Invasive Tech: When State Surveils Like A Pro

Remember the homing beacon, periscope, clothing brush communicator and cigarette case binoculars from early James Bond flicks? These diverse gizmos, as suave as the man himself, always put the fictional British Secret Service agent on top of the spy game. His real-life counterparts today have it much easier. Their devices are more like interceptors that can mine personal details and other data.

Invasive surveillance devices are the in thing for repressive regimes, which use them against dissenters at will. The most commonly used interceptor equipment is the IMSI catcher, which logs the 15-digit international mobile subscriber identity of the phone it targets to a fake mobile phone tower. Once connected, the stealthy device can monitor location, text messages, photos and videos, call history, and website activity of the hacked phone. It can allow someone else to turn on the phone’s microphone or webcam, take photos, and record phone calls. Third-party apps such as WhatsApp also comes under its radar.

A lucrative side business

The transfer of surveillance technology to developing countries and monarchies is now a lucrative side business of arms trade in the US and UK. According to 360 Market Updates, the IMSI catcher market size is expected to reach USD 211.9 million by the end of 2026, recording a compound annual growth rate of 9.65% during 2021-26. This tremendous growth prospect is fuelled mostly by demands from governments around the world on the premise that such technologies help them trace criminals easier. But there are issues related to the very definition of a ‘criminal’. If a regime chooses to act against a person by wrongfully claiming him to be a criminal, it will be nothing short of an act of vengeance. Besides, there is no guarantee that the data collected for a specific and reasonable purpose will not be used to threaten human rights. Abuse of such data archives by insiders is another possibility.

In recent years, the UK government has particularly drawn criticism for granting export licenses to British firms to sell invasive surveillance equipment worth millions of pounds to authoritarian regimes. “All of the equipment being sold falls into the category of ‘arms and controlled goods’ that can only be exported out of the country with the approval of the UK government,” according to The Independent. Saudi Arabia, Egypt, the UAE, Pakistan, Bahrain, and many more have bought such devices in what could be termed a digital rights disaster in the making.

Pakistan has in fact institutionalized its surveillance in the name of the COVID-19 pandemic. “The ISI has given us a great system to track and trace… It was originally meant for terrorism, but now it has come in useful against the coronavirus,” Prime Minister Imran Khan was quoted as saying in April last year by Slate.com. “A government official has confirmed on Twitter that the call records of more than 250,000 people diagnosed with COVID-19 have been used to identify close contacts who may have been infected,” the report says, while deciphering how track and trace system allows the ISI to collect information, which is then passed on to the police. The health department and other agencies come into play only afterwards in this system, whose technology or method of monitoring is still unclear. Unsurprisingly, the UK export license data for the preceding three months reveal that an unnamed British company was granted the right to export interception devices to Pakistan.

Some case studies

When invasive technology is used in the wrong contexts, it becomes a crime. One such case is the murder of Saudi dissident-journalist and Washington Post columnist Jamal Khashoggi at the Kingdom’s consulate in Istanbul in 2018. While a United Nations report blamed the grave act on the Saudi state, Israeli company NSO Group has been facing lawsuits in multiple jurisdictions for allegedly selling its notorious Pegasus spyware to the Saudis, who used it to target Khashoggi.

According to research by the University of Toronto-based Citizen Lab, Saudis used Pegasus to hack the phone of Khashoggi’s friend Omar Abdulaziz and to gain access to WhatsApp chats between them about their plans for social media activism against the Saudi monarchy. Despite the series of lawsuits filed against it, the NSO, which is co-owned by UK-based investment fund Novalpina Capital, continues to get business, though it has slowed down in recent times due to pandemic-related travel restrictions.

Pegasus works by sending an exploit link, which installs the spyware to the mobile phone if the target user clicks on that link. The first reports of Pegasus spyware emerged in 2016 when UAE-based rights activist Ahmed Mansoor was targeted with an SMS link on his iPhone 6. The same year, Mexican human rights activist Santiago Aguirre’s phone was penetrated by Pegasus. Aguirre is a plaintiff, along with a Qatari citizen, in two lawsuits filed against the NSO and another Israeli firm Circles Technologies, wherein it is alleged that both the companies kept surveillance on 159 members of the Qatari royal family and senior government officials.

Even Bangladesh, which does not recognize Israel and prohibits trade with it, has purchased Israeli equipment in 2018 through a Bangkok-based middleman, according to documents obtained by Al Jazeera’s Investigation Unit. Neighboring India came under Pegasus attack in 2019, when WhatsApp was exploited to target journalists and human rights activists. Facebook later sued the NSO Group for using WhatsApp servers in the United States and elsewhere to spread malware to 1,400 mobile phones.

Another snooping business giant, the US-based Verint Systems sells Vantage monitoring centers that enable interception, monitoring, and analysis of target and mass communications over virtually any network. Verint devices have been put to good use in Botswana to prevent poaching, but that is an exception rather than the rule. Some of the spyware markets in Africa are in the most destabilized countries. For example, the United Nations had in 2016 warned about the dangers hidden behind the use of spyware technology in South Sudan for eavesdropping on opponents of the regime, much before it was found to be true. In 2017, the Citizen Lab reported that PC 360, a spyware from Israel’s Cyberbit – a wholly-owned subsidiary of Elbit Systems – was used in Ethiopia against dissidents living in the US and Britain. The Citizen Lab also tracked Cyberbit employees carrying infected laptops around the world, apparently providing demonstrations to the Royal Thai Army, Uzbekistan’s National Security Service, the Philippines Presidential Palace, and Zambia’s Financial Intelligence Centre. More such demos are thought to have been provided in France, Serbia, Nigeria, Rwanda, Kazakhstan, and Vietnam.

The North Macedonian politics witnessed an upheaval that eventually brought curtains down on the 10-year reign of the country’s largest right-wing party VMRO-DPMNE in 2015 when leaked tapes of intercepted conversations were made public by Zoran Zaev, the present Prime Minister and then leader of the opposition. Apparently, the IMSI catchers that Macedonian security services employed were imported to the country by Gamma International UK following its license approval by the UK government.

Though firms like NSO Group deal only with the state, it does not differentiate between a democratic setup and an authoritarian regime. Also, good cash returns mean companies are not much bothered about whom the buyers are or how they plan to use the device. To this effect, they don’t have much control over the device once it is sold. Findings by human rights groups such as Privacy International and Amnesty International, besides projects like the Citizen Lab, reveal just the tip of the iceberg. There has been enough data to suggest that governments see a massive potential in invasive technology to create comprehensive dossiers on any person of their choice. Most spyware tech firms claim their products aid in action against criminals and terrorists. The big question here is do we prefer a state that does not differentiate between a terrorist and an ordinary citizen protesting on the street. The answer is a definite no.