For more than a decade, makers of government spyware have defended themselves from criticism by saying their surveillance technology is intended to be used only against serious criminals and terrorists, and only in limited circumstances.
However, evidence gathered from dozens if not hundreds of documented cases of spyware abuse around the world shows that none of these arguments are true.
Journalists, human rights activists and politicians have been repeatedly targeted in both repressive regimes and democratic countries. The latest example is a political consultant working for left-wing politicians in Italy, who emerged as the country’s most recently confirmed victim of the Paragon spyware.
This latest case shows that spyware is proliferating far beyond the scope of what we typically think of as “infrequent” or “limited” attacks that target only a few people at a time.
“I think there’s some misunderstanding at the heart of the stories about who gets targeted by this kind of government spyware, which is that if you get targeted, you’re public enemy number one,” Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, who has studied spyware for years, told TechCrunch.
“In fact, because targeting is so easy, we’ve seen governments use surveillance malware to spy on a wide range of people, including relatively small political opponents, activists and journalists,” Galperin said.
There are several reasons why spyware often ends up on the devices of people who, in theory, shouldn’t be targeted.
The first explanation lies in the way spyware systems work. Generally, when an intelligence or law enforcement agency buys spyware from a surveillance vendor, such as NSO Group, Paragon, and others, the government customer pays a one-time fee to acquire the technology and then pays additional fees for future software updates and technical support.
The upfront fee is usually based on the number of targets the government agency can spy on at any given time. The more targets, the higher the price. Previously leaked documents from the now-defunct Hacking Team show that some of its police and government clients could target anywhere from a handful of people to an unlimited number of devices at once.
While some democratic countries typically had fewer targets they could surveil in one go, it was not uncommon to see countries with questionable human rights records with extremely high numbers of concurrent spyware targets.
Giving countries with such strong appetites for surveillance such a large number of simultaneous targets guarantees that governments would target many more people outside the scope of criminals and terrorists.
Morocco, the United Arab Emirates (twice), and Saudi Arabia (several times) have all been caught targeting journalists and activists over the years. Security researcher Runa Sandvik, who works with activists and journalists at risk of being hacked, curates an ever-expanding list of spyware abuse cases around the world.
Another reason for the high number of abuses, especially in recent years, is that spyware — such as NSO’s Pegasus or Paragon’s Graphite — makes it extremely easy for government clients to successfully target whomever they want. In practice, these systems are essentially consoles where police or government officials type in a phone number and the rest happens in the background.
John Scott-Railton, a senior researcher at The Citizen Lab, who has investigated spyware companies and their abuses for a decade, said government spying software poses a “tremendous temptation for abuse” for government clients.
Scott-Railton said spyware “must be treated as the threat it is to democracy and elections”.
A general lack of transparency and accountability has also contributed to governments brazenly using this sophisticated surveillance technology without fear of consequence.
“The fact that we’ve seen the targeting of relatively small fish is particularly troubling because it reflects the relative impunity the government feels in deploying this highly invasive spyware against adversaries,” Galperin told TechCrunch.
When it comes to accountability for victims, there is some good news.
Paragon publicly severed ties with the Italian government earlier this year, claiming that the country’s authorities refused the company’s help in investigating abuses allegedly involving its spyware.
The NSO Group previously disclosed in court that it had disconnected 10 government customers in recent years for abusing its spyware technology, although it declined to say which countries. And it’s unclear whether that includes the Mexican or Saudi governments, where there have been countless documented cases of abuse.
On the customer side, countries like Greece and Poland have launched investigations into spyware abuses. The United States, during the Biden administration, targeted some spyware makers such as Cytrox, Intellexa and NSO Group, imposing sanctions on the companies and their executives and putting them on financial blacklists. Also, a group of mostly Western countries led by the United Kingdom and France is trying to use diplomacy to put the brakes on the spyware market.
It remains to be seen whether any of these efforts will in any way limit or curtail what is now a multibillion-dollar global market, with companies supplying advanced spyware to governments with a seemingly endless appetite to spy on just about anyone they want.
