For more than a decade, dozens of journalists and human rights activists have been targeted and hacked by governments around the world. Police and spies in Ethiopia, Greece, Hungary, India, Mexico, Poland, Saudi Arabia, the United Arab Emirates and elsewhere use sophisticated spyware to compromise the mobile phones of victims, who sometimes face real-world threats, harassment and even death.
In recent years, a team of more than a dozen digital security experts, primarily based in Costa Rica, Manila, and Tunisia, has played a key role in the fight to protect these high-risk communities. They work for the New York-based nonprofit organization Access Now, specifically its digital security helpline.
Their mission is to be the team journalists, human rights activists, and dissidents can turn to when they suspect they have been hacked, including by mercenary spyware created by companies like NSO Group, Intellexa, and Paragon.
“The idea is to make this service available to civil society and journalists 24/7 so they can contact us anytime when a cybersecurity incident occurs,” Hassen Selmi, who leads the incident response team at the helpline, told TechCrunch.
The Access Now helpline is a “front-line resource” for journalists and others who may have been targeted or hacked by spyware, said Bill Marczak, a senior researcher at the University of Toronto's Citizen Research Institute who has researched spyware for about 15 years.
Helplines have become an important funnel for victims. When Apple sends users so-called “threat notifications” warning them they're being targeted by mercenary spyware, the tech giant has long directed victims to Access Now researchers.
In an interview with TechCrunch, Selmi described a scenario in which someone receives one of these threat notifications and explained how Access Now can help the victim.
“If they have someone to explain it to them and tell them what to do, what not to do, what this means…this is a huge relief for them,” Selmi said.
According to several digital rights experts who have investigated the spyware scandal and previously spoke with TechCrunch, Apple is generally taking the right approach, even though the multitrillion-dollar tech giant appears, at least in terms of optics, to be shifting responsibility onto a small team of nonprofit employees.
Apple's mention of the helpline in its notifications was “one of the biggest milestones” for the helpline, Selmi said.
Selmi and his colleagues currently investigate about 1,000 suspected government spyware attacks a year. Mohamed Al Maskati, head of the helpline, said about half of these cases proceed to an actual investigation, and only about 5%, or about 25 of them, are confirmed to be infected with spyware.
When Selmi started this work in 2014, Access Now was investigating only about 20 suspected spyware attacks a month.
At the time, Costa Rica, Manila, and Tunisia each had three or four people working in their respective time zones. Spreading staff across these locations meant someone was online around the clock. Currently, the team is not much larger, with fewer than 15 people working on the helpline. Selmi said the helpline has more staff because Europe, the Middle East, North Africa and sub-Saharan regions are hotspots for spyware incidents.
Selmi explained that the increase in the number of reported infections is due to several factors. One is that the helpline has become better known and is attracting more people. Another is that, as government spyware becomes more prevalent and available globally, more cases of abuse are likely to occur. Finally, the helpline team has increased its outreach to potential targets and uncovered cases of abuse that would not otherwise have been discovered.
Selmi told TechCrunch that when someone contacts the helpline, investigators first acknowledge receipt and then check whether the contact falls within the scope of the organization's mandate, meaning that they are a member of civil society rather than, say, a business executive or a member of Congress. Investigators then triage the case. If the case is a priority, investigators ask questions such as why the person believes they were targeted (if they were not notified) and what devices they own. This helps investigators establish what type of information they need to collect from the victim's device.
After an initial limited check of the device remotely over the Internet, helpline personnel and investigators may ask the victim to send additional data, such as a full backup of the device, in order to perform a more thorough analysis for signs of compromise.
“For every known type of exploit that has been used in the last five years, we have a process on how to check that exploit,” Selmi said, referring to known hacking techniques.
“We more or less know what is normal and what is abnormal,” Selmi said.
Access Now personnel manage communications, often speak the victim's language, and also give victims advice on what to do, such as whether to get another device or take other precautions.
Every case the nonprofit investigates is unique. “It varies from person to person and culture to culture,” Selmi told TechCrunch. “I think we should do more research and involve more people, not just technicians, to know how to deal with these kinds of victims.”
Selmi said the helpline supports similar investigative teams in some parts of the world, sharing documents, knowledge and tools as part of a coalition called CiviCERT, a global network of organizations that can assist members of civil society who suspect they have been targeted by spyware.
Selmi said the network also helps reach journalists and people in places they otherwise wouldn't have access to.
“No matter where they are, [victims] have someone they can talk to and report to. Having them speak their language and understand the context was very helpful,” Selmi told TechCrunch.