Cybersecurity technology roams unsupervised. Here’s why that needs to change
On 22 June, Amnesty International, a non-governmental organisation, published a story on Moroccan journalist and human rights defender Omar Radi, whose smartphone was reportedly bugged. Amnesty’s investigation of the case found traces of so-called ‘network injection’—a cyberattack in which an outside actor inserts a program in the target’s device in order to gain access to its content, including email and browsing history.
Network injection attacks are usually carried out by tricking the target into opening malicious links, often sent via SMS and WhatsApp, which then infect the target’s device with malware. According to Amnesty, the spyware program used in the Radi case was Pegasus, developed by an Israeli firm to track COVID-19 cases in Israel.
In Israel, this technique is used with full transparency, and amidst a healthy debate on its benefits and drawbacks. However, it’s worth mentioning that the technique itself can, of course, also be used to track and monitor political opponents. This creates a clear and present danger of authoritarian overreach, as witnessed in China and Russia, for example.
Amnesty accused Moroccan authorities of the attack, a charge which Morocco denied, asking Amnesty for material evidence. As presented by Amnesty, the case itself is a human rights violation due to the use of spyware against a journalist doing his job, since the journalist’s smartphone was tampered with and infected with malware in order to track and surveil him.
But the Omar Radi case also reveals a more significant issue, which deserves to be discussed. And yet, for obvious reasons, it is often hidden and avoided in public. Cybersecurity has become more and more relevant in the past 20 years. This is directly related to the growing combined threats of international terrorism, trafficking, and smuggling, which bedevil relations between Europe and its neighbours.
The technology at the core of the Radi case (i.e., spyware used to penetrate phones and other forms of electronic communication) is, by nature, multi-faceted. It can be (and is) used by friends and foes alike: terrorists, traffickers, and the agencies trying to combat them. Over the years, this technology has progressed and become much more sophisticated, as well as much harder to trace.
Electronic surveillance is, of course, taking place inside the EU as well, mostly used by state actors. But since the technology has developed and become more user-friendly, it’s also accessible to non-state actors (such as criminal organisations and terrorists). Network injection itself is, in a sense, a ‘tip of the spear technology’ when it comes to tracking technologies. Also, in order to be effective, direct contact with a phone (or some other device) and the network used is necessary.
It’s hardly a surprise that authorities across the board are keen to embrace such ready-to-use technology that can help keep track of what they consider hostile or politically disruptive individuals and organisations. The line between what constitutes genuinely nefarious and dangerous cases, and what does not, should be easy to draw. However, it sometimes isn’t. Accessibility makes various types of spyware tempting to use, even when it’s not necessary. However, when their use by authorities crosses the line, they often create individual casualties in the process.
Simultaneously, the very nature of cyber technology such as spyware makes it ripe for clandestine applications, and therefore not necessarily open to a more public debate.
So, when a case like the Radi one appears, even if it takes place outside the EU, it should be seen as a chance for the Union. It is a chance to discuss and learn from the issue of how cybersecurity, and the technology used to enhance it, ought to be managed, protecting individuals and societies alike, as well as avoiding abuse and malicious overreach.
The issues at stake are critical for the EU as well, since we do have similar technology (oftentimes purchasing the same software), and the balancing act of individual integrity and societal security is linked across borders. There is to date no common EU policy towards these issues. That needs to change, and a way to start is to address the difficult problems tied to integrity and security on an EU-wide level.