29 January 2020

The Bezos Hack and the Dangers of Spyware in the Hands of Autocrats

Candace Rondeaux 

The stunning allegation this week that Saudi Crown Prince Mohammed bin Salman hacked the phone of Amazon’s Jeff Bezos, according to a report by United Nations investigators, may come as a shock to some. But for most people tracking the rise of Saudi Arabia’s de facto ruler over the past five years, it’s business as usual. From his disastrous proxy war in Yemen to the killing of Washington Post journalist Jamal Khashoggi in the Saudi consulate in Istanbul in 2018, the young crown prince, known as MBS, has demonstrated time and again his hubristic belief that there are no limits to his power.

What is more shocking is that anyone truly believes that another investigation into Saudi malfeasance will curb the use of spyware by autocratic governments against their perceived critics at home and abroad. To be sure, for the sake of accountability, the FBI should heed the call by U.N. experts Agnes Callamard and David Kaye to open an investigation into how the heir to the Saudi kingdom apparently used Israeli-made spyware to breach the personal phone of the world’s richest man, who owns a leading American newspaper and runs one of the world’s most valuable publicly traded companies. But in the grand scheme of things, investigating the hack of Bezos’ phone might not make all that much difference in preventing these kinds of abuses.


Instead, the best defense against dangerous surveillance technology is to treat the spyware that MBS deployed against Bezos the same way that the U.N., the United States and others deal with weapons of mass destruction: regulate it as much as possible and insist on more global oversight.

Since rising to power in 2015, first as Saudi Arabia’s defense minister and soon after as crown prince, MBS has worked assiduously to burnish his strongman credentials by waging an aggressive information war against his critics and perceived adversaries inside and outside the kingdom. Yet President Donald Trump’s White House has repeatedly bent over backward to shield MBS from censure despite multiple instances of his involvement in well-documented human rights abuses, most notoriously Khashoggi’s murder.

Of course, such deference to Saudi Arabia predates Trump in Washington, which will no doubt remain in thrall to the false god of foreign policy expedience that rewards the likes of MBS with sweetheart defense deals and White House visits, all in the name of stability and security in the Middle East. While Congress has taken the rare step of criticizing MBS and trying to punish Saudi Arabia’s behavior, both over Khashoggi’s killing and the war in Yemen, it has shown little to no capacity or will to rein in tech firms whose spyware MBS has used to stifle dissent.

Firms like the NSO Group, the maker of the Pegasus spyware that MBS reportedly deployed against Bezos and Saudi dissidents, already profit handsomely from the insatiable appetite of autocrats, oligarchs and powerful tycoons to target their critics and perceived adversaries. This devil’s bargain extends around the world. In 2018, it was revealed that Black Cube, the same Israeli private security firm that disgraced Hollywood mogul Harvey Weinstein hired to intimidate and harass his #MeToo accusers, tried to target Obama administration officials in a phishing campaign designed to discredit them and the Iran nuclear deal.

The best defense against dangerous surveillance technology is to treat it like weapons of mass destruction: regulate it as much as possible and insist on more global oversight.

Yet no serious action has been taken by legislators in Washington to constrain firms like the NSO Group and Black Cube from targeting U.S. citizens, residents and firms that otherwise enjoy privacy protections under U.S. law. Congress has remained all but silent, in fact, about the role of Israel and Saudi Arabia—America’s two most important Middle Eastern allies—in deploying tech to stifle the media, target critics and snuff out honest democratic debate.

In Israel, defense tech exports are generally governed by a 2007 national law designed to prevent the sale of weapons to governments implicated in committing atrocities and under U.N. arms embargo. But application of the law seems selective at best, to put it charitably, and the country has a long history of selling military hardware to regimes with questionable human rights records—although Israel is by no means unique in that regard. Meanwhile, Saudi Arabia has recently become one of the world’s leading importers of arms and military technology, according to the Stockholm International Peace Research Institute.

Given the impact on global security, what can be done about these state-sponsored attacks on private citizens and companies? In a novel bid, Amnesty International has tried to push Israeli courts to revoke the export control license for NSO Group’s spyware. Meanwhile, a separate lawsuit brought by Facebook against the Israeli tech firm hint at how legal tactics might pave the way for more strategic restrictions on dual-use technology that aids in deploying weaponized narratives. In August 2018, Amnesty International released a 20-page report detailing how the Saudi government used NSO Group’s Pegasus spyware to tap into the WhatsApp account of an Amnesty staffer working to track human rights developments in Saudi Arabia. A little less than a year later, Amnesty’s Israeli chapter filed a lawsuit calling for the Israeli government to bar NSO Group from selling Pegasus outside Israel. Soon after, WhatsApp and its parent company, Facebook, filed a lawsuit that alleged the NSO Group helped foreign governments hack and monitor around 1,400 WhatsApp users in 20 different countries, among them journalists, diplomats, dissidents and human rights activists. The NSO Group, which was founded by veteran Israeli intelligence agents, has denied the charges and has vowed to vigorously defend its interests in court.

It remains to be seen whether U.S. federal anti-hacking laws are sufficient to the task of constraining and deterring other spyware companies in the future. In an ideal world, the legal action against the NSO Group would at a minimum encourage the company’s leadership to rethink its international sales and marketing strategy. The lawsuits might also serve as a warning to other tech firms hoping to cash in from autocrats like MBS.

At the more strategic level, though, what is really needed is upgrading existing international protocols in a way that prevents the likes of MBS from deploying surveillance tech against ordinary citizens, the media and human rights defenders. Dozens of countries signed on to such an approach in 2013. when they added new surveillance and intelligence-gathering tools, as well as IP network surveillance systems and equipment, to the category of restricted dual-use goods that fall under the oversight regime of the Wassenaar Arrangement, a non-binding multilateral set of guidelines that calls for export controls on conventional arms and new technologies.

But even those steps may not be enough, as the University of Toronto’s Citizen Lab has also pointed out. The United States, the European Union and other governments interested in defending democracy are going have to move aggressively in the next few years to pass legislation that gives citizens, firms and organizations targeted by state-sponsored information warfare a path to legal redress for breaches of privacy and defamation. The failure to legislate solutions leaves any protections to the whim of the tech industry.

Ironically, better oversight could be good news for white hat tech firms looking to expand their market share and edge out Facebook by enhancing the public’s ability to even the playing field against malign actors. Tech firms like Facebook that are already struggling to convince their shareholders and the public that they can act with integrity ought to take more serious steps to show more leadership against interlopers like MBS. Otherwise, big tech should be prepared for the day when the public backlash against spyware-wielding autocrats becomes too costly for their shareholders to bear and market reality ultimately bites.

No comments: