Today, Explained - Democratizing spying

Episode Date: February 14, 2023

“Zero-click spyware” is making it easier for governments to get their hands on individuals’ personal data. New York Times investigative reporter Mark Mazzetti says that when it comes to spyware, the United States is both an arsonist and a firefighter. This episode was produced by Amanda Lewellyn, edited by Matt Collette, fact-checked by Laura Bullard, engineered by Efim Shapiro, and hosted by Sean Rameswaram. Transcript at vox.com/todayexplained

Transcript
Starting point is 00:00:00 Everyone's talking about balloons and UFOs in the sky, but when you talk to people who investigate all the creepy ways we spy on each other, you know what they're concerned about? Spyware. The spyware industry is booming, and it's getting way more sophisticated. Like, there now exists technology that can hack somebody's phone without them even needing to click some deceptive link.
Starting point is 00:00:30 There are other more powerful tools that the Chinese government and other governments around the world have access to, to gain data not only about the U.S. government and missile silos, but about individuals and their behaviors and their personal lives. And these are just as important for the discussion as surveillance tools of a government to spy on other governments. Spyware everywhere, all at once. Coming up on Today Explained.
Starting point is 00:01:12 Today, Explained. Sean Rameswaram. When you want to talk about spyware, you want to talk to Mark Mazzetti. He's an investigative reporter for The New York Times. With all the balloons buzzing around and the UFOs being shot down from the sky, we asked him what's at stake with spyware, which he seems to take a lot more seriously.
Starting point is 00:02:06 What's at stake is the privacy of every single person who carries around a smartphone, and that is billions of people. And I think a lot of times when you're talking about hacking and cyber war, there is this abstract quality of one giant computer hacking another giant computer or a nuclear reactor in Iran, things that have really big stakes, but it's, I think, hard to get people's heads wrapped around it. But if you think about how this weapon works, it's able to invade the phone of every single person carrying one around. And that's most people these days. And what's on people's phone? It's your entire life. It's your messages. It's your photos. It's your videos. It's your chats. It's things that you have deleted already are still accessible to some of these tools. And so it's a new way to think about surveillance. If you think back 10 years and you think about the Edward Snowden disclosures, we were talking about bulk surveillance carried out by the U.S. government, millions and millions of phone calls and metadata stored on giant computers. This is targeted surveillance.
Starting point is 00:03:08 So it's individual people who are targeted by whomever bought these tools. But in that way, it's much more relatable. People can understand the power and what's at stake by sort of explaining that everyone potentially is a target. So what are the most sophisticated tools out there right now? Help us understand what this market looks like. Well for a long time there was pretty much one company that had a near monopoly on this tool and the company is called NSO and it's an Israeli firm. They made a hacking tool called Pegasus.
Starting point is 00:03:48 An early part of the 2010s was when Pegasus was developed and they started marketing it. And what Pegasus offered was this zero-click hacking technology. What that means is you don't have to get a phishing link on your email or text and you click on it thinking it's one thing, but it's actually someone trying to invade your phone. The main challenge for spyware is to find a vulnerability in the targeted phone, particularly as modern smartphone security protection techniques have developed significantly. Pegasus managed to advance this capability considerably to be able to penetrate various kinds of smartphone.
Starting point is 00:04:33 This is a technology that you don't have to do anything and it can invade your phone and start extracting every bit of data on the phone. The user receives a call from an unknown caller through the internet and the phone gets hacked even without answering the phone call. After that, Pegasus spyware is installed on the targeted phone, taking full control of the device. It's effectively a very powerful wiretap. It can also be used to spoof messages, to read encrypted messages. In fact, a lot of the inspiration or the driving force for this type of service, this type of technology, comes from the fact that a lot of people are using
Starting point is 00:05:14 end-to-end encrypted communications, for turn on the microphone, turn on the camera, and also investigate emails that are on that device as well. There's one thing I can kind of sort of give as a relatable anecdote here, and that was sort of how NSO got started. I think a lot of us have dealt with our IT staff in our company. And sometimes when you're having a problem with your laptop, your IT staff will remotely get into your laptop and work on it. I hate it. I hate it when they do that. It's totally creepy. Right.
Starting point is 00:05:48 And so you can see your mouse moving around and they're clicking on things. And this was actually how NSO got its start, this sort of very mundane technology tool which allowed remote access to laptops by IT firms. Then they sort of re-engineered it. And well, there's a lot more powerful ways to use this that could be coveted by government users. And that was the ability to remotely access people's smartphones. Now, of course, 2010 was really when smartphones were beginning to take off. Of course, the iPhone was introduced not long before that. And so this is when NSO started seeing its market for its products explode.
Starting point is 00:06:34 But NSO eventually becomes a pretty controversial cybersecurity outfit, yeah? Yes, that's right. So NSO starts marketing itself to governments around the world as a law enforcement and intelligence gathering tool for spy services and police services. So if you buy this tool, Pegasus, you can chase bad guys. You can go after terrorist networks. You can bring down pedophile networks. You can get drug kingpins. And that was, you know, very alluring for governments. And the first big client that NSO got was the government of Mexico. And famously, Pegasus was used in the capture of the notorious drug kingpin El Chapo. It's been reported that Mexican authorities used Pegasus to capture drug lord Joaquin Guzman,
Starting point is 00:07:31 better known as El Chapo, by tapping the phones of a few people he talked to while he was on the lam. But in a case we've seen time and time again, they've used it for its own law enforcement intelligence gathering purposes, but governments, including the Mexican government, began using it, expanding the use of Pegasus to go after human rights activists, journalists, dissidents. It was this powerful tool that could be used for good effect, but could be dramatically abused by governments. The Mexican government was the sort of first case of that. And then we started seeing this model play out over the course of a decade.
Starting point is 00:08:16 Jamal Khashoggi thought the messages he sent the fellow Saudi dissident were secure, cloaked in WhatsApp security. Instead, the messages were an open book. So was the entire phone, allegedly infected by Pegasus, a powerful piece of malware from the Israel-based NSO Group. It led to one scandal after another. And to your question, this is kind of how NSO and Pegasus got this notorious reputation. And how long is it before the U.S. relationship with this software, with this firm, becomes adversarial? I mean, it takes 10 years or so. As we reported, the U.S. government was
Starting point is 00:08:55 quite interested in this technology. In 2018, the FBI purchased a license for Pegasus and installed it in a facility the FBI uses in New Jersey to sort of test it out, see it, A, kind of like see how it works and see how adversaries might use it. But over time, as we reported, the FBI began to consider, well, how might we use it? How could we use Pegasus to go after our targets? How could we use the fruits of Pegasus in our investigations? How would we represent in court that someone was arrested with the use of spyware? It's not until the end of 2021, so it's the first year of the Biden administration, when the White House announces... The U.S. has blacklisted an Israeli company that makes Pegasus spyware, which has allegedly been used by governments to hack into the phones of political rivals, journalists, activists and lawyers. It puts NSO and another Israeli tech firm called Candiru on a Commerce Department blacklist, which means that no American tech firms can do business with those two Israeli firms. The idea was to kind of starve those firms.
Starting point is 00:10:06 So, you know, if you're Amazon or you're Dell and you would normally sell to NSO to keep NSO afloat, laptops, cloud storage, microchips, what have you, they're now banned from selling to NSO. They announced that there's going to be further steps taken to sort of rein in some of these weapons. The Congress also acts to restrict American government use of foreign spyware. The nature of these foreign spyware tools makes them exceptionally hard to track and combat. And that's precisely why the United States needs to put a greater emphasis on this threat. So it's not the National Security Agency developing its own hacking tools. It's the National Security Agency buying off-the-shelf commercial spyware by Israeli firms or firms from another country because they pose potential counterintelligence risks. So what do I mean? If the American government buys an Israeli software, there's concern that if it's installed in U.S. government networks,
Starting point is 00:11:10 there might be some kind of backdoor Trojan horse that could allow that foreign government to sort of burrow into American computers and extract information. This is the concern inside the U.S. government right now. So the Biden administration comes in, they say these tools are really dangerous, they can be used for nefarious purposes, and that's the end of the United States' use of foreign spyware? If only. It's not, because the United States has kind of been both arsonist and firefighter in this whole drama. On one hand, they're trying to put out the fires that have been spreading around the world with the use of these tools,
Starting point is 00:11:51 but they're also using it. This is the tension that I think is inherent in the story. More tension, more Mark, in a moment on Today Explained.
Starting point is 00:14:08 Today Explained, we are back with Mark Mazzetti, Washington correspondent at The New York Times. A minute ago, he told us the United States is trying to play both arsonist and firefighter in the fight against spyware. Sure, they've sworn off NSO Group, but what about its competitors? We asked Mark,
Starting point is 00:14:54 how many options are out there now for nations that want to do this kind of hacking? Well, there's enormous opportunity around the globe for this kind of technology because I think as we've also seen with weapons proliferation over time, if you squeeze in one area, there's going to be proliferation in others. So I think what we saw with the Biden administration's crackdown on NSO and another firm, Candiru, experts say, well, that's good. That's potentially a good step. But don't think that this isn't going to just create opportunities for others. So what we've seen in another case is there's a firm called Intellexa, which is run by a former Israeli general. And it has been wrapped up in a scandal in Greece. Where the government is facing mounting pressure
Starting point is 00:15:44 over a phone tapping scandal. It's alleged that the spyware software called Predator was planted on people's mobile phones, including journalists and the leader of an opposition party. I should say that the Greek government has denied this, but there has been mounting evidence public that at least some elements of the Greek government had some knowledge of the use of Predator. So the reason why this is, I think, significant is one of the things we've reported on is that the Israeli government kept a really tight control over where Pegasus, the original tool, got exported.
Starting point is 00:16:23 And in a way, the Israeli government saw this as a weapon like any other, as a sort of tool of the state. It would sell to governments like India, like Panama, like Mexico. And gradually, what you saw was those governments turn their foreign policy more towards Israeli interests when they had been either against Israel or neutral. Now, in the current context, as Israel and the Israeli government might lose some control, others enter the vacuum. So when I brought up Intellexa and this former Israeli general, he's operating outside of Israel. The Israeli government doesn't have control over whom Intellexa sells its products to. And so you're seeing these weapons kind of get out into the wild. And however you
Starting point is 00:17:13 think of whether Israeli control of those weapons was a good or bad thing, now we're seeing that sort of regime break down. And I think we're seeing a future where everyone's scrambling to get control of their own versions of these powerful tools. And how is the United States playing the arsonist and the firefighter in this moment? How are they using these tools at present? How do we know? Well, the DEA is using a tool, it's called Graphite. It's made by an Israeli firm called Paragon. And, you know, we put this question to the U.S. government, put it to the White House and said, okay, you on one hand said, you know, NSO and its ilk are bad and it's, you know, dangerous to have the
Starting point is 00:17:58 proliferation of these weapons. And yet another part of the U.S. government is using a very similar tool. So what gives? And the answer is, well, in this case, this other company, Paragon, which makes Graphite, hasn't had its tools used or abused for bad effects. It hasn't been used against human rights activists, journalists, et cetera, the way Pegasus has. So, you know, we're monitoring closely, but for right now, the U.S. government still can use this. So, you know, it's not as if the U.S. government has taken a firm, hard and fast stance against using this. It's in fact sort of carved out at least one example where it's okay for the U.S. government to use it. You know, the names of these companies and these tools all sound like they could be villains in sci-fi movies.
Starting point is 00:18:47 Yeah, every firm sounds like a Bond movie. Yeah, it's like Graphite over at Paragon and Pegasus over at NSO Group and Intellexa. I want you to know this is nothing personal. It's purely business. What do these firms have in common and what makes them different? Well, I think that the fascinating thing about this particular sector is how much it was dominated and still to a large degree is dominated by Israel. As I said, NSO sort of got the ball rolling here. But what you found was a cadre of experts who came out of the Israeli military with these very special skills to do offensive hacking.
Starting point is 00:19:36 People do their required mandatory military service in Israel and then go out into the workforce as former spies and military people in the United States do, and they try to see where their skills are marketable. What they found was they came out into the market at a time when there was a demand for what they did inside the military. So Israel kind of, in a way, cornered the market with NSO, Candiru, other firms to do offensive hacking and a very specific kind of hacking, which is targeting people's mobile phones. The example I've used of Intellexa, again, is not inside of Israel, but it's made up of a lot of former Israeli military hackers and a former top general who Israel can no longer control. So I think that's the one sort
Starting point is 00:20:26 of unifying thread of these companies. Now, I shouldn't say it's all Israeli because there's been another example of a firm based in the United Arab Emirates called Dark Matter. It's since changed its name. And one of the interesting things about Dark Matter was that they recruited a lot of American hackers, former NSA, former CIA people to come to the UAE and basically develop that technology to run offensive hacking operations against alleged enemies of the UAE. So it's not just the Israelis that are doing this. There's a lot of Americans who have had these skills they learned in the U.S. government and the spy services who are then, you know, become sort of cyber mercenaries. Now, I should say, you know, the U.S. government is trying to, the best they can, crack down on Americans going overseas and sort of selling their services to foreign governments because, you know, the American government sees this information they hold in their heads kind of as proprietary. You know, you learned this in the U.S. military, the CIA, the NSA. You can't just sell it to a foreign government, but it's very difficult to control. It's one hand to say, okay, you can't go sell a tank
Starting point is 00:21:38 to a foreign government, but it's another thing to say, well, you can't go sell knowledge you have in your head. It's much more difficult to regulate. Is all that to say that there are no rules around this kind of technology? The rules are murky. to govern, to regulate how people use this kind of information that they gained in the military and the intelligence services of the United States and what they can do with it once they're out. But it's not something that people can easily agree on. And I think that it's going to be very difficult to certainly have any kind of international regimes governing this type of activity. Going back to the phenomenon of the fact that governments around
Starting point is 00:22:31 the world are very eager for this information. They're eager for this knowledge. One of the interesting things about these tools is it's had what we've called this sort of democratization effect. It's democratized spying. These very advanced surveillance tools once were in the hand of a very small number of wealthy advanced countries. But now that it's available commercially to buy sort of off the shelf, governments around the world, small governments, poor governments, they all basically have access to similar tools. And, you know, this democratizing of spying is not necessarily a good thing. I'm glad this story has a happy ending in which we're all doomed.
Starting point is 00:23:15 Let's hope not. But I think that raising attention to this is important because I think that we're still at the beginning of this. And I don't want to draw an analogy too far, but sort of the birth of nuclear weapons and the atomic age created around it a whole set of rules about when would possibly anyone ever use them. They were so powerful that basically people decided, well, basically you couldn't use them. Every man, woman, and child lives under a nuclear sword of Damocles, hanging by the slenderest of threads, capable of being cut at any moment by accident or miscalculation or by madness.
Starting point is 00:23:59 The weapons of war must be abolished before they abolish us. Now you have this class of weapons that are so easy to deploy, with so little consequences for the government that deploys them, they're in some ways almost more dangerous because they can proliferate so easily. Now, of course, this has happened for decades, right? Wiretapping has gone on for a long time. Governments have used surveillance powers and abused surveillance powers for a very long period of time. I think that what's different here, of course, is the ease with which they can do it
Starting point is 00:24:40 and that in many cases there aren't real repercussions. And we've still, to my knowledge, only known of governments using and deploying these tools. But is there a scenario down the road where you saw criminal organizations, corporations, private individuals having access to this for non-government use, I don't think it would be out of the question at all. And I think that's where the awareness of the power of these tools is important and to have real discussions about, you know, where this is going. Thank you. Our program today was produced by Amanda Lewellyn. It was edited by Matthew Collette, fact-checked by Laura Bullard, and buttered up one last time by Efim Shapiro.
Starting point is 00:25:50 It's Today Explained. Thank you.
