Ideas - How spyware abusers can hack your phone and surveil you
Episode Date: April 15, 2025
We are all vulnerable to digital surveillance. None of us are safe as there’s little protection to prevent our phones from getting hacked. Mercenary spyware products like Pegasus are powerful and sophisticated, marketed to government clients around the world. Cybersecurity expert Ron Deibert tells IDEAS, "the latest versions can be implanted on anyone's device anywhere in the world and as we speak, there is literally no defense against it." Deibert is the founder of the Citizen Lab at the University of Toronto, a group of tech-savvy researchers who dig into the internet, looking for the bad actors in the marketplace for high-tech surveillance and disinformation. In his new book, Chasing Shadows: Cyber Espionage, Subversion, and the Global Fight for Democracy, he shares notorious cases he and his colleagues have worked on and reveals the dark underworld of digital espionage, disinformation, and subversion.
Transcript
This is a CBC Podcast.
Welcome to Ideas.
I'm Nahlah Ayed.
There's spyware that can watch our every move, listen to every conversation, go rummaging
through our files and photos, and we never even know about it.
Spyware, tools designed to catch criminals, terrorists, and other dangers to our society.
Those same tools can be used against innocent people.
They can be used against you, against me.
That's the digital universe we live in today.
Basically every aspect of social media is
oriented around gathering up as much information from customers as possible in order to target them with advertisements.
Anybody who works for any state intelligence agency worth its salt would look at that and go, oh yes, let's get going. What can we do?
Two decades ago, a young professor at the University of Toronto
started to look at the new world of internet technology
and what it meant for security.
Very quickly he realized that it was the Wild West out there,
with few checks and balances to protect us from digital intrusion
into our daily lives.
Technology was moving faster than the law so he decided to do something about it.
Governments are doing counterintelligence, businesses are even doing it, but who's watching
out for journalists, who's watching out for human rights activists, for NGOs out there?
Ron Deibert started the Citizen Lab at the University of Toronto, a group of tech-savvy
researchers who dig into the internet, looking for the bad actors in the marketplace for
high-tech surveillance and disinformation.
Today, the Citizen Lab is one of the world's leading institutions in protecting us, ordinary citizens,
in the dangerous waters of the internet.
Ron Deibert has a new book out.
It's called Chasing Shadows, Cyber Espionage, Subversion and the Global Fight for Democracy,
telling some of the story of the Citizen Lab and the more notorious cases he and his colleagues
have worked on. Today on Ideas, my conversation with Ron Deibert at the Toronto Reference Library.
Thank you very much. It's really wonderful to be here.
It's a huge honour to be the one to interview you here at the library, Ron.
It's been long in coming, long in coming and really an honour.
Fantastic. Likewise, it's a great honour for me too, always.
Ron, I want to start at the beginning with you.
In this book, you recount incredible, breathtaking stories
about the work that Citizen Lab and you have undertaken over the last couple of decades.
But it's also in part a memoir.
I wonder if you could tell us where your interest
in the field of cybersecurity actually began.
Well, there's a kind of funny origin story actually.
I tell a bit about it in the book
where I was starting my PhD,
which I did at the University of British Columbia.
And I, at that time, I was very headstrong,
determined to be a Sovietologist.
I was really into Soviet foreign policy.
I was teaching myself Russian.
I was interested in military and strategic affairs globally.
And I applied to the program, I got in.
I went to see the professor at the University of
British Columbia who was the Sovietologist in the department, Paul Morantz.
And I'll never forget to me, I went in, I'm like,
well, what I'd like to do is specialize in this
obscure area of Kremlinology, and he said,
Ron, the Berlin Wall has just collapsed,
I think you better find a new area to study.
And I was completely devastated.
It was like my entire reason for being.
Wow.
So I took a day to grieve about it.
And then I went to see another professor, Mark Zacher.
And I sat down with him and he said to me,
no one's looking at, the way he phrased it was,
the telecommunications revolution
and its impact on international security and this really grabbed me. This was a time when
it was so stunning like things were happening so fast and people drew very simple causal arrows they said you know more information technology. We're going to bypass all of the intermediaries,
all the traditional broadcasters.
We're gonna be able to speak to each other one-on-one.
And I remember experiencing that,
being able to chat with somebody
on the other side of the planet
and think this is revolutionary.
This is profoundly cool.
So most people assume there'd be vast,
liberatory consequences of all of this, but I had come up with the topic from a
security background and I realized there was a lot of classified stuff going on.
Governments were very adept at tapping telecommunications networks, so I was
looking at this a bit skeptical.
I was thinking maybe there's more to the story
than people are letting on.
If everyone's connected to these computers
and sharing all their intimate details,
what's to stop people from eavesdropping
and looking at the other side of it?
And that's kind of how I approached the subject.
Just jumping right ahead to the founding of the Citizen Lab, how hard a sell was it to
found the actual lab?
Well, again, there was really fortunate, I got a call out of the blue from a program
officer at the Ford Foundation, whose name at the time was Anthony Romero, still is Anthony
Romero, is the president of the American Civil Liberties Union now. Back then he was a program officer at the Ford Foundation. So
I got this call to go to New York, and originally they wanted to hire me as a
program officer. I didn't want to do that. I didn't want to give other people grant
money, I want to grant money for myself to do my own thing. So he said, okay, write
up a proposal, and I literally wrote up the proposal for the Citizen Lab.
In it, I explained my vision,
which was to create an interdisciplinary lab,
to bring together researchers,
especially who had technical skills
that I didn't necessarily have all that well,
and perform what I described as counterintelligence for
civil society. So the idea there was governments are doing counterintelligence
and intelligence, businesses are even doing it, but who's watching out for
journalists, who's watching out for human rights activists, for NGOs out there and
that's the proposal I put forward and to my shock they agreed to
do it. Within the University of Toronto, I don't think anyone really noticed until suddenly
we were splashed on the newspapers after a few years. And then it's too late for them
to shut it down.
Yes. Is there any sense in which you think that the story of the Citizen Lab was ever
going to unfold
anywhere but Canada?
Back then I wasn't thinking that way.
Again, it was all just aspirational and I didn't really know what will this amount to
other than a couple years of work.
But in hindsight now, definitely it's obvious to me now more than ever that you couldn't do something like this outside of Canada.
There was a period of time when I was really advocating for there to be more citizen labs
around the world and I was going around proselytizing and actually trying to help set up a few
institutes and centers that were modeled on the Citizen Lab. And it just, it didn't take hold in a lot of places.
And I think it's clearly because of the phenomenon is so risky.
And within the University of Toronto, I will say this, all joking aside,
I've never once had anybody in administration from the president on down ever say to me, can you tone it down
a little bit?
Or maybe you don't want to alienate that country because we have a lot of students.
Never have I heard that from them.
I'd be curious what you did here when, maybe I'll just back up and say that the first time
our worlds intersected was when, in fact, you were looking at Canadian companies specifically and you
were looking at their ability to sell technology to countries around the world
that would filter technology, censor political criticism and also
undesirable topics online and I just wonder as a Canadian how that how that
sat with you knowing that there are Canadian companies selling technology
around the world that censored political opponents of autocratic regimes?
Well, it didn't sit with me well at all, but I think it was also important to establish
that we would identify Canadian companies or call out the Canadian government.
To this day, I think that's still very important because people assume,
oh, you're a Canadian organization, you're probably gonna shy away from calling things out
in your home territory when in fact,
we've never been shy about doing that.
And in that case, that was Netsweeper,
I think you're referring to?
Correct, yeah.
Canadian company that supplies
internet censorship technology
or internet filtering technology.
They use a more anodyne way of describing what they do, which is basically just blocking access to websites.
So there's a benign version of that. You don't want, for example, maybe in library settings,
you don't want people viewing certain websites, I don't know, or in elementary schools, certainly.
So that company started out servicing that market
and then they quickly realized there's a market also
within non-democratic countries for that technology,
not within private settings or in a library or a school,
but for our country as a whole.
Everywhere from India to Yemen to...
All over the place.
I think we ended up dozens of countries were using internet service providers in those
countries were using Netsweeper's technology to filter access to LGBTQ content, to human
rights content, whatever.
And this company was just trucking along doing this, making good money.
And we developed a way to actually interrogate the
internet using network measurement techniques to identify Netsweeper installations.
And of course, when we first encountered each other, I think it was around the time, shortly
afterwards, they sued myself and the University of Toronto.
3.5 million dollars.
Million dollar lawsuit.
You talk about Citizen Lab being counterintelligence for civil society. In your mission you say
that at the Citizen Lab, "our mission is to serve the public
interest, not subvert it." And then as you say, you're counterintelligence for civil
society. Isn't that the government's job?
Yeah, in part it is, I think it should be,
but the reality is the way governments are constituted,
especially, you know, we have a whole segment
of the world's governments that are dictators,
despots, authoritarian regimes,
and most of the world is sliding in that direction.
But even within liberal democracies, the priority has always been around, for example, if you're
interested in cyber security, which is obviously a topic that relates to this, if you listen
at governments, when they talk about it, it's mostly to do with attacks on government infrastructure
or attacks on the private sector. So when it comes to all of these other, you know, refugees, immigrants, support groups, NGOs, journalists,
they're kind of hung out to dry.
And that's a problem as far as I'm concerned.
So we try to raise awareness about it through the research
and hopefully come up with ways that prompt governments
to do something about it.
There was a time when you actually thought about the mission of the Citizen Lab as more
technical in nature.
You say as part of a global observation network dedicated to documenting threats to a free
and secure internet.
But that changed completely when you went on a trip to Guatemala, post-war Guatemala
in the early 2000s
And I wonder, it was after 36 years of civil war in Guatemala,
I wonder if you could explain what it is that you learned there that reshaped your thinking about the mission that you were
conducting.
Yeah, that's actually my favorite chapter of the book because it was such a formative
experience for me and some of my staff at the time.
And you're right, we did conceive of what we're doing as like, you know, I was deliberately
thinking of the lab's approach to doing research as borrowing from state intelligence agencies,
and especially the technical side.
And it's kind of metaphorical, it's kind of not. The idea was, okay, we're going to watch the watchers and use a variety of technical
methods to lift the lid on the internet. And so in my mind, I was thinking just of
this leveraging technical means to do the work that we do, snooping on the
governments and so forth. But when I was in Guatemala, it dawned on me principally meeting the people who
were working for the human rights organizations,
especially folks who are doing
forensic examinations for war crimes investigations and genocide investigations.
The threats they experienced on a daily basis were profound,
very disturbing, very frightening. And
at the same time the internet wasn't a big
issue then. It wasn't like they were dependent on it,
and it wasn't the principal vector through which threats were coming at the people.
So, you know, to put it crudely,
you don't need to spy on someone's email when
you can break into their headquarters, beat them up and take all the files. And so meeting
these people and understanding their experiences really made me think about the importance
of the lab being a victim-centric organization is the way we thought about it. Putting humans
first. And, you know, the technical part is still,
it gets a lot of the attention for what we do
for good reason.
Some incredibly talented forensic experts
and technical experts at the lab,
but the human dimension is the most important of what we do.
So a victim-centered organization or centric organization,
but not activist.
Not activist, no.
Can you just tease out the difference?
The reason I say not activist is that often gets a bad name,
especially for those who are not necessarily sympathetic
to what you're doing, and they're looking
for ways to discredit you.
So if you say you're an activist organization,
and I'm not putting down activists,
maybe in different life I would be one in a different.
And I'm not either, to be clear.
Yeah.
It's more that if you say it that way,
then people will look upon the research
as somehow tainted or biased.
And it's very important in this area
to have evidence first and put the evidence first.
So if you read a typical Citizen Lab report,
they're actually very dry.
It's not like the book.
That's why I had such fun.
I can attest to that actually.
You can attest to that.
I can attest to it, yeah.
But they're that way for a reason.
They have to be very clinical.
They have to be very precise.
Every word is carefully measured.
And of course, we work with a lot of advocacy
and activist organizations with whom we collaborate regularly.
And they do excellent work.
Amnesty International, Access Now, Human Rights Watch,
those are all part of our community.
But we see our role as kind of like an intelligence agency
for a state.
The intelligence agencies have
a role to just present the evidence. Here's what we are seeing. And there are profound
public ramifications of the work that we do. The most important, I would say, the most
satisfying to me have been the number of times we've actually captured these very expensive,
sophisticated exploits that are used to hack into people's phones that the manufacturers of the phones aren't
aware of. We do these responsible disclosures, they do emergency security
patches and that affects you know everyone in this room. It affects
billions of people, their practical security.
But speaking of activists, they are often the ones who come to you with these tips?
Yeah, journalists and activists, and they're the subjects, and they are the subjects, which we'll get to in a minute.
But could you talk about what happens, like let's say I give you a call and say, hey, there's something weird happening with my phone.
Where does the process, how does it unfold from there?
It is the fun part for me. I'm glad you asked that.
So very similar to like if you went to a university
medical research center and enrolled
or a psychology program,
you have to be read through an informed consent process.
So the first thing I do is walk you through
the consent process, which takes a few minutes.
I'm explaining to you the type of data
that you're going to share with me.
And typically what we do is, like I see you have an iPhone
there, and I would ask you to generate a crash log.
What's a crash log, sorry?
Like it's, if you ever have something crash on your device
and it says, would you like to send this bug report
to Apple or whatever?
So that's what that's for.
I walk you through a few steps on how
to generate that yourself.
So it's a file that has all of these processes that
are going on behind the scenes in your phone.
And then I send them to my team, and we analyze them.
And what we are looking for are either anomalies,
or more importantly, matches with fingerprints that we've developed
for some of the world's most notorious
mercenary spyware firms.
I've been doing that sort of thing
hundreds, maybe thousands of times now,
and it's actually the best part of the job.
We've set up spyware checking booths, for example. Recently I did one at the
Global Investigative Journalism Conference and there's like 2,000 investigative journalists there.
That's a perfect spot for us to do this because there's likely going to be at least somebody there
whose phone has been hacked. So when you do that analysis and usually we can give results back in like half an hour.
Sometimes you tell people like I'm sorry to tell you this but your phone has been
under surveillance. Sometimes that process of actually coming back with the
results to someone is also fraught security wise like actually reporting
back to an activist in another country is not as straightforward as it sounds.
What does that what does that say about our means of communication in this time? Like just
how trustworthy they are. It's almost like a paradox around all of this
because you're, especially if you're not with somebody physically, if you're
connecting with them remote you have to first figure out how to get them off
that device that you think is under surveillance,
that's very tricky. Of course, people's first instinct is to delete everything. People freak
out quite naturally, like, what the heck? You know, and they delete their phone. For
us, that's bad, though. As investigators, you want to preserve the evidence and make
sure that you deal with it in a way, especially because you want ultimately
some of these victims may want to sue the companies, sue a foreign government that's
hacking their phone. So you have to make sure you have a proper chain of custody around
it all. There's quite a lot involved in that part of it.
One of those activists who came to you is a poet, a blogger, and an activist, an Emirati one. His name is Ahmed Mansoor.
We don't have enough time tonight to go through it, but it is in the book. It's a riveting story,
so that's a good reason to pick it up. But I do want to ask you this. He alerted you to a
vulnerability that literally affected every iPhone in the world. And several organizations, including yours,
remind us repeatedly of how he saved our security
and prevented our data from being exposed.
He is still in a jail in the UAE today.
And I wondered.
Horrible treatment.
Yeah, and I would venture to say that most Canadians
could not name him.
How does that sit with you as the head of Citizen Lab and someone who works in this field,
that someone who's so pivotal to all our security is unknown and still languishing
in prison?
Yeah, it's a...
I mean, I'm not sure how I feel about it.
I mean, I can understand why he's not a household name and actually there are many
more like him. Another one that comes to mind actually for this audience, because we're
in Canada, Loujain al-Hathloul. Very similar. This is several years, six years after Ahmed
Mansoor is the person you're speaking about. Same thing, we discovered her phone was hacked with Pegasus spyware and that was a vulnerability that was affecting all
Apple devices and at first she requested to remain anonymous, going back to the
research ethics part of it, if a victim says I don't want to be identified we
have to respect that. She did at first, again there, that affected every Apple user around, and not just iPhones, Mac OS, iPads, everything.
She was, maybe you know, famous for being a women's rights activist, advocating for a woman to drive, be able to drive a car without a chaperone in Saudi Arabia.
For that activism, which just obviously seems like such a basic right, it's crazy that there
would have to be someone advocating for that at all, but that was her cause.
Because of that, she was harassed, detained, imprisoned, horribly tortured.
I spent hours interviewing her about her experiences, and to this day she's under country arrest
in Saudi Arabia.
Not as bad as Ahmed Mansoor, who is in a horrible prison in the UAE, and from all that I've
heard, which is very little because not a lot of news gets out, he's routinely
tortured. So that, you know, what it does for me, I will say, is it makes me angry,
but it also makes me more determined than ever to keep doing what we're doing. Because
what I see behind all of that are bullies. And I think, you know, getting back to what started the Citizen Lab, and this goes even
before what drives me to do what I do, I realize, A, I have a problem with authority.
I went to a Catholic elementary school in East Vancouver, and I got the strap a few
times and so I guess I should thank the nuns in part.
But also I just can't stand bullies.
I just don't like people who are bullies and especially bullies who get away with stuff.
And when I look at Mohammed bin Salman and of course, you know, the person will get to
it I'm sure.
We will.
We will.
You know, these are bullies.
These are just bullies and they shouldn't be allowed to do what they do.
So I have a platform, I have tenure
at a prestigious university, amazing team around me.
When I think about, well, what can I do to stop it?
It's exposing what they're doing, outing them,
and I'm sure it pisses them off.
Well, I know it does.
On Ideas, you're listening to my conversation
with Ron Deibert, founder of the Citizen Lab
at the University of Toronto.
It's one of the world's foremost centers for researching the misuse of digital technology
and raising the warning flags for threats to our privacy and safety. I'm Nahlah Ayed.
A Palestinian law professor in Britain
sees odd activity on his phone.
Messages seem to be coming in,
but there are no messages to be found.
What's going on?
He calls the Citizen Lab.
A human rights activist in the Emirates gets an unfamiliar email
with a tempting link to information about prison abuse.
Should he click it?
He calls the Citizen Lab.
In Canada, an activist against the Saudi regime clicks on a link to track his mail
and inadvertently downloads an app that searches through his files and contacts.
He doesn't know about the Citizen Lab, but the lab finds out and the lab calls him.
Ron Deibert's new book, Chasing Shadows, has all these stories and more.
The moral, if there is one, is that none of us is safe from digital intrusion into our lives and there are few
barriers, little protection against great harm being done.
Here's the conclusion of my conversation with Ron Deibert, founder of the Citizen Lab at
the University of Toronto.
I wanted to sort of zoom out a little bit and just take you back in time a little bit
to a time when we thought that social media might actually be a convening
influence on society. It had a far more promising future.
It was supposed to be a force of good, providing kind of an address for freedom of speech and liberty.
In your book you quote an Israeli intelligence officer saying that social media allows you to reach virtually anyone and to play with their minds.
You could do whatever you want. You can be whoever you want.
It's a place where wars are fought, elections are won,
and terror is promoted.
There are no regulations.
It is a no man's land.
Was the exploitation of social media in some sense inevitable?
100%.
I mean, if you just looking at how it's how it's set up and
especially the business model of surveillance capitalism, basically you
know every aspect of social media and a lot of the technology that surrounds us
even outside of social media is oriented around gathering up as much information
from customers as possible in order to target them
with advertisements.
Anybody who works for any state intelligence agency worth its salt would look at that and
go, oh yes, let's get going.
What can we do?
And how do we exploit this?
You have an infrastructure that's invasive by design, insecure, security's an afterthought.
Zuckerberg had that phrase, move fast and break things.
So data breaches are common.
All of this is just perfect for the exploitation
around cyber espionage, but also increasingly
disinformation and psychological operations,
influence operations, all of those things.
It's now we're living in some dystopian world that is almost like if you're in a laboratory setting
you try to come up with something perfect for that, that would be a vehicle for it. You couldn't imagine something better.
That's not that it's a conspiracy or anything like that.
Yeah, I've always been curious though about what you think, whether it's, you've just sort of
described the difficulty of resisting using such technology, which is so revelatory because people
use it so intimately. But is it the technology? Is it a function of the technology that we're in
this space that we're in now? Or is it us, or is it the technology?
Well, I think stepping back, maybe a lot of this would have been inevitable simply because
of the intensity of interactions with people and information exchanges.
I remember the internet before social media and it was constructed differently.
I think social media is important because of the underlying business
model. This idea of turning users into raw material from which you can extract data,
monitor everything they do, give things away apparently for free when in fact you're just
constantly the livestock for their data farms basically, that whole business model has thoroughly
perverted the public sphere and I think is responsible for a lot of the problems
we see, some of the toxic mess that is out there. If we could get rid of that
business model, I don't think it's really easy, it's not likely going to happen
anytime soon, but I think it's the root of a lot of the problems that we're seeing around social media.
So staying with this kind of the same theme, there are a couple of ways that we make
ourselves or we become vulnerable to the problems that you talk about in this book.
One is self-inflicted because as you say we willingly give out this data online
and the other is damage performed against us by those who might wanna attack us
for our political beliefs or other beliefs.
So starting with the self-inflicted problem,
what have we done wrong?
And do we actually have any agency to reverse it?
Yeah, that's a really good question.
I don't think it's fair to blame people
for what's going on because keep in mind that this is highly addictive technology. It's designed to play
upon your emotions and to tap into human frailties and cognitive biases and the
way it's done through most of those social media platforms is really just
simple A-B experiments on the scale of billions of people.
So if you have, imagine you control a system
and the machines are all doing this, of course,
and it's like, let's put this content in front of somebody.
Do they keep engaged?
Does it excite them?
Can we look at their retinas and see if, you know,
this really gets them activated?
Or does this content do it better?
If you keep doing that simple A-B experiment, unfortunately human nature being what it is,
the crap rises to the surface.
And that's why you see what you see on X and on Facebook and so forth.
Now there was a period of time, starting around 2016, first Donald Trump election,
and then certainly with the pandemic,
where the companies were required
to put some brakes on that.
Everyone kind of recognized, oh, this is a problem.
And they all made this attempt
to create trust and safety teams.
And I know some of the people who worked for them,
whether they were successful or not,
I would say it's a jury still out on that.
But what I can say now is that the brakes are all off.
It's all gas.
You know, those companies laid off their trust
and safety teams, which is going to amplify
all of the problems that we're discussing.
But more importantly for me anyway,
it's going to really accelerate a lot of the sharper harms
that we see around targeted espionage. Because those companies did have programs in place
to protect people or collaborate with groups like ours. It seems strange that the Citizen Lab might
collaborate with WhatsApp or Facebook even or Apple. I should say we don't take money
from any of those companies
and we're very critical of them as you can hear from me
but there are times pragmatically
when you have to work with those teams
on patching vulnerabilities or encouraging them
to take steps to investigate threats you know
are moving through their platforms.
Just on that point generally, how receptive are those organizations to
your well-researched criticisms or suggestions for fixes?
So the big companies like Apple, Microsoft, Google, etc.,
you can't characterize them in monolithic ways because they're very big.
They're more like governments
and they have many different departments
and within those companies there are
threat intelligence teams.
And those people actually, you know,
they could easily work for the Citizen Lab
and in fact some people who've worked for those companies
have come to work for me because they appreciate the mission,
they can do public good research,
and they're very talented researchers. So it's a very professional, cordial, respectful kind of back
and forth. The disclosures we talked about before, that's very important to them because if we're
finding out about some exploit that is targeting all iPhone users and we disclose it to them and they patch that, that's good for Apple. They don't want
that going around. So they're motivated to do something about it. In Ahmad Mansour's
case in 2016, I can remember he sent us text messages August 11th. We analyzed
them, we wrote up a report, did a responsible disclosure to Apple. August
28th our report came out and Apple issued emergency security patches for all Apple users.
That's like two weeks, so very fast.
That's profound.
One of the groups that you talk about at length, both in public and in your book, is the Israel-based NSO Group.
Never heard of them.
You write, this is a bit of a paragraph, but let me read it.
You write that the group is like a microcosm of the world in which we now live,
unprincipled billionaires dodging taxes and regulatory oversight,
looking to cash in on the national security money-making machine,
ruthlessly manoeuvring to undermine anything or anyone who might get in
their way and assassins who will slip a nerve agent into your tea at your London hotel,
the coup de grâce. You do point out that it's one of many, there are other organizations,
but what is it about NSO in particular that makes them a symbol of how things have kind of gone
wrong in the way we handle or regulate certain kinds of technology.
NSO is not that unique in terms of what they do.
So they sell a very sophisticated mercenary spyware product called Pegasus that is marketed
to government clients around the world.
And that type of spyware is extremely powerful. So the latest versions can be implanted
on anyone's device anywhere in the world,
and as we speak, there is literally no defense against it.
If we're lucky, we can catch that in the wild,
as I've talked about, and do a quick disclosure
to one of the companies, and they'll patch it.
But those companies, then the firms like NSO Group, they just turn around
and they develop or purchase new exploits, which are basically
flaws in the phones that you are all dependent on.
The most recent versions are known as zero click.
So with Ahmad Mansour, he sent us text messages
and he didn't click on them.
But we could see from the text message that it contained domains that we knew were associated with NSO Group's infrastructure,
and we actually clicked on those links in the laboratory setting, infected our own device.
In order to implant the spyware, you'd have to trick somebody into doing something like that,
clicking on a link,
opening an attachment.
The latest versions require nothing of that.
So one minute your phone's seemingly fine, it's on your bedside table, the next it's
not fine.
And it's funneling data to a bunker in Riyadh, Saudi Arabia, thanks to companies like NSO
Group.
The reason they're special, I think, is they made a strategic choice after the Ahmad Mansour report.
So that was 2016.
Prior to that, they were pretty much invisible.
They never spoke to the media.
They didn't have a website.
They sold their stuff at military and intelligence trade
shows that are not open to the public.
But when we published our report about them, they decided we're going to speak to the media.
And they tried to defend what they were doing. And they're quite notorious for that reason.
The rationale they give for their technology and the services they provide is,
we only sell to governments
to enable them to fight serious matters of crime
or terrorism.
As I always say, as a political science instructor,
any first year political science student would see through
that and identify the problem right away.
For most of the governments around the world,
you're a criminal, I'm a terrorist,
Loujain al-Hathloul's a criminal, Ahmad Mansour's
a terrorist, it's all arbitrary. So if there are no safeguards, governments are going to
use this, as we have shown in report after report, to go after anyone they consider irritants
to their illegitimate rule.
And is that kind of setting the tone for future companies to act in the same way?
Like what kind of precedent is NSO Group setting for people in the area?
That's an interesting question. So they face pretty serious consequences because of the spotlight on them.
They were subjected to US sanctions, both company sanctions and I believe individual sanctions,
although those aren't publicized.
We do know the United States sanctioned individuals
involved in this marketplace probably included principals
of that company, they just don't publicize them.
And so their market value dropped by about a billion dollars
after they were put on the sanctions list
and I'm sure that upset them greatly.
But other companies I think probably took the opposite lesson. They said okay NSO speaking up, getting caught,
getting exposed, that's bad for our business, let's do it differently. And
actually as we speak just last week we published a report on yet another
mercenary spyware firm, yet another one with Israeli origins called Paragon.
And with a Canadian connection this time.
There's a Canadian connection too.
They were marketing themselves as being the anti-NSO Group.
We're a clean spyware company, we're abuse proof.
You know, we vet our clients very closely.
Well, lo and behold, we discovered that their
technology was being used in Italy to spy on a journalist, migrant support groups, and
a priest in Italy, which I thought was very interesting. Who would want to spy on a priest
and why? Think about the confessional. That's what I was saying. When you want to get inside
a priest's phone,
when the priest is in confessional and you're all.
And a quick comment on just where
the Canadian connection is?
Yeah, the Canadian, as we were doing the research,
we discovered through really ingenious work by Bill Marczak,
who's our lead technical researcher,
that we identified some IP addresses
that mainline right back to the Ontario Provincial
Police Headquarters. And so that was interesting. As an aside, I'm well aware that police forces
in this country use this technology. We had not been able to find any documented evidence
of abuse,
but I, through court records that have come to light,
through disclosures that have happened,
it's obvious that we have a big spyware abuse problem in this country.
I don't want to freak people out because I hope that law enforcement in this country
is mostly doing this within the guardrails,
but a couple of things make me a bit concerned.
One is we've got a long history of abuse of law enforcement in this country.
Look at the history of the RCMP and Indigenous communities in this country.
Enough said.
Secondly, who's watching them?
Are we confident in oversight in this country?
We have very good privacy commissioners, but I'm not sure they're staffed all that well as they should be, in my opinion.
And oversight bodies in parliament, I don't think are all that well structured or necessarily
competent enough to keep watch on what these agencies are doing.
And they also have their own curious acronym I discovered they're using for spyware.
They didn't call it spyware, they call it on-device interception tools, ODITs.
So they go to a judge, well, we'd like a warrant.
What are you going to do?
Well, we're going to use something called an ODIT.
And the judge might go, OK, that's fine, without knowing that that ODIT means they
can take over a device, read every email, every text message,
even those that are encrypted, turn on the camera, turn on the microphone, follow people
around, go back in time, see where they've been as long as that phone's been activated,
who they've been communicated.
This is godlike capabilities and I don't, I suspect judges don't quite understand what
they're giving permission for. So the Citizen Lab still has a bright future
ahead for the coming years. Lots of work to do still. As long as we exist. Yeah. I do
want to stay with Canada for a moment and talk about a past example. The
story of Omar Abdulaziz. His phone was hacked and it was understood to
be by Saudi Arabian forces. You were surprised that in Canada, quote, not one of the exchanges
I received in my access to information request regarding this case, expressed alarm or indignation
that Saudi Arabia was spying on a Canadian permanent resident. It was as if that part was ignored altogether.
Is there something in modern geopolitics, do you think,
that renders states unable to take a principled stand
on something like this?
Yes, especially in cases like this.
Canada, actually at the time we did that,
this is 2018, we uncovered the fact that Saudi Arabia had hacked
this Canadian permanent resident's phone, who turned out by the way to be a very close friend
of Jamal Khashoggi, and we know what happened to him.
He was killed in an embassy in Turkey.
The day after our report was published, and I only found out that Omar and Jamal were friends because,
as I tell in the book, we publish our report on Omar October 1st. The next morning he said,
Jamal has gone missing. I'm very afraid. I was like, who's Jamal? And then I turned on the news
and I saw, oh my God, they had been communicating for months over WhatsApp, thinking it was private,
doing all sorts of pro-democracy activism and advocating against Mohammed bin Salman.
The whole time we discovered Saudi Arabia was eavesdropping.
And I should say, subsequently, both Citizen Lab and Amnesty International determined that
the entire inner circle around Jamal Khashoggi,
all of them had their phones hacked with Pegasus spyware.
But the remarks you're talking about had to do with the reaction of the Canadian government.
I actually did an access to information request to see what type of communications were happening
behind the scenes, and it was surprising how little it seemed to me relevant
stakeholders in government were concerned about the fact that Saudi
Arabia was undertaking espionage on a Canadian permanent resident. It was all
about kind of damage control and I think at the time it had to do with Canada's
relationship with Saudi Arabia and arms exports to Saudi Arabia.
Those are the type of calculations
that usually happen all the time in international affairs.
Human rights typically takes a backseat.
You know, I've been advocating throughout
my entire professional life for human security.
To quote our former Foreign Affairs Minister,
Lloyd Axworthy, which I think is a very noble idea,
but national security trumps human security.
We see it time and again.
And I think it's the same as why wouldn't Canada
and other countries condemn Israel
for a lot of the things that are going on,
or this industry, and I think it's the same thing there.
There's a lot of-
So is it perhaps the case that maybe, you know,
national interest in trade, for example, trump kind of moral considerations?
Of course they do.
Yeah, there are considerations about that all the time
that are factored into these decisions.
You write that it's, quote, it's conventional
to divide the world into regime types,
authoritarian versus democratic, for example.
But the, and this is a specific example,
but I think we can draw it out to kind of broaden
the argument.
You say the extensive involvement of the US and Israeli personnel in the United Arab Emirates
demonstrates how questionable those divisions between authoritarian and democratic can be.
That's a chilling proposition.
How much do you think what democracies do in the name of security
threats actually contributes to the erosion of democracy?
Well I think a lot. I think there is a vestige from the Cold War that still
lingers on which is that you have these very well-resourced intelligence
agencies that operated in the shadows and in most countries around
the world they still have that luxury of doing what they do without public
oversight, without accountability, without transparency. Sure there's some oversight
mechanisms here and there but generally they're pretty weak to abs... you know
largely absent and these agencies actually, you know,
they do some important work.
I don't want to disparage them all.
But they also do some nasty stuff.
And that nasty stuff normalizes.
It starts to spread and everyone starts doing it.
And of course, the big problem now is that you have many countries
that are on paper liberal democracies, sliding into authoritarianism. Crisis in the US is the most poignant example right now.
It's some kind of cruel techno-fascism
that's emerging down there.
But even, you know, when I wrote those words,
I was thinking about the contrast between
how I was taught as a graduate student,
studying world politics and international relations,
it's very conventional to have these categories,
like there are these type of states
and these type of states.
And what I was looking at didn't match that.
It was like, you know, you have these contractors
coming from these agencies, CIA, NSA, whatever,
working for authoritarian regimes.
How does that align with that picture?
It muddies the waters altogether.
I just got the nod that we have just a few minutes left.
So quick couple of questions for me left.
There are state actors who say out loud all the time,
as you said, that they are the ones in danger
of being subverted and that's why they need these tools
of surveillance that they deploy.
Is that
convincing in any sense for you? Yeah I can kind of see the argument I think it
has some merit. There are people in my community that think the tools that I'm
describing should be banned altogether. That there shouldn't be this capability
out there. It's like the nuclear capability of surveillance and a lot of people that I respect say we should ban...
There's no way that this could be deployed in a way that isn't a violation of international
human rights law.
I'm more practically minded about it.
I think that's not realistic.
I don't think we could ever ban it.
So instead, I think if governments are going to use this, we need to make sure people are
watching them. And that's the key to me is to have guardrails in place that involve independent agencies
from both above and below.
What the Citizen Lab does is from below.
Imagine if there was a Citizen Lab in every country doing this sort of thing and you had
oversight bodies that were really robust and could actually inspect what's going on.
I think there would be far less harm from this industry
and maybe they would use it in ways that it's advertised.
As we've discussed Ron, your Citizen Lab,
your career has kind of unfolded along
with geopolitical events.
First you were focused on China,
then you shifted to the Middle East
with the Arab Spring. I'm wondering how you think the change down south, you know, you
use the words techno-fascist. I'll describe it as this newfound synergy between the world's
biggest democracy and big tech. How does that affect the work of the Citizen Lab going forward?
You know, I'm actually not all that surprised.
There's that famous quote from Maya Angelou,
when people tell you who they are, believe them.
They've all been telling us this for many, many years, and here we are.
That doesn't make it any more pleasant though.
We're seeing routine attacks on the media, on democratic institutions, corruption, just straight
out unashamed, venal corruption, it's unbelievable to see that sort of thing
going on and cruelty, just cruelty and of course bullying behavior. So it's a
nightmare, it's really horrible to see this happening. And for a group like ours, it's a game changer.
You know, multiple levels. Like, we just outed this firm Paragon, which I talked about already.
They have a U.S. office, and the people who make up that company's executives are all former CIA people.
At some point somebody down there might decide to target a group like us.
They're already going after universities in a pretty wholesale way in the United States.
So what would that look like?
That's the discussion that I'm having with my colleagues now.
How do we factor in this new threat actor?
This happens to be the world's superpower?
In your book you constantly remind us
of the degree to which your own life
has kind of been upended by the work that you do
and how hard it must be to just be like a normal person.
So for example, you write after I check in at a hotel,
I assume the room may be bugged,
so I find an excuse to request a change to a different room.
I use the hotel only to sleep and shower.
It's hard not to think about what that must do to you
in the long run.
And I'm just wondering whether that you think
is a sustainable way of living.
It is for me and I think it is for my colleagues
because we're all in this together
and the staff enters into this with eyes wide open.
And when you start dealing with people who are real victims,
you know, I've got it easy actually compared to someone
like Loujain al-Hathloul or Ahmad Mansour.
And you develop a camaraderie, a kinship,
and it's part of the bargain.
To do this, you have to do it
and you have to take it seriously.
And it's one of the things I'm really proud of,
of our team is how seriously we take those risks.
And the reason is not so much to protect me or each other
as it is to protect the victims
and the subjects of our research.
The last thing I wanna do is inadvertently cause harm.
The book ends on a hopeful note.
It says, you say, with the world in such turmoil,
it's easy to overlook the progress against cyber
espionage that we have made.
After years toiling alone, the Citizen Lab
is now part of a growing community
that is conducting the type of digital accountability
investigations that we pioneered.
A less optimistic person might say, you've strengthened the defenses, but now there's
a tsunami coming at us.
Just a final thought of what's the answer to that.
What I've seen is when we started doing this research on targeted espionage, we were really
alone.
For like 10 years we were doing this.
But then over time other organizations started doing what we do.
It feels really good to be part of a community.
And I think that's a good model.
I think if we all stand up to bullies and collaborate,
cooperate on local levels, otherwise, you know, what's the alternative?
Do we just give up? Do we go
hide in a hole somewhere? I don't want to do that. Then you're letting the
bullies win. And I'm fortunate to have a platform to be able to do what we do. So
as long as I'm breathing, that's what I'm gonna do. Ron, thank you so much. Thank
you, and I appreciate it.
Thank you, Nala. Appreciate it. Thank you. Thank you.
Thank you.
On Ideas, you've been listening to Chasing Shadows, a conversation with Ron Deibert,
founder of the Citizen Lab at the University of Toronto.
Our thanks to Sergio Elmer and his staff at the Toronto Reference Library.
Ron Deibert's most recent book, Chasing Shadows, Cyber Espionage, Subversion and the Global Fight for Democracy, is published by Simon and Schuster.
This program was produced by Philip Coulter.
Our web producer is Lisa Ayuso.
Our technical producer is Danielle Duval.
Our senior producer is Nicola Luksic.
The executive producer of Ideas is Greg Kelly.
And I'm Nala Ayed.
For more CBC podcasts, go to cbc.ca slash podcasts.