For several days, the Federation of Journalists Prohibited stories Makes continuous revelations about spying software on thousands of political leaders, activists and journalists around the world.
Photos, videos, SMS, messaging that needs to be encrypted, but activating the microphone and remote camera, which is very close to the targets of the Pegasus virus scatter.
Can you present the structure of the Citizen Laboratory? How many people work there, and what is your main goal?
The Citizen Lab is a research lab, so we’re an investigative team. We have about two dozen employees or subsidiaries or people from different moral backgrounds. I am a political scientist and my expertise is in international security. However, many Citizen Lab employees come from other fields.
We use specific techniques and methods of computer science and engineering to carry out this type of hybridization and in legal and regional studies.
We will explore digital security issues such as targeted espionage, which usually arise from human rights concerns. So you might think of us as a monitoring group or a
ITUC on Human Rights.
What is your role in the latest revelations regarding Project Pegasus?
First, Citizen Lab has been investigating Pegasus and the NSO Group since its first publication on the NSO in August 2016. This is the report we first found on the Pegasus, and we actually got a copy. We started doing spyware and reverse engineering and mapping its command and control infrastructure and some of its government clients.
Therefore, spyware communicates in a special way, which leaves digital traces. Since then, we have written a series of reports showing that NSO spyware is widely abused worldwide.
We understand that there is no security barrier to this technology being sold to governments to help investigate serious cases of crime or terrorism. No wonder it is used to target journalists, human rights activists, lawyers and all sorts of people.
For the most recent project, our role is to provide some sort of peer review. Therefore, we were called to testify to the strategy followed by Amnesty International Security Laboratory, which we found to be very convincing. We help you with potential targets and devices to check whether the devices are targeted or not.
Your team is going to do this for a while, right?
Oh yes. This is an important part of the actions we take. You know, NSO is not the only one in this market. It is a large, growing and very lucrative industry. So the Pegasus will definitely always be on our radar.
Due to the nature of our investigations, you may start with one or two abuse cases. It’s always snowballs. With the most recent revelations, many people are worried that their devices have been hacked. We will no doubt find evidence of other abuse cases that we may report.
How many other spyware do you read, and from what countries?
So far, three Israeli-based companies have appeared on our radar: Cyberbit, which we discovered, I hope, in 2018. [en décembre 2017, NDLR], Used not only to market or provide services to Ethiopia, but also to engage in global Internet intelligence, including targeting Ethiopians in Canada and the United States.
But thanks to a functional security mistake made by the company, we were able to see to whom they were trying to sell their software. This includes the most confusing list of consumer countries with the worst human rights record.
You also have the canteen we reported last week. Again, a very similar story. It is a company that sells to government customers with bad human rights records. Then you have the NSO team.
There are many other companies outside of Israel. In the past, we have reported on Finfisher, a hacking group of German and British companies, which no longer exists. It was renamed an Italian company.
If you look away from the spyware market and the surveillance industry as a whole, I think it is fair to say that it has its roots in the industrialized economies of the West. Most of these companies got their start, which is starting to spread around the world.
What can you say about the situation outside the Western world?
There are a variety of ways to accomplish delivering Pegasus and similar tools to government customers. We are basically talking about how to hack and stealthily monitor a device.
Some governments use internal capabilities. Some governments contract with underground work groups. They can be criminal organizations during the day and then work for security agencies at night.
This would be the Russian example. So in Russia there are security agents, internal and external, and they all work with clients, they offer their hacking offers abroad.
A similar situation exists in China. You have the People’s Liberation Army, the Ministry of Defense, but all these small groups do contract work for the state. Tito in Syria, Iran etc.
It takes a lot of resources to set up such a function. There are probably many that serve countries Group of five [l’alliance des services de renseignement du Canada, des États-Unis, du Royaume-Uni, de la Nouvelle-Zélande et de l’Australie, NDLR].
Where does Canada get the technology to loot overseas? As far as we know, there are companies that provide this type of technology not from the NSO group, but to the United States, Canada and the United Kingdom. We do not find them, probably because they are sold exclusively to those countries because they are not abusive.
To continue with Canada, can you tell us about those who spied this way in Canada?
We know that the victim hacked the phone while he was a permanent resident of Canada, ie Omar Abdulaziz, who lives in Quebec. In fact, he became the journalist’s closest confidante Washington Post Jamal Kashogi was killed.
We found out that Saudi operators hacked his phone using Pegasus spyware.
I have no doubt there are many more [au Canada] Its devices have been hacked by various government operators using Pegasus.
There have been other companies in the past where Rwandan and Ethiopian activists have been targeted using a variety of spyware.
Is the Canadian government complicit in this? I do not believe it.
Canada has a unique opportunity here to play a leading role in addressing the harms we have seen in this unregulated industry. He is a member of the group of five. There are significant cases where Canadians are targeted. Of course the Citizen Lab is located in Canada. We put this problem on the map.
So I think Canada could lead the alliance of countries to impose surveillance and regulations on this industry or at least act towards it. This is a reason Canadians can be proud of, and it is in line with our stated values.
How much do you care about the possibility of spying on electronic devices, even for the average citizen?
Well, the sad fact is that the most intimate aspects of our personal lives are technology, devices, and telecommunications networks that are insecure, poorly organized, and therefore vulnerable to abuse.
Even the best company like Google or Apple can invest a lot of money to create more secure products. They do a good job overall.
Nevertheless, spyware vendors such as operators and the NSO Group with sufficient resources can allocate a lot of resources to identify software vulnerabilities that they may use. So this is a tough challenge for these sites.
These companies cause us trouble. They need to do more to help researchers like those in Citizen Labs identify the worst actors who can exploit their technology.
They may provide us with technical skills that allow us to do our work more efficiently.
Unfortunately, our entire communication ecosystem is like the card of digital cards. This is absolutely dangerous. This is the sad truth of the world in which we live.
If you are looking at your own iPhone or Android, you have many apps, with millions of lines and new features constantly updated and changed. And it relies on a cellular network, which is very complex and involves many technologies. So it is almost impossible to protect it completely.
Applications [de messagerie notamment, NDLR] Has many features. When you have a team of well-trained engineers, look for holes without doing anything so they can find mine.
“Prone to fits of apathy. Introvert. Award-winning internet evangelist. Extreme beer expert.”