For more than a decade, dozens of journalists and human rights activists have been targeted and hacked by governments around the world. Cops and spies in Ethiopia, Greece, Hungary, India, Mexico, Poland, Saudi Arabia and the United Arab Emirates, among others, have used sophisticated spyware to compromise the phones of these victims, who at times have also faced real-world violence, being intimidated, harassed and, in extreme cases, even murdered.
In recent years, in the fight to protect these highest-risk communities, a group of a dozen digital security experts, based primarily in Costa Rica, Manila and Tunisia, among other places, has played a key role. They work for the New York-based nonprofit Access Now, specifically for its Digital Security Helpline.
Their mission is to be the team that journalists, human rights defenders and dissidents can turn to if they suspect they’ve been hacked, such as by mercenary spyware made by companies like NSO Group, Intellexa or Paragon.
“The idea is to provide this 24/7 service to civil society and journalists so they can reach out whenever they have a… cyber security incident,” Hassen Selmi, who leads the incident response team at the Helpline, told TechCrunch.
According to Bill Marczak, a senior researcher at the University of Toronto’s Citizen Lab who has been researching spyware for nearly 15 years, Access Now’s Helpline is a “front line” for journalists and others who may have been targeted or hacked with spyware.
The helpline has become a critical funnel for victims. So much so that when Apple sends its users a so-called “threat alert” notifying them that they’ve been targeted with mercenary spyware, the tech giant has long referred victims to Access Now researchers.
Speaking to TechCrunch, Selmi described a scenario where someone receives one of these threat alerts and where Access Now can help victims.
“Having someone who could explain it to them, tell them what they should do, what they shouldn’t do, what this means … That’s a big relief for them,” Selmi said.
According to several digital rights experts who have researched spyware cases and have spoken to TechCrunch in the past, Apple is generally taking the right approach, even if it looks like a trillion-dollar tech giant offloading its responsibility to a small group of nonprofit employees.
The mention in Apple’s notifications, Selmi said, was “one of the biggest milestones” for the helpline.
Selmi and his colleagues now review about 1,000 cases of suspected government spyware attacks annually. About half of those cases turn into real investigations, and only about 5 percent of those, about 25, result in a confirmed case of spyware infection, according to Mohammed Al-Maskati, director of the helpline.
When Selmi started doing this work in 2014, Access Now was only investigating about 20 cases of suspected spyware attacks per month.
At the time, there were three or four people working in each time zone in Costa Rica, Manila, and Tunisia, locations that allowed them to have someone online throughout the day. The team is not that big now, with fewer than 15 people working for the helpline. The helpline has more people in Europe, the Middle East, North Africa and the sub-Saharan region, since those are hotspots for spyware cases, according to Selmi.
The increase in cases, Selmi explained, is due to several factors. First, the helpline is now better known, so it attracts more people. Then, as government spyware goes global and becomes more available, there are potentially more cases of abuse. Finally, the helpline team has done more outreach to potentially targeted populations, finding cases of abuse that they might not have found otherwise.
Contact us
Have you received a notification from Apple, Google or WhatsApp about spyware targeting? Or do you have information about spyware manufacturers? We would love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, via Telegram and Keybase @lorenzofb, or via email.
When someone contacts the helpline, Selmi told TechCrunch, researchers first confirm receipt and then do an initial check to see if the person who contacted them is within the organization’s mandate, meaning they belong to civil society — and not, for example, a business executive or lawmaker. The investigators then evaluate the case in triage. If a case is a priority, investigators ask questions such as why the person believes they were targeted (if there was no alert) and what device they have, which helps determine what kind of information investigators may need to collect from the victim’s device.
After an initial, limited check of the device performed remotely over the Internet, helpline operators and investigators may ask the victim to send more data, such as a full backup of their device, to do a more thorough analysis looking for signs of intrusions.
“For every known type of exploit that has been used in the last five years, we have a process on how to check that exploit,” Selmi said, referring to known hacking techniques.
“We pretty much know what’s normal and what’s not,” Selmi said.
Access Now operators, who manage communication and often speak the victim’s language, will also advise the victim on what to do, such as whether to get another device or take other precautions.
Every case the nonprofit reviews is unique. “It’s different from person to person, from culture to culture,” Selmi told TechCrunch. “I think we need to do more research, get more people involved — not just technicians — to know how to deal with these kinds of victims.”
Selmi said the helpline also supports similar research groups in some parts of the world by sharing documentation, knowledge and tools, as part of a coalition called CiviCERT, a global network of organizations that can help members of civil society who suspect they have been targeted by spyware.
Selmi said this network also helped reach journalists and others in places they otherwise couldn’t reach.
“Wherever they are, [victims] they have people they could talk to and report,” Selmi told TechCrunch. “Having these people speak their language and know their surroundings helped a lot.”
