For more than a decade, makers of government spyware have defended themselves from criticism by insisting that their surveillance technology is intended to be used only against serious criminals and terrorists and in limited cases.
However, evidence gathered from dozens, if not hundreds, of documented cases of spyware abuse around the world shows that none of these arguments are true.
Journalists, human rights defenders, and politicians have been repeatedly targeted in both repressive regimes and democracies. The latest example is a political consultant working for a left-wing politician in Italy, who has been revealed as the country's most recently identified victim of Paragon spyware.
This latest incident shows that spyware is widespread far beyond what is typically thought of as “rare” or “localized” attacks that target just a few people at a time.
“I think there's a misconception at the heart of the conversation about who is targeted by this type of government spyware, which is that if you're targeted, you're public enemy number one,” Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, who has studied spyware for years, told TechCrunch.
“In practice, it's so easy to target that we've seen governments use surveillance malware to spy on a wide range of people, including relatively minor political opponents, activists, and journalists,” Galperin said.
There are several possible reasons why spyware often ends up on the devices of people it shouldn't theoretically target.
The first explanation is in how spyware systems work. Typically, when intelligence and law enforcement agencies purchase spyware from surveillance vendors such as NSO Group, Paragon, etc., government customers pay a one-time fee to acquire the technology, reducing additional fees for subsequent software updates and technical support.
Upfront fees are typically based on the number of targets a government agency can spy on at any given time. The more targets there are, the higher the price. Previously leaked documents from the now-defunct Hacking Team show that some of its law enforcement and government customers were able to target an unlimited number of devices from several people at once.
While some democracies typically monitor only a small number of targets at once, it was not uncommon for countries with questionable human rights records to have a large number of spyware targets set up at the same time.
Given so many simultaneous targets in a country with such strong surveillance intentions, it is almost certain that governments will target far more people than just criminals and terrorists.
Contact Us Want more information about government spyware? You can contact Lorenzo Franceschi-Bicchierai securely from your non-work device on Signal (+1 917 257 1382) or on Telegram and Keybase @lorenzofb or by email. You can also contact TechCrunch via SecureDrop.
Morocco, the United Arab Emirates (twice) and Saudi Arabia (several times) have all seen a spate of raids targeting journalists and activists over the years. Luna Sandvik, a security researcher who works with activists and journalists at risk of hacking, has compiled a growing list of spyware abuses around the world.
Another reason for the high number of exploits is that, especially in recent years, spyware such as NSO's Pegasus and Paragon's Graphite have made it much easier for government customers to target whomever they want. In reality, these systems are essentially consoles where police and government officials enter phone numbers and the rest happens in the background.
John Scott Railton, a senior researcher at Citizen Lab who has been researching spyware companies and their abuses for a decade, said government spyware poses a “huge temptation for abuse” for government customers.
Scott Railton said spyware “needs to be treated as if it were a threat to democracy and elections.”
A general lack of transparency and accountability also contributes to governments brazenly using this advanced surveillance technology without fear of consequences.
“The fact that we've seen relatively small fish being targeted is particularly concerning because it reflects the relative impunity governments feel in deploying this exceptionally invasive spyware against adversaries,” Galperin told TechCrunch.
There is some good news in terms of victims being held accountable.
Paragon publicly called for severing ties with the Italian government earlier this year, claiming that the country's authorities had refused to cooperate with the company in an investigation into alleged fraud involving spyware.
NSO Group previously revealed in court that it had disconnected 10 government customers in recent years for misusing spyware technology, but did not say in which countries. And it is unclear whether that includes the Mexican and Saudi governments, where countless cases of abuse have been recorded.
On the customer side, countries such as Greece and Poland have launched investigations into spyware abuses. During the Biden administration, the United States targeted some spyware makers, including Cytrox, Intellexa and NSO Group, imposing sanctions on the companies and their executives and placing them on economic blocklists. A group led by Western countries, led by Britain and France, is also trying to use diplomacy to put the brakes on the spyware market.
It remains to be seen whether these efforts will in any way curb or limit what is now a multi-billion dollar global market. Companies happily supply advanced spyware to governments with an endless desire to spy on just about anyone they want to spy on.