ISS World: The surveillance industry convenes in Prague

The sale of spyware to authoritarian governments, illegal exports, and business practices on the fringes of legality are the unifying elements among some ISS sponsors. (Source: IMAGO / agefotostock)

Lawsuits from Facebook and Apple for spying on their users, trade sanctions imposed by the U.S. government for spying on journalists and activists – to call the image of Israeli company NSO Group “tarnished” would be a major understatement. Apple called the company’s employees “amoral mercenaries” in the lawsuit. Nevertheless, the company is currently acting as the main sponsor of one of the largest surveillance trade fairs in the world. In addition to NSO, the sponsor and guest list also includes other providers of electronic surveillance technology that have already made the headlines for violating the law.

The trade fair will be held Dec. 7-9 in Prague. Organizer TeleStrategies describes it as “the world’s largest gathering of Regional Law Enforcement, Intelligence and Homeland Security Analysts, Telecoms as well as Financial Crime Investigators responsible for Cyber Crime Investigation, Electronic Surveillance and Intelligence Gathering.”

The agenda includes presentations and workshops by security researchers, law enforcement and surveillance technology vendors. Many presentations are open only to law enforcement and government agencies and are designed to introduce officials to the products and services offered by the 120 exhibitors. Some of the overarching themes: “Lawful Wiretapping,” “Social Network Surveillance,” and “Investigating DarkWeb, Bitcoin, Altcoin and Blockchain Transactions.”

United against fundamental rights

The industry meeting is not only controversial because of its main sponsor, NSO. The other sponsors also include controversial companies such as FinFisher, Candiru and Voyager Labs. Apart from the fact that they are industry giants, they share accusations of violating fundamental and human rights or export laws.

The companies’ customer lists include authoritarian countries such as Saudi Arabia and Thailand, but also EU states such as Germany. Intelligence agencies and security authorities around the world use the products not only for law enforcement, but also to investigate and monitor journalists, opposition figures, politicians and activists.

NSO Group

NSO Group is currently in the spotlight like no other company in the industry. Its Pegasus software has been used, among other things, to monitor activists and journalists from Hungary, Bahrain, Mexico and many other countries without being noticed. A list of 50,000 potential spying targets for Pegasus that became public in July included high-ranking politicians and even heads of state from around the world, in addition to numerous opposition figures and media figures. As became known last weekend, employees of the US State Department were also spied on.

On the ISS World website, the company profile sounds much more innocuous: NSO offers a “portfolio of high-value operational and analytical tools” to “detect and prevent crime and terror and maintain national security.” At the show, NSO is giving a seminar called “A New Era: Strategic Drone Strikes.” NSO offers “Eclipse,” a drone defense system designed to locate and take control of foreign drones.

At least the U.S. government has since drawn conclusions from the revelations and placed NSO on its sanctions list. The reason given was that NSO’s activities run counter to “the national security or foreign policy interests of the United States”. Without a special permit, US companies are thus prohibited from selling certain technologies to NSO.

The Federal Criminal Police Office (BKA), on the other hand, continues to be an NSO customer; it only purchased a modified version of Pegasus in the fall of 2020. According to its own information, the BKA had also coordinated the purchase of the spy software with the Federal Office for Information Security (BSI).

Another sponsor: Candiru

Along with NSO, Candiru, also from Israel, landed on the U.S. sanctions list and is another ISS World sponsor. The company offers “High-value cyber intelligence technologies,” according to a description on the show website, and advertises, “Our product portfolio enables strategic extraction of valuable data points from target devices on all major operating systems.” The company named itself after a blood-drinking parasitic fish.

Candiru offers spyware for all major (mobile) operating systems. In 2020, the Israeli newspaper Haaretz reported on internal company documents that provided information about the products. According to them, programs like “Sherlock” can infiltrate PCs and Android phones unnoticed and extract data. Among other things, it should be possible to tap into the microphone and camera. The software is also said to be able to read information from social media accounts and apps.

Researchers at the Citizen Lab at the University of Toronto found Candiru’s programs on more than 750 fake websites. They were modeled after Internet presences of non-governmental organizations such as Amnesty International or Black Lives Matter. The fake sites mimicked the Internet presences of women’s rights organizations, activist groups, health organizations, and news media, and carried misleading labels such as “Amnesty Reports,” “Refugee International,” “Woman Studies,” “Euro News,” and “CNN 24-7.” When the websites were accessed, users’ systems were infected with Candiru’s spyware. The Guardian wrote at the time, “The findings suggest that a secretive and little-known company with a wide global reach could be helping governments hack and monitor people in civil society.”

Candiru sells its products only to government customers, which are said to include authorities in Uzbekistan, the United Arab Emirates and Saudi Arabia. Candiru software has been used to attack people in Israel, Spain, England, Iran, and other countries, according to a joint investigation by Microsoft and Citizen Lab. Among the more than 100 victims Microsoft identified were human rights activists, dissidents, journalists, politicians and embassy employees.

At the show, Candiru will give the seminar “Zero-Click Attacks: The Holy Grail”.

Fake Facebook accounts and mass surveillance

Other well-known names on the list of sponsors are Voyager Labs, FinFisher and Trovicor:

Voyager Labs rose to dubious notoriety in late November when internal documents from the Los Angeles Police Department (LAPD) proved a collaboration with the company. The Voyager Labs software tested by the agency can monitor social media accounts unnoticed and even claims to be able to predict which people might commit a crime in the future.

However, the program does not only scan suspects, but also their contacts. As a result, large numbers of bystanders are targeted and spied on.

According to the report by the Brennan Center for Justice, the spyware reacts particularly to common religious or Muslim topics and evaluates them as a general indicator of a willingness to use violence. Experts involved in the analysis of the documents doubted the reliability of the program and alleged discrimination and prejudice against certain groups.

The fact that the surveillance program also creates fake Facebook accounts for this purpose angered Facebook’s parent company Meta. Following the revelations, Meta wrote an open letter to LAPD chief Michel Moore and called on the agency to stop all activities on Facebook that involve the use of fake accounts, impersonating people and collecting data for surveillance purposes.

Export hit FinSpy

According to the company’s description, FinFisher helps “state law enforcement agencies and intelligence services to identify, locate and convict serious criminals”. The spy software “FinSpy” can be used, for example, to read out address books on smartphones, but also to record telephone conversations and chats. The company also produces the state Trojan for the German Federal Criminal Police Office. Since 2015, exports of surveillance software to countries outside the European Union have required a license, similar to arms exports. However, the software has repeatedly been found in countries outside the EU in the past. For example, the FinSpy software was used against Turkish opposition members in 2017. Security experts had found this during software analyses.

Organizations such as the Society for Civil Liberties, Reporters Without Borders and the European Center for Constitutional and Human Rights then filed a lawsuit against the CEOs in 2019. Since then, the Munich I public prosecutor’s office and the Customs Investigation Bureau have been investigating the Munich-based company and searched its offices in October 2020.

The company has repeatedly hit the headlines because its software has been used by authoritarian regimes against opposition figures in places such as Egypt under President Husni Mubarak and Bahrain.

“Enemy of the Internet”

Negative press coverage is also nothing new for the Munich-based company Trovicor, which specializes in telecommunications surveillance. Among other things, Trovicor has been accused in the past of maintaining surveillance centers in Bahrain that monitor and censor online communications. The organization Reporters Without Borders declared the company an “enemy of the Internet” in 2013. In 2015, Privacy International accused Trovicor of helping the Pakistani government build surveillance infrastructure.

The coverage peaked in 2015 when it was revealed that the Munich-based firm had played a central role in the expansion of government internet surveillance in Ethiopia.

At ISS World, Trovicor will present, among other things, the seminar “Advanced Analysis of Internet Mass Activity.” The company touts having “more than 20 years of experience working with governments around the world” and providing “end-to-end monitoring and intelligence solutions for more than 35 governments around the world.”

Democratic states must react

The list of legally and ethically controversial sponsors and participants of ISS World Europe could be continued. It is not clear to outsiders which (potential) customers these companies will meet. The only thing that is clear is that they are mostly representatives of state security agencies and intelligence services.

Meanwhile, pressure is mounting on democratic governments to take action against companies like NSO, Candiru & Co: A total of 81 organizations – including Access Now, Amnesty International, Human Rights Watch and Reporters Without Borders – as well as independent experts wrote an open letter last week calling on the EU to impose sanctions on NSO. They said the EU must ban the use and trade of NSO technologies until effective human rights protections are in place. A response is still pending. (hcz)