/2021/jul/18/nso-spyware-used-to-target-family-of-jamal-khashoggi-leaked-data-shows-saudis-pegasus">been found</a> among phones belonging to the family and friends of <a href="https://www.bbc.com/news/world-europe-45812399">murdered journalist</a> Jamal Khashoggi, and there are indications that Pegasus may also have been <a href="https://www.theguardian.com/news/2021/jul/18/revealed-murdered-journalist-number-selected-mexico-nso-client-cecilio-pineda-birto">used by a Mexican NSO client</a> to target the Mexican journalist Cecilio Pineda Birto, who was <a href="https://rsf.org/en/news/mexico-reporters-murder-revives-debate-about-effectiveness-protection">murdered</a> in 2017.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/G7H9uo3j5FQ?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
</figure>
<h2>Spyware industry</h2>
<p>Although the power of Pegasus is shocking, spyware in its various forms is far from a new phenomenon. Basic spyware can be traced back to <a href="https://www.sciencedirect.com/science/article/pii/B9780444516084500250">the early 1990s</a>. Now it’s a <a href="https://www.economist.com/business/2019/12/12/offering-software-for-snooping-to-governments-is-a-booming-business">booming industry</a> with thousands of eager buyers. </p>
<p>At the base of the spyware industry are the lesser snooping tools, sold for as little as $70 (£51) <a href="https://www.techrepublic.com/article/how-much-malware-tools-sell-for-on-the-dark-web/">on the dark web</a>, which can remotely access webcams, log computer keystrokes and harvest location data. The use of such spyware by <a href="https://www.bbc.co.uk/news/technology-50166147">stalkers and abusive partners</a> is a growing, concerning issue.</p>
<p>Then of course there’s the <a href="https://www.theguardian.com/world/2013/jun/09/edward-snowden-nsa-whistleblower-surveillance">global surveillance estate</a> that Edward Snowden lifted the curtain on in 2013. His leaks revealed how <a href="https://www.wired.com/story/edward-snowden-in-his-own-words-why-i-became-a-whistle-blower/">surveillance tools</a> were being used to amass a volume of citizens’ personal data that seemed to go well beyond the brief of the intelligence agencies using them.</p>
<p>In 2017, we also learned how a secret team of elite programmers at the US National Security Agency had developed an advanced cyber-espionage weapon called <a href="https://www.wired.co.uk/article/what-is-eternal-blue-exploit-vulnerability-patch">Eternal Blue</a>, only for it to be stolen by the hacker collective Shadow Brokers and <a href="https://www.wired.com/story/eternalblue-leaked-nsa-spy-tool-hacked-world/">sold on the dark web</a>. It was this spyware that would later be used as the backbone of the infamous 2017 <a href="https://www.cbsnews.com/news/wannacry-ransomware-attacks-wannacry-virus-losses/">WannaCry ransomware attack</a>, which <a href="https://www.nao.org.uk/report/investigation-wannacry-cyber-attack-and-the-nhs/">targeted the NHS</a> and hundreds of other organisations.</p>
<h2>Why Pegasus is different</h2>
<p>When the Snowden leaks were published, many were shocked to learn of the scale of surveillance that digital technologies had enabled. But this mass spying was at least developed and conducted within state intelligence agencies, who had some legitimacy as agents of espionage.</p>
<p>We’re no longer debating the right of the state to violate our own rights to privacy. The Pegasus revelations show we’ve arrived in a new, uncomfortable reality where highly sophisticated spyware tools are <a href="https://www.wired.com/story/the-murky-merits-of-a-private-spy-registry/">sold on an open market</a>. Make no mistake: we’re referring here to an industry of for-profit malware developers creating and selling the same types of tools – and sometimes the very same tools – used by “bad hackers” to bring businesses and government organisations to their knees.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/spyware-merchants-the-risks-of-outsourcing-government-hacking-80891">Spyware merchants: the risks of outsourcing government hacking</a>
</strong>
</em>
</p>
<hr>
<p>In the wake of the Pegasus revelations, Edward Snowden has called for an <a href="https://www.theguardian.com/news/2021/jul/19/edward-snowden-calls-spyware-trade-ban-pegasus-revelations">international spyware ban</a>, stating that we’re moving towards a world where no device is safe. That will certainly be the case if Pegasus meets the same fate as Eternal Blue, with its source code finding its way onto the dark web for use by criminal hackers.</p>
<p>We’ve only just begun to contemplate the full implications of Pegasus for our collective privacy and democracy. Without transparency, we have no sense of how and under what circumstances Pegasus is licensed, who has authorisation to use Pegasus once it’s licensed, under what circumstances a licence may be revoked, or what international regulations are in place to police against its abuse. Evidence suggests that Pegasus has been misused, and greater accountability and oversight are needed. We must also seek to rekindle important debates around enforceable controls on the creation and sale of corporate spyware. Without this, the threat that Pegasus and future spyware tools pose to privacy will not be limited to the high-profile targets that have so far been revealed, but will be a threat to us all.</p>
<p class="fine-print"><em><span>Christian Kemp does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Revelations of spyware abuse suggest we’re moving to a new reality in which no phone is safe from surveillance.</p>
<p>Christian Kemp, Lecturer, Criminology, Anglia Ruskin University. Licensed as Creative Commons – attribution, no derivatives.</p>
<p><strong>How does the Pegasus spyware work, and is my phone at risk?</strong> (published 2021-07-20)</p>
<figure><img src="https://images.theconversation.com/files/412089/original/file-20210720-19-1dkrvnr.jpeg?ixlib=rb-1.1.0&rect=75%2C0%2C4528%2C3071&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption"></span> <span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure>
<p>A major <a href="https://www.washingtonpost.com/technology/2021/07/18/reactions-pegasus-project-nso/">journalistic investigation</a> has found evidence of malicious software being used by governments around the world, including allegations of spying on prominent individuals. </p>
<p>From a list of more than <a href="https://www.amnesty.org/en/latest/news/2021/07/pegasus-project-apple-iphones-compromised-by-nso-spyware/">50,000 phone numbers</a>, journalists identified more than 1,000 <a href="https://www.smh.com.au/world/middle-east/journalists-activists-and-leaders-targets-of-mass-pegasus-hacks-20210719-p58au7.html">people in 50 countries</a> reportedly under surveillance using the Pegasus spyware. The software was developed by the Israeli company NSO Group and sold to government clients.</p>
<p>Among the reported targets of the spyware are journalists, politicians, government officials, chief executives and human rights activists. </p>
<p>Reports thus far allude to a surveillance effort reminiscent of an <a href="https://books.google.com.au/books?hl=en&lr=&id=8OVYU1dze2wC&oi=fnd&pg=PT3&dq=orwell+1984+big+brother+surveillance&ots=ExHVODf95v&sig=8uF9PHt-bw8JV2ZVZucEcoxEfZM&redir_esc=y#v=onepage&q=orwell%201984%20big%20brother%20surveillance&f=false">Orwellian nightmare</a>, in which the spyware can capture keystrokes, intercept communications, track the device and use the camera and microphone to spy on the user.</p>
<h2>How did they do it?</h2>
<p>The Pegasus spyware can infect the phones of victims through a variety of mechanisms. Some approaches may involve an SMS or iMessage that provides a link to a website. If clicked, this link delivers malicious software that compromises the device. </p>
<p>Others use the more concerning “<a href="https://9to5mac.com/2021/07/19/zero-click-imessage-exploit/">zero-click</a>” attack, where vulnerabilities in the iMessage service on iPhones allow infection simply by receiving a message; no user interaction is required. </p>
<p>The aim is to seize full control of the mobile device’s operating system, either by rooting (on Android devices) or jailbreaking (on Apple iOS devices). </p>
<p>Usually, <a href="https://www.digitaltrends.com/mobile/how-to-root-android/">rooting</a> on an Android device is done by the user to install applications and games from non-supported app stores, or re-enable a functionality that was disabled by the manufacturer.</p>
<p>Similarly, a <a href="https://www.digitaltrends.com/mobile/how-to-jailbreak-your-iphone/">jailbreak</a> can be deployed on Apple devices to allow the installation of apps not available on the Apple App Store, or to unlock the phone for use on alternative cellular networks. Many jailbreak approaches require the phone to be connected to a computer each time it’s turned on (referred to as a “<a href="https://www.diffen.com/difference/Tethered_Jailbreak_vs_Untethered_Jailbreak">tethered jailbreak</a>”).</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/holding-the-world-to-ransom-the-top-5-most-dangerous-criminal-organisations-online-right-now-163977">Holding the world to ransom: the top 5 most dangerous criminal organisations online right now</a>
</strong>
</em>
</p>
<hr>
<p>Rooting and jailbreaking both remove the security controls embedded in Android or iOS operating systems. They are typically a combination of configuration changes and a “hack” of core elements of the operating system to run modified code.</p>
<p>In the case of spyware, once a device is unlocked, the perpetrator can deploy further software to secure remote access to the device’s data and functions. The user is likely to remain completely unaware.</p>
<p>Most media reports on Pegasus relate to the compromise of Apple devices. The spyware infects Android devices too, but <a href="https://www.kaspersky.com.au/blog/pegasus-spyware/14604/">isn’t as effective</a> as it relies on a rooting technique that isn’t 100% reliable. When the initial infection attempt fails, the spyware supposedly prompts the user to grant relevant permissions so it can be deployed effectively.</p>
<h2>But aren’t Apple devices more secure?</h2>
<p>Apple devices are <a href="https://us.norton.com/internetsecurity-mobile-android-vs-ios-which-is-more-secure.html">generally considered more secure</a> than their Android equivalents, but neither type of device is 100% secure.</p>
<p>Apple applies a high level of control to the code of its operating system, as well as apps offered through its app store. This creates a closed system often referred to as “<a href="https://www.bcs.org/content-hub/security-through-obscurity/">security by obscurity</a>”. Apple also exercises complete control over when updates are rolled out, which are then quickly <a href="https://9to5mac.com/2020/09/21/ios-14-adoption-after-5-days/">adopted by users</a>.</p>
<p>Apple devices are frequently updated to the latest iOS version via automatic patch installation. This helps improve security and also increases the value of finding a workable compromise to the latest iOS version, as the new one will be used on a large proportion of devices globally.</p>
<p>On the other hand, Android devices are based on open-source concepts, so hardware manufacturers can <a href="https://www.makeuseof.com/tag/android-differs-hardware-manufacturer/">adapt the operating system</a> to add additional features or optimise performance. We typically see a large number of Android devices running a variety of versions — inevitably resulting in some unpatched and insecure devices (which is advantageous for cybercriminals).</p>
<p>Ultimately, both platforms are vulnerable to compromise. The key factors are convenience and motivation. While developing an iOS malware tool requires greater investment in time, effort and money, having many devices running an identical environment means there is a greater chance of success at a significant scale.</p>
<p>While many Android devices will likely be vulnerable to compromise, the diversity of hardware and software makes it more difficult to deploy a single malicious tool to a wide user base.</p>
<h2>How can I tell if I’m being monitored?</h2>
<p>While the leak of more than 50,000 allegedly monitored phone numbers seems like a lot, it’s unlikely the Pegasus spyware has been used to monitor anyone who isn’t publicly prominent or politically active. </p>
<p>It is in the very nature of spyware to remain covert and undetected on a device. That said, there are mechanisms in place to show whether your device has been compromised.</p>
<p>The (relatively) easy way to determine this is to use the <a href="https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/">Amnesty International Mobile Verification Toolkit (MVT)</a>. This tool can run under either Linux or macOS and can examine the files and configuration of your mobile device by analysing a backup taken from the phone. </p>
<p>While the analysis won’t confirm or disprove whether a device is compromised, it detects “<a href="https://github.com/AmnestyTech/investigations/tree/master/2021-07-18_nso">indicators of compromise</a>” which can provide evidence of infection.</p>
<p>In particular, the tool can detect the presence of specific <a href="https://github.com/AmnestyTech/investigations/blob/master/2021-07-18_nso/processes.txt">software (processes)</a> running on the device, as well as a range of <a href="https://github.com/AmnestyTech/investigations/tree/master/2021-07-18_nso">domains</a> used as part of the global infrastructure supporting a spyware network.</p>
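<p>As an added illustration of the indicator matching described above (example code written for this page, not part of the article or of MVT itself): a small Python matcher that checks process names and URL hostnames recovered from a backup against indicator lists. All indicator values and backup records are constructed placeholders, not real Pegasus indicators, and the class and function names are assumptions.</p>

```python
"""
Added illustration (not MVT's own code): the kind of indicator matching a
backup-analysis tool performs. Every indicator value and backup record below
is a constructed placeholder, not a real Pegasus indicator.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Match:
    record_type: str   # "process" or "url"
    record: str        # the raw value taken from the backup
    indicator: str     # the indicator it matched


class IndicatorSet:
    """Holds domain and process-name indicators and matches records against them."""

    def __init__(self, domains: Iterable[str], processes: Iterable[str]) -> None:
        self.domains = {self._norm_host(d) for d in domains}
        self.processes = {p.strip().lower() for p in processes}

    @staticmethod
    def _norm_host(host: str) -> str:
        # Lower-case and strip a trailing dot so "Foo.Example.TEST." == "foo.example.test"
        return host.strip().lower().rstrip(".")

    @staticmethod
    def host_from_url(url: str) -> Optional[str]:
        """Extract the hostname from a URL; tolerate values recorded without a scheme."""
        url = url.strip()
        if "://" not in url:
            url = "http://" + url          # urlsplit only sees a netloc after a scheme
        try:
            host = urlsplit(url).hostname
        except ValueError:
            return None                    # malformed record: skip rather than crash
        return IndicatorSet._norm_host(host) if host else None

    def match_domain(self, host: str) -> Optional[str]:
        """Return the indicator matching host or one of its parent domains.

        "cdn.bad-example.test" matches the indicator "bad-example.test";
        "notbad-example.test" does not, because matching respects label boundaries.
        """
        host = self._norm_host(host)
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None

    def match_process(self, name: str) -> Optional[str]:
        name = name.strip().lower()
        return name if name in self.processes else None


def scan_backup(indicators: IndicatorSet,
                processes: Iterable[str],
                urls: Iterable[str]) -> List[Match]:
    """Scan process names and URLs recovered from a backup; return every hit."""
    hits: List[Match] = []
    for proc in processes:
        ind = indicators.match_process(proc)
        if ind:
            hits.append(Match("process", proc, ind))
    for url in urls:
        host = IndicatorSet.host_from_url(url)
        if host is None:
            continue
        ind = indicators.match_domain(host)
        if ind:
            hits.append(Match("url", url, ind))
    return hits


# Constructed sample data: placeholder indicators and a made-up backup excerpt.
SAMPLE_INDICATORS = IndicatorSet(
    domains=["bad-example.test", "c2.placeholder.invalid"],
    processes=["suspiciousd", "fakeupdater"],
)
SAMPLE_PROCESSES = ["SpringBoard", "suspiciousd", "backupd", "FakeUpdater"]
SAMPLE_URLS = [
    "https://www.example.org/news",
    "https://cdn.bad-example.test/assets/x.js",
    "notbad-example.test/login",
    "http://C2.Placeholder.INVALID./beacon",
]


def run_sample() -> List[Match]:
    """Run the matcher over the constructed sample; expect two process and two URL hits."""
    return scan_backup(SAMPLE_INDICATORS, SAMPLE_PROCESSES, SAMPLE_URLS)


if __name__ == "__main__":
    for m in run_sample():
        print(f"{m.record_type:8} {m.record!r} -> indicator {m.indicator!r}")
```

<p>A hit is evidence to investigate, not proof of infection: the article’s caveat that the analysis neither confirms nor disproves compromise applies equally here.</p>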
<h2>What can I do to be better protected?</h2>
<p>Unfortunately there is no current solution for the zero-click attack. There are, however, simple steps you can take to minimise your potential exposure — not only to Pegasus but to other malicious attacks too.</p>
<p><strong>1)</strong> Only open links from known and trusted contacts and sources when using your device. Pegasus is deployed to Apple devices through an iMessage link. And this is the same technique used by <a href="https://link.springer.com/article/10.1007/s12117-020-09397-5">many cybercriminals</a> for both malware distribution and less technical scams. The same advice applies to links sent via email or other messaging applications.</p>
<p><strong>2)</strong> Make sure your device is updated with any relevant patches and upgrades. While having a standardised version of an operating system creates a stable base for attackers to target, it’s still your <a href="https://us.norton.com/internetsecurity-how-to-the-importance-of-general-software-updates-and-patches.html">best defence</a>. </p>
<p>If you use Android, don’t rely on notifications for new versions of the operating system. Check for the latest version yourself, as your device’s manufacturer <a href="https://www.avg.com/en/signal/why-is-my-android-phone-not-getting-updates">may not be providing updates</a>.</p>
<p><strong>3)</strong> Although it may sound obvious, you should limit physical access to your phone. Do this by enabling pin, finger or face-locking on the device. The <a href="https://www.esafety.gov.au/key-issues/domestic-family-violence/video-library">eSafety Commissioner’s website</a> has a range of videos explaining how to configure your device securely.</p>
<p><strong>4)</strong> Avoid public and free WiFi services (<a href="https://www.techrepublic.com/article/wi-fi-security-fbi-warns-of-risks-of-using-wireless-hotel-networks/">including hotels</a>), especially when accessing sensitive information. The use of a VPN is a good solution when you need to use such networks.</p>
<p><strong>5)</strong> <a href="https://spreadprivacy.com/how-to-encrypt-devices/">Encrypt your device data</a> and enable <a href="https://www.lifewire.com/install-or-enable-remote-wipe-on-your-smartphone-2377851">remote-wipe features</a> where available. If your device is lost or stolen, you will have some reassurance your data can remain safe.</p>
<hr>
<p><em>Correction: this article was changed to reflect reports iPhone users targeted with the Pegasus spyware seem to have been targeted specifically with zero-click attacks.</em></p>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>It’s reported the Pegasus spyware can capture a user’s keystrokes, intercept communications, track their device and tap into their camera and microphone.</p>
<p>Paul Haskell-Dowland, Associate Dean (Computing and Security), Edith Cowan University; Roberto Musotto, Research fellow, Edith Cowan University. Licensed as Creative Commons – attribution, no derivatives.</p>
<p><strong>A question of trust: should bosses be able to spy on workers, even when they work from home?</strong> (published 2020-06-16)</p>
<figure><img src="https://images.theconversation.com/files/342006/original/file-20200616-65942-1kldyhy.jpg?ixlib=rb-1.1.0&rect=19%2C0%2C4373%2C2891&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption"></span> <span class="attribution"><span class="source">www.shutterstock.com</span></span></figcaption></figure>
<p>Anyone familiar with George Orwell’s novel 1984 will relate to the menace of Big Brother watching their every keystroke and mouse click. For a growing share of the workforce that dystopian reality arrived while most of us were hunkering down in our “bubbles”. </p>
<p>With employees working from home during the COVID-19 pandemic, more companies felt the need to track them remotely. US-based Hubstaff, which develops and markets employee time-tracking software, <a href="https://www.rnz.co.nz/news/national/418055/employee-surveillance-software-sales-surge-in-lockdown">boasted</a> a three-fold increase in New Zealand sales during the first month of lockdown alone.</p>
<p>Now, with <a href="https://www.stuff.co.nz/business/121777578/the-start-of-a-trend-amp-wealth-moves-out-of-the-city">some organisations</a> thinking of continuing work-from-home flexibility beyond the pandemic restrictions, that scrutiny should cut both ways. </p>
<p>Employers have long used swipe cards and video surveillance for safety and security, and monitoring staff email during work hours is nothing new. But the latest generation of employee surveillance software has transformed the modern workplace into a digital panopticon. </p>
<p>While newer tools aimed at tracking employee productivity, such as computer-usage monitors, have increased the management arsenal, most focus on specific activities. What is now proposed are mechanisms that monitor employees 24/7, including apps that can be loaded onto mobile phones.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/working-from-home-remains-a-select-privilege-its-time-to-fix-our-national-employment-standards-139472">Working from home remains a select privilege: it's time to fix our national employment standards</a>
</strong>
</em>
</p>
<hr>
<p>One such <a href="https://www.theonespy.com/">product</a> advertises its ability to “catch disgruntled employees and protect business intellectual property”. It can “monitor all social media and networking apps by accessing conversations, passwords and media shared through the apps”.</p>
<h2>More trust means better productivity</h2>
<p>The uncomfortable reality is that many employers feel entitled to monitor employee activity. If I’m paying their salaries, they argue, they should be doing my work. Their time is mine. </p>
<p>The problem with effectively intimidating employees into being productive is that it strongly suggests an organisational culture of mistrust – yet <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2179889">research</a> shows that mistrust undermines productivity.</p>
<p>Spyware that is introduced outside the collective bargaining process concerns trade unions, who argue workers’ privacy may be unfairly invaded in the name of performance measurement. </p>
<p>In the year to June 2019, only 5% of collective agreements in New Zealand included a specific clause (or referred to a document outside the agreement) dealing with internet or telephone monitoring. That amounts to only 1.1% of employees on such agreements.</p>
<p>The prevalence of agreements that mention work being electronically monitored varies considerably across the labour market. But far more employees are on collective agreements that make no mention of it, despite their work being regularly monitored. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/about-that-spare-room-employers-requisitioned-our-homes-and-our-time-139854">About that spare room: employers requisitioned our homes and our time</a>
</strong>
</em>
</p>
<hr>
<p>Those who make up the 80% of the New Zealand workforce covered by individual agreements have few choices. The obligation to install and use monitoring software derives from the duty of employees to obey the reasonable orders of their employer, and contractual obligations to comply with employer policies. </p>
<h2>The law is getting left behind</h2>
<p>The standard against which actions are judged is that of the “reasonable employer” – not a neutral party, let alone a reasonable employee. The result is that employees have very limited protection from intrusions into their privacy and personal life.</p>
<p>Compounding the problem, monitoring software is evolving so rapidly the law has no time to respond. Other than in the most egregious circumstances, the courts are unlikely to hold that using already widely adopted tools constitutes the action of an unreasonable employer. </p>
<p>Under the principles of the <a href="http://www.legislation.govt.nz/act/public/1993/0028/latest/whole.html">Privacy Act 1993</a>, people should be made aware of any information being collected about them and why. They are entitled to know how it will be used and stored, who will have access to it and whether anyone can modify it. </p>
<p>The information should not be kept longer than necessary, and it is essential to know how it will eventually be disposed of and by whom. Above all, such information should not be collected if it intrudes “to an unreasonable extent on the personal affairs of the individual concerned”. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/if-more-of-us-work-from-home-after-coronavirus-well-need-to-rethink-city-planning-136261">If more of us work from home after coronavirus we'll need to rethink city planning</a>
</strong>
</em>
</p>
<hr>
<p>Naturally, people should be entitled to access that information. However, as with employment law, privacy law tends to give greater weight to the right to manage than to intrusions into employee privacy. </p>
<h2>Privacy is a health and safety issue too</h2>
<p>The law reflects an underlying assumption that time spent on a job equates with higher-quality work. But this is not necessarily correct. </p>
<p>In many industries, including IT, the focus is very much on the task. Employees are often dotted all over the world in different time zones. They contribute at times of day that work for them. </p>
<p>Monitoring attendance, productivity and hours worked – in other words, checking up on employees to ensure they’re not “skiving off” – leaves them feeling mistrusted and that their privacy has been invaded. Stress and sick days increase, morale drops and staff turnover rises. </p>
<p>As yet, the health and safety implications of intense monitoring have received little attention from the courts or from the workplace health and safety regulator, WorkSafe.</p>
<p>Allowing staff to work at home requires trust and the openness to have honest, frank and supportive discussions if substandard performance is noticed. Employers seriously considering monitoring employees working at home should be very clear about their reasons before jumping on the post-COVID work-from-home bandwagon. </p>
<p>The devices that allow the monitoring of home workers should be used carefully and not exploited. Otherwise, the trust inherent in good workplace culture will quickly erode, along with the productivity that goes with it.</p>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>With more people working from home post-COVID-19, what are the privacy implications of employers using spyware to monitor worker activity?</p>
<p>Val Hooper, Associate Professor, and Head of the School of Marketing and International Business, Te Herenga Waka — Victoria University of Wellington; Gordon Anderson, Professor of Law, Te Herenga Waka — Victoria University of Wellington; Stephen Blumenfeld, Director, Centre for Labour, Employment and Work, Te Herenga Waka — Victoria University of Wellington. Licensed as Creative Commons – attribution, no derivatives.</p>
<p><strong>Would you notice if your calculator was lying to you? The research says probably not</strong> (published 2019-10-31)</p>
<figure><img src="https://images.theconversation.com/files/299628/original/file-20191031-187903-hakehj.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C2700%2C1782&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">As our worlds become increasingly digitised, we're starting to rely more on machines and devices for everyday tasks. But in an age when even pacemakers can be hacked, how do we know when and whom to trust?</span> <span class="attribution"><span class="source">SHUTTERSTOCK</span></span></figcaption></figure>
<p>These days, it’s hard to know whom to <a href="https://www.routledge.com/Truth-Lies-and-Trust-on-the-Internet-1st-Edition/Whitty-Joinson/p/book/9780203938942">trust</a> online, and how to discern genuine content from fakery.</p>
<p>Some degree of trust in our devices is necessary, if we’re to embrace the growing number of technologies that could potentially enhance our lives. How many of us, however, bother trying to confirm the truth, and how many blindly approach their online communications?</p>
<p>In a <a href="https://journals.plos.org/plosone/article?id=10.1371/journal.pone.0223736">study published this week</a>, Texas Tech University researchers tested how university students reacted when unknowingly given incorrect calculator outputs. Some students were presented with an onscreen calculator that was programmed to give the wrong answers, whereas a second group was given a properly functioning calculator. </p>
<p>Participants could also opt not to use the calculator, but most chose to use it - even if they had good numeracy skills. Researchers found most participants raised few or no suspicions when presented with wrong answers, until the answers were quite wrong. In addition, those with higher numeracy skills were, unsurprisingly, more suspicious of incorrect answers than others.</p>
<h2>Do the math</h2>
<p>To understand these results, we need to acknowledge calculators were created to make our lives easier, by reducing our mental burden. Also, there were no real consequences for participants who did not realise they were being duped. </p>
<p>Perhaps if they were completing their income tax forms, or applying for a loan, they may have been more thorough in checking their results. More importantly, there’s no reason an individual ought to feel suspicious about a calculator, so the participants were acting in accord with what we might expect.</p>
<p>People can’t spend their time deciding if they should trust every tool they use. This would consume too much time and energy. This study, however, was carried out with university students in a lab. What are the consequences of this in the real world, when much more is at stake? </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/lie-detectors-and-the-lying-liars-who-use-them-28167">Lie detectors and the lying liars who use them</a>
</strong>
</em>
</p>
<hr>
<p>The Internet and digital technologies have changed our lives for the better in so many ways. We can access information at super speeds, communicate regularly (and in fun ways) with our friends and family, and carry out mundane tasks such as banking and shopping with ease. </p>
<p>However, new technologies pose new challenges. Is the person you’re talking to online a real person or a <a href="https://www.aaai.org/ocs/index.php/ICWSM/ICWSM17/paper/viewPaper/15587">bot</a>? Are you developing a real romantic relationship on your dating app, or being conned in a <a href="https://academic.oup.com/bjc/article-abstract/53/4/665/396759">romance scam</a>? </p>
<p>To what extent do people blindly accept their technologies are safe, and that everyone online is who they claim to be?</p>
<h2>Hackers are often phishing for data</h2>
<p>The <a href="https://www.forbes.com/sites/jacobmorgan/2014/05/13/simple-explanation-internet-things-that-anyone-can-understand/#5e48e2931d09">Internet of Things</a> is already changing our lives in and outside the home. At home, there’s the constant threat that we’re being listened to and watched through our devices. In August, Apple publicly apologised for allowing contractors to <a href="https://www.theguardian.com/technology/2019/aug/29/apple-apologises-listen-siri-recordings">listen to voice recordings</a> of Siri users. </p>
<p>Similarly, as autonomous vehicles become the norm, they too <a href="https://ieeexplore.ieee.org/abstract/document/8038391">pose ethical concerns</a>. Not only do we need to be worried about the programmed moral choices on whom to harm if an accident becomes inevitable, but also whether criminals can hack into these vehicles and alter programmed decisions. </p>
<p>Also, there have been reports of benign-looking USB cables being rigged with small WiFi-enabled implants which, when plugged into a computer, let a nearby hacker run commands. We even need to think about the safety of health devices, such as pacemakers, which can <a href="https://www.wired.com/story/pacemaker-hack-malware-black-hat/">now be hacked</a>.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/with-usb-c-even-plugging-in-can-set-you-up-to-be-hacked-102296">With USB-C, even plugging in can set you up to be hacked</a>
</strong>
</em>
</p>
<hr>
<p>A major problem organisations and governments are trying to solve is stopping individuals from falling victim to phishing. A phish is an email or text which is made to appear authentic and trustworthy, but isn’t. </p>
<p>Cybercriminals use them to trick users into revealing secret information, such as bank account details, or clicking on a link that downloads malicious software onto their computer. This software can then steal passwords and other important personal data. </p>
<p>Clicking on a phishing message can have long-lasting detrimental effects on an individual or an organisation, as was the case with an Australian National University <a href="https://www.anu.edu.au/news/all-news/anu-releases-detailed-account-of-data-breach">data breach</a> last year.</p>
<p>We’re yet to effectively train people to recognise a phish. This is partly because they’re often realistic and difficult to identify. However, it’s also because, as illustrated in the Texas Tech University study, people tend to place undue trust in technology and devices, without pausing to check the facts.</p>
<h2>Knowledge is power, and safety</h2>
<p>It’s incredibly difficult to have the right balance between scepticism and trust in the digital age. Individuals need to function in the world, and the mental effort required to constantly check all information is perhaps more than what we can expect of people. </p>
<p>That said, one positive takeaway from the calculator study is that training is critical if we want to improve people’s cybersecurity practices. This includes training individuals on what to do as online users, how to do it, and why it’s important. </p>
<p>As with all learning, this needs to be repetitive and the individual needs to be motivated to learn. Without effective learning methods, end-users, organisations, and nation states will remain vulnerable to cybercriminals.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/payid-data-breaches-show-australias-banks-need-to-be-more-vigilant-to-hacking-123529">PayID data breaches show Australia's banks need to be more vigilant to hacking</a>
</strong>
</em>
</p>
<hr>
<p class="fine-print"><em><span>Monica Whitty does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Research shows we’re pretty gullible as it is. And our increasing reliance on machines for completing everyday tasks makes us all the more vulnerable to being exploited.
Monica Whitty, Chair in Human Factors in Cyber Security, The University of Melbourne
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/117173
2019-05-15T06:26:14Z
2019-05-15T06:26:14Z
WhatsApp hacked and bugs in Intel chips: what you need to know to protect yourself
<figure><img src="https://images.theconversation.com/files/274481/original/file-20190515-60567-1tp8wul.jpg?ixlib=rb-1.1.0&rect=49%2C344%2C5414%2C3252&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">WhatsApp says more than 1 billion use the app.</span> <span class="attribution"><span class="source">Shutterstock/XanderS</span></span></figcaption></figure>
<p>It’s been a day of high-profile security incidents. </p>
<p>First there was news the popular <a href="https://www.wired.com/story/whatsapp-hack-intel-vulnerability-todays-news/">WhatsApp messenger app was hacked</a>. Updated versions of WhatsApp have been released, which you should install if you’re one of the <a href="https://www.whatsapp.com/about/">more than one billion people who use the app</a>.</p>
<p>There was also news of <a href="https://www.wired.com/story/intel-mds-attack-speculative-execution-buffer/">several security flaws</a> in the majority of Intel processors, found in many of the world’s desktop, laptop and server computers.</p>
<p>Software patches to prevent exploitation of these hardware flaws have been released by several vendors, including Microsoft. You should install security updates from vendors promptly, including these. </p>
<h2>WhatsApp hack revealed</h2>
<p>The WhatsApp news was revealed first by the Financial Times, <a href="https://www.ft.com/content/4da1117e-756c-11e9-be7d-6d846537acab">which says</a> the bug was used in an attempt to access content on the phone of a UK-based human rights lawyer.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/becoming-more-like-whatsapp-wont-solve-facebooks-woes-heres-why-113368">Becoming more like WhatsApp won't solve Facebook’s woes – here's why</a>
</strong>
</em>
</p>
<hr>
<p>The lawyer reported unusual activity on his phone to the <a href="https://citizenlab.ca/about/">Citizen Lab</a>, an academic research centre that focuses on digital espionage. The centre then contacted WhatsApp, which had independently noted signs of some kind of hack and put in place preliminary preventative measures in its network infrastructure.</p>
<p>When asked by the Financial Times how many users were attacked using this vulnerability, a WhatsApp spokesperson <a href="https://www.forbes.com/sites/zakdoffman/2019/05/14/whatsapps-cybersecurity-breach-phones-hit-with-israeli-spyware-over-voice-calls/#6a6627845549">said</a> “a number in the dozens would not be inaccurate”.</p>
<p>Facebook, the corporate parent of WhatsApp, has issued a <a href="https://www.facebook.com/security/advisories/cve-2019-3568">technical notice</a> about the vulnerability, saying versions of WhatsApp for iOS, Android, Windows Phone (and the lesser-known Tizen platform used in Samsung smart watches) were affected. </p>
<h2>Evading end-to-end encryption</h2>
<p>Messages and calls on WhatsApp are <a href="https://theconversation.com/when-is-not-a-backdoor-just-a-backdoor-australias-struggle-with-encryption-79421">end-to-end encrypted</a>, which means they are practically invulnerable to being read while in transit.</p>
<p>The only way an attacker can gain access to the contents of WhatsApp messages and calls is at either end, on the sending or receiving device.</p>
<p>Unfortunately, in this case, by modifying the sequence of data sent to a phone to initiate a call, an attacker could take over the WhatsApp application running on the device. </p>
<p>This would cause it to do whatever the attacker wishes, which could include sending the unscrambled WhatsApp messages directly to the attacker. </p>
<p>While on its own the vulnerability does not appear to give the attackers full access to everything on a target phone, it could well be used in combination with other vulnerabilities to gain full access and control.</p>
<h2>Suspicions fall on NSO Group</h2>
<p>Unlike the Intel processor flaws, which were discovered by academic and commercial researchers and are not known to have been used for hacking to date, the WhatsApp security bug was discovered because of hacking activity. </p>
<p>The Financial Times attributes the hacking attempts using the bug to software developed by the <a href="https://www.nsogroup.com/">NSO Group</a>.</p>
<p>Facebook, while not naming NSO, told the Financial Times:</p>
<blockquote>
<p>[…] the attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems.</p>
</blockquote>
<p>NSO Group is an Israel-based company that sells intelligence-gathering software – essentially, mobile phone spyware – to governments around the world. </p>
<p>Software sold by NSO Group has <a href="https://theconversation.com/iphone-hack-attack-shows-why-we-need-to-rein-in-the-trade-in-spyware-65348">previously been implicated</a> in attempts to spy on an Emirati human rights activist, Mexican journalists, and other civil society targets. </p>
<p>The UK human rights lawyer targeted using the WhatsApp bug was representing the Mexican journalists previously allegedly targeted using NSO Group software.</p>
<h2>We’re not likely targets</h2>
<p>While this particular bug is no longer a problem if you’ve updated WhatsApp, in general there is relatively little an average citizen targeted by this kind of spyware can do about it. </p>
<figure class="align-left zoomable">
<a href="https://images.theconversation.com/files/274479/original/file-20190515-60541-1edgbnb.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/274479/original/file-20190515-60541-1edgbnb.png?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/274479/original/file-20190515-60541-1edgbnb.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=372&fit=crop&dpr=1 600w, https://images.theconversation.com/files/274479/original/file-20190515-60541-1edgbnb.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=372&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/274479/original/file-20190515-60541-1edgbnb.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=372&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/274479/original/file-20190515-60541-1edgbnb.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=468&fit=crop&dpr=1 754w, https://images.theconversation.com/files/274479/original/file-20190515-60541-1edgbnb.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=468&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/274479/original/file-20190515-60541-1edgbnb.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=468&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Make sure your WhatsApp app is up-to-date.</span>
<span class="attribution"><span class="source">WhatsApp Android app/Screenshot</span></span>
</figcaption>
</figure>
<p>This genre of bug-exploiting spyware is highly unlikely to be used by anyone other than governments, and then only to target a relatively small number of people. But the lawyer in this latest case <a href="https://www.theguardian.com/technology/2019/may/14/whatsapp-spyware-vulnerability-targeted-lawyer-says-attempt-was-desperate">says he does not know who</a> is behind his WhatsApp hack.</p>
<p>Sooner or later, the use of spyware is inevitably detected, and the bug used to install it is found and fixed. The more phones are attacked, the quicker this will occur.</p>
<p>In the Australian context, software bugs are not the only means available to law enforcement to access encrypted messaging.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/why-we-need-to-fix-encryption-laws-the-tech-sector-says-threaten-australian-jobs-110435">Why we need to fix encryption laws the tech sector says threaten Australian jobs</a>
</strong>
</em>
</p>
<hr>
<p>The controversial <a href="https://www.legislation.gov.au/Details/C2018A00148">Access and Assistance</a> legislation, <a href="https://www.news.com.au/technology/online/hacking/the-federal-government-and-labor-have-passed-controversial-new-encryption-laws-what-do-they-actually-mean/news-story/1908381486502c1913598fc2853cd48c">approved late last year</a>, contains <a href="https://theconversation.com/the-devil-is-in-the-detail-of-government-bill-to-enable-access-to-communications-data-96909">provisions</a> that can require software and hardware developers to provide assistance to law enforcement and intelligence agencies to access communications, including those secured with end-to-end encryption.</p>
<p>The use of this kind of spyware – sold to countries with dubious human rights credentials, and used to target activists, journalists and lawyers – is disturbing.</p>
<p>I have previously argued that the international trade in such powerful tools should be <a href="https://theconversation.com/iphone-hack-attack-shows-why-we-need-to-rein-in-the-trade-in-spyware-65348">curtailed</a>. But fortunately, as insidious as they are, their reach is limited and likely to remain so.</p>
<p class="fine-print"><em><span>Robert Merkel does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Two security scares in the past 24 hours should prompt you to make sure your software is up-to-date. But what are the risks?
Robert Merkel, Lecturer in Software Engineering, Monash University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/83605
2017-09-07T14:43:16Z
2017-09-07T14:43:16Z
Leaked emails: Ramaphosa’s hypocrisy on spying by the South African state
<figure><img src="https://images.theconversation.com/files/185057/original/file-20170907-8341-1gjep07.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">South African Deputy President Cyril Ramaphosa claims the country's security agencies hacked his emails.</span> <span class="attribution"><span class="source">GCIS</span></span></figcaption></figure>
<p>In the run-up to the election of the <a href="http://www.anc.org.za/content/54th-national-conference">next president</a> of South Africa’s governing ANC in December, unknown entities are clearly working hard to discredit candidates who have spoken out against <a href="https://theconversation.com/the-threat-to-south-africas-democracy-runs-deeper-than-state-capture-78784">state capture</a>.</p>
<p>The latest dirty tricks have targeted Deputy President Cyril Ramaphosa, who recently <a href="http://www.news24.com/SouthAfrica/News/ramaphosa-launches-campaign-with-attack-on-zuma-guptas-20170423">condemned</a> the capture of the South African state, allegedly by <a href="http://pari.org.za/betrayal-promise-report/">business interests linked to</a> President Jacob Zuma. Someone has <a href="https://www.iol.co.za/sundayindependent/news/ramaphosa-in-womanising-e-mail-shock-11056138">leaked</a> Ramaphosa’s emails from his private Gmail accounts, suggesting that he was having multiple affairs, despite being married.</p>
<p>Ramaphosa has claimed that the fingerprints of the state intelligence services are all over the leaks. He has also <a href="https://www.timeslive.co.za/politics/2017-09-02-intelligence-resources-hacked-my-email-ramaphosa/">located</a> the smear attempt within</p>
<blockquote>
<p>…a broader campaign that has targeted several political leaders‚ trade unionists‚ journalists and civil society activists.</p>
</blockquote>
<p>How much credibility do his claims have? Those responsible could be private actors with no links to the spy agencies. But no one should be surprised if his allegations of state spying turn out to be correct. </p>
<p>After all, in 2005, state spy agencies were <a href="https://assets.publishing.service.gov.uk/media/57a08baae5274a31e0000cc8/ReviewComm.Sept08.pdf">abused</a> in the bruising succession battle between then President Thabo Mbeki and his rival for the ANC presidency, Jacob Zuma. That behaviour seems to have been sustained.</p>
<p>There are systemic weaknesses in how the state intelligence services are regulated that predispose them to abuse. As a senior member of government, Ramaphosa must take political responsibility for keeping silent about these problems until now.</p>
<h2>Eavesdropping in South Africa</h2>
<p>It’s quite possible that Ramaphosa’s Gmail accounts were hacked. An intrusive piece of hacking software like <a href="http://www.zdnet.com/article/adelaides-accumulus-launches-b-one-hub-smart-home-play/">Finfisher</a> could do the trick. Finfisher is a weapons-grade intrusion tool sold exclusively to governments. It is particularly useful for monitoring security-conscious and mobile targets who make extensive use of encryption.</p>
<p>The tool allows its operator to take control of a target’s computer as soon as it is connected to the internet. Once the operator does so, it can turn on web cameras and microphones for surveillance purposes, and exfiltrate (withdraw) data from the target’s computer, such as emails.</p>
<p>By 2014, South Africa was the <a href="https://wikileaks.org/spyfiles4/customers.html">third largest named user</a> of Finfisher, after Slovakia and Estonia. </p>
<p>In 2015, the University of Toronto’s <a href="https://www.citizenlab.co/">Citizenlab</a> detected a Finfisher command-and-control server in South Africa. The discovery strongly suggested that the South African government continued to be a Finfisher user.</p>
<p>Leaked <a href="https://wikileaks.org/hackingteam/emails/">emails</a> from Finfisher’s competitor, the Italian-based Hacking Team, also provided evidence that South African government departments were in the market for hacking tools. And South Africa has a <a href="https://www.pressreader.com/south-africa/mail-guardian/20151218/281625304257040">reputation</a> in international intelligence circles for targeting individuals (like journalists, activists and academics) through hacking, rather than engaging in <a href="https://probonomatters.co.za/online-privacy-guide-for-journalists-2017/">mass surveillance</a> of the kind practised by the US and the UK. Tools like Finfisher come in handy.</p>
<h2>Safeguards against abuse</h2>
<p>In spite of their invasiveness, hacking tools are under-regulated in South Africa.</p>
<p>There are two communication interception centres in the State Security Agency that the general public knows about. The first is the <a href="http://www.oic.gov.za/">Office for Interception Centres</a>, which handles targeted interceptions approved by a special judge. It is inwardly focused, and provides services to national crime fighting agencies.</p>
<figure class="align-right ">
<img alt="" src="https://images.theconversation.com/files/185069/original/file-20170907-10812-16j7d4l.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/185069/original/file-20170907-10812-16j7d4l.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=600&fit=crop&dpr=1 600w, https://images.theconversation.com/files/185069/original/file-20170907-10812-16j7d4l.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=600&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/185069/original/file-20170907-10812-16j7d4l.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=600&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/185069/original/file-20170907-10812-16j7d4l.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=754&fit=crop&dpr=1 754w, https://images.theconversation.com/files/185069/original/file-20170907-10812-16j7d4l.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=754&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/185069/original/file-20170907-10812-16j7d4l.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=754&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption"></span>
<span class="attribution"><span class="source">shutterstock</span></span>
</figcaption>
</figure>
<p>The second is the <a href="http://www.mediaanddemocracy.com/uploads/1/6/5/7/16577624/comms-surveillance-nia-swart_feb2016.pdf">National Communications Centres</a>, which monitors electronic communications. This centre is externally focused. It collects foreign signals intelligence.</p>
<p>While the Office for Interception Centres is established in terms of the <a href="http://www.saflii.org/za/legis/num_act/roiocapocia2002943.pdf">Regulation of Interception of Communications</a> and Provision of Communication Related Information Act <a href="http://www.internet.org.za/ricpci.html">(Rica)</a>, the National Communications Centres has no explicit founding legislation, and no known rules that govern its activities. This is why the current <a href="http://amabhungane.co.za/article/2017-04-20-amab-challenges-snooping-law">court challenge</a> is significant.</p>
<p>In 2008, the European Court of Human Rights <a href="https://www.ilsa.org/jessup/jessup16/Batch%201/WEBER%20AND%20SARAVIA%20v.%20GERMANY.pdf">identified</a> six safeguards for strategic intelligence gathering, to limit the potential for abuses. </p>
<p>It says the law needs to:</p>
<ul>
<li>Spell out the nature of the offences which may give rise to an interception order.</li>
<li>Provide a definition of the categories of people liable to have their telephones tapped.</li>
<li>Limit the duration of tapping.</li>
<li>Set out the procedure to be followed for examining, using and storing the data obtained.</li>
<li>List precautions to be taken when communicating the data to other parties. </li>
<li>Spell out the circumstances in which recordings may or must be erased or the tapes destroyed. </li>
</ul>
<p>South Africa’s laws fail these tests dismally.</p>
<p>There are also no known rules governing the State Security Agency’s use of selectors - the search terms used to process raw communications data - for analysing mass communication. This could lead to abuse. </p>
<h2>Spying on political dissent</h2>
<p>The problem of under-regulation does not end with the National Communications Centre. As the country’s civilian intelligence agency, the State Security Agency is meant to develop high-level strategic intelligence to inform the Cabinet in deciding on the nation’s most urgent national intelligence priorities.</p>
<p>But, a State Security Agency <a href="https://www.documentcloud.org/documents/1672699-organogram-of-south-africa-state-security-agency.html">organogram</a> leaked to Al Jazeera points to the existence of an operational entity in the domestic intelligence section called the Special Operations Unit. Little is known about its exact mandate.</p>
<p>The Sunday newspaper City Press has <a href="http://www.news24.com/Archives/City-Press/Sex-Sars-and-rogue-spies-20150429">linked</a> this unit to a number of dirty tricks. These include smearing top civil servants, and forming a rival trade union to the Association for Mineworkers and Construction Union in the platinum belt, as well as spying.</p>
<p>And a recent <a href="https://www.privacyinternational.org/node/1031">investigation</a> by Privacy International exposed a revolving door between the intelligence agencies, the mining industry, and private security companies in the communications surveillance sector. In other words, not only are the state spy agencies under-regulated; private sector ones are too.</p>
<p>So the available evidence points to the State Security Agency’s political and economic intelligence focus being used to legitimise government spying on perceived political critics, and protect the exploitative business practices of mining companies.</p>
<h2>Ramaphosa double standards</h2>
<p>In 2013, Parliament <a href="https://pmg.org.za/committee-meeting/15616/">narrowed</a> the definition of what constitutes a national security threat to exclude legitimate political activities. Be that as it may, it has not done enough to address the weaknesses that created space for the 2005 spying abuses to occur.</p>
<p>Complaints from <a href="http://www.r2k.org.za/2016/05/05/6594/">journalists</a> and <a href="http://bigbrother.r2k.org.za/">activists</a> about illegitimate spying by the state have been piling up for several years. As the Deputy President, Ramaphosa would have been aware of these complaints. Yet, as a shareholder and non-executive director of Lonmin, Ramaphosa would have benefited from the spy agencies’ interference in labour struggles in the platinum belt.</p>
<p>He has not spoken out about the under-regulation of the spy agencies until now. Ramaphosa must take political responsibility for the utter mess that grips the state spy agencies.</p>
<p>Undoubtedly, spying on political elites threatens democracy, but it is self-serving of Ramaphosa to complain only when he himself becomes the target. Political leaders who are vying for the highest office in the land really need to be more principled.</p>
<p><em>The author is completing a book manuscript entitled ‘Stopping the spies: constructing and resisting the surveillance state in South Africa’ (forthcoming with Wits University Press in 2018)</em>.</p>
<p class="fine-print"><em><span>Jane Duncan receives funding from the Open Society Foundation for South Africa. She is a member of the secrecy and securitisation sub-committee of the Right 2 Know Campaign, and a project leader of the Media Policy and Democracy Project.</span></em></p>
It would be no surprise if Deputy President Cyril Ramaphosa’s claims of the state spying on him turn out to be true. After all, state spy agencies have been abused before in ANC factional battles.
Jane Duncan, Professor in the Department of Journalism, Film and Television, University of Johannesburg
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/79981
2017-07-28T05:47:01Z
2017-07-28T05:47:01Z
For many Mexicans, this government spying scandal feels eerily familiar
<figure><img src="https://images.theconversation.com/files/180080/original/file-20170727-10836-1yrzopd.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Pegasus statue in front of the Palacio de Bellas Artes, Mexico City</span> <span class="attribution"><a class="source" href="https://www.flickr.com/photos/acorreu/34177634231/in/photolist-VBDg4S-5ZF284-78R2GX-79ZHQL-78R2EZ-78UU8N-6jvEcn-7Be7fb-8crmXh-9Yft9F-5RvXRV-666SdL-86q3KS-6ZLWPk-bSnnr-662AGa-2yxf4C-TFMCnC-c89u-ETZFwX-U5aiVH-dq79Fq">Alberto Correu/ flickr</a>, <a class="license" href="http://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA</a></span></figcaption></figure>
<p>The <a href="http://www.palacionacionaldemexico.mx/">National Palace</a> in Mexico City has been home for Mexican ruling classes since the Aztec empire. Its main courtyard is adorned with a fountain crowned by a baroque sculpture of <a href="https://www.britannica.com/topic/Pegasus-Greek-mythology">Pegasus</a>, the winged mythological stallion. Pegasus has thus presided over the centre of power in Mexico <a href="http://zedillo.presidencia.gob.mx/welcome/PAGES/culture/note_pegasus.html">since 1625</a>.</p>
<p>It was Enrico Martínez (1560-1632), a cosmographer who worked for King Phillip II of Spain, who chose the Pegasus constellation as the <a href="https://babel.hathitrust.org/cgi/pt?id=ucm.5323537537;view=1up;seq=259">cosmic ruler</a> of Mexico’s destiny, recalling that Pegasus created a spring whose waters protected the muses and “made men wise.” </p>
<p>Mexico could use a little more Pegasus these days. Last month, the <a href="https://www.nytimes.com/2017/06/19/world/americas/mexico-spyware-anticrime.html?hp&action=click&pgtype=Homepage&clickSource=story-heading&module=first-column-region&region=top-news&WT.nav=top-news">New York Times</a> raised a ruckus in Mexico and abroad when it <a href="https://r3d.mx/gobiernoespia/">revealed</a> that President Enrique Peña Nieto’s administration was using sophisticated spyware to keep watch over prominent journalists and human rights activists in the country.</p>
<h2>#SpyingGovernment, or the autocrat’s apprentice</h2>
<p>The spyware – known paradoxically as Pegasus – collects all communications of a targeted smartphone if the recipient opens a malicious link sent via text message. It is purportedly meant for fighting criminal organisations, such as drug cartels, and terrorism.</p>
<p>The report spotlighted by the New York Times, which was also distributed through social networks under the hashtag #<em>GobiernoEspía</em> (#SpyingGovernment), was prepared by the Mexican NGOs <a href="https://articulo19.org/">Artículo 19</a>, <a href="https://r3d.mx/">R3D</a> and <a href="https://socialtic.org/">SocialTic</a>, with support from the Canada-based <a href="https://citizenlab.ca/2017/06/reckless-exploit-mexico-nso/">Citizen Lab</a>. It alleges that the Mexican government purchased over US$80 million worth of the spyware from the Israeli <a href="https://au.linkedin.com/company/nso-group">NSO Group</a>.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/4I-rrOmQInw?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
</figure>
<p>Over <a href="https://citizenlab.ca/2017/06/reckless-exploit-mexico-nso/">76 text messages</a> containing the Pegasus malware were sent to <a href="http://www.animalpolitico.com/2017/07/giei-espionaje-pegasus-nyt/">members of the international team</a> investigating the disappearance of 43 students in Ayotzinapa, Guerrero, in 2014, <a href="https://motherboard.vice.com/en_us/article/mbjyqx/mexico-hacking-and-spying-on-its-citizens-is-a-human-rights-crisis">lobbyists</a> working on anti-corruption legislation and to Peña Nieto’s <a href="https://elpais.com/internacional/2017/06/29/mexico/1498746107_370586.html">political opponents</a>.</p>
<p>Critical journalists were targeted, too. Among them was Carmen Aristegui, the reporter who exposed the biggest government corruption case to date when she uncovered that Peña Nieto’s wife, Angélica Rivera, had purchased a <a href="https://news.vice.com/article/mexicos-president-and-first-lady-face-scandal-over-lavish-white-house-mansion">lavish mansion</a> in one of the most expensive areas of Mexico City. Aristegui’s underage son was also <a href="http://aristeguinoticias.com/1906/mexico/gobiernoespia-a-emilio-aristegui/">a victim of attempted espionage</a>. </p>
<p>The texted spyware links were accompanied by <a href="https://citizenlab.ca/2017/06/reckless-exploit-mexico-nso/">personalised messages of intimidation or insinuation</a>, many of them sexual in tone. Some people received crude taunts; others, accusations of leaked sex tapes.</p>
<figure class="align-right zoomable">
<a href="https://images.theconversation.com/files/180110/original/file-20170727-29849-1k6zibd.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/180110/original/file-20170727-29849-1k6zibd.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/180110/original/file-20170727-29849-1k6zibd.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/180110/original/file-20170727-29849-1k6zibd.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/180110/original/file-20170727-29849-1k6zibd.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/180110/original/file-20170727-29849-1k6zibd.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/180110/original/file-20170727-29849-1k6zibd.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/180110/original/file-20170727-29849-1k6zibd.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption"></span>
<span class="attribution"><a class="source" href="https://www.flickr.com/photos/presidenciamx/8425470348/in/photolist-dQwJsA-dQr9gn-dQr9hD-dQr9k2-dQr9pK-dQr9iD-dQwJGj-dQwJDC-dQr9xT-dQwJN9-dQwJB5-dQr9J2-dQwJLG-dQr9qX-dQwJHE-dQwJzo-dQr9CX-dQr9nk-dQr9vF">Peña Nieto, a technology fan</a>, <a class="license" href="http://creativecommons.org/licenses/by/4.0/">CC BY</a></span>
</figcaption>
</figure>
<p>The scandal has marked a new low for the <a href="http://www.latimes.com/world/mexico-americas/la-fg-mexico-president-20170301-story.html">crisis-ridden</a> Mexican government. In a June 22 press conference, Peña Nieto <a href="https://www.nytimes.com/2017/06/22/world/americas/mexico-pena-nieto-hacking-pegasus.html?_r=0">acknowledged</a> that his government had bought Pegasus, but denied that it had ordered the surveillance. </p>
<h2>The authoritarian’s new clothes</h2>
<p>This is neither the first nor the only case in which the citizens of an allegedly democratic country have recently been betrayed by technological tools that are supposedly designed to protect them. </p>
<p>Former US president Barack Obama, for example, created one of the <a href="http://foreignpolicy.com/2016/09/07/every-move-you-make-obama-nsa-security-surveillance-spying-intelligence-snowden/">most intrusive surveillance apparatuses</a> in the world, a reminder that the nexus between safety and liberty is delicate and violable.</p>
<p>Peña Nieto’s Revolutionary Institutional Party (PRI), which ruled Mexico without interruption for seven decades, also has prior experience in exercising untrammelled violence against its opponents. For any Mexican born before 2000, there is something uncannily familiar about turning Pegasus into a Mexican Big Brother.</p>
<p>In 1947, under the PRI president Miguel Alemán Valdés (1946-1952), the Dirección Federal de Seguridad (Federal Security Directorate, DFS) was created with the <a href="http://www.lib.utexas.edu/taro/utlac/00200/lac-00200.html">duty</a> of preserving the internal stability of Mexico against subversion and terrorist threats. </p>
<p>According to <a href="http://www.variant.org.uk/pdfs/issue11/Variant11.pdf">Peter Dale Scott</a>, “the DFS was in part a CIA creation”, and it soon became a formidable tool for sustaining authoritarian and corrupt governments in Mexico.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/TnzccFhNUKI?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
</figure>
<p>Throughout the Cold War and after, an unsettled period that in Mexico is often referred to as the <em>Guerra Sucia</em> (1954-2000), the DFS was a key element in the conflict between the US-backed PRI governments and the left-wing student and guerrilla groups it was fighting, particularly during the 1960s and 1970s. </p>
<p>Under the consecutive presidencies of Luis Echeverría (1970-1976) and José López Portillo (1976-1982), espionage was a crucial tool for both identifying opponents of the Mexican state and hiding or eliminating the information that would have made the government accountable for its actions.</p>
<p>This history was hidden away for years. In 2003, president Vicente Fox, the first non-PRI president to rule the country in 70 years, requested a <a href="http://nsarchive.gwu.edu/NSAEBB/NSAEBB180/index2.htm">report</a> on the Mexican government’s counter-insurgency actions during the Dirty War.</p>
<p>The final document stated that over the course of a half century the Mexican army had “kidnapped, tortured, and killed hundreds of rebel suspects”, accusing the state of genocide.</p>
<h2>False accusations</h2>
<p>The Pegasus scandal thus marks the second time in 15 years that Mexican citizens have learnt the dangers of unfettered state intrusion into their private lives.</p>
<p>Under <a href="http://dof.gob.mx/nota_detalle.php?codigo=5154016&fecha=03/08/2010">Mexican law</a>, any interception of private communications must be authorised by a judge, in cases that involve grave crimes. So, in his June press conference on the subject, Peña Nieto promised an investigation into the misuse of the spyware. </p>
<p>Then he moved onto threats, <a href="https://www.theguardian.com/world/2017/jun/30/mexico-spying-scandal-pegasus-opposition">warning</a> that the attorney general’s office would “apply the law against those who have levelled false accusations against the government”.</p>
<p>The reaction was bald shock. </p>
<p>“This is not the expected behaviour of the head of state of a young democracy,” Juan Pardinas, the head of the <a href="http://imco.org.mx/home/">Mexican Institute for Competitiveness</a>, who was a hacking target, <a href="https://www.nytimes.com/2017/06/22/world/americas/mexico-pena-nieto-hacking-pegasus.html">told the New York Times</a>. “This is the statement of an apprentice of Vladimir Putin.”</p>
<p>Peña Nieto later said he misspoke and did not intend to threaten anyone. </p>
<p>“What I said,” he <a href="https://www.nytimes.com/2017/06/22/world/americas/mexico-pena-nieto-hacking-pegasus.html">clarified</a>, “was precisely to follow up on the criminal complaints that some activists have filed regarding this supposed spying.”</p>
<p>Even this recanting avoids directly responding to Pardinas’ critique of the implications of using spyware to monitor individuals that the Mexican government finds inconvenient or uncomfortable. </p>
<p>It is now impossible to see Pegasus ruling over the National Palace and take to heart its aspirational motto: <em>sic itur ad astra</em>, thus one goes to the stars. For nearly a century, what this mythological creature has embodied is Mexican authoritarianism, the legacy of a state that vows to protect its citizens by exercising violence over them.</p>
<p>If Mexicans want to recover the 17th-century promise of Pegasus, they must firmly reject its modern reincarnation. Democracy is a fragile thing, and no one can buy safety by sacrificing liberty.</p>
<p class="fine-print"><em><span>Luis Gómez Romero does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>This is not the first time Mexico’s government has been accused of spying on and harassing citizens whose activities it finds inconvenient.</p>
<p>Luis Gómez Romero, Senior Lecturer in Human Rights, Constitutional Law and Legal Theory, University of Wollongong</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
tag:theconversation.com,2011:article/80891 2017-07-21T00:48:14Z
Spyware merchants: the risks of outsourcing government hacking
<p>An Australian Tax Office (ATO) staffer <a href="http://www.abc.net.au/news/2017-07-12/tax-office-slip-up-reveals-new-phone-hacking-capabilities/8698800">recently leaked</a> on LinkedIn a step-by-step guide to hacking a smartphone.</p>
<p>The documents, which have since been removed, indicate that the ATO has access to Universal Forensic Extraction software made by the Israeli company Cellebrite. This technology is part of a commercial industry that profits from bypassing the security features of devices to gain access to private data. </p>
<p>The ATO <a href="https://www.ato.gov.au/Media-centre/Media-releases/Second-Commissioner-s-Statement--ATO-digital-forensic-capability/">later stated</a> that while it does use these methods to aid criminal investigations, it “does not monitor taxpayers’ mobile phones or remotely access their mobile devices”. </p>
<p>Nevertheless, the distribution of commercial spyware to government agencies appears to be common practice in Australia. </p>
<p>This is generally considered to be lawful surveillance. But without proper oversight, there are serious risks to the proliferation of these tools, here and around the world.</p>
<h2>The dangers of the spyware market</h2>
<p>The spyware market is estimated to be worth <a href="https://www.forbes.com/sites/thomasbrewster/2017/02/16/government-iphone-android-spyware-is-the-same-as-seedy-spouseware/#2e300813455c">millions of dollars globally</a>. And as Canadian privacy research group Citizen Lab <a href="https://citizenlab.ca/2017/03/whos-watching-little-brother-checklist-accountability-industry-behind-government-hacking/">has noted</a>, spyware vendors have been willing to sell their wares to autocratic governments. </p>
<p>There are numerous examples of spyware being used by states with dubious human-rights records. These include the surveillance of journalists, political opponents and human rights advocates, including more recently by the <a href="https://citizenlab.ca/2017/06/reckless-exploit-mexico-nso/">Mexican government</a> and in the <a href="https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/">United Arab Emirates</a>. In Bahrain, the tools have reportedly been used to <a href="https://theintercept.com/2016/12/08/phone-cracking-cellebrite-software-used-to-prosecute-tortured-dissident/">silence political dissent</a>.</p>
<p>Commercial spyware often steps in when mainstream technology companies resist cooperating with law enforcement because of security concerns.</p>
<p>In 2016, for example, <a href="https://www.apple.com/customer-letter/">Apple refused</a> to assist the FBI in circumventing the security features of an iPhone. Apple claimed that being forced to redesign their products could undermine the security and privacy of all iPhone users. </p>
<p>The FBI eventually dropped its case against Apple, and it was <a href="https://www.theguardian.com/technology/2016/apr/21/fbi-apple-iphone-hack-san-bernardino-price-paid">later reported</a> the FBI paid almost US$1.3 million to a spyware company, <a href="http://www.reuters.com/article/us-apple-encryption-cellebrite-idUSKCN0WP17J">reportedly Cellebrite</a>, for technology to hack the device instead. This has never been officially confirmed.</p>
<p>For its part, <a href="http://www.cellebrite.com/Mobile-Forensics/News-Events/Press-Releases/cellebrite-announces-availability-of-mobile-device-forensics-solutions-through-federal-government-wide-procurement-vehicles">Cellebrite</a> claims on its website to provide technologies allowing “investigators to quickly extract, decode, analyse and share evidence from mobile devices”. </p>
<p>Its services are “widely used by federal government customers”, it adds.</p>
<h2>Spyware merchants and the Australian Government</h2>
<p>The Australian government has shown considerable appetite for spyware.</p>
<p><a href="https://www.tenders.gov.au/?event=public.advancedsearch.keyword&keyword=Cellebrite">Tender records</a> show Cellebrite currently holds Australian government contracts worth hundreds of thousands of dollars. But the specific details of these contracts remain unclear.</p>
<p>Fairfax Media <a href="http://www.canberratimes.com.au/national/asic-ato-afp-and-defence-buy-services-of-phonehacking-company-cellebrite-20170622-gwwbnb.html">has reported</a> that the ATO, Australian Securities and Investment Commission, Department of Employment, Australian Federal Police (AFP) and Department of Defence all have contracts with Cellebrite. </p>
<p>The Department of Human Services <a href="https://www.tenders.gov.au/?event=public.cn.view&CNUUID=07C42438-B724-7039-1F98A5667818BBA6">has had</a> a contract with Cellebrite, and <a href="http://www.canberratimes.com.au/national/centrelink-hacking-into-fraudsters-phones-20170627-gwzgqc.html">Centrelink</a> apparently uses spyware to hack the phones of suspected welfare fraudsters. </p>
<p>In 2015 <a href="http://www.abc.net.au/news/2015-07-28/wikileaks-reveals-australian-companies-selling-spyware/6652184">WikiLeaks released emails</a> from Hacking Team, an Italian spyware company. These documents revealed <a href="http://www.abc.net.au/news/2015-07-10/leaked-emails-expose-australian-government-agencies-hacking-team/6609276">negotiations with</a> the Australian Security and Intelligence Organisation (ASIO), the AFP and other law enforcement agencies. </p>
<h2>Laws and licensing</h2>
<p>In Australia, the legality of spyware use varies according to government agency.</p>
<p>Digital forensics tools are used with a warrant by <a href="https://www.ato.gov.au/About-ATO/Access,-accountability-and-reporting/In-detail/Our-approach-to-information-gathering/?page=2#Legislative_references">the ATO</a> to conduct federal criminal investigations. <a href="http://www.austlii.edu.au/au/legis/cth/consol_act/ca191482/s3e.html">A warrant</a> is typically required before Australian police agencies can use spyware.</p>
<p>ASIO, on the other hand, <a href="http://www.austlii.edu.au/au/legis/cth/consol_act/asioa1979472/">has its own powers</a>, and those under the <a href="http://www.austlii.edu.au/au/legis/cth/consol_act/taaa1979410/">Telecommunications (Interception and Access) Act 1979</a>, that enable spyware use when authorised by the attorney-general. </p>
<p>ASIO also has <a href="http://www.austlii.edu.au/au/legis/cth/consol_act/asioa1979472/s25a.html">expanded powers</a> to hack <a href="https://policyreview.info/articles/analysis/computer-network-operations-and-rule-law-australia">phones and computer networks</a>. These powers raise concerns about the adequacy of independent oversight.</p>
<p>International control of these tools is also being considered.</p>
<p>The <a href="http://www.wassenaar.org/">Wassenaar Arrangement</a>, of which Australia is a participant, is an international export control regime that aims to limit the movement of goods and technologies that can be used for both military and civilian purposes.</p>
<p>But there are questions about whether this agreement can be enforced. Security experts also question whether it could criminalise <a href="https://www.wired.com/2015/06/arms-control-pact-security-experts-arms/">some forms of cybersecurity research</a> and limit the exchange of important <a href="https://www.privacyinternational.org/node/344">encryption technology</a>. </p>
<p>Australia has export <a href="http://www.defence.gov.au/ExportControls/DTC.asp">control laws</a> that apply <a href="http://www.defence.gov.au/ExportControls/ICT.asp#Overview">to intrusion software</a>, but the process lacks transparency about the domestic export of spyware technologies to overseas governments. Currently, there are few import controls.</p>
<p>There are also moves to regulate spyware through licensing schemes. For example, Singapore is <a href="https://www.csa.gov.sg/news/press-releases/mci-and-csa-seek-public-feedback-on-proposed-cybersecurity-bill">considering</a> a license for ethical hackers. This could potentially improve transparency and control of the sale of intrusion software. </p>
<p>It’s also concerning that “off-the-shelf” spyware is <a href="https://motherboard.vice.com/en_us/article/aeyea8/i-tracked-myself-with-dollar170-smartphone-spyware-that-anyone-can-buy">readily accessible</a> to the public.</p>
<h2>‘War on math’ and government hacking</h2>
<p>The use of spyware in Australia should be viewed alongside the recent announcement of Prime Minister Malcolm Turnbull’s so-called <a href="http://www.zdnet.com/article/labor-not-distancing-itself-from-turnbulls-war-on-maths/">war on maths</a>. </p>
<p>The prime minister has <a href="https://theconversation.com/australias-planned-decryption-law-would-weaken-cybersecurity-81028">announced laws</a> will be introduced obliging technology companies to intercept encrypted communications to fight terrorism and other crimes. </p>
<p>This is part of a general appetite to undermine security features that are designed to provide the public at large with privacy and safety when using smartphones and other devices.</p>
<p>Despite the prime minister’s <a href="https://www.computerworld.com.au/article/620329/no-one-talking-about-backdoors-says-pm-cyber-guy/">statements to the contrary</a>, these policies can’t help but force technology companies to build <a href="https://www.theregister.co.uk/2017/07/07/oz_governments_definition_of_backdoor/">backdoors</a> into, or otherwise weaken or undermine, encrypted messaging services and the security of the hardware itself.</p>
<p>While the government tries to bypass encryption, spyware technologies already rely on the inherent weaknesses of our digital ecosystem. This is a secretive, lucrative and unregulated industry with serious potential for abuse. </p>
<p>There needs to be more transparency, oversight and strong steps toward developing a robust framework of <a href="https://citizenlab.ca/2017/03/whos-watching-little-brother-checklist-accountability-industry-behind-government-hacking/">accountability</a> for both the government and private spyware companies.</p>
<p class="fine-print"><em><span>Monique Mann is a Board Member of the Australian Privacy Foundation and is on the Advisory Council of Digital Rights Watch Australia. While at the Australian Institute of Criminology, she consulted for the Australian Criminal Intelligence Commission on information systems and cybercrime. The views expressed here are those of the author and do not represent the views of any Commonwealth agency.</span></em></p>
<p class="fine-print"><em><span>Adam Molnar is a Board Member of the Australian Privacy Foundation and is on the Advisory Council of Digital Rights Watch Australia. </span></em></p>
<p class="fine-print"><em><span>Dr Ian Warren is affiliated with The Australian Privacy Foundation. </span></em></p>
<p>The Australian government is using spyware. Is that legal?</p>
<p>Monique Mann, Lecturer, School of Justice, Researcher at the Crime and Justice Research Centre and Intellectual Property and Innovation Law Research Group, Faculty of Law, Queensland University of Technology</p>
<p>Adam Molnar, Lecturer in Criminology, Deakin University</p>
<p>Ian Warren, Senior Lecturer, Criminology, Deakin University</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
tag:theconversation.com,2011:article/65348 2016-09-16T01:57:44Z
iPhone hack attack shows why we need to rein in the trade in spyware
<figure><img src="https://images.theconversation.com/files/137901/original/image-20160915-30617-12pqlsr.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Apple didn't know about the vulnerability until the iPhone hack.</span> <span class="attribution"><a class="source" href="https://www.flickr.com/photos/matsuyuki/8444605636/">Flickr/Toshiyuki IMAI</a>, <a class="license" href="http://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA</a></span></figcaption></figure>
<p>Downloading security updates for computers and mobile devices is a regular routine for most of us.</p>
<p>But not all such updates are created equal. Apple’s recent <a href="https://support.apple.com/en-au/HT207107">iOS 9.3.5 update</a> (and a related update to parts of OS X) was one of the more significant in recent memory. </p>
<p>The update fixed three security flaws which, used in combination, could give an attacker full control over an iPhone if the phone’s user clicked on a malicious link.</p>
<p>The discovery of these security flaws brought to light a relatively new, low-profile and ethically questionable business: selling potent hacking tools, and information about security flaws that make them effective, to government agencies and private companies around the world. </p>
<h2>Zero-day exploits – a hacker’s wild card</h2>
<p>In the world of information security, a vulnerability is a flaw in an IT system with security implications. A zero-day vulnerability is simply one that is unknown to the developers of an IT system. This means there is no fix available for it.</p>
<p>An exploit is a computer program that takes advantage of one or more vulnerabilities to make an IT system do something its administrator didn’t intend it to do. </p>
<p>A zero-day exploit is an exploit that uses a zero-day vulnerability. If a zero-day exploit is in the hands of an attacker, there is little a user or system administrator can do to stop them. </p>
<p>Exploits vary greatly in the scope of things they enable an attacker to do to a system. The most potent exploits are “root” exploits, which give an attacker complete control over the system.</p>
<p>Similarly, exploits vary in the ways that they can be delivered. A remote exploit is one that can be transmitted to the target device over a network.</p>
<p>The most insidious remote exploits happen without any user involvement, but even remote exploits that require tricking a user to click on a link, for instance, are often effective.</p>
<h2>Spying on a human rights activist</h2>
<p>The vulnerabilities in iOS came to light when an internationally recognised Emirati human rights activist, <a href="https://twitter.com/ahmed_mansoor">Ahmed Mansoor</a>, received an odd-looking text message on his iPhone. </p>
<p>Mansoor was sufficiently sceptical to forward the message to security researchers, who investigated the message and discovered the exploit and its origins. Detailed reports are available from the researchers at <a href="https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/">Citizen Lab</a> and <a href="https://blog.lookout.com/blog/2016/08/25/trident-pegasus/">Lookout Security</a>.</p>
<p>The attempted attack against Mansoor’s iPhone was extremely potent. It used a combination of three zero-day vulnerabilities that were unknown to Apple and would have given the attackers complete control over his iPhone and the data on it. </p>
<p>It was sent to his phone as a text message. Its one weakness was that it required that Mansoor actually click on the malicious link in that message. It is the first known such attack against the iPhone.</p>
<h2>NSO Group, spyware exporters extraordinaire</h2>
<p><a href="https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/">According to Citizen Lab researchers</a>, the software used to target Mansoor’s iPhone was probably the work of NSO Group, an Israel-based company that is <a href="http://www.bloomberg.com/research/stocks/private/snapshot.asp?privcapId=257152480">reportedly</a> American-owned. </p>
<p>The <a href="https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/">Citizen Lab report on the Mansoor case</a> says:</p>
<blockquote>
<p>The high cost of iPhone zero-days, the apparent use of NSO Group’s government-exclusive Pegasus product, and <a href="https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/">prior known targeting of Mansoor</a> by the UAE government provide indicators that point to the UAE government as the likely operator behind the targeting.</p>
</blockquote>
<p>It says the same NSO Group software was also used to target journalists in Mexico, and had also been used in Kenya. </p>
<p>Israeli newspaper <a href="http://www.ynetnews.com/articles/0,7340,L-4851719,00.html">YnetNews</a> reports that the Defense Export Controls Agency (DECA) granted the NSO Group a license to sell its espionage program, Pegasus, to a private company in an Arab state, despite some strong objections.</p>
<p>The news report goes on to say that Foreign Ministry officials stress the NSO Group was not involved in any data breach itself. </p>
<h2>The spyware bazaar</h2>
<p>NSO Group is but one of a number of companies domiciled in wealthy American-allied democracies offering similar hacking tools to government agencies, including undemocratic governments known for systematic human rights violations. </p>
<p>One such company, Italy-based Hacking Team, <a href="http://motherboard.vice.com/read/here-are-all-the-sketchy-government-agencies-buying-hacking-teams-spy-tech">was itself hacked</a> in 2014. Its customer list was leaked to media outlets, and included the Sudanese and Saudi Arabian governments.</p>
<p>As well as the trade in complete spyware products, another group of companies trade in information about zero-day vulnerabilities. One company, <a href="https://www.zerodium.com/">Zerodium</a>, has even posted a <a href="https://www.zerodium.com/program.html">“reward list”</a>, indicating what it will pay for different zero-day exploits against different software platforms. Apple iOS exploits can fetch up to US$500,000.</p>
<p>Zerodium <a href="https://www.zerodium.com/ios9.html">claims to have purchased</a> a zero-day remote exploit against the iPhone, similar in its effects to the NSO Group hack, in November 2015. </p>
<p>It is unknown whether the vulnerabilities used by the exploit (if it indeed exists) are common to the NSO Group hack, and therefore whether it still works on iOS 9.3.5 and 10.</p>
<p>Zerodium’s client list is known only to Zerodium and the governments that permit it to operate. But spyware vendors such as NSO Group need a steady supply of exploits for their tools to remain functional, so they would be plausible customers.</p>
<h2>Leaving the rest of us exposed</h2>
<p>Police forces and intelligence agencies do have legitimate reasons for wanting to get covert access to IT systems. But the current trade in hacking tools and zero-day vulnerabilities should, in my view, be drastically reined in.</p>
<p>First, Western democracies are far too willing to permit the sale of these tools to undemocratic governments that use them to spy on political opponents.</p>
<p>Second, by stockpiling and exploiting vulnerabilities rather than assisting software developers to fix them, this trade leaves the rest of us unprotected if other parties discover and exploit the same zero-days.</p>
<p>While core government defence and intelligence infrastructure might get its own, secret protection against such attacks, there is a broad range of other targets that are potentially at risk of highly sophisticated attacks, even by state-sponsored hackers, and do not have the benefit of such protection.</p>
<p>Russian state-sponsored hackers, for instance, have been accused of attacking high-profile non-government organisations, such as the <a href="http://www.nytimes.com/2016/07/27/us/politics/spy-agency-consensus-grows-that-russia-hacked-dnc.html">organisational wing of the US Democratic Party</a>, and even the <a href="http://www.abc.net.au/news/2016-09-14/doping-wada-systems-hacked-by-russian-cyber-espionage-group/7842644">World Anti-Doping Agency</a> (WADA).</p>
<p>The WADA hack was <a href="http://www.bbc.com/news/world-37352326">apparently the result</a> of <a href="http://au.norton.com/spear-phishing-scam-not-sport/article">spearphishing</a> and probably did not involve use of a zero-day exploit. But zero-days could easily be used for similar attacks. </p>
<h2>‘NOBUS’ for the NSA, but not for the private sector</h2>
<p>The US government’s own hacking agency, the National Security Agency, reportedly has a <a href="https://www.washingtonpost.com/news/the-switch/wp/2013/10/04/why-everyone-is-left-less-secure-when-the-nsa-doesnt-help-fix-security-flaws/">“Nobody But Us” policy</a> that guides a decision whether to reveal vulnerabilities it finds to software developers, or keep them secret for exploitation. </p>
<p>As former NSA director Michael Hayden put it:</p>
<blockquote>
<p>If there’s a vulnerability here that weakens encryption but you still need four acres of Cray computers in the basement in order to work it you kind of think “NOBUS” and that’s a vulnerability we are not ethically or legally compelled to try to patch – it’s one that ethically and legally we could try to exploit in order to keep Americans safe from others.</p>
</blockquote>
<p>Whether the NSA is actually following the spirit of this stated policy is <a href="https://www.schneier.com/blog/archives/2016/08/the_nsa_is_hoar.html">open to doubt</a>. </p>
<p>But there is no such principle guiding the broader trade in hacking tools between private companies and governments around the world. It appears to be disturbingly close to open slather. </p>
<p>It’s time for this to change.</p>
<p class="fine-print"><em><span>Robert Merkel does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Rich rewards are on offer to people who can help private companies develop software to exploit vulnerabilities in technology such as smartphones. It might be legal, but is it ethical?</p>
<p>Robert Merkel, Lecturer in Software Engineering, Monash University</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>