Stories from Citizen Lab: Holding the powerful accountable
A group of us from the AML attended Ron Deibert’s talk at the Art Gallery of Ontario, Toronto, on November 9. Deibert is the Director of The Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs & Public Policy, University of Toronto, focusing on research, development, and high-level strategic policy and legal engagement at the intersection of information and communication technologies, human rights, and global security. The work is deeply complex, but is fundamentally a technological response to the abuse of power and human rights in the digital age, in which software invented to counter terrorism is used instead to wield power and crush activists fighting for human rights. Deibert described the abuse as an “urgent problem”, an “emergency”, and an “epidemic.”
The talk was an eye-opener, detailing several gritty examples of journalists and activists whose governments have deliberately targeted them through texts infected by spyware from the NSO Group in Israel. Spyware can be surreptitiously embedded into phone apps, but it’s not until the consequences of clicking on it play out that anyone knows it’s there.
So what exactly does Citizen Lab do? Deibert explained that they get samples of this spyware and test how it works by inserting into a phone. They then reverse engineer the software by running it through the Internet. This way, they can find out what governments are using it. One would have to be an expert hacker to even begin to understand the processes here, as it’s clearly more complex than it sounds.
He described the experience of the UAE journalist, Ahmed Mansoor, who received texts apparently with journalistic information on torture. Luckily, he did not click on the URLs, but instead advised Citizen Lab, who in turn diagnosed the spyware. Nevertheless, Mansoor was eventually imprisoned and remains in the UAE, now in poor health.
Deibert outlined similar stories from Mexico: Journalist Rafael Cabrera received a text advising that his daughter had been hospitalized and was in grave condition – clicking would tell him where she was. Who would not click in this situation? Similarly, the young son of a female journalist had his phone targeted. The Mexican journalist Javier Valdez Cardenas was also hacked, and then shot down in the street two years ago. His wife and his employer continued to receive the texts after his death. Since then, Deibert’s team has found 25 more cases of infected phones belonging to activists.
Saudia Arabia has used the spyware against critics of its regime, even within Canada: in this case, Citizen Lab knew that someone in Canada was being targeted and in 2018 narrowed it down to Omar Abdulaziz, a popular You-tuber in Quebec often compared to Stephen Colbert. He was shocked. As it turned out, Abdulaziz had just ordered some protein powder, as he frequently worked out. Soon he was seeing a text that read: “DHL shipment No. 1751455027 is scheduled for delivery on 28/06/2018, Manage delivery at https://su…”. (The click needs to be an irresistible impulse – the user must be immediately motivated to see what is behind the link.) A few days after they contacted Abdulaziz, he replied to the Citizen Lab saying he was concerned about “Jamal”: he had been texting with journalist Jamal Kashoggi through What’sApp?. Of course, the tragic story of Kashoggi’s untimely death is well known.
What’sApp? subsequently cleaned its vulnerable software after Citizen Lab advised them of the hacking, so we are seeing evidence of goodwill in the industry. But then who would ever want their brand to be tainted by spyware stories? Deibert recommends What’sApp? nevertheless, as it has become highly secured now, despite the fact that Facebook uses our data in the interest of commerce.
Deibert recounted further stories of software infection and abuse that continue to this day: spyware espionage in no less than 45 countries, including Ethiopia and Rwanda. In the case of the latter, Rwanda tracks emigrants with spyware, and mobilizes ‘death squads’ in other countries.
So, technologies are being misappropriated in the service of terrorism instead of the betterment of humankind. Did we think that because we created something magical, we would change the world into a magical place?
What can we as citizens do, then, to fight this abuse?
Here are some options Deibert outlined:
-International regulation? – it sounds fine, but today we have more authoritarian regimes, so even global governance is in crisis. Do they want regulation?
-Export controls? Where are the motivations to control this technology? It is in the best interests of many governments as it offers a great potential. Even the Israeli government regulates export of the spyware: “There is a quid pro quo”.
-Corporate social responsibility? This is unreliable, as it is too profitable for them. Again, it offers too much potential to control the actions of citizens who act against governments’ interests. An example is Yana Peel, former CEO of the Serpentine Galleries in London, UK (a showcase for experimental artists). She was ordered to resign when it was discovered that she is a shareholder in the NSO group.
-Litigation: this might be the best option. Facebook sued the NSO group over the spyware and had What’sApp overhauled to remove the flaw that facilitated the spyware. An audience member asked him whether citizens could launch class action suits against these groups, because how else can we hold them to account?
Deibert summarized the status of these issues and Citizen Lab’s role and goals within the big picture:
– Their ethics are very high. Human rights organizations like them. Public safety people like them. But the more success they have, the more careful they have to be. They have been targeted by potential enemies of their work, for example, inquiries by people from Black Cube intelligence in Israel, masquerading as authentic interest in Citizen Lab.
-They are trying to build and spread more centres like themselves, particularly in urban universities – like NYU for example.
-The dark side of available spyware is that now anyone can use it for anything, for example, abusive spouses can use it against their spouses.
-The irony is that movements such as the Arab Spring and Snowden’s work brought on abuses of privacy. Right away, other governments ramped up their paranoia; there was a lucrative market for spyware. The technology we invent is not neutral once we invest it with ideology.
The takeaway from all this is certainly NOT to throw away your tech – that is not the point here. We need our phones, and this technology. But we must improve our digital defenses. The answer is education.
The Citizen Lab offers knowledge not just to those who are anxious about security, but as an essential tool to all citizens. Click here for their resources page: https://citizenlab.ca/category/research/tools-resources/.
You can go to Access my Information to determine what data companies collect from you and what they do with it: https://citizenlab.ca/category/research/tools-resources/access-my-info/
Citizen Lab has also launched the “Security Planner” for improving your online safety: https://securityplanner.org/#/
“World War 3 is a guerilla information war with no division between military and civilian participation.” (Marshall McLuhan)
What is public education doing to prepare its young citizens for a future that is sure to be more challenging than the present? What must we do to convince them that Marshall McLuhan’s prediction is here and threatens our freedom?
Here are some Extensions and Activities for older Elementary and Secondary students:
-What does “digital citizenship” mean in a global village?
-How might we hold governments and corporations accountable for human rights abuses?
-Research “Netsweeper”, a Canadian company whose software has been used in a variety of ways (to combat terrorism/to invade privacy of those the government disagrees with). How might we as Canadians be contributing to a less secure/less democratic online and offline world?
-Use Security Planner to assess your own security. What stands out? Have the class work in partners to present their top three security tips/useful advice from the security planner.
-Privacy is enshrined as a human right but everyone has a different idea about what that means. Research how privacy became a part of the UN’s declaration of human rights. Why was privacy considered to be so important? What are some of the problems that occur when privacy is threatened? What are your values when it comes to privacy?
-Examine and discuss the AML’s End User License Agreements (EULAs) as they relate to you: https://aml.ca/resources/end-user-license-agreements/
by Michelle Solomon and Carol Arcus, Directors-AML