What would you do if your iPhone was targeted by "state-sponsored attackers" 1 iLaw. 2022. “Parasite that Smiles: Pegasus Spyware Targeting Dissidents in Thailand.” Freedom of Expression Documentation Center | ศูนย์ข้อมูลกฎหมายและคดีเสรีภาพ. https://freedom.ilaw.or.th/en/report-parasite-that-smiles ? Yingcheep Atchanont, the Director of iLaw, a Thai human rights and legal watchdog organization, recalls his shock with when he received a warning email from Apple in November 2021.
“I didn’t believe that this was actually happening. I don’t think they are looking for something from me because I didn’t do anything. (...) It was so shocking to me that the government could take control of my phone – it is a bigger violation of my privacy than a policeman watching my house.”
Several of his colleagues received the same email and they sought help from The Citizen Lab 2 Scott, John, Bill Marczak, Irene Poetranto, Bahr A. Razzak, Sutawan Chanprasert, and Ron Deibert. 2022. “GeckoSpy: Pegasus Spyware Used against Thailand’s Pro-Democracy Movement.” The Citizen Lab. https://citizenlab.ca/2022/07/geckospy-pegasus-spyware-used-against-thailands-pro-democracy-movement/ , whose forensic investigations confirmed that Yingcheep was among 30 identified targets in Thailand. Their phones were revealed to be infected with Pegasus, a military-grade, zero-click spyware that enables its deployers to hack into any iPhone or Android smartphone, retrieve messages, access location data, cameras and microphones. All 30 targets were associated with the pro-democracy movement in Thailand. Since the discovery, Yingcheep and 8 of his colleagues filed a civil lawsuit against NSO Group, the company behind Pegasus. He has also filed criminal lawsuits against the Thai government, police and army 3 Joedo, Dania, and Irene Poetranto. 2023. “Pegasus Spyware in Southeast Asia – New Naratif.” New Naratif. https://newnaratif.com/pegasus-spyware-in-southeast-asia/ . Yingcheep’s experience with unlawful surveillance is far from isolated. Globally, spyware, facial recognition cameras, AI-enabled policing and predictive software are sold and marketed as essential products for security and counterterrorism. As these highly-sophisticated technologies are exchanged transnationally, they are a key feature within the expanding arsenals of tools used in state-led campaigns of oppression. However, the capabilities for repression inherent within these tools prove to be an increasing threat to democracy and human rights. In the 21st century, cyberweapons are profoundly more destabilizing – comparatively cheap, easily distributed, deployed with little to no accountability.
“The world today is run by a transnational class of gangsters. That’s the way I think about it, like kleptocracy globally.” Ron Deibert, a Canadian professor of political science, a philosopher, and director of Citizen Lab
Governments and NSO Group have claimed that Pegasus is used solely for the purposes of fighting crime and terrorism. However, in a leaked list of 50,000 phone numbers 4 “Who's on the List – The Pegasus Project.” n.d. OCCRP. Accessed December 1, 2023. https://cdn.occrp.org/projects/project-p/#/ that were “selected for targeting”, many human rights defenders and almost 200 journalists were on the list. This exposé fueled public outrage and compelled the United States to blacklist NSO Group—driving the firm to the brink of bankruptcy. Despite the ban, the US federal government has not abandoned spyware. Instead, Cellebrite is the US federal government’s technology of choice 5 Hvistendahl, Mara, and Sam Biddle. 2022. “U.S. Government Is an Eager Buyer of Phone-Cracking Tech.” The Intercept. https://theintercept.com/2022/02/08/cellebrite-phone-hacking-government-agencies/ . Reported to be less invasive, Cellebrite’s flagship product, the Universal Forensic Extraction Device (UFED) enables the breaking into encrypted phones and other devices – for a cheaper price. The US Drug Enforcement Administration, on the other hand, employs Graphite to remotely break into encrypted messaging platforms, such as WhatsApp, Signal, Facebook Messenger and Gmail. The EU has also been criticized for its failure to crackdown on this industry in spite of its image as the gold standard of data protection. A report ‘Predator Files’ 6 Amnesty International. 2023. “The Predator Files: Caught in the Net.” Amnesty International. https://www.amnesty.org/en/documents/act10/7245/2023/en/. published in October 2023, condemned the “Intellexa alliance”, a complex network of companies that develops highly invasive spyware products including Predator, which used in at least 25 countries. Intellexa themselves 7 Roussi, Antoaneta. 2023. “How Europe became the Wild West of spyware.” POLITICO.eu. https://www.politico.eu/article/how-europe-became-wild-west-spyware/ leverage upon the EU’s positioning as the global guarantors of data protection, by advertising itself an “EU based and regulated company”. However, the EU has failed to put any meaningful check on the “Intellexa alliance”. Entities associated with the alliance operate from various countries including Greece, Ireland, France, Germany, the Czech Republic, Cyprus, Hungary, Switzerland, Israel, North Macedonia, and the UAE. All of whom have enabled the continued violation of human rights in their failure to crackdown upon the production and export of such softwares. Despite these nation states’ obligation to protect human rights in accordance to international human rights law, their failure to act is evidence that many states have little interest in respecting, let alone protecting human rights, when it comes to surveillance.
“My guess is that most governments would only be willing to regulate the export and use, because give me a reason why states would give up this ridiculously powerful tool?”
David Kaye, the former United Nations Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression between 2014 and 2020
For both state and private entities, the sheer profitability and power that this industry is generating gives states little incentive to crack down on these weapons. Many of the governmental clients purchasing these tools are authoritarian regimes including the Philippines, Panama, Kenya, and Mexico, where spyware has reportedly been in use since 2011. Those producing and profiting of these technologies – often based in liberal democracies such as Israel, Europe and the United States – have only been exposed for their use of these technologies on their own population. Often described as “Patient Zero,”8 Fallorina, Rossine, Jose M. Lanuza, Juan G. Felix, Ferdinand Sanchez II, Jonathan C. Ong, and Nicole Curato. 2023. From Disinformation to Influence Operations: The Evolution of Disinformation in Three Electoral Cycles in the Philippines. N.p.: Internews. https://internews.org/resource/from-disinformation-to-influence-operations-the-evolution-of-disinformation-in-three-electoral-cycles/. the Philippines’ 2016 elections acted as the testing ground for many surveillance and disinformation tactics that were llinked to Brexit and the Trump campaign 9 Combinido, Pamela and Curato, Nicole. "2. Curing “Patient Zero”: Reclaiming the Digital Public Sphere in the Philippines" In From Grassroots Activism to Disinformation: Social Media in Southeast Asia edited by Aim Sinpeng and Ross Tapsell, 19-42. Singapore: ISEAS Publishing, 2020. https://doi.org/10.1355/9789814951036-003 . Tactics included an unprecedented level of online harassment against newsrooms, journalists and human rights defenders. Xinjiang, an autonomous territory in northwest China, is a “frontline” test-bed for data-driven surveillance” 10 Qiang, Xiao. 2023. “China has turned Xinjiang into a zone of repression — and a frightening window into the future.” Washington Post. https://www.washingtonpost.com/opinions/global-opinions/china-has-turned-xinjiang-into-a-zone-of-repression--and-a-frightening-window-into-the-future/2019/02/23/780092fe-353f-11e9-854a-7a14d7fec96a_story.html?utm_term=.7c3a06ff399d , where experimental technologies of mass surveillance are imposed onto the Uyghur and Turkic Muslim population. The Integrated Joint Military Operations Platform (IJOP) 11 Australian Strategic Policy Institute. “How mass surveillance works in Xinjiang.” n.d. The Xinjiang Data Project. Accessed December 1, 2023. https://xjdp.aspi.org.au/explainers/how-mass-surveillance-works-in-xinjiang/ uses algorithmic prediction to sort people based on their likelihood of “extremism” and selects individuals for imprisonment, indoctrination or surveillance. An eerily similar system is deployed in Israel to target Palestinians. “Red Wolf” is a facial recognition system that uses illegitimately acquired biometric data to monitor and control Palestinians’ movements around the city. It is part of an expanding arsenal of military-run surveillance systems that including “Wolf Pack”, an extensive database containing all available information on Palestinians in the territory, and “Blue Wolf”, the mobile app that Israeli forces use to instantly access into the “Wolf Pack”. The lack of basic human rights protections and recourse to justice places these already-oppressed groups as prime targets to experiment new technology on.
What protections exist?
When victims do attempt to seek justice in the face of potential violations, they are confronted with a myriad of challenges. In Yingcheep’s case, Thai courts were reluctant about the civil lawsuit as such cases have no precedence and judges are unfamiliar with the technology. Even if they did win the case, victims are unlikely to receive compensation as NSO Group had already declared bankruptcy. The victims of spyware are also often activists and minority groups; individuals who are unable to face the financial burden, safety threats and added persecution of long, tumultuous legal battles against corporations and governments. So why go through the hassle? For Yingcheep, pursuing this case is critical as it would set historic precedence, not only in Thailand but also for others in Southeast Asia.
“I just want to see some official mechanisms saying that the government is doing something wrong, very wrong against us. Just something to confirm that this should not keep going at all.”
Yingcheep Atchanont, the Director of iLaw
People everywhere are living in an increasingly digital world where surveillance is ubiquitous and sometimes, expected. However, the violation of rights are often invisible – even to the victims themselves. As core government functions become rapidly digitized under the guise of providing essential public services, this matter is not limited to a select few individuals or even countries. Instead, it is a call to pushback against the abuse of power that violates human rights everywhere.
