Hello. It looks like you’re using an ad blocker that may prevent our website from working properly. To receive the best Tortoise experience possible, please make sure any blockers are switched off and refresh the page.

If you have any questions or need help, let us know at memberhelp@tortoisemedia.com

Tech States Sensemaker

Huge spyware leak raises questions for Big Tech

Wednesday 21 July 2021

Recent leaked data revealing the widespread use of the NSO Group’s controversial Pegasus spyware raises serious questions for the tech states – and their role in the cyber-surveillance ecosystem


Here’s what you need to know this week: 

  • State affairs: The NSO leak asked serious questions of the tech states

State by state:

  • Facebook disbanded CrowdTangle in a blow for data transparency
  • Tencent obtained a patent for the inheritance of digital items
  • Google’s Sundar Pichai sidestepped questions about tax avoidance
  • Amazon’s Jeff Bezos blasted into space – at a PR cost
  • Apple prepared to launch a “buy now, pay later” service to rival Klarna
  • Microsoft found itself at the centre of a geopolitical cyber-storm

State affairs: Huge spyware leak raises questions for Big Tech

What is a phone? Is it the ultimate consumer accessory: an always-within-reach tool that connects, records and organises our lives? Or is it a surveillance device? That’s the question posed by a huge leak of 50,0000 phone numbers belonging to those marked by Israeli spyware firm NSO Group as “people of interest”.

NSO’s Pegasus spyware can penetrate even the most secure phone, copying its messages, harvesting its photos and recording its calls. An infected phone’s camera can even be used to record its owner. Unsurprisingly, Pegasus is only supposed to be used for criminal and national security investigations. 

But investigative journalists and activist groups with access to the leaked numbers have shown that NSO’s clients use the tech for more nefarious purposes. On the list of potential targets are hundreds of business executives, religious figures, academics, NGO employees and high-level government officials – not to mention fellow journalists and editors. 

This is a global story that will run and run. For this newsletter’s purposes, the leak raises questions about the tech states’ role in the opaque ecosystem of cyber-spying, and whether they are doing enough to protect us.  

  • Is Apple secure? The Cupertino company has long boasted that it operates “the most secure consumer platform in the world”. But technical research by Amnesty International, which had access to the Pegasus data, suggests that the NSO tool can penetrate even the most up-to-date iPhone. Even more worryingly, Apple’s “self-assured hubris” around security might be preventing it from dealing with the problem, according to Patrick Wardle, a former NSA employee and security developer. 
  • Did Amazon do due diligence? AWS, Amazon’s cloud-computing division, shut down infrastructure and email accounts linked to NSO on Monday after the stories started breaking. NSO had switched to using AWS services “in recent months”, Amnesty said. But what checks did Amazon carry out on NSO before offering its services? The involvement of AWS is more surprising because Saudi Arabia may have used NSO spyware to hack Jeff Bezos’s phone in 2020. 
  • Does this support Facebook’s stance on encryption? On Sunday, Will Cathcart, the head of Whatsapp at Facebook, called the Pegasus stories “a wake-up call for security on the internet”. The revelations explained why WhatsApp “continue(s) to defend end-to-end encryption so tirelessly”. The alternative – “deliberately weakening security” – would have “terrifying consequences for all of us,” he said. 

Is Cathcart correct? Do the Pegasus leaks show us the value of end-to-end encryption? One person close to the NSO investigation thinks not. “He’s completely wrong,” they told us. “End-to-end encryption protects communications in transit. In fact, the proliferation of end-to-end encryption post [Edward] Snowden is what created the market for companies that can bypass that by going straight to the device.”
In other words: Cathcart is conflating two different ideas: device security and communication security. NSO’s answer to increased communication encryption “was to bypass encryption by hacking devices.” If anything, Facebook’s stance on this issue has made matters worse.


Apple: Finance

Apple is not thought of as a fintech company but it’s increasingly behaving like one. The iPhone maker is leveraging its popular Apple Pay service to launch a “buy now, pay later” option, rivalling similar services from PayPal and Klarna. The new service, known internally as Apple Pay Later, will be available to anyone with an iPhone and not just users of Apple’s Goldman-Sachs backed credit card. That’s a lot of reach: Apple Pay is already accepted at 85 per cent of all US retailers (shares in BNPL rivals dropped accordingly). It’s not the only way Apple is using finance to solidify its walled garden: last year it acquired technology to allow phones to receive payments by tapping another phone or credit card on its back. 


Microsoft: Cyber-warfare

Microsoft is at the centre of a geopolitical cyber storm after the US publicly accused China of perpetrating a massive hack through the tech state’s Exchange system. Australia, Canada, New Zealand, Japan and Nato also blamed the breach on China’s Ministry of State Security. What was noticeable, however, was the absence of any punitive measures, such as sanctions or diplomatic expulsions by the US. That stands in contrast to Biden’s recent punishment of Russia for cyberattacks such as SolarWinds. Analysts including Dmitri Alperovitch have accused the US of operating a double standard. 


Amazon: Space exploration

Jeff Bezos was blasted into space on Tuesday – a moment of celebration for the entrepreneur who had dreamed of this moment since he was five years old – but a source of PR tension for his company, Amazon. A billionaire jetting off on a rocketship for ten minutes contrasts uncomfortably with the everyday working conditions of Amazon employees, who despite relatively high wages have to stand on their feet for ten hours at a time or – in the case of some delivery drivers – urinate in bottles. Andy Levin, a US representative from Michigan, summed up the mood of Amazon critics with an appeal for workers’ dignity over Bezos’ wealth. But you can be sure this won’t deter the man himself, who wants to move all polluting industries to other planets and make Earth purely “residential”. 


Facebook: Transparent government

Accountability is a huge issue for social media platforms. And yet big tech companies are increasingly removing tools that promote data transparency. First – and this is a particular bugbear for investigative journalists – Facebook scrapped its graph search feature which enabled advanced searches for posts across the platform. Now the tech state has disbanded CrowdTangle, an internally-owned data analytics tool which analysed Facebook trends. Uncomfortably for Facebook, CrowdTangle had revealed the huge popularity of right-wing commentators like Ben Shapiro – and showed that they were getting more engagement on the platform than mainstream news outlets. Some within the company must have thought: this has to go. 


Google: Tax avoidance

AI is the most profound technology that humanity will ever develop and work on. That’s what Sundar Pichai, Alphabet’s CEO, told BBC presenter Amol Rajan, in a fascinating interview last week. Pichai is more comfortable looking forward to the sunny uplands of AI than looking back on Google’s previous transgressions. On tax for instance, he said Google paid most of its tax in the US, where its products are developed; but failed to mention the company’s use of controversial tax structures like the Double Irish and the Dutch Sandwich, which allowed it to avoid billions in non-US taxes by funnelling profits into Bermuda. 


Tencent: Death duties

What happens if you spend hours playing an online video game, amass a huge number of virtual assets, and then….die? Tencent might have the answer. The Chinese tech state has obtained a patent for the inheritance of digital items. It’s not as niche a concept as you think. Apple recently announced a digital legacy service that lets users assign an administrator to access digital data after death. Tencent’s patent is similar, but allows a direct transfer of digital items if previously set out in a will, and applies both to video game assets and other virtual items. With NFTs – non-fungible tokens – now selling for millions of dollars, the concept of a digital inheritance has suddenly become deadly serious. 

Alexi Mostrous
@AlexiMostrous

Luke Gbedemah
@LukeGbedemah