Privacy issues loom. Civil liberties advocates fear that virus tracking efforts could open the door to the kind of ubiquitous government surveillance efforts they have fought for decades. Some are alarmed by the potential role of spyware firms, arguing their involvement could undermine the public trust governments need to restrain the spread of the virus.

“This public health crisis needs a public health solution – not the interjection of for-profit surveillance companies looking to exploit this crisis,” said Edin Omanovic, advocacy director for the UK-based civil liberties group Privacy International.

Claudio Guarnieri, a technologist with the human rights organization Amnesty International, said any new surveillance powers embraced by states to combat the virus should be met with “high scrutiny.”

“New systems of control, from location tracking to contact tracing, all raise different concerns on necessity and proportionality,” said Guarnieri.

Cellebrite, for one, said it requires “agencies that use our solutions to uphold the standards of international human rights law.”

Government officials have sought to address such concerns by pointing to the unprecedented nature of the crisis. COVID-19, the respiratory disease caused by the new coronavirus, has so far infected more than 3 million people worldwide, killing over 210,000.

In South Africa, for example, after the government last month announced it would use telecom data to track the movements of citizens infected with COVID-19, a communications minister acknowledged concerns about loss of privacy.

“We do respect that everyone has a right to privacy, but in a situation like this our individual rights do not supersede the country’s rights,” Stella Ndabeni-Abrahams, the communications minister, said at a press conference for South Africa’s COVID-19 command council this month.

The South African Health Ministry declined to comment on details of the program and whether it had contracted with any of the intelligence firms.

A number of countries are developing and deploying COVID-19 contact-tracing apps that do not rely on location data. Instead, these apps, already in use in Singapore, India and Colombia, tap the smartphone connectivity technology Bluetooth to sense and record when other devices are nearby. When someone tests positive for coronavirus, typically, everyone that person made contact with is notified.

Christophe Fraser, an epidemiologist at Oxford University’s Big Data Institute, said this approach, if implemented properly, could save lives and shorten lockdowns. “The idea is to try and maximize social distancing practices of those at risk of infection and minimize the impact on all the other people,” he said.

This app-based approach to contact tracing is considered, by its advocates, as more privacy friendly because people voluntarily download the app and sensitive personal data are visible only to health authorities. This method of containing the disease is the focus of a rare collaboration between Apple Inc and Alphabet Inc’s Google to quickly deploy the Bluetooth-based technology for use in the United States and elsewhere. But the approach relies on widespread adoption of the apps, and its accuracy remains unproven.

Apple says its plan is designed to “help amplify the efforts of the public health authorities” and that “many factors will help flatten [infection] curves — no one believes this is the only one.” A Google spokesman referred to a prior statement, which said “each user will have to make an explicit choice to turn on the technology.”

By contrast, deploying a mass surveillance platform like Intellexa’s means everyone would be under collection right away; no one needs to opt in, nor could anyone opt out. Such a setup can be done remotely in a matter of weeks, said an executive at NSO Group, which is also offering its wares to fight the coronavirus.

Public Health Spy Tech

The surging spyware business is estimated by research firm MarketsandMarkets to be worth $3.6 billion this year.

But the industry has been dogged by legal and ethical concerns. Human rights groups have accused some companies of helping undemocratic governments target dissidents and activists. The companies say they help governments prevent terrorism and capture criminals.

Last year, for example, Facebook’s WhatsApp unit accused NSO Group of helping governments hack 1,400 targets that included activists, journalists, diplomats and state officials. NSO denies the allegations, saying it only provides the technology to government agencies under strict controls and is not involved in operations.

Intellexa’s Dilian fled Cyprus last year after an arrest warrant was issued for him, on accusations that he used a surveillance van to illegally intercept communications in the country. Dilian denies the allegations, returned to Cyprus last month and said he is cooperating with authorities. A Cypriot police spokesman told Reuters the investigation is active.

Now, industry executives, investors and analysts say the coronavirus crisis offers intelligence firms the possibility of billions of dollars in business, while burnishing their reputations.

India is among the courted countries. In April, New York-based Verint Systems asked Indian officials to pay $5 million for a year’s subscription to a host of services designed to track and surveil people with coronavirus. Those included a cellphone tower geolocation platform and a program to monitor social media activity, according to documents seen by Reuters and a person with knowledge of the negotiations. No sale has yet been agreed in India, the source said.

A Verint spokesman declined to answer questions, instead referring to an April 16 press release which said unspecified products were being used by an unnamed country to help respond to COVID-19. India’s Ministry of Interior said it had not purchased a system from Verint.

NSO Group and Intellexa are also both pitching COVID-19 tracking platforms to countries across Asia, Latin America and Europe. Their technology could allow a government to track the movement of nearly every person in the country who carries a cellphone, sucking up a continuous trove of location data. Installed within telecom providers, the technology functions through the analysis of call records, said NSO and Intellexa executives.

When a person tests positive, the systems would allow authorities to input the result, tracking those who made contact with the patient in the past few weeks. Those exposed would receive a text message encouraging them to get tested or self-isolate. NSO said the system’s administrators would not see the identity of individuals.

Revelations in 2013 that the U.S. National Security Agency had collected this kind of mobile phone data about Americans to track national security threats created a storm of controversy and fueled new restrictions on surveillance.

Suzanne Spaulding, a former U.S. intelligence community lawyer and senior Homeland Security official, described this potential COVID-19 tracking approach as “among the most privacy-invasive.” That’s because it “envisions all of the data about everyone’s movements, not just infected individuals and their known contacts, going to the government.”

South Korea, Pakistan, Ecuador and South Africa have all indicated in public statements they were rolling out contact tracing systems using telecom data to track infected citizens, though the details haven’t been released.

South Korean officials say any loss of privacy from surveillance must be weighed against the disastrous economic consequences caused from a long-term shutdown.

“It is also a restriction of freedom when you ban free movement of people in crisis,” Jung Seung-soo, a deputy director at the Ministry of Land, Infrastructure and Transport, told Reuters. The country is not using outside surveillance vendors, the official said.

Intellexa is in the process of installing its system in two Western European countries, Dilian said. He declined to name them.

In an interview with Reuters, NSO employees responsible for the product said the company is piloting the approach in 10 countries in Asia, the Middle East and Latin America, but declined to name them.

Three other Israeli companies, Rayzone Group, Cobwebs Technologies and Patternz, are offering countries coronavirus tracking capabilities. These largely rely on location data gathered from mobile advertising platforms, according to company promotional documents reviewed by Reuters and people familiar with the companies.

Rayzone Group declined to comment. Requests for comment to Patternz went unanswered. Omri Timianker, president and co-founder of Cobwebs Technologies, said his company is working with five governments to help track the spread of the virus, but declined to identify them.

While some experts say advertising data isn’t precise enough to combat the spread of COVID-19, the documents reviewed by Reuters suggest the three firms are marketing technology which they contend can ingest and process advertising data into a form that’s useful for narrowly tracking individuals.

Intellexa’s Dilian said his company’s platform will cost between $9 million and $16 million for countries with large populations. He believes COVID-19 tracking will be just the beginning. Once the pandemic ends, he hopes countries that invested in his mass surveillance tool will adapt it for espionage and security. “We want to enable them to upgrade,” he said.

WhatsApp said it was suing NSO Group over helping unnamed entities hack into phones of roughly 1,400 users.

The Narendra Modi government on Thursday sought a detailed response from WhatsApp over the issue of an Israeli spyware allegedly being used to target Indian journalists and human rights activists through its platform.

WhatsApp has been asked to submit a reply by November 4.

The IT ministry has written to WhatsApp seeking its response on the matter, a senior government official told news agency PTI.

A separate statement from the Ministry of Home Affairs said that media reports that have attempted to malign the government as being responsible for the breach are “completely misleading”. It also added that the Centre would take action against any intermediary for breach of privacy, in an indirect jab at WhatsApp.

On Thursday, Facebook-owned WhatsApp said Indian journalists and human rights activists were among those globally spied upon by unnamed entities using spyware made by an Israel surveillance firm called the NSO Group. 

The Wire’s own reportage indicates that at least 10 lawyers and activists have been potentially affected.

Earlier this week, WhatsApp said it was suing NSO Group over helping unnamed entities hack into phones of roughly 1,400 users. These users span across four continents and included diplomats, political dissidents, journalists and senior government officials.

Is the Narendra Modi government’s response correct? What other aspects of this controversy should we consider? The Wire breaks it down.

Who used it to spy on Indian activists, lawyers and journalists?

This is a tricky question. WhatsApp’s lawsuit lashes out at both the NSO Group and its clients, which allegedly include government agencies around the world as well as private customers.

“Defendants’ clients include, but are not limited to, government agencies in the Kingdom of Bahrain, the United Arab Emirates, and Mexico as well as private entities,” the company’s lawsuit notes.

On its part, the NSO Group’s defence has consistently revolved around two claims. First, that the company doesn’t use its own snooping technology to target any subject. And two, that it sells its software to only government agencies; i.e, it does not have any private customers.

Who, then, would be using Israeli spyware to spy on Indian targets? Bear in mind that a significant chunk of the potential victims appear to be activists or lawyers associated with the Bhima Koregaon controversy.

The Narendra Modi government has tip-toed around this issue quite carefully: both the MHA and IT minister’s statements merely say that the Centre operates strictly as per the provisions of the law and follows established protocols of interception.

“Govt agencies have a well established protocol for interception, which includes sanction and supervision from highly ranked officials in central & state governments, for clear stated reasons in national interest,” IT minister Ravi Shankar Prasad has said.

Government of India is concerned at the breach of privacy of citizens of India on the messaging platform Whatsapp. We have asked Whatsapp to explain the kind of breach and what it is doing to safeguard the privacy of millions of Indian citizens. 1/4 pic.twitter.com/YI9Fg1fWro

— Ravi Shankar Prasad (@rsprasad) October 31, 2019

The price of the NSO Group’s software isn’t cheap: Fast Company reported last year that the company charges its customers $650,000 (Rs 4.61 crore at current exchange rate) to hack 10 devices, in addition to an installation fee of $500,000 (Rs 3.55 crore).

Therefore, the first big question is who used the spyware to target Indian activists, journalists and lawyers? Merely asking for WhatsApp for information it has already disclosed publicly will not get the Indian government anywhere.

The government’s first course of action should be to declare that it is not a client of the NSO Group, which shouldn’t be a problem considering it says follows the law, and then order a probe into the matter.

Was the Pegasus spyware successful in its mission?

The NSO Group’s flagship product is called ‘Pegasus’ and is a form of spyware. The second most important question here is what kind of data was taken or snooped upon from the roughly two-dozen Indians who were targeted. We are in the dark here, primarily because WhatsApp hasn’t disclosed a whole lot of information.

In its message to the potentially affected, WhatsApp has been vague. It merely says that there is a possibility that “this phone number was impacted” and advises users to update the WhatsApp application.

If the affected updated their app quickly, it’s possible that only a  limited amount of data was impacted. Conversely, if this wasn’t done, then it’s likely that the spyware could have had a severely harmful effect.

The most curious actor in this entire sequence of events is a research organisation called ‘The Citizen Lab’, which works out of the University of Toronto. This lab has worked with WhatsApp to not only examine the effects of Pegasus, but also appears to have gone one step further and reached out to help potential victims across the world.

According to The Wire’s reportage, Citizen Lab has reportedly made a series of allegations in its conversations with those affected in India. These include claims that a massive amount of data could have been impacted by the attack and that it was likely carried out by the Indian government.

Are Citizen Lab’s claims endorsed by WhatsApp? This could take us down an interesting rabbit-hole, because it’s possible that both WhatsApp and Citizen Lab have more information on who exactly was using the NSO Group’s spyware in India. Or at least enough information to help an investigation come to a conclusion. 

Is it in WhatsApp’s best interest to disclose this information though, considering it has business interests in India?

What should concerned Indian citizens be doing?

As the Internet Freedom Foundation has noted, there is no existing Indian law that allow the installation of spyware or hacking mobile devices.

Hacking of computer resources, including mobile phones and apps, as noted, is a criminal offence under the Information Technology Act, 2000.

This controversy therefore shows there is an urgent need for surveillance reform that protects Indians against the use of malware, spyware and the creation of vulnerabilities in technologies which offer privacy protection by design. 

“We call on the Government to stand by democratic commitments and reject the use of spyware in their pursuit of social objectives of policing and security. Legislative measures must be introduced in Parliament to uphold the 9 judge bench decision of the Supreme Court of India recognising privacy as a fundamental right. The use of legal or technical means to access data and intercept communications in India must be authorised only in emergency situations, under judicial control and oversight, and with other protections to safeguard our citizens,” the IFF has noted.

India’s political parties across the spectrum should push for these legal safeguards, a process that can be kick-started if enough people ask for them.

Article first published on The Wire.