Pegasus creator NSO Group has a Covid-19 software: Why you should be worried
Many countries are already using surveillance tech to track the spread of the virus, privacy experts are worried that this tech will still be used once the pandemic is over
A lot of surveillance tech companies are now developing software to track coronavirus-infected patients and Israel's infamous NSO Group, the people behind the hacking software Pegasus, is one of them. While the intentions seem noble, privacy experts are worried that these firms have been trying to exploit a crisis to expand their problematic businesses.
The rapidly spreading coronavirus has given governments and surveillance firms a change to ramp up mass surveillance. Many tech companies have taken this opportunity to pitch and develop surveillance tools to help governments track citizens with the aim to stop the virus from spreading.
According to Motherboard, Israel's NSO Group (the people behind the Pegasus spyware) and Cy4Gate (a company that sells surveillance tools from Italy) are actively pitching surveillance tools to their governments and to others around the world.
NSO's and Cy4Gate's softwares are mass surveillance tools that can help governments track all citizens and who they come in contact with. The goal of this contract tracing method is to track the spread of the virus and help governments counter it with quarantines, testing and spreading the right information in the right areas.
Bloomberg has reported that about NSO's Covid-19 tracker that is codenamed Fleming. Motherboard managed to get more details about how it works by talking to a person familiar with the NSO Group who also gave the Motherboard team a walkthrough of the features and a demo of the system in real time.
Motherboard reports that NSO Group has "adapted the user interface and analytical tool that they already had developed to be used alongside its powerful malware known as Pegasus, which can hack into mobile phones and extract data like photos, messages, and phone calls, from them". NSO does not collect location data from phones, it only provides the software to governments, "which then get the location data from telecom companies and ingest it within the software, according to the source".
Cellphone carriers in countries like as Italy, Germany, Austria, as well as Spain, France, Belgium and the UK are already sharing customers' locations with their governments to track the spread of the virus.
Fleming displays the location data on something that looks like "an intuitive user interface that lets analysts track where people go, who they meet, for how long, and where". All the data is "displayed on heat maps that can be filtered depending on what the analyst wants to know". For example, "analysts can filter the movements of a certain patient by their last location or whether they visited any meeting places like public squares or office buildings".
This tool tracks citizens by assigning them random IDs since the goal is to protect people's privacy. However, when needed, the government can de-anonymise these IDs, the source at the NSO Group explained.
There have been several instances of NSO Group's customers (certain countries) abusing these surveillance products to spy on activists and journalists who are anti-establishment. Researchers, who have studied and exposed such cases, are of the opinion that governments should not be adopting such an "invasive surveillance product" that's made by a company known to have worked with governments that "routinely abuse human rights".
"This is an extremely cynical attempt from a notorious spyware company to branch out into mass surveillance," said John Scott-Railton, a senior researcher at the Citizen Lab, part of the Munk School at the University of Toronto.
"Every citizen of the world wants to go back to normal as soon as possible. The gold rush to surveillance technology could easily mean that there is a normal expectation of privacy that we will have a hard time going back to," Scott-Railton added.
Experts are also of the opinion that they are unclear if "systems like these can really make a difference on the ground".
"What happens if we trace people with no ability to help them," Elizabeth M. Renieris, a Fellow at Harvard's Berkman Klein Center for Internet & Society, wrote in a blog post discussing the risks of using invasive surveillance technology to fight the pandemic.
"What if it just doesn't work in some contexts? We especially have to ask these questions where some experimental methods of contact tracing are being entrusted to large for-profit tech companies," Renieris wrote.
Israel's Defense Minister Naftali Bennett tweeted on March 30 that the Israeli government is working on a "world-leading AI system that will give every citizen a grade between 1 and 10 to determine how likely they are to spread the coronavirus and if they need to be tested, but that it hasn't gotten all the necessary approvals yet".
The following day, Israel's news outlet Calcalist reported that Bennet was referring to NSO's software. Benney also mentioned that he was pushing to "let other countries" use the system. The screenshot Bennet tweeted was a picture of the system that looks like the same one the source demoed for Motherboard.
An NSO spokesperson declined to comment when Motherboard reached out to them.
In Italy, Rome-based company Cy4Gate is pitching a system that uses an app to track a user's location via GPS, phone tower data and bluetooth. Called the Human Interaction Tracking System or HITS, Cy4Gate is offering the system for free to Italian authorities.
"It allows the collection, fusion, correlation, processing, analysis and visualization of data that for us are the raw material on a target," Eugenio Santagata, Cy4Gate's CEO, told Motherboard.
"[The target is] the encounter between two subjects who are positive [to coronavirus] in a certain time at a certain place," Santagata added.
"People will voluntarily give consent to being part of the system by downloading the app and enabling it to track their location. And Cy4Gate will anonymize the data and only the governmental agency will be able to de-anonymise it, according to Santagata," Motherboard writes.
Besides Italy and Israel, countries like China, South Korea and the US are making extensive use of surveillance tech to fight the virus. While there is really no knowing yet, when the pandemic will end, privacy experts are worried about the fact that the surveillance that is being put in place now will never really be taken off.
"Long after the last community transmitted case of this pandemic, my fear is that these surveillance mechanisms that are being pitched by unscrupulous companies like NSO will stay on our networks and continue to track our phones. This is one dystopian outcome that we can prevent," Scott-Railton said.