Who's Making Spyware, Who's Buying It And How It's Being Used
AILSA CHANG, HOST:
This month in All Tech Considered, we look at who's spying on us and how they're doing it.
(SOUNDBITE OF ULRICH SCHNAUSS' "NOTHING HAPPENS IN JUNE")
CHANG: Today, we take this scenario - a WhatsApp call from an unknown number pops up on your phone. You don't answer it. But that actually doesn't matter because you've already been hacked. And this hacker can now monitor every call, every text, every email. In fact, they can even use your phone's microphone and camera to record you. Nicole Perlroth is a cybersecurity correspondent for The New York Times, and she joins us now to discuss who is making this technology and how governments are often their biggest clients. Welcome.
NICOLE PERLROTH: Thanks for having me, Ailsa.
CHANG: So I know that you've been reporting on this technology for quite some time now. And then just last week, WhatsApp sued one of the companies that makes the spyware. The company's called NSO Group. Tell us a little bit about this company and what happened to instigate this lawsuit.
PERLROTH: So a couple of years ago, NSO was really dragged into the spotlight - we'd never heard of them before - when their spyware was found on the phone of an Emirati human rights activist, Ahmed Mansoor. So for the last two years, researchers and journalists have been tracking the use of NSO's spyware all over the world. But last week, what happened was WhatsApp came out and said that they had uncovered evidence that NSO's spyware had been used on some 1,400 WhatsApp users, including a group of about 100 journalists, human rights activists, human rights lawyers, religious leaders in a class of targets that looks like the spyware is readily being abused.
CHANG: And where are these targets? Are they all over the world?
PERLROTH: They're all over the world. We know they're in Bahrain. We know they're in Mexico. We know they're in the UAE just based on the country code numbers of the WhatsApp numbers that were targeted. But then over the weekend and late last week, a number of about two dozen human rights lawyers, former journalists, peace activists in India came forward and said that they had been notified by WhatsApp that their phones were being spied on using this spyware.
CHANG: Wow, so this spans several continents. And what are the legal rules that might hold a company like NSO Group responsible for what its customers, what these governments do with the spyware it purchases?
PERLROTH: It's really a black hole. NSO Group says it vets governments based on their human rights records before it will sell its spyware to them just because it is such a powerful hacking and surveillance tool. But once that spyware gets into government's hands, it's really impossible for NSO Group to have any insight into how its spyware is used or abused by some of its clients.
CHANG: Yeah. I read that NSO Group says it sells this spyware on the explicit condition that the spyware can only be used to investigate criminals or terrorists. But realistically, there is no way NSO Group can enforce how its product is being used ultimately, right?
PERLROTH: That's right. And they've said really the only times that they're able to investigate abuses is when it comes up in the press or by reports by privacy activists and researchers. And even when it discovers instances of abuse, it really has no way to just shut down that spyware. It can only really wean its government clients off slowly by denying them software updates and patches and that kind of thing.
CHANG: Wow. I suppose we should also mention that NSO Group is just one of a number of digital spying outfits that sells these kinds of tools. Do we know who else might be selling this?
PERLROTH: I'm told that there are dozens, if not hundreds of companies selling similar products and capabilities to NSO Group whose names we've never heard of. Many of them exist around the Beltway and sell exclusively to the U.S. government or our closest allies. But increasingly there is a huge market abroad for these tools, especially in countries in the Middle East that don't necessarily have the cyber talent that we have here in the West but certainly have the resources to buy into these capabilities.
CHANG: Nicole Perlroth is a cybersecurity correspondent for The New York Times. Thank you very much for joining us.
PERLROTH: Thanks so much for having me.
CHANG: And we should note - Facebook, which owns WhatsApp, is among NPR's recent financial supporters. Transcript provided by NPR, Copyright NPR.