Why are so many people hacked by government spyware?

For more than a decade, government spyware makers have defended themselves against criticism by saying that their surveillance technology is intended to be used only against serious criminals and terrorists, and only in limited cases.

However, evidence collected from dozens, if not hundreds of documented cases of spyware abuse around the world, shows that none of these arguments are valid.

Journalists, human rights activists and politicians have been repeatedly targeted in both repressive regimes and democratic countries. The most recent example is a political consultant working for left-wing politicians in Italy, who emerged as a recently confirmed victim of the country’s Paragon spy program.

This latest case shows that spyware is spreading beyond what we typically consider to be “infrequent” or “limited” attacks targeting just a few people at a time.

“I think there is some misunderstanding at the heart of the stories about who is being targeted by this kind of government spyware, which is that if you are being targeted, you are public enemy number one,” Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, who has studied spyware for years, told TechCrunch.

“In fact, given the ease of targeting, we have seen governments use malicious surveillance software to spy on a wide range of people, including political dissidents, activists, and relatively junior journalists,” Galperin said.

There are many reasons why spyware often ends up on the devices of people who, in theory, should not be targeted.

The first explanation lies in the way spyware systems work. Generally, when an intelligence or law enforcement agency purchases spyware from a surveillance vendor — such as NSO Group, Paragon, and others — the government customer pays a one-time fee to acquire the technology, then discounts additional fees for future software updates and technical support.

The upfront fee is usually based on the number of targets the government agency can spy on at any given time. The higher the number of targets, the higher the price. Previously leaked documents from the now-defunct Hacking Team show that some police and government agents can target anywhere from a handful of people to an unlimited number of devices at once.

While some democratic countries typically have a smaller number of targets they can monitor at once, it was not uncommon to see countries with questionable human rights records have a very large number of simultaneous spyware targets.

Giving such a large number of simultaneous targets to countries with such a strong desire for surveillance ensures that governments will target a much larger number of people beyond just criminals and terrorists.

Morocco, the UAE (twice) and Saudi Arabia (several times) have been caught targeting journalists and activists over the years. Security researcher Rona Sandvik, who works with activists and journalists at risk of being hacked, curates an ever-growing list of spyware misuse cases around the world.

Another reason the number of breaches has been on the rise, especially in recent years, is that spyware — like NSO’s Pegasus or Paragon’s Graphite — makes it extremely easy for government agents to successfully target anyone they want. In practice, these systems are essentially consoles where police or government officials type in the phone number, and the rest happens in the background.

Government spyware carries “significant temptations for abuse” for government agents, said John Scott-Railton, a senior researcher at The Citizen Lab who has investigated spyware companies and their abuses for a decade.

Scott-Railton said spyware “needs to be treated as a threat to democracy and elections.”

A general lack of transparency and accountability has also contributed to governments brazenly using this sophisticated surveillance technology without fear of repercussions.

“The fact that we saw relatively small fish being targeted is particularly concerning because it reflects the relative impunity the government feels in deploying this exceptionally invasive spyware against opponents,” Galperin told TechCrunch.

When it comes to victims getting accountability, there is some good news.

Paragon publicly severed ties with the Italian government earlier this year, arguing that the country’s authorities had refused to help the company investigate alleged violations related to its spyware.

NSO Group previously revealed in court that it had disconnected 10 government customers in recent years over misuse of its spyware technology, although it declined to identify the countries. It is unclear whether these include the Mexican government or Saudi Arabia, where there are countless documented cases of abuse.

On the customer side, countries such as Greece and Poland have launched investigations into spyware breaches. During the Biden administration, the United States targeted some spyware makers such as Cytrox, Intellexa, and NSO Group by imposing sanctions on the companies – and their executives – and placing them on economic embargo lists. A group of Western countries led by the United Kingdom and France are also trying to use diplomacy to curb the spyware market.

It remains to be seen whether any of these efforts will in any way curb or limit what has now become a multi-billion dollar global market, where companies are more than happy to supply advanced spyware to governments with a seemingly endless appetite to spy on almost everyone they want.