In the almost 10 years since the Edward Snowden revelations, we have all been more-or-less aware that if the USA’s National Security Agency or the UK’s GCHQ wants to listen to our communications, they’re going to manage to do so.
Many of us might not be too happy about that, but many are also somewhat reassured that both countries are more-or-less functional democracies, with various safeguards and constitutional norms restricting how they use these functions. We might have different levels of trust in how well those work in practice – especially as those files revealed spy activity dragging in journalists and activists, and even hanging out and snooping in video games – but most of us know there generally are limits.
But what if the powers of the NSA and GCHQ were on sale to the highest bidder? That’s the reality of the modern world thanks to companies like NSO Group, which manufactures the notorious Pegasus spyware – capable of breaking into almost any phone and making everything on it vulnerable.
This type of attack is particularly revealing as encryption does nothing to stop it. If you use the instant messaging services WhatsApp or Signal, your messaging is encrypted as it travels between you and the person you’re speaking with. But if spyware can get inside your phone itself, then everything can be read and saved – it is the motherlode for any would-be snooper.
NSO Group insists that it only sells Pegasus access to accredited nation-states to use for legitimate purposes. But right across the world, it has been detected on the phones of politicians, journalists and activists – perhaps most shockingly on devices of opposition politicians and journalists within EU nations. There is mounting suspicion among investigating MEPs that it is European governments doing that targeting: the governments of Poland, Greece, Hungary and Spain have all made use of Pegasus, and all are alleged to have used it to enable illegal spying, including on their own citizens.
To the dismay of those affected – and of some MEPs – the EU has proven to be more strident on intrusions on the privacy of EU citizens by those outside the bloc than when the suspects lie within it. European nation-states have been caught red-handed buying commercial software from outside the bloc (NSO Group is based in Israel) and are using it to breach both national laws and EU treaties – and quite probably multiple human rights of the affected victims. The European Commission response so far is little more than a muted shrug.
The very existence of software like Pegasus destabilises the rules-based system that binds governments. Just because the tool has been bought in from a third-party contractor doesn’t change either the laws or the norms that govern it – but all too many nations seem willing to pretend it does.
There is little that can be done when those governments are authoritarian nations (though NSO Group claims to carefully vet its clients), but when countries that belong to powerful international blocs, with treaties and enforcement mechanisms, are allowed to breach them with impunity, the signal to the rest of the world could not be clearer.
The reality of the modern world, thanks to hackers-for-hire like NSO Group, is that we’re all caught in the crossfire of a ceaseless online conflict. NSO claims to only sell Pegasus to nation-states, but hacking groups often claim to have access to it or software like it through backchannels.
Whether it is Pegasus itself or other sophisticated hacking tools, almost any unscrupulous government, corporation or criminal gang can hire in capabilities that were until a few years ago only available to a handful of major nation-states. That genie will never be put back in the bottle – we just have to learn how to live in a world where this is possible.
A start, of course, is to delegitimise this as a business. NSO Group is not a criminal enterprise: it is a law-abiding company, which follows regulations, and is an important exporter for Israel – and doubtless a useful asset to the state, too.
For so long as we’re happy to allow that state of affairs – the online equivalent of the lax old era of arms shipments regularly getting misplaced – then we will see hacking tools used to breach the law and to breach the privacy of activists and journalists.
Without international agreement on regulation – and perhaps agreements on making the sale of some software illegal, whoever the client is – this practice will continue. It’s probable that making some of it illegal will drive parts of the trade underground, but… so what? Currently it is happening in the open with the veneer of legitimacy, which is not doing any of us much good.
But more important even than that is that we start to live the values we claim to hold and enforce the laws we already have. Democracies need to stop using the existence of hacking capabilities as a reason to use them – especially when their use is obviously in breach of their own laws or international agreements. For so long as the EU turns a blind eye to the misadventures of its members, its pronouncements to the rest of the world – where the commission is trying to be a world leader on privacy and tech regulation – will ring hollow, and will deserve to do so.
The state has a lot more power than any of its individual citizens. It has always been able to threaten us with violence, to lock us in jail, to tap our phones, or to intrude on us in numerous other ways. It does not do so with abandon because it knows doing that would rapidly erode any claim to legitimacy it may have.
This holds true for hacking tools, too – just because it’s possible doesn’t mean it’s necessary, or proportionate. There will always be a company willing to sell you a tool with which to do evil. It’s up to you whether or not you buy it.