Yet More Evidence of Gross Misuse of NSO Group Spyware In Mexico

The Citizen Lab’s investigation into the abuse of commercial spyware in Mexico continues with yet more troubling findings. Today, we are releasing a new report that affirms two additional individuals’ phones were targeted with Israeli-based NSO Group’s sophisticated Pegasus spyware technology.  

As in some of the prior cases we researched, the individuals in question — Karla Micheel Salas and David Peña — are lawyers representing family members of the victims of horrific targeted killings.  Specifically, this case concerns the torture and murder in July 2015 of Nadia Vera and Rubén Espinosa, an activist and journalist respectively, alongside three of their acquaintances.  There were also reports of sexual assault and torture against some of the victims prior to the murders.

Vera and Espinosa had been critical of the then governor of the Mexican state of Veracruz, Javier Duarte, and had received numerous threats in the course of their work. Under Duarte’s reign as governor, Veracruz became the most dangerous place in Mexico for journalists, with 17 killed during his term. Facing numerous and ongoing threats, Vera and Espinosa fled Veracruz to Mexico City, hoping the distance would protect them. Unfortunately, they (along with three people present at the scene: Yesenia Quiroz Alfaro, Mile Virginia Martin, and Alejandra Negrete) were brutally murdered.

Protests followed the Mexico City Attorney General’s investigation into the murder, which was widely perceived as inadequate.  The families of the slain individuals contracted Salas and Peña to push for an investigation.  In September and October 2015, Salas and Peña received text messages containing what we confirmed were links to the NSO Group’s exploit infrastructure which, if clicked on, would have silently infected their phones, allowing the operators to surreptitiously track their movements, phone calls, emails, and SMS messages, as well as record their voices and take pictures. (Watch Citizen Lab’s John Scott-Railton describe how NSO’s spyware works in this video).

While part of the story of these cases concerns the brutal environment for journalists in Mexico, the other part concerns the gross abuse of highly sophisticated surveillance technologies sold by companies like NSO Group.

In spite of the fact that Mexico was widely known to be a country struggling with corruption and abuse, and in spite of the well-known targeting of journalists, advocacy groups, lawyers and others using extrajudicial means, NSO Group went ahead and sold its technology to the Mexican government.  Clearly, there is a serious control problem around commercial spyware that needs to be urgently addressed lest such cases continue to mount.  Indeed, as we outline in our latest report, investigative reporting in the context of Panama has revealed that the former president of Panama, Ricardo Martinelli, used $13.5 million worth of NSO Group services to illegally spy on more than 150 opponents, including several U.S. citizens in the U.S. Embassy and in the United States proper.  Panamanian authorities are seeking to extradite Martinelli from the United States, where he fled from these charges.

One way to prevent such abuses is to encourage ownership groups to exercise greater due diligence over companies like NSO Group.  Over the last several weeks, it has been reported that the US-based investment firm Blackstone Group is exploring partial acquisition of the NSO Group.  Last week, Citizen Lab wrote to Blackstone Group with a detailed list of questions they should consider prior to the sale, as well as others concerning corporate social responsibility measures they should adopt, should the purchase go through. We hope these questions serve as a baseline for an industry that has yet to develop the type of mature due diligence practices as found in mining, oil, textiles, and other industries (however flawed those may still be).

Meanwhile, we fully expect to find more cases of the abuse of NSO Group technology, not just in Mexico but in other jurisdictions, where corrupt public officials with access to their spyware illegitimately turn it on those who present obstacles to their unscrupulous aims.

As before, the Citizen Lab’s research into Mexican surveillance has been led by senior researcher John Scott-Railton, working in close consultation with our partners in Mexico, R3D, SocialTic, and Article 19.

Read the report here: https://citizenlab.ca/2017/08/lawyers-murdered-women-nso-group/


Letter to Blackstone Group Regarding Possible Acquisition of NSO Group

For the last year, Citizen Lab has written five separate reports that document extensive abuse of, and lack of controls around the use of spyware manufactured by the Israeli cyber warfare company, NSO Group.   

These reports are part of a larger interest we have at the Citizen Lab in the lack of controls around the spyware market, from weak or nonexistent export controls of countries in which spyware companies are headquartered, to opaqueness around the market for cyber security, to an absence of due diligence on the part of companies themselves to know their clients.

A growing number of our reports has shown how the products and services of this largely unregulated market end up facilitating abuses in which journalists, human rights defenders, and others end up being targeted by powerful software ostensibly limited to governments to fight terrorists and investigate crime.

In a previous publication, my colleague Sarah McKune and I outlined a checklist of measures that could be taken to rein in the abuse of commercial spyware.  As part of that more comprehensive approach, we have suggested that the industry should be encouraged to adopt “voluntary yet genuine accountability frameworks and human rights-oriented policies and practices.”

To that end, we are today sending a letter to the Blackstone Group, an American private equity, asset management, and financial services firm in the process of considering acquiring a large stake in the NSO Group.  

Should Blackstone Group’s acquisition of NSO Group proceed, we hope our letter will encourage them to exercise stronger due diligence over NSO Group’s sales, and help ensure that the company itself better manages the end-uses of its products.

Read the letter here: https://citizenlab.ca/2017/07/open-letter-to-blackstone-possible-nso-acquisition/

PDF here: https://citizenlab.ca/wp-content/uploads/2017/07/Blackstone_open_letter_NSO_group_citizen_lab.pdf


A World Without Liu Xiaobo

Liu Xiaobo died of cancer last week.  A veteran of the 1989 Tiananmen Square protests, and one of the authors of the Charter 08 manifesto advocating for democratic reform, Liu was China’s first Nobel Peace Prize winner.

In spite of Liu’s advocacy for non-violent change, Chinese authorities sentenced Liu in 2009 to eleven years’ imprisonment for “inciting subversion of state power.”

Last month, Chinese authorities acknowledged Liu had contracted cancer.  Liu made an appeal to leave the country to receive outside medical treatment, an appeal that was backed by numerous governments, international organizations, and NGOs.  Apparently concerned that Liu would speak out against the regime, Chinese authorities denied the request.  On July 13, 2017 Liu Xiaobo succumbed to cancer.

The passing of Liu Xiaobo is a very sensitive event for the Chinese Communist Party.  The 1989 Tiananmen Square protests grew out of the mourning of the death of another person advocating for greater government transparency and reform, Hu Yaobang.

Concerned that martyrdom around Liu may spur similar collective action, as well as being concerned about saving face, the knee-jerk reaction of China’s authorities is to quash all public discussion of Liu, which in today’s world translates into censorship on social media.

In our latest report, entitled “Remembering Liu Xiaobo: Analyzing censorship of the death of Liu Xiaobo on WeChat and Weibo,” we document the full extent of China’s heavy hand.

Our experiments show that the scope of censorship of keywords, images, and search terms related to Liu Xiaobo on two of China’s most popular social media platforms, WeChat and Weibo, has greatly increased since his passing.

Prior to his death, Liu’s name, in combination with a selection of other keywords perhaps related to his illness or political rights, might trigger censorship.  Afterwards, we found that simply including his name alone was enough to trigger blocking of messages.

We also found that images related to Liu, such as those commemorating his passing, were blocked on WeChat after his death, including images shared in one-to-one chats — the first time we have observed that phenomenon.

As with our prior WeChat research, we confirmed that the censorship is undertaken without any notification to the users, and only applies to users with accounts registered to mainland China phone numbers.  For example, we show that images of Liu posted to an international user’s WeChat feed were visible to other users abroad, but hidden from users with Chinese accounts.

For Weibo, we analyzed search term blocking and confirmed that the platform maintains a blanket ban on searches for Liu Xiaobo’s name. Indeed, searching just his given name, “Xiaobo”, is enough to trigger censorship in English and in both Simplified and Traditional Chinese.

Freedom of speech is the antithesis to one-party rule.  Dictators throughout history have forced embarrassing truths into the shadows, typically by imprisoning those who speak them, and have scrubbed dissidents from history books, photographs, and other mass media.

The social media censorship we document in our latest report is but the latest manifestation of this authoritarian tendency, and underscores why careful evidence-based research is so essential to the progress of human rights.

Read the full report here: https://citizenlab.ca/2017/07/analyzing-censorship-of-the-death-of-liu-xiaobo-on-wechat-and-weibo/

The New York Times: https://www.nytimes.com/2017/07/17/world/asia/liu-xiaobo-censor.html

Global Voices: https://globalvoices.org/2017/07/17/censorship-after-death-chinese-netizens-quietly-mourn-nobel-laureate-liu-xiaobo/

International Investigation Into Mexican Mass Disappearance Under Surveillance

The Mexican surveillance scandal in which the Citizen Lab is involved now widens substantially.

Our latest report confirms that a phone belonging to an international group of experts from several countries assembled by the Inter-American Commission on Human Rights (known as the GIEI), charged with investigating the 2014 Iguala Mass Disappearance, was targeted with infection attempts using spyware developed by the NSO group, an Israeli “cyber warfare” company.

The infection attempts we documented took place in early March 2016, shortly before the publication of GIEI’s final report on their investigation.

For those who do not know, the 2014 Iguala Mass Disappearance refers to a horrific episode in which 43 students from the Ayotzinapa Rural Teachers’ College were disappeared while travelling to Mexico City to participate in an event commemorating yet another tragic episode in Mexico, the Tlatelolco Massacre. The Mexican government’s inadequate response to the mass disappearance, and suspicions that Mexican government agencies themselves were implicated, led to calls for the creation of the independent international investigation.

While carrying out their investigations, the GIEI experts faced numerous threats and harassment, and eventually a public falling-out with the Mexican attorney general’s office. Just prior to the release of their public report in March 2016, we determined that a phone belonging to the investigators was targeted with SMS messages containing links to NSO Group exploit infrastructure.

While we cannot definitively attribute the targeting we discovered to a particular Mexican government agency or individual, it is highly significant that leaked documents show numerous Mexican government agencies, including the Mexican attorney general’s office itself, purchased NSO Group spyware.

This latest report of ours adds to the growing number of cases clearly showing the abuse of commercial spyware in the context of Mexico.   So far we have positively determined that technology sold by an Israeli-based company ostensibly restricted to governments for anti-terror, criminal, and national security investigations has been used instead to target health scientists and anti-obesity activists, anti-corruption NGOs, journalists (and their family), opposition politicians, and now members of an independent international inquiry into the massacre of 43 students.

These findings will undoubtedly deepen the surveillance crisis in Mexico.  But what’s going on in that country is symptomatic of a much wider global problem. Surveillance companies are making millions selling their products to governments that lack oversight and public accountability, which then turn these powerful and highly invasive tools on civil society to further their corrupt aims.

Addressing this problem will require a comprehensive policy response across multiple domains, from the domestic to the international.  My colleague Sarah McKune and I have outlined recommendations to bring more accountability to the commercial spyware trade in the form of a checklist, which can be found here.  We hope our documentation of cases of abuse such as these will inspire such comprehensive responses.

We are grateful for the cooperation of the GIEI experts, and our Mexican colleagues, R3D, SocialTic, and Article19, without whom this investigation could not be undertaken.

Read the full report here: https://citizenlab.org/2017/07/mexico-disappearances-nso/

More Than Meets the Eye

Every day we hear warnings not to open attachments, click on links, or enter our credentials into websites that do not look trustworthy.  But what if they do look legit?  How do we tell?

Our latest report shows not only the lengths to which an espionage operation will go to fool users, but it also provides a good example of how difficult it may be for the average user to discern one from the other.

Authored by the Citizen Lab’s Jakub Dalek, Geoffrey Alexander, Masashi Crete-Nishihata, and Matt Brooks, our report, entitled “Insider Information: An intrusion campaign targeting Chinese language news sites,” details a campaign of reconnaissance, phishing, and targeted malware at the heart of which are carefully-crafted mimics of several prominent Chinese-language news websites.

Our investigation began when staff members of China Digital Times — a popular China-focused news portal founded by UC-Berkeley professor and prominent human rights activist Xiao Qiang — began receiving unsolicited emails with promises of controversial material.  The emails contained a link to what appears to be the legit China Digital Times website. However, it is not.  The operators behind this campaign had copied the entire website and then hosted it on a slightly altered domain.   Instead of “chinadigitaltimes.net” the operators used the domain “chinadagitaltimes.net.”

Can you spot the difference?  

If you noticed the substitution of “a” for “i” in the word digital, you are correct!

Other than the misspelled domain, the legitimate and fake news websites are identical, with one additional key difference: the operators also coded a few lines of JavaScript into the fake news domain that trigger a popup window asking the visitor to enter their email and password into a fake WordPress login page.  Had the targets done so, they would have then been redirected back to the legitimate China Digital Times website, oblivious to the fact that their credentials to administer the website were successfully stolen by the operators, allowing them to effectively manage and edit the legitimate website itself.
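The lookalike domain above is the kind of thing a mail gateway or a newsroom’s own link checker can catch automatically. The following is an added example, not code from Citizen Lab or China Digital Times: it pulls links out of a message, compares each link’s host against a watchlist of legitimate domains (the watchlist and the sample email text are assumptions constructed for the example), and flags hosts within a small edit distance of a watched domain or hosts that merely embed one.

```python
"""Flag lookalike domains in links, as in the chinadagitaltimes.net case.

Added example (not Citizen Lab's code). WATCHLIST and SAMPLE_EMAIL are
constructed for the example; a defender would load their own list.
"""
import re
from urllib.parse import urlparse

# Assumed watchlist: legitimate domains whose lookalikes we want to catch.
WATCHLIST = ["chinadigitaltimes.net"]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and the
    transposition of two adjacent characters, each at cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def link_host(url: str) -> str:
    """Lower-cased host name of a URL, without scheme, port or credentials."""
    host = urlparse(url).hostname or ""
    return host.lower().rstrip(".")


def check_link(url: str, watchlist=WATCHLIST, max_distance: int = 2):
    """Classify one link. Returns (verdict, matched_domain, distance).

    "legitimate": host is a watched domain or a real subdomain of one.
    "lookalike":  host embeds a watched domain (e.g. legit.net.evil.example)
                  or is within max_distance edits of one.
    "unrelated":  nothing close on the watchlist.
    """
    host = link_host(url)
    if not host:
        return ("invalid", None, None)
    best = None
    for legit in watchlist:
        if host == legit or host.endswith("." + legit):
            return ("legitimate", legit, 0)
        if legit in host:
            # Watched name used as a prefix label of an unrelated domain.
            return ("lookalike", legit, None)
        dist = damerau_levenshtein(host, legit)
        if best is None or dist < best[1]:
            best = (legit, dist)
    if best is not None and best[1] <= max_distance:
        return ("lookalike", best[0], best[1])
    return ("unrelated", None, best[1] if best else None)


def scan_text(text: str, watchlist=WATCHLIST):
    """Return [(url, verdict, matched_domain, distance)] for every link in text."""
    results = []
    for url in URL_RE.findall(text):
        verdict, legit, dist = check_link(url, watchlist)
        results.append((url, verdict, legit, dist))
    return results


# Constructed sample message in the shape the page describes.
SAMPLE_EMAIL = (
    "Exclusive material you will want to see: "
    "http://chinadagitaltimes.net/2017/05/example-post/ "
    "(also on https://www.chinadigitaltimes.net/ as usual)"
)

if __name__ == "__main__":
    for url, verdict, legit, dist in scan_text(SAMPLE_EMAIL):
        print(f"{verdict:10} {url}  (closest watched: {legit}, distance {dist})")
```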

By analyzing the server used to host the fake website, Citizen Lab researchers were also able to identify several other fake websites that used content from Chinese language news websites that the operators had also mimicked, presumably for phishing.  We also found that some of the servers controlled by the operators were used to stage malware.

It is noteworthy that all of the fake websites our researchers discovered in this campaign are meant to mimic news websites that publish content critical of the Chinese government.  It is possible the operators behind this campaign are “hackers for hire” — typical of the way in which a lot of cyber espionage is outsourced in China.  However, we are unable to positively attribute this campaign to a specific state agency.

I expect we will see more cases such as these in which legitimate news sites are doctored and manipulated to push disinformation or facilitate cyber espionage.  With each of us bombarded with data from social media on a daily basis, discerning “fake” from “real” or “malicious” from “benign” will become ever more challenging and time-consuming. Cases such as these illustrate the importance of educating users, especially those working in high-risk areas such as investigative journalism, about the importance of integrating information security and digital hygiene into their daily routines.

One final note in this regard: hats go off to China Digital Times staff not only for spotting the malicious emails but also for sharing them with Citizen Lab for further analysis, which led to the discovery of the wider campaign.  Cooperation of this sort is essential for research to progress, and for journalists and the entire human rights community to be aware of the type of threats they mutually face.

Mexico Wages Cyber Warfare Against Journalists, and Their Minor Children

For years, Citizen Lab has been sounding alarms about the abuse of commercial spyware. We have produced extensive evidence showing how surveillance technology, allegedly restricted to government agencies for criminal, terrorism, and national security investigations, ends up being deployed against civil society.

Today’s report not only adds to the mountain of such evidence, it details perhaps the most flagrant and disturbing example of the abuse of commercial spyware we have yet encountered.

Working with Mexican civil society partners R3D, Social Tic, and Article 19, our team — led by John Scott-Railton — identified more than 75 SMS messages sent to the phones of 12 individuals, most of whom are journalists, lawyers, and human rights defenders. 10 are Mexican, one was a minor child at the time of targeting, and one is a US citizen.

These SMS messages contained links to the exploit infrastructure of a secretive Israeli cyber warfare company, NSO Group.  Had they been clicked on, the links would activate exploits of what were, at the time, undisclosed software vulnerabilities in the targets’ Android or iPhone devices.  Known in NSO Group’s marketing as “Pegasus”, this exploit infrastructure allows operators to surreptitiously monitor every aspect of a target’s device: turn on the camera, capture ambient sounds, intercept or spoof emails and text messages, circumvent end-to-end encryption, and track movements.

We first encountered NSO Group in August 2016 when UAE human rights defender Ahmed Mansoor shared with Citizen Lab researchers suspicious SMS messages he received containing links to NSO infrastructure. When we published our report on Mansoor, we had some evidence of targeting in Mexico that subsequently led to a follow-up report earlier this year on the use of NSO’s surveillance technology to target Mexican health advocates and food scientists.

The targeting we outline in our latest report, which runs from January 2015 to August 2016, involves a much wider campaign. It includes 12 individuals who share a common trait:  investigations into Mexican government corruption, forced disappearances, or other human rights abuses. All of the individuals who cooperated in our research consented to be named in the report. The August 2016 endpoint coincides with the time of our disclosure to Apple about NSO’s exploits, which led to the shutdown of NSO’s infrastructure (or at least that particular phase of it).  

Among the noteworthy aspects of this latest case are the persistent and brazen attempts by the operators to trick recipients into clicking on links.  Each of the targets received a barrage of SMS messages that included crude sexual taunts, alleged pictures of inappropriate, threatening, or suspicious behavior, and other ruses.  Many received fake AMBER Alert notices about child abductions as well as fake communications from the US Embassy in Mexico.

What is most disturbing is that the minor child of one of the targets — Emilio Aristegui, son of journalist Carmen Aristegui — received at least 22 SMS messages from the operators while he was attending school in the United States.  Presumably these attempts to infect Emilio’s phone were intended as a backdoor to his mother’s phone. But it is also possible the operators had a more sinister motivation.  The attempts to infect both Carmen and Emilio took place at the same time Carmen Aristegui was investigating a major corruption scandal involving the President of Mexico.

Our report makes it clear that the NSO Group, like competitor companies Hacking Team and FinFisher, is unable or unwilling to control the abuse of its products.  Time and again, companies like these, when presented with evidence of abuse, effectively pass the buck, claiming that they only sell to “government agencies” to use their products for criminal, counterintelligence, or anti-terrorism purposes.  The problem is that many of those government clients are corrupt and lack proper oversight; what constitutes a “crime” for officials and powerful elites can include any activity that challenges their position of power — especially investigative journalism.

Mexico is a case in point.  Ranked by the Economist’s Intelligence Unit as a “flawed democracy”, Mexico’s government agencies are riven with corruption.  Mexico is one of the most dangerous places to be a journalist not only because of violence related to the drug cartels but also because of threats from government officials.   As Reporters Without Borders notes, “[w]hen journalists cover subjects linked to organized crime or political corruption (especially at the local level), they immediately become targets and are often executed in cold blood.”

In spite of these glaring insecurity and accountability issues, the NSO Group went ahead and sold its products to multiple Mexican government agencies, according to leaked documents reported on in the New York Times.  Other leaked documents show that Mexico was at one time another commercial spyware company’s (Hacking Team) largest single country client.  Should it come as any surprise that these powerful surveillance technologies would end up being deployed against those who aim to expose corrupt Mexican officials?

What is to be done about these abuses? In a recent publication, Citizen Lab senior researcher Sarah McKune and I outlined a “checklist of measures” that could be taken to hold the commercial spyware market accountable, including application of relevant criminal law. It is noteworthy in this regard that while in the United States, the minor child Emilio Aristegui received SMS messages purporting to be from the US Embassy.  Impersonating the US Government is a violation of the US Criminal Code, and the targeting may very well constitute a violation of the US Wiretap Act.  At the very least, it is a violation of diplomatic norms.  How will the United States Government respond?

NSO Group is an Israeli company, and thus subject to Israeli law.  In the past, Israel has prided itself on strict export controls around commercial surveillance technology.  Yet this latest example shows yet again the ineffectiveness of those controls.  Will Israeli lawmakers tighten regulations around NSO Group in response?

Among the checklist of measures McKune and I identified is the importance of evidence-based research on the commercial spyware market to help track abuses and raise awareness.  It is important to underline that the work undertaken in this report could not have been done without the close collaboration between Citizen Lab researchers and Mexican civil society groups, R3D, SocialTic, and Article 19.   Collaborations like these are essential to exposing the negative externalities of the commercial spyware market, documenting its harms, and shedding light on abuse.

I suspect it will not be the last collaboration of this sort.

Read the full report, “Reckless Exploit: Journalists, Lawyers, Children Targeted in Mexico with NSO Spyware,” authored by John Scott-Railton, Bill Marczak, Bahr Abdulrazzak, Masashi Crete-Nishihata, and me, here: https://citizenlab.org/2017/06/reckless-exploit-mexico-nso


From Russia, with Tainted Love

I am pleased to announce a new Citizen Lab report, entitled “Tainted Leaks: Disinformation and Phishing With a Russian Nexus.” The report is authored by the Citizen Lab’s Adam Hulcoop, John Scott-Railton, Peter Tanchak, Matt Brooks, and myself, and can be found here.

Our report uncovers a major disinformation and cyber espionage campaign with hundreds of targets in government, industry, military and civil society. Those targets include a large list of high profile individuals from at least 39 countries (including members of 28 governments), as well as the United Nations and NATO. Although there are many government, military, and industry targets, our report provides further evidence of the often-overlooked targeting of civil society in cyber espionage campaigns.  Civil society — including journalists, academics, opposition figures, and activists — comprise the second largest group (21%) of targets, after government.

Other notable targets include:

  • A former Russian prime minister
  • A former U.S. Deputy Under Secretary of Defense and a former senior director of the U.S. National Security Council
  • The Austrian ambassador to a Nordic country and the former ambassador to Canada for a Eurasian country
  • Senior members of the oil, gas, mining, and finance industries of the former Soviet states
  • United Nations officials
  • Military personnel from Albania, Armenia, Azerbaijan, Georgia, Greece, Latvia, Montenegro, Mozambique, Pakistan, Saudi Arabia, Sweden, Turkey, Ukraine, and the United States, as well as NATO officials
  • Politicians, public servants and government officials from Afghanistan, Armenia, Austria, Cambodia, Egypt, Georgia, Kazakhstan, Kyrgyzstan, Latvia, Peru, Russia, Slovakia, Slovenia, Sudan, Thailand, Turkey, Ukraine, Uzbekistan and Vietnam

While we have no “smoking gun” that provides definitive proof linking what we discovered to a particular government agency (a common challenge in open source investigations like ours) our report nonetheless provides clear evidence of overlap with what has been publicly reported by numerous industry and government reports about Russian cyber espionage. This overlap includes technical details associated with the successful breach in 2016 of the email account of John Podesta, the former chairman of Hillary Clinton’s unsuccessful presidential campaign.

As is often the case with Citizen Lab research on targeted threats, our report began with a “patient zero” — in this case, the prominent journalist, David Satter.  Satter is a well-known author on Russian autocracy. He was banned from Russia in 2013 for his investigative reporting on corruption and abuse of power associated with the Putin regime.  In October 2016, Satter’s Gmail account was successfully phished.  Documents stolen from his account then appeared on the website of CyberBerkut, a self-described pro-Russian hacktivist group.   Using the genuine documents obtained with Satter’s consent, our report details the disinformation campaign that was orchestrated around his stolen emails to give the false impression that Satter was part of a CIA-backed plot to discredit Putin and his adversaries and engineer a “colour revolution.”  The disinformation was also aimed at providing a false association between Satter, western NGOs, and prominent Russian opposition figures, most notably the prominent Russian anti-corruption activist, Alexei Navalny.

A very detailed technical analysis of the infrastructure and methods used in the phishing attack on Satter, led by Citizen Lab’s Adam Hulcoop, then allowed us to unravel and ultimately identify a much larger group of over 200 individuals across 39 countries targeted by the same operators.  Not since our Tracking Ghostnet report in 2009 do I recall us discovering such an extensive list of high-profile targets of a single cyber espionage campaign.

Why target civil society? For many powerful elites, a vibrant civil society is the antithesis to their corrupt aims.   In the case of Russia, the motivations behind cyber espionage are as much about securing Putin’s kleptocracy as they are geopolitical competition.  It often matters just as much for the Kremlin to know what critical exposé is going to be published on Putin’s inner circle, or what demonstration is going to be organized in the streets of St. Petersburg, as it does what happens in corporate boardrooms or government headquarters abroad. This means journalists, activists, and opposition figures — both domestically and around the world — bear a large burden of the spying.

Our report also offers a detailed glimpse of the new frontier of digital disinformation.  Tainted leaks, such as those analyzed in our report, present complex challenges to the public.  Fake information scattered amongst genuine materials — “falsehoods in a forest of facts” as Citizen Lab’s John Scott-Railton referred to them —  is very difficult to distinguish and counter, especially when it is presented as a salacious “leak” integrated with what otherwise would be private information.

Russia has a long history of experience with what is known as dezinformatsiya, going back even to Soviet times.  The prospect of a country with its superpower resources engaging in systematic “tainted leak” operations generated with data stolen by affiliated cyber criminal “proxy” groups is daunting.  Even more daunting is the prospect that the model of its success will breed similar campaigns undertaken by other governments.  To the extent it is both cheap and effective, and provides plausible deniability when outsourced to the shady underworld, it will almost certainly inspire other governments to follow suit.

With digital insecurity and data breaches now a pervasive and growing problem, it is highly likely digital disinformation operations are going to become widespread. Indeed, we could be on the cusp of a new era of superpower-enabled, digital disinformation.  The public’s faith in media (which is already very low), and the ability of civil society to do its job effectively, will both invariably suffer as collateral damage.

Our hope is that in studying closely and publishing the details of such tainted leak operations, our report will help us better understand how to recognize and mitigate them.  We also hope that in highlighting the large number of civil society members targeted in yet another cyber espionage campaign, the “silent epidemic” can be properly addressed by policymakers, industry, and others.

One final note concerning notification: we chose not to identify targeted or victimized individuals without their consent in order to protect their privacy.  Instead, we have notified the email service provider and relevant Computer Emergency Response Teams.

Report URL: https://citizenlab.org/2017/05/tainted-leaks-disinformation-phish/


We Chat (But Not about Everything)

Imagine if your favourite social media application silently censored your posts, but gave you no information about what topics are censored.

Imagine if everything seemed fine as you posted message after message and image after image, for days on end with no issues, but then occasionally one of your posts would simply not appear without explanation.

And what if the messages or images you are prevented from posting sometimes seem connected with a controversial political issue, but other times not?  Perhaps it’s deliberate, you might guess. Perhaps it’s just you and your bad Internet connection?  Who can say for sure?

Unfortunately this Kafka-esque situation is the reality for well over a billion users of WeChat and Sina Weibo, two of China’s largest social media applications and among the largest in the world.

Our new report provides detailed evidence from systematic experiments we have been performing on WeChat and Sina Weibo to uncover censorship on each of the applications.  As with prior reports on each of the applications, we are interested in enumerating censored topics — a difficult question to answer since neither of the companies is transparent about what they block.

For our latest research, we focused on censorship of discussions about the so-called “709 Crackdown.” This crackdown refers to the nationwide targeting by China’s police of nearly 250 human rights lawyers and activists, as well as some of their staff and family, since July 9, 2015, when lawyer Wang Yu (王宇) and her husband Bao Longjun (包龙军) were forcibly “disappeared.”  The 709 Crackdown is considered one of the harshest systematic measures of repression on civil society undertaken by China since 1989, and is the subject of much ongoing international media and human rights discussion.

Unfortunately, as our experiments show, a good portion of that discussion fails to reach Chinese users of WeChat and Weibo. Our research shows that certain combinations of keywords, when sent together in a text message, are censored. When sent alone, they are not.  So, for example, if one were to text 中国大陆 (Mainland China) or 王全璋的妻子 (Wang Quanzhang’s Wife) or 家属的打压 (Harassment on Relatives) individually, the messages would get through.  Sent together, however, the message would be censored.  The Citizen Lab’s Andrew Hilts has created a visualization showing these keyword combinations here: https://citizenlab.org/709crackdownviz

In addition to a large number of censored keyword combinations our tests unearthed, we also discovered 58 images related to the 709 Crackdown that were censored on WeChat Moments for accounts registered with a mainland China phone number. (For accounts registered with a non-mainland China phone number, on the other hand, the images and keyword combinations go through fine). This is the first time we have documented censorship of images on a social media platform, and we are continuing to investigate the exact mechanism by which it takes place.

The purpose of Citizen Lab’s research on applications like WeChat and Weibo is to better understand and bring transparency to restrictions such as these. We live in a world in which our choices and decisions are increasingly determined by algorithms buried in the applications we use.  What websites we visit, with whom we communicate, and what we say and do online are all increasingly determined by these code-based rules.  Whether those algorithms are fair or not, whether they respect human rights, whether they make mistakes or not, are all questions that can only be answered if the algorithms can be properly examined.

Unfortunately, many social media platforms hide their algorithms, either for proprietary and financial reasons (they want to protect the “secret sauce” that earns them money) or for political reasons (their algorithms are used to enforce restrictions on speech and they don’t want their customers to know about it).  Our research aims to break through that obfuscation and bring such algorithms to account.

Generally speaking, the algorithms that drive social media censorship or surveillance can operate in one of two ways: either on the client side — meaning, inside the application on your device; or on the server side — meaning, inside one of the company’s computers that runs the service.  Typically, to investigate the former, we rip the application apart — “reverse engineer” it — and subject it to various tests to determine what the algorithm does beneath the surface.

For server-side rules, on the other hand, whatever censorship or surveillance is going on happens inside the company’s infrastructure, making it more challenging to interrogate the rules.  Both WeChat and Weibo perform censorship and surveillance on the server side, so we had to undertake detailed experiments using combinations of keywords and images drawn from news stories and fed into the applications systematically to zero in on what’s filtered.  You can read about these experiments in the full report here: https://citizenlab.org/2017/04/we-cant-chat-709-crackdown-discussions-blocked-on-weibo-and-wechat/
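The keyword-combination behaviour described above (single keywords pass, a particular set sent together is blocked) and the server-side experiment it calls for can be illustrated in code. The following is an added example, not code from the Citizen Lab report: it simulates a server-side filter with a constructed rule set (the three-keyword combination quoted in the post plus one hypothetical extra rule) and runs the enumeration a researcher would use to find the minimal blocked combinations while counting how many test messages that costs. In a real experiment the `send` function would post a message from one account and check whether it appears on a second account; here it is a stand-in.

```python
"""Added example: simulating server-side keyword-combination censorship
and the systematic experiment used to expose it.

The rule set below is constructed for illustration. The first rule matches
the combination quoted in the post; the second is a hypothetical extra rule.
Neither is WeChat's or Weibo's actual blocklist."""

from itertools import combinations

# Constructed rules: a message is suppressed only when EVERY keyword of some
# rule appears in it, so each keyword alone is delivered but the set is not.
COMBINATION_RULES = [
    frozenset({"中国大陆", "王全璋的妻子", "家属的打压"}),  # from the post
    frozenset({"709", "律师"}),                             # hypothetical
]


def server_side_filter(message: str, rules=COMBINATION_RULES) -> bool:
    """Simulated server: return True if the message would be delivered."""
    return not any(all(kw in message for kw in rule) for rule in rules)


class Prober:
    """Wraps a send function and counts the test messages it issues, since
    the cost of a server-side experiment is the number of probes sent."""

    def __init__(self, send=server_side_filter):
        self.send = send
        self.probes = 0

    def is_delivered(self, keywords) -> bool:
        self.probes += 1
        return self.send(" ".join(keywords))


def find_minimal_censored_combinations(keywords, prober=None, max_size=None):
    """Enumerate subsets of `keywords` from smallest to largest and return the
    minimal blocked combinations: a blocked set is reported only if none of
    its proper subsets was already found to be blocked."""
    prober = prober or Prober()
    keywords = list(keywords)
    max_size = max_size or len(keywords)
    minimal = []
    for size in range(1, max_size + 1):
        for combo in combinations(keywords, size):
            candidate = frozenset(combo)
            # A superset of a known blocked set tells us nothing new; skip it
            # and save the probe.
            if any(known <= candidate for known in minimal):
                continue
            if not prober.is_delivered(combo):
                minimal.append(candidate)
    return minimal


if __name__ == "__main__":
    # Constructed test vocabulary: the three keywords from the post plus a
    # neutral control word (天气, "weather").
    vocab = ["中国大陆", "王全璋的妻子", "家属的打压", "天气"]
    p = Prober()
    for combo in find_minimal_censored_combinations(vocab, p):
        print("blocked only in combination:", sorted(combo))
    print("test messages sent:", p.probes)
```

Enumerating every subset grows exponentially with the vocabulary size, which is why experiments of this kind are seeded from keywords drawn from specific news stories rather than from an open dictionary; the `Prober` counter makes that cost visible for a given vocabulary.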

Our report serves as a reminder that for a large portion of the world, social media act as gatekeepers of what they can read, speak, and see. When they operate in a repressive environment like China, social media can end up surreptitiously preventing important political topics from being discussed.  Our finding that WeChat is now also systematically censoring images as well as text opens up the daunting prospect of multi-media censorship and surveillance on social media.

Taming the “Wild West” Commercial Spyware Market

Today, my colleague Sarah McKune and I co-authored an article, entitled “Who’s Watching Little Brother? A Checklist for Accountability in the Industry Behind Government Hacking.”  A blog post about the report can be found here, and the article is available in PDF here.

The report outlines a “checklist” for regulating the commercial spyware market.  As we have reported on numerous occasions as part of Citizen Lab’s research, there is ample evidence of growing abuses surrounding the commercial spyware market. In spite of the pledges made by some in the industry — that self-regulation works, that they are just following “local laws” — we have shown how companies like Finfisher, Hacking Team, and NSO Group supply their products and services to governments that use them to target journalists, human rights defenders, and even anti-obesity activists. We have tracked the proliferation of some of these services to some of the world’s most autocratic regimes.  It is obvious that these abuses are going to grow unless something is done to mitigate these trends.

Unfortunately, debate until now about what to do about these abuses has been framed as a binary choice between export controls and an unregulated wild west.  In our article, we develop instead a checklist for a “web of constraints” around the industry that involves multiple strategies and different mechanisms, including application of existing laws.  We hope that this checklist provides a helpful roadmap for policymakers and others who want to do something about the excesses of this industry, and we look forward to feedback.

Read the article here: https://citizenlab.org/wp-content/uploads/2017/03/citizenlab_whos-watching-little-brother.pdf [PDF]


Mexico, NSO Group, and the Soda Tax

I am pleased to announce a new Citizen Lab report, entitled “Bitter Sweet: Supporters of Mexico’s Soda Tax Targeted With NSO Exploit Links,” authored by John Scott-Railton, Bill Marczak, Claudio Guarnieri, and Masashi Crete-Nishihata.

The full report is here:  https://citizenlab.org/2017/02/bittersweet-nso-mexico-spyware/

New York Times has an exclusive here: https://www.nytimes.com/2017/02/11/technology/hack-mexico-soda-tax-advocates.html

In recent years, the research of the Citizen Lab and others has revealed numerous disturbing cases involving the abuse of commercial spyware: sophisticated products and services ostensibly restricted in their sales to government clients and used solely for legitimate law enforcement.

Contrary to what companies like Hacking Team, Gamma Group, NSO Group and others claim about proper industry self regulation, we have repeatedly uncovered examples where governments have used these powerfully invasive tools to target human rights defenders, journalists, and legitimate political opposition.

To this list, we can now add research scientists and health advocates.

The “Bitter Sweet” case has its origins in a prior Citizen Lab investigation — our Million Dollar Dissident report, in which we found that a UAE-based human rights defender, Ahmed Mansoor, was targeted by UAE authorities using the sophisticated “Pegasus” spyware suite, sold by Israeli cyber warfare company, NSO Group.

As part of that report, we published technical indicators — essentially digital signatures associated with the NSO Group’s infrastructure and operations — and encouraged others to use them to find evidence of more targeting.  When we published our report in August 2016, we knew there was at least one Mexican targeted — a journalist — and so suspected there might be some targeting there.

Shortly after the publication of our report, Citizen Lab was contacted by Access Now, which had received a request for assistance on its digital helpline from two Mexican NGOs working on digital rights and security, R3D and SocialTIC.  Together, we worked to track down suspicious messages received by Mexicans, which led us to the Bitter Sweet case.

The title of our report refers to the fact that all of those whom we found targeted in this campaign were involved in a very high-profile “soda tax” campaign in Mexico. A soda tax is part of an anti-obesity effort that adds taxes to lower consumption of sugary drinks and sodas.  Although many in Mexico are behind the campaign, some in the beverage industry and their stakeholders are obviously not.

In the midst of controversy around the soda tax campaign, at least three prominent research scientists and health advocates received similar (in some cases, identical) suspicious SMS messages that included telltale signs of NSO Group’s attack infrastructure. Had any of them clicked on the links, their iPhones would have been silently compromised, allowing the perpetrators to listen in on their calls, read their emails and messages, turn on their camera, and track their movements — all without their knowledge.

What is most remarkable about the targeting are the steps the perpetrators took to try to trick the scientists and advocates into clicking on the links.  For example, one of the targets, Dr. Simon Barquera, a well-respected researcher at the Mexican Government’s Instituto Nacional de Salud Pública, received a series of increasingly inflammatory messages.  The first SMSs concerned fake legal cases in which the scientist was supposedly involved.  Those following got more personal: a funeral, allegations his wife was having an affair (with links to alleged photos), and then, most shocking, that his daughter, who was named in the SMS, had been in an accident, was in grave condition, and that Dr. Barquera should click a link to see which hospital emergency room she had been admitted to.

While we can’t attribute this campaign to a particular company or government agency, it is obvious those behind the targeting have a stake in getting rid of the soda tax, and that points to the beverage industry and their investors and backers in the Mexican government. It is important to point out that Mexico is on record purchasing NSO Group’s services, and NSO Group itself asserts it only sells to legitimate government representatives.  But clearly NSO’s “lawful intercept” services are not being used in Mexico to fight crime or hunt terrorists, unless those who are advocating against obesity are considered criminal terrorists. We feel strongly that both the Mexican and the Israeli governments (the latter approves exports of NSO products) should undertake urgent investigations.

Finally, our report shows the value of careful documentation of suspicious incidents, and ongoing engagement between researchers, civil society organizations, and those who are targeted by malicious actors who wish to do harm.  The epidemic of targeted digital attacks facing civil society will require an all-of-society defence.  The cooperation shown on this investigation by Citizen Lab researchers, Access, R3D, and SocialTIC is a model of how it can be done.