We spoke with Claudio Guarnieri, a cybersecurity expert and head of Amnesty International’s Security Lab, about the kinds of spyware used in the Middle East for social control and data tracking. He said the use of sophisticated state spyware has become “almost routine.”
How much has the situation changed in the last 10 years regarding the use and spread of these tools?
The use of spyware and other forms of cyber attack is steadily increasing, in the Middle East as elsewhere in the world. The increasing ubiquity of encryption in communications—for example, WhatsApp, as well as Signal—has perhaps been the most important factor. While it is good that our communications are more secure than ever, it has also inevitably influenced the growing popularity of more invasive tools, such as spyware, to be able to “make up” for the inadequacy of more traditional eavesdropping. Cases involving phones and computers “infected” with state spyware are now almost commonplace, especially against journalists and human rights activists working in high-risk areas.
Among the practices adopted, there is phishing, which has allowed the targeting of hundreds and thousands of activists, journalists, political opponents in recent years. How does it work, how widespread is it and how effective is it?
Phishing is a very common form of attack that aims to gain illegitimate access to online accounts belonging to the victim, such as email and social media. Typically, the attacker tries to trick the victim into logging in on a login page that looks like the original service, thus obtaining their password. It may sound simple, but in our work we often observe more determined attackers spending up to months creating fake identities, infiltrating online communities, creating links via social media, before eventually executing the attack without arousing the slightest suspicion. This is by far the most common tactic, and the cheapest, and yet quite an effective one, and therefore often used on a large scale.
In recent years, a much sought-after product has been Pegasus by the Israeli NSO, used by various governments in the region, as we have seen in Morocco and the case of controlling local journalists. How widespread is the “pooling” of such tools, and which are the regional and European companies most present in the Middle East with their products?
The use of spyware like Pegasus is now almost routine. They are sophisticated and expensive tools, but nonetheless cheap for governments, police forces, military, and intelligence agencies around the world. In the Middle East, especially in North Africa and the Persian Gulf, their use is almost a tradition, and many cases of journalists, activists and dissidents spied on with this spyware have come to light since 2011, during the protest movements in the region, and continue coming up today. At the time, the Italian Hacking Team and the German FinFisher were the most known producers; today, NSO is perhaps maintaining its grip on the top spot, but it is an industry that exists in the shadows, in which dozens and dozens of companies operate.
Is online surveillance considered a violation of international law?
The illegitimate use of online surveillance can be a violation of the human rights to privacy and freedom of expression. If these tools are not used within a restrictive legislative framework, with appropriate controls and authorizations, and if they become tools to control dissent, the risks of abuse are very high.
Is it possible to understand the extent to which online surveillance is now integrated into government systems of social control, alongside “older” practices, and whether its use has led to concrete effects (closure of newspapers or NGOs, arrests and convictions)?
It is important to understand that online surveillance is not a phenomenon in itself, but is often part of more complex mechanisms of repression. I would like to recall the cases of activists and journalists like Ahmed Mansoor in the Emirates, Omar Radi and Maati Monjib in Morocco, all victims of spyware and imprisoned for their dissent to this day. Their surveillance has run side by side with judicial persecution, smear campaigns in the state press, as well as disinformation orchestrated through troll networks and bots on social media. Over the years, we’ve seen everything from the use of GPS tracking to pinpoint the location of activists to harass and assault, to the use of spyware to film journalists’ intimate moments through a webcam as blackmail to shut down their newspapers. Pretending that these technologies are just harmless investigative tools is just a way to stick your head in the sand.
