Posts Tagged ‘cyber security’

Controversial spyware company promises to respect human rights…in the future

June 19, 2019

This photo from August 25, 2016, shows the logo of the Israeli NSO Group company on a building in Herzliya, Israel. (AP Photo/Daniella Cheslow)


Newspapers report that controversial Israeli spyware developer NSO Group will in the coming months move towards greater transparency and align itself fully with the UN Guiding Principles on Business and Human Rights, the company’s owners said over the weekend. [see also: https://humanrightsdefenders.blog/2019/02/19/novalpina-urged-to-come-clean-about-targeting-human-rights-defenders/]

Private equity firm Novalpina, which acquired a majority stake in NSO Group in February, said that within 90 days it would “establish at NSO a new benchmark for transparency and respect for human rights.” It said it sought “a significant enhancement of respect for human rights to be built into NSO’s governance policies and operating procedures and into the products sold under licence to intelligence and law enforcement agencies.”

The company has always stated that it provides its software to governments for the sole purpose of fighting terrorism and crime, but human rights defenders and NGOs have claimed the company’s technology has been used by repressive governments to spy on them. Most notably, the spyware was allegedly used in connection with the gruesome killing of Saudi journalist Jamal Khashoggi, who was dismembered in the Saudi consulate in Istanbul last year and whose body has never been found.

Last month London-based Amnesty International, together with other human rights activists, filed a petition to the District Court in Tel Aviv to compel Israel’s Defense Ministry to revoke the export license it granted to the company that Amnesty said has been used “in chilling attacks on human rights defenders around the world.”

On Friday the Guardian reported that Yana Peel, a well-known campaigner for human rights and a prominent figure in London’s art scene, is a co-owner of NSO, as she has a stake in Novalpina, co-founded by her husband Stephen Peel. Peel told the Guardian she has “no involvement in the operations or decisions of Novalpina, which is managed by my husband, Stephen Peel, and his partners,” and added that the Guardian’s view of NSO was “quite misinformed.”

And Citizen Lab is far from reassured: https://citizenlab.ca/2019/06/letter-to-novalpina-regarding-statement-on-un-guiding-principles/…

https://www.timesofisrael.com/controversial-nso-group-to-adopt-policy-of-closer-respect-for-human-rights/

https://www.theguardian.com/world/2019/jun/18/whatsapp-spyware-israel-cyber-weapons-company-novalpina-capital-statement

Possibility to apply for the African School on Internet Governance scholarships

May 21, 2019

Objectives of AfriSIG. AfriSIG’s primary goal is to give Africans from multiple sectors and stakeholder groups the opportunity to gain knowledge that will enable them to participate confidently and effectively in national, regional and global internet governance processes and debates. AfriSIG seeks also to give fellows the opportunity to participate actively at the AfIGF as speakers, moderators, and rapporteurs. The dates and location of this year’s AfIGF are still to be confirmed.

Curriculum

The School will run throughout six days, and will be structured to include intensive learning and knowledge sharing that covers:

  • An overview of internet governance concepts, issues and institutions
  • Internet architecture, infrastructure, standards and protocols and management of internet names and numbers
  • Internet governance and social issues: gender, human rights and development
  • Cybersecurity, multistakeholder approaches and emerging issues in internet governance such as algorithms and the “internet of things”

The highlight of the school is a practicum in which participants have to tackle an actual internet-related policy challenge and come up with an agreed solution or statement.

Eligibility

The School will accept applications from a wide range of professionals including human rights defenders and NGO leaders.

Costs and Scholarships

Applicants can apply for a scholarship to attend the school. However, given the limited number of scholarships, self-funded and sponsored applicants are encouraged to apply. The full course fee, which covers accommodation, meals, course material, and tuition, is USD 2,000. This excludes travel. Scholarships will cover air travel, shared accommodation and meal costs for the duration of the School. Successful applicants have the option of staying in a single room, but they would need to cover the additional cost themselves. The deadline for applications is Saturday, 1 June 2019.

For more information, visit the AfriSIG website

To apply please complete the form here

Apply for the African School on Internet Governance scholarships

NGOs urge Putin not to sign Russia’s “Sovereign Internet Bill”

April 28, 2019

Participants in an opposition rally in central Moscow protest against tightening state control over the internet in Russia, 10 March 2019  Igor Russak/SOPA Images/LightRocket via Getty Images

On 24 April 2019 nine major human rights, media and Internet freedom NGOs called on Russian President Vladimir Putin not to sign the so-called “Sovereign Internet Bill”, as it will lead to further limitations of already restricted Internet and media freedoms in the country.

The bill (No. 608767-7) amends the laws “On Communications” and “On Information, Information Technologies and Information Protection” and states its aim as enabling the Russian Internet to operate independently from the World Wide Web in the event of an emergency or foreign threat. On 16 April 2019, the Russian State Duma approved the bill in the third reading amid widespread domestic criticism, protests and online campaigning around the country, and on 22 April, the Federation Council, the upper house of the Russian parliament, approved it. If signed by President Vladimir Putin, the bill would enter into force on 1 November 2019.

The bill creates a system that gives the authorities the capacity to block access to parts of the Internet in Russia, potentially ranging from cutting access to particular Internet Service Providers (ISPs) through to cutting all access to the Internet throughout Russia.

The bill gives control over Internet network routing to the state regulator for Telecommunications, Information Technologies and Mass Communications, Roskomnadzor. It provides that the ISPs should connect with other ISPs, or “peer,” at Internet exchange points (IXes) approved by the authorities, and that these IXes should not allow unapproved ISPs to peer. The bill would also create a centralised system of devices capable of blocking Internet traffic. The bill requires ISPs to install the devices, which the government would provide free of charge, in their networks.

Under this system, Roskomnadzor would monitor threats to Russia’s Internet access and transmit instructions to ISPs through the special devices about countering these threats. Cross-border Internet traffic would be kept under close state control. The draft does not specify what the range of instructions would be, but they could potentially include partially or fully blocking traffic both between Russia and the rest of the World Wide Web, and within Russia. Nor does the draft explain how the new equipment will work, or what specifically it will do. It is clear, however, that blocking would result from direct interaction between the government and the ISP and that it will be extrajudicial and nontransparent. The public would not know what has been blocked and why.

The bill states that the new measures will be activated in the event of a ‘security threat’. The draft does not define security threats, and instead gives the government full discretion to decide what would constitute a security threat and what range of measures would be activated using the new system to address a threat.

The bill also states that Russian ISPs remain obligated to filter and block content in accordance with existing Russian law.

Further, the bill creates a national domain name system (DNS) – a system that acts as the address-book for the Internet by allowing anyone to look up the address of the server(s) hosting the URL of a website they are looking for. The bill would require Internet providers to start using the national DNS from 1 January 2021. Forcing ISPs to use the national system will give Russian authorities the ability to manipulate the results provided to the ISP outside the ISP’s knowledge and control. Authorities will be able to answer any user’s request for a website address with either a fake address or no address at all. This not only allows them to conduct fine-grained censorship but will also let the national DNS redirect users to government-controlled servers in response to any DNS requests instead of to a website’s authentic servers.

These proposals are very broad, overly vague, and vest in the government unlimited and opaque discretion to define threats. They carry serious risks to the security and safety of commercial and private users and undermine the rights to freedom of expression, access to information and media freedom.

The bill contravenes standards on freedom of expression and privacy protected by the International Covenant on Civil and Political Rights (ICCPR) and the European Convention on Human Rights (ECHR), to which Russia is a party. Both treaties allow states to limit freedoms to protect national security but impose clear criteria for such limitations to be valid. The UN Special Rapporteur on freedom of expression, commenting on the ICCPR, has reiterated that these limits should be “provided by law, which is clear and accessible to everyone,” and be predictable and transparent.

Human Rights Watch, ARTICLE 19 and other undersigned organisations are extremely concerned that the changes introduced in the bill threaten human rights and freedoms in Russia. Open, secure and reliable connectivity is essential for human rights online, including the rights to freedom of expression, information, assembly, privacy and media freedom. The bill could pose a threat to the Internet’s rights-enabling features if access to the World Wide Web is wholly or partially cut off, or if arbitrary blocking and filtering of content is carried out. It would facilitate state surveillance and curb anonymity online. It also risks severely isolating people in Russia from the rest of the world, limiting access to information and constraining attempts at collective action and public protest. The Bill’s negative impact on the freedom of expression will also affect the rights of journalists and media to work freely.

The adoption of the bill should be seen in the context of other Russian legislation that severely undermines protection of freedom of expression and privacy online and fails to meet international human rights standards. These include:

  • The 2016 ‘Yarovaya Law,’ which requires all communications providers and Internet operators to store metadata about their users’ communications activities, to disclose decryption keys at the security services’ request, and to use only encryption methods approved by the Russian government. It was adopted to allegedly counter ‘extremism’ but in practice, it creates a backdoor for Russia’s security agents to access Internet users’ data, traffic, and communications.

  • In 2017, Federal Law 327-FZ made amendments to the ‘Lugovoi Law’ (Federal Law FZ-398, 2013) that gave the General Prosecutor or his/her deputies a right to block access to any online resource of a foreign or international NGO designated ‘undesirable’; and, to ‘information providing methods to access’ the resources enumerated in the ‘Lugovoi Law’, i.e. including hyper-links to old announcements on public rallies not approved by local authorities.

  • The recent March 2019 bills mandate blocking and penalizing websites that publish what authorities deem to be “fake news” and “insult” to authorities, state symbols, and what the legislation vaguely describes as Russian “society.”

The President of the Russian Federation should reject the bill. The Russian Government should also review other Internet related legislation, abolish the above listed laws and bring its legal framework to full compliance with international freedom of expression standards.

ARTICLE 19

Civil Rights Defenders

Committee to Protect Journalists

Human Rights Watch

International Federation for Human Rights (FIDH)

International Media Support

International Partnership for Human Rights

Norwegian Helsinki Committee

PEN International

Reporters without Borders

https://www.ifex.org/russia/2019/04/24/sovereign-internet-bill/

https://www.hrw.org/news/2019/04/24/joint-statement-russias-sovereign-internet-bill

Big Brother Awards try to identify risks for human rights defenders

February 24, 2019

Novalpina urged to come clean about targeting human rights defenders

February 19, 2019

In an open letter released today, 18 February 2019, Amnesty International, Human Rights Watch and five other NGOs urged Novalpina to publicly commit to accountability for NSO Group’s past spyware abuses, including the targeting of an Amnesty International employee and the alleged targeting of Jamal Khashoggi. [see also: https://humanrightsdefenders.blog/2016/08/29/apple-tackles-iphone-one-tap-spyware-flaws-after-mea-laureate-discovers-hacking-attempt/]

Danna Ingleton, Deputy Director of Amnesty Tech, said: “Novalpina’s executives have serious questions to answer about their involvement with a company which has become the go-to surveillance tool for abusive governments. This sale comes in the wake of reports that NSO paid private operatives to physically intimidate individuals trying to investigate its role in attacks on human rights defenders – further proof that NSO is an extremely dangerous entity.

We are calling on Novalpina to confirm an immediate end to the sale or further maintenance of NSO products to governments which have been accused of using surveillance to violate human rights. It must also be completely transparent about its plans to prevent further abuses.

This could be an opportunity to finally hold NSO Group to account. Novalpina must commit to fully engaging with investigations into past abuses of NSO’s spyware, and ensure that neither NSO Group nor its previous owners, Francisco Partners, are let off the hook.”

The signatories to the letter are:

  • Amnesty International
  • R3D: Red en Defensa de los Derechos Digitales
  • Privacy International
  • Access Now
  • Human Rights Watch
  • Reporters Without Borders
  • Robert L. Bernstein Institute for Human Rights, NYU School of Law and Global Justice Clinic, NYU School of Law

https://www.amnesty.org/en/latest/news/2019/02/spyware-firm-buyout-reaffirms-urgent-need-for-justice-for-targeted-activists/

https://www.amnesty.org/en/latest/research/2019/02/open-letter-to-novalpina-capital-nso-group-and-francisco-partners/

Jigsaw designed software (“Outline”) for self-controlled VPNs

March 21, 2018


A virtual private network (VPN), that core privacy tool that encrypts your internet traffic and bounces it through a faraway server, has always presented a paradox: Sure, it helps you hide from some forms of surveillance, like your internet service provider’s snooping and eavesdroppers on your local network. But it leaves you vulnerable to a different, equally powerful spy: Whoever controls the VPN server you’re routing all your traffic through.

To help solve that quagmire, Jigsaw, the Alphabet-owned Google sibling that serves as a human rights-focused tech incubator, will now offer VPN software that you can easily set up on your own server—or at least, one you set up yourself, and control in the cloud. And unlike older homebrew VPN code, Jigsaw says it’s focused on making the setup and hosting of that server simple enough that even small, less savvy organizations or even individual users can do it in minutes.

Jigsaw says that the free DIY proxy software, called Outline, aims to provide an alternative to, on the one hand, stronger anonymity tools like Tor that slow down web browsing by bouncing connections through multiple encrypted hops around the world and, on the other hand, commercial VPNs that can be expensive, and also put users’ private information and internet history at risk.

“The core of the product is that people can run their own VPN,” says Santiago Andrigo, the Jigsaw product manager who led Outline’s development. “You get the reassurance that no one else has your data, and you can rest easier in that knowledge.”

..A Swedish NGO, Civil Rights Defenders, has been testing Outline since last fall with the group of sensitive internet users it works to protect, who include journalists, lawyers, human rights defenders and LGBT communities in 18 repressive regimes around the world. ..

https://www.wired.com/story/alphabet-outline-vpn-software/

https://www.androidauthority.com/outline-censorship-vpn-847999/

see also: https://humanrightsdefenders.blog/2017/01/10/security-without-borders-offers-free-security-help-to-human-rights-defenders/

European Parliament votes to restrict exports of surveillance equipment

January 22, 2018

Members of the European Parliament have voted to curb export of surveillance equipment to states with poor human rights records, following mounting evidence that equipment supplied by companies in Europe has been used by oppressive regimes to suppress political opponents, journalists and campaigners. MEPs in Strasbourg agreed on 17 January to extend EU export controls to include new restrictions on the export of surveillance equipment, including devices for intercepting mobile phones, hacking computers, circumventing passwords and identifying internet users. The proposals also seek to remove encryption technologies from the list of technologies covered by EU export controls, in a move which aims to make it easier for people living in oppressive regimes to gain access to secure communications which can circumvent state surveillance.

“Dictators spy on their citizens using EU cyber-surveillance. This must stop. The EU cannot contribute to the suffering of courageous activists, who often risk their lives for freedom and democracy,” said MEP Klaus Buchner, European Parliament rapporteur. “We are determined to close dangerous gaps in the export of dual-use goods and call on member states to follow suit.”

The proposed changes to the EU dual use export control regime are likely to face opposition from the defence industry and governments, as the European Parliament and the European Commission prepare to negotiate their implementation with Europe’s 28 member states.

European technology companies, including UK firms, have supplied equipment that has been used for arresting, torturing, and killing people in Iran, Egypt, Ethiopia, and Morocco, according to the European Parliament. An investigation by Computer Weekly revealed that the UK government had approved export licences to Gamma International (UK) to supply mobile phone interception equipment, known as IMSI catchers, to Macedonia, when the regime was engaged in a massive illegal surveillance operation against the public and political opponents.

And the UK’s largest arms manufacturer, BAE Systems, has exported equipment capable of mass internet surveillance to countries that campaigners say regularly commit human rights abuses, including Saudi Arabia, Qatar, Oman, Morocco and Algeria. An overwhelming majority of MEPs supported reforms to the EU’s export control regime, which will require member states to deny export licences if the export of surveillance technology is likely to lead to a serious impact on human rights in the destination country. The proposed changes, backed by 571 votes to 29 against, with 29 abstentions, will impose tough requirements for EU governments.

Member states will be required to assess the likely impact of surveillance technology on citizens’ right to privacy, freedom of speech, and freedom of association, in the destination country before they grant export licences – a significant step up from current levels of scrutiny.

The proposed rules contain safeguards, however, that will allow legitimate cyber-security research to continue. Companies exporting products that are not specifically listed will be expected to follow the OECD’s “due diligence” guidelines, if there is a risk they could support human-rights violations.

Improved transparency measures will require member states to record and make data on approved and declined export licences publicly available, opening up the secretive global trade in surveillance technologies to greater public scrutiny.

http://www.computerweekly.com/news/252433519/European-Parliament-votes-to-restrict-exports-of-surveillance-equipment

Commercial spyware out of control and becoming threat to human rights defenders

December 6, 2017


BBC investigation on Arab States and import of cyber-surveillance tools

June 16, 2017

On 15 June 2017 the BBC came out with a special report on “How BAE sold cyber-surveillance tools to Arab states”.

A dancer tucks his Apple iPhone next to his traditional Omani dagger during a welcome ceremony in Muscat, Oman (5 November 2016).

A year-long investigation by BBC Arabic and a Danish newspaper [Dagbladet Information] has uncovered evidence that the UK defence giant BAE Systems has made large-scale sales across the Middle East of sophisticated surveillance technology, including to many repressive governments. These sales have also included decryption software which could be used against the UK and its allies. While the sales are legal, human rights campaigners and cyber-security experts have expressed serious concerns these powerful tools could be used to spy on millions of people and thwart any signs of dissent. The investigation began in the small Danish town of Norresundby, home to ETI, a company specialising in high-tech surveillance equipment. ETI developed a system called Evident, which enabled governments to conduct mass surveillance of their citizens’ communications. A former employee, speaking to the BBC anonymously, described how Evident worked. “You’d be able to intercept any internet traffic,” he said. “If you wanted to do a whole country, you could. You could pin-point people’s location based on cellular data. You could follow people around. They were quite far ahead with voice recognition. They were capable of decrypting stuff as well.”

 


A video clip accompanying the article is to be found on the website of the BBC (see link below) and it features Ahmed Mansoor, the 2015 Laureate of the Martin Ennals Award. [https://humanrightsdefenders.blog/2017/03/21/ahmed-mansoor-mea-laureate-2015-arrested-in-middle-of-the-night-raid-in-emirates/]

One early customer of the new system was the Tunisian government. The BBC tracked down a former Tunisian intelligence official who operated Evident for the country’s veteran leader, President Zine al-Abidine Ben Ali. “ETI installed it and engineers came for training sessions,” he explained. “[It] works with keywords. You put in an opponent’s name and you will see all the sites, blogs, social networks related to that user.” The source says President Ben Ali used the system to crack down on opponents until his overthrow in January 2011, in the first popular uprising of the Arab Spring. As protests spread across the Arab world, social media became a key tool for organisers. Governments began shopping around for more sophisticated cyber-surveillance systems – opening up a lucrative new market for companies like BAE Systems. In 2011, BAE bought ETI and the company became part of BAE Systems Applied Intelligence. Over the next five years, BAE used its Danish subsidiary to supply Evident systems to many Middle Eastern countries with questionable human rights records (such as Saudi Arabia, the UAE, Qatar, Oman, Morocco and Algeria).

 

“I wouldn’t be exaggerating if I said more than 90% of the most active campaigners in 2011 have now vanished,” says Yahya Assiri, a former Saudi air force officer who fled the country after posting pro-democracy statements online. “It used to be that ‘the walls have ears’, but now it’s ‘smartphones have ears,’” says Manal al-Sharif, a Saudi women’s rights activist who also now lives abroad. “No country monitors its own people the way they do in the Gulf countries. They have the money, so they can buy advanced surveillance software.” [see also: https://humanrightsdefenders.blog/2013/12/13/five-women-human-rights-defenders-from-the-middle-east/]

Manal al-Sharif says Gulf states have the money to buy advanced surveillance equipment

‘Responsible trading’

….The BBC has obtained a 2015 email exchange between the British and Danish export authorities in which the British side clearly expresses concern about this capability with reference to an Evident sale to the United Arab Emirates. “We would refuse a licence to export this cryptanalysis software from the UK because of Criteria 5 concerns,” says the email. [“Criteria 5” refers to the national security of the UK and its allies.]…Despite British objections, the Danish authorities approved the Evident export…..

…….Dutch MEP Marietje Schaake is one of the few European politicians prepared to discuss concerns about surveillance technology exports. She says European countries will ultimately pay a price for the compromises now being made. “Each and every case where someone is silenced or ends up in prison with the help of EU-made technologies I think is unacceptable,” she told the BBC. “I think the fact that these companies are commercial players, developing these highly sophisticated technologies that could have a deep impact on our national security, on people’s lives, requires us to look again at what kind of restrictions may be needed, what kind of transparency and accountability is needed in this market before it turns against our own interest and our own principles.”

Source: How BAE sold cyber-surveillance tools to Arab states – BBC News

https://twitter.com/hashtag/freeahmed