Posts Tagged ‘cyber security’

Frontline’s Guide to Secure Group Chat and Conferencing Tools

July 21, 2020

With teams increasingly working remotely during COVID-19, we are all facing questions regarding the security of our communication with one another: Which communication platform or tool is best to use? Which is the most secure for holding sensitive internal meetings? Which will have adequate features for online training sessions or remote courses without compromising the privacy and security of participants?

Front Line Defenders presents this simple overview which may help you choose the right tool for your specific needs.

FLD Secure Group Chat Flowchart


Note:

  • With end-to-end encryption (e2ee), your message gets encrypted before it leaves your device and only gets decrypted when it reaches the intended recipient’s device. Using e2ee is important if you plan to transmit sensitive communication, such as during internal team or partners meetings.
  • With encryption to-server, your message gets encrypted before it leaves your device, but is decrypted on the server, processed, and encrypted again before being sent to the recipient(s). Having encryption to-server is OK if you fully trust the server.

Why Zoom or other platforms/tools are not listed here: There are many platforms which can be used for group communication. In this guide we focused on those we think will deliver good user experiences and offer the best privacy and security features. Of course, none of the platforms can offer 100% privacy or security, as in all communications there is a margin of risk. We have not included tools such as Zoom, Skype, Telegram etc. in this guide, as we believe that the margin of risk incurred whilst using them is too wide, and therefore Front Line Defenders does not feel comfortable recommending them.

Surveillance and behaviour: Some companies like Facebook, Google, Apple and others regularly collect, analyse and monetize information about users and their online activities. Most, if not all, of us are already profiled by these companies to some extent. If the communication is encrypted to-server, owners of the platform may store this communication. Even with end-to-end encryption, communication practices such as location, time, whom you connect with, how often, etc. may still be stored. If you are uncomfortable with this data being collected, stored and shared, we recommend refraining from using services by those companies.
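The difference between the two encryption models in the Note above, and the metadata point in the preceding paragraph, can be made concrete with a small simulation. This is an added example, not part of the Front Line Defenders guide: the `RelayServer` class, the user names and the sample message are hypothetical, and the cipher is a toy built from SHA-256 and HMAC so the script runs with the Python standard library only (real messengers use vetted protocols and key agreement between devices).

```python
import hashlib
import hmac
import os

# Toy authenticated cipher (hash-based keystream + HMAC tag).
# Illustration only: an assumption of this example, NOT a vetted cipher.
def _subkey(key: bytes, label: bytes) -> bytes:
    return hashlib.sha256(label + key).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered message")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class RelayServer:
    """Hypothetical chat server; `log` holds everything its operator could store."""

    def __init__(self):
        # Per-user key shared with the server (stand-in for a TLS session).
        self.link_keys = {}
        self.log = []

    def register(self, user: str) -> bytes:
        self.link_keys[user] = os.urandom(32)
        return self.link_keys[user]

    def relay_to_server(self, sender: str, recipient: str, blob: bytes) -> bytes:
        # Encryption to-server: decrypt, process, re-encrypt for the recipient.
        plaintext = unseal(self.link_keys[sender], blob)
        self.log.append({"from": sender, "to": recipient,
                         "size": len(plaintext), "content": plaintext})
        return seal(self.link_keys[recipient], plaintext)

    def relay_e2ee(self, sender: str, recipient: str, blob: bytes) -> bytes:
        # End-to-end: the server holds no key that opens the blob, so it can
        # only forward it. Sender, recipient and size are still visible; a
        # real server would also see the time and network address.
        readable = None
        for key in self.link_keys.values():
            try:
                readable = unseal(key, blob)
            except ValueError:
                pass
        self.log.append({"from": sender, "to": recipient,
                         "size": len(blob), "content": readable})
        return blob


def demo():
    message = b"Meet at the usual place at 18:00"  # constructed sample message
    server = RelayServer()
    alice_link = server.register("alice")
    bob_link = server.register("bob")

    # 1) Encryption to-server: each hop uses a key the server also holds.
    delivered = server.relay_to_server("alice", "bob", seal(alice_link, message))
    received_to_server = unseal(bob_link, delivered)

    # 2) End-to-end: Alice and Bob share a key the server never sees.
    e2e_key = os.urandom(32)
    delivered = server.relay_e2ee("alice", "bob", seal(e2e_key, message))
    received_e2ee = unseal(e2e_key, delivered)

    return message, received_to_server, received_e2ee, server.log


if __name__ == "__main__":
    for entry in demo()[3]:
        print(entry)
```

The first log entry contains the full message text, while the second contains only who wrote to whom and how much data was sent.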

The level of protection of your call depends not only on which platform you choose, but also on the physical security of the space you and others on the call are in and the digital protection of the devices you and others use for the call.

Caution: Use of encryption is illegal in some countries. You should understand and consider the law in your country before deciding on using any of the tools mentioned in this guide.

Criteria for selecting the tools or platforms

Before selecting any communication platform, app or program it is always strongly recommended that you research it first. Below we list some important questions to consider:

  • Is the platform mature enough? How long has it been running for? Is it still being actively developed? Does it have a large community of active developers? How many active users does it have?
  • Does the platform provide encryption? Is it end-to-end encrypted or just to-server encrypted?
  • In which jurisdiction is the owner of the platform and where are servers located? Does this pose a potential challenge for you or your partners?
  • Does the platform allow for self-hosting?
  • Is the platform open source? Does it provide source code to anyone to inspect?
  • Was the platform independently audited? When was the last audit? What do experts say about the platform?
  • What is the history of the development and ownership of the platform? Have there been any security challenges? How have the owners and developers reacted to those challenges?
  • How do you connect with others? Do you need to provide phone number, email or nickname? Do you need to install a dedicated app/program? What will this app/program have access to on your device? Is it your address book, location, mic, camera, etc.?
  • What is stored on the server? What does the platform’s owner have access to?
  • Does the platform have features needed for the specific task/s you require?
  • Is the platform affordable? This needs to include potential subscription fees, learning and implementing, and possible IT support needed, hosting costs, etc.

The document then proceeds to give more detailed information related to each tool/service listed in this guide:

Signal – https://signal.org/

Delta Chat – https://delta.chat/

Wire – https://wire.com/

Jitsi Meet – https://jitsi.org/jitsi-meet/

BigBlueButton – https://bigbluebutton.org/

Whereby – https://whereby.com

Blue Jeans – https://www.bluejeans.com/

GoToMeeting – https://www.gotomeeting.com/

Facetime / iMessage – https://www.apple.com/ios/facetime

Google Meet – https://meet.google.com/

Duo – https://duo.google.com/

WhatsApp – https://www.whatsapp.com/

Video calls, webinar or online training recommendations

Video calls recommendations: In the current situation you will undoubtedly find yourself organizing or participating in many more video calls than before. It may not be obvious to everyone how to do it securely and without exposing yourself and your data to too much risk:

  • Assume that when you connect to talk your camera and microphone may be turned on by default. Consider covering your camera with a sticker (making sure it doesn’t leave any sticky residue on the camera lens) and only remove it when you use the camera.
  • You may not want to give away too much information on your house, family pictures, notes on the walls or boards, etc. Be mindful of the background: who and what is also in the frame aside from yourself? Test before the call by, for example, opening meet.jit.si and clicking on the GO button to get to a random empty room with your camera switched on to see what is in the picture. Consider clearing your background of clutter.
  • Also be mindful who can be heard in the background. Maybe close the door and windows, or alert those sharing your space about your meeting.
  • Video call services may collect information on your location and activity; consider using a VPN (see Physical, emotional and digital protection while using home as office in times of COVID-19 guide).
  • It is best to position your face so your eyes are more or less at the upper third of the picture without cutting off your head. Unless you do not want to reveal your face, do not sit with your back to a light or a window. Daylight or a lamp from the front is the best. Stay within the camera frame. You may want to look into the lens from time to time to make “eye contact” with others. If you are using your cellphone, rest it against a steady object (e.g. a pile of books) so that the video picture remains stable.
  • You may want to mute your microphone to prevent others hearing you typing notes or any background noise as it can be very distracting to others on the call.
  • If the internet connection is slow you may want to switch off your camera, pause other programs, mute the microphone and ask others to do same. You may also want to try sitting closer to the router, or connecting your computer directly to the router with an ethernet cable. If you share internet connection with others, you may ask them to reduce extensive use of internet for the duration of your call.
  • It is very tempting to multitask, especially during group calls. But you may very soon realise that you are lost in the meeting, and others may realise this.
  • If this is a new situation for you or you are using a new calling tool, you may want to give yourself a few extra minutes to learn and test it prior to the scheduled meeting to get familiar with options like turning on/off the camera and the microphone, etc.
  • If possible, prepare and test a backup communication plan in case you will have trouble connecting with others. For example, adding them to a Signal group so you can still text chat or troubleshoot problems on the call. Sometimes it helps to have an alternate browser installed on your computer or app on the phone to try connecting with those.

If you would like to organise a webinar or online training, you can use the tools outlined above in the group communication. Some best practices include:

  • Make sure that you know who is connected. If this is needed check the identities of all people participating by asking them to speak. Do not assume you know who is connected only by reading assigned names.
  • Agree on ground-rules, like keeping cameras on/off, keeping microphone on/off when one is not speaking, flagging when participants would like to speak, who will be chairing the meeting, who will take notes – where and how will those notes be written and then distributed, is it ok to take screenshots of a video call, is it ok to record the call, etc.
  • Agree on clear agendas and time schedules. If your webinar is longer than one hour, it is probably best to divide it into clear one-hour sessions separated by some time agreed with participants, so they have time to have a short break. Plan for the possibility that not all participants will return after a break. Have alternative methods to reach out to them to remind them to return, like Signal/Wire/DeltaChat contacts for them.
  • It is easiest to use a meeting service that participants connect to using a browser without a need to register or install a special program, one that also gives the webinar organiser the ability to mute microphones and close cameras of participants.
  • Prior to the call, check with all participants whether they have particular needs, such as if they are deaf or hard of hearing, if they are visually impaired or blind, or any other conditions which would affect their participation in the call. With this in mind, ensure that the selected platform will accommodate these needs and to be sure, test the platform beforehand. Simple measures can also improve inclusion and participation in your calls, such as turning on cameras when possible, as it can allow for lip-reading.
  • Encourage all participants to speak slowly and to avoid jargon where possible, as the working language of the call is most likely not everyone’s mother tongue language. Naturally, there will be moments of silences and pauses, embrace them. They can help to support understanding and can be helpful for participants who are hard of hearing, interpreters and will also aid assistive technology to pick up words correctly.

https://www.frontlinedefenders.org/en/resource-publication/guide-secure-group-chat-and-conferencing-tools

The Ups and downs in suing the NSO Group

July 20, 2020

Written By Shubham Bose

While Amnesty International (AI) was stranded in its effort in Israel [https://humanrightsdefenders.blog/2020/07/15/amnesty-internationals-bid-to-block-spyware-company-nso-fails-in-israeli-court/], a federal US court has passed an order allowing WhatsApp to move forward with its case against the Israeli company for allegedly targeting 1,400 users with malware in 2019. According to reports, it is believed that spyware produced by the Israeli firm NSO Group was used to target various groups of people around the world, such as journalists, human rights defenders, and even politicians. [see: https://humanrightsdefenders.blog/2019/10/30/nso-accused-of-largest-attack-on-civil-society-through-its-spyware/]

Judge Phyllis Hamilton, in her ruling on the cases, stated that she was not convinced by NSO Group’s claims and arguments that it had no hand in targeting WhatsApp users. Moving forward in the trial, the NSO Group might be forced to reveal its clients and make the list public.

The judge also added that even if NSO was operating at the direction of its customer, it still appeared to have a hand in targeting WhatsApp users. As per reports, a WhatsApp spokesperson said the Facebook-owned venture was pleased with the court’s decision and will now be able to uncover the practices of NSO Group.

Even in the face of criticism from privacy advocates, the company has claimed that law enforcement agencies are facing difficulties due to the proliferation of encrypted messaging apps like WhatsApp.

The law firm King & Spalding has reportedly been hired by the NSO Group to represent them. Among the company’s legal team is Rod Rosenstein, the Trump administration’s former attorney general. The NSO Group has reportedly had multiple government clients like Saudi Arabia, Mexico, and the United Arab Emirates who have used spyware to target political opponents and human rights campaigners.

https://www.republicworld.com/world-news/us-news/whatsapp-lawsuit-against-israeli-firm-nso-group-given-green-light-by-u.html

Anti-Censorship initiative with free VPN accounts for human rights defenders

July 15, 2020

On 14 July Business-Wire reported that the VPN company TunnelBear has partnered with NGOs to give away 20,000 accounts (these NGOs include Access Now, Frontline Defenders, Internews, and one other undisclosed participant).

This program aims to empower individuals and organizations with the tools they need to browse a safe and open internet environment, regardless of where they live. The VPN provider is encouraging other NGOs or media organizations across the world to reach out if they too are in need of support. “At TunnelBear, we strongly believe in an open and uncensored internet. Whenever we can use our technology to help people towards that end, we will,” said TunnelBear Cofounder Ryan Dochuk.

TunnelBear’s VPN encrypts its user’s internet traffic to enable a private and censor-free browsing experience.

“By undergoing and releasing independent audits of their systems, adopting open source tools, and collaborating with the open source community, TunnelBear has proven itself to be an industry leader in the VPN space and a valuable private sector partner within the internet freedom movement. Internews is happy to support TunnelBear in extending its VPN service to the media organizations, journalists, activists, and human rights defenders around the globe who can benefit from it,” said Jon Camfield, Director of Global Technology Strategy at Internews.

Contact: Shames Abdelwahab press@tunnelbear.com

See also: https://humanrightsdefenders.blog/2020/06/23/trump-now-starts-dismanteling-the-open-technology-fund/

https://www.businesswire.com/news/home/20200714005302/en/TunnelBear-Kicks-Anti-Censorship-Initiative-Free-Accounts-Activists

Amnesty International’s bid to block spyware company NSO fails in Israeli court

July 15, 2020

Amnesty International’s bid to block spyware company NSO Group’s international export licence has been shut down in a Tel Aviv court, apparently due to a lack of evidence, reported several media, here in the New Statesman of 14 July 2020. [see: https://humanrightsdefenders.blog/2019/09/17/has-nso-really-changed-its-attitude-with-regard-to-spyware/ ]

The case argued that the Israeli defence ministry should revoke the group’s export licence in light of numerous allegations that its phone-hacking Pegasus spyware has been used by governments (including Mexico, Saudi Arabia, Morocco and the UAE) to spy on civilians including an Amnesty International employee, human rights activists, lawyers and journalists.

The district court judge Rachel Barkai wrote in a statement that there was not enough evidence to “substantiate the claim that an attempt was made to monitor a human rights activist”. She wrote that in reviewing materials provided by the Ministry of Defence and Ministry of Foreign Affairs, she was persuaded that export licences were granted as part of a “sensitive and rigorous process”, and closely monitored and revoked if conditions were violated, “in particular in cases of human rights violations.”

Amnesty International decried the court’s decision. Danna Ingleton, acting co-director of Amnesty Tech, said in a statement: “Today’s disgraceful ruling is a cruel blow to people put at risk around the world by NSO Group selling its products to notorious human rights abusers. […] The ruling of the court flies in the face of the mountains of evidence of NSO Group’s spyware being used to target human rights defenders from Saudi Arabia to Mexico, including the basis of this case – the targeting of one of our own Amnesty employees.”

NSO said: “Our detractors, who have made baseless accusations to fit their own agendas, have no answer to the security challenges of the 21st century. Now that the court’s decision has shown that our industry is sufficiently regulated, the focus should turn to what answer those who seek to criticise NSO have to the abuse of encryption by nefarious groups.”

The NSO Group is currently embroiled in another lawsuit brought by WhatsApp, which alleges that Pegasus spyware was used to hack more than a thousand of the messaging platform’s users. [see: https://humanrightsdefenders.blog/2019/10/30/nso-accused-of-largest-attack-on-civil-society-through-its-spyware/]

https://tech.newstatesman.com/security/amnesty-international-nso-group-export-licence

Trump now starts dismantling the Open Technology Fund

June 23, 2020

Raphael Mimoun wrote in Newsweek of 22 June 2020 an opinion piece “Dictators are Besieging Internet Freedom—and Trump Just Opened the Gates”. It is a detailed piece but worth reading:

Last week, the Trump administration started dismantling one of the US government’s most impactful agencies, the Open Technology Fund, which supports projects to counteract repressive censorship and surveillance around the world.

The Open Technology Fund, or OTF, is relatively new, founded in 2012 as a program of the government-backed Radio Free Asia. In 2019, it became an independent non-profit reporting to the US Agency for Global Media (USAGM). Since its founding, the organization has funded dozens of projects now part of the toolkit of millions of rights advocates and journalists around the world. But OTF is now under attack: the new leadership of USAGM, appointed just weeks ago, fired the leadership of all USAGM entities, including OTF, dismissed OTF’s independent and bipartisan board of directors, and is threatening to hollow out OTF altogether….

Many of those tools help those who most need it, where surveillance, censorship, and repression is most acute. Just last month, Delta Chat declined a request for user data from Russia’s communication regulator—because the security architecture developed with OTF support meant it did not have any data to hand over. FreeWechat, which publishes posts censored by the Chinese government on the app WeChat, has been visited over 7 million times by Chinese-speakers. Dozens more OTF-funded tools enable millions to evade surveillance by autocratic governments and access the open internet, from Cuba to Hong Kong and Iran.

OTF’s work is critical to human rights defenders and journalists, but it brings privacy and security far beyond those groups. OTF only supports open-source projects, meaning that the code used must be available for anyone to view and reuse…

But OTF’s work on internet freedom isn’t limited to funding technology development. The organization takes a holistic approach to internet freedom, providing life-saving training and capacity-building to groups directly targeted by cyberattacks, harassment, and violence: LGBTQI advocates in Indonesia, journalists in Mexico, civic activists in Belarus, or exiled Tibetan organizations. OTF also funds events bringing together researchers, technologists, policy-makers, and advocates. Those gatherings—whether global like the Internet Freedom Festival or focused on specific countries or regions like the Iran Cyber Dialogue, the Vietnam Cyber Dialogue, or the Forum on Internet Freedom in Africa–have been transformative. They have helped build a tight community in a space where trust is hard to achieve. Without such events, many of the projects, tools, and collaborations to circumvent censorship and counter surveillance would not exist.

See also: https://www.theverge.com/2020/6/23/21300424/open-technology-fund-usagm-circumvention-tools-china-censorship-michael-pack

https://www.newsweek.com/open-technology-fund-trump-dismantling-1512614

After NSO, now Indian-based hacking group targets NGOs

June 10, 2020

A multi-year investigation by Citizen Lab has unearthed a hack-for-hire group from India that targeted journalists, advocacy groups, government officials, hedge funds, and human rights defenders.

A lot has been written about the NSO group and human rights defenders [see: https://humanrightsdefenders.blog/tag/nso-group/], now another case of cyber insecurity has come up:

Jay Jay – a freelance technology writer – posted an article in Teiss on 9 June 2020 stating that Citizen Lab revealed in a blog post published Tuesday that the hack-for-hire group’s identity was established after the security firm investigated a custom URL shortener that the group used to shorten the URLs of phishing websites prior to targeting specific individuals and organisations. Citizen Lab has named the group as “Dark Basin”.

“Over the course of our multi-year investigation, we found that Dark Basin likely conducted commercial espionage on behalf of their clients against opponents involved in high profile public events, criminal cases, financial transactions, news stories, and advocacy,” the firm said.

It added that the hack-for-hire group targeted thousands of individuals and organisations in six continents, including senior politicians, government prosecutors, CEOs, journalists, and human rights defenders, and is linked to BellTroX InfoTech Services, an India-based technology company.

….The range of targets, that included two clusters of advocacy organisations in the United States working on climate change and net neutrality, made it clear to Citizen Lab that Dark Basin was not state-sponsored but was a hack-for-hire operation.

…As further proof of Dark Basin’s links with BellTroX, researchers found that several BellTroX employees boasted capabilities like email penetration, exploitation, conducting cyber intelligence operations, pinging phones, and corporate espionage on LinkedIn. BellTroX’s LinkedIn pages also received endorsements from individuals working in various fields of corporate intelligence and private investigation, including private investigators with prior roles in the FBI, police, military, and other branches of government.

The list of organisations targeted by Dark Basin over the past few years includes Rockefeller Family Fund, Greenpeace, Conservation Law Foundation, Union of Concerned Scientists, Oil Change International, Center for International Environmental Law, Climate Investigations Center, Public Citizen, and 350.org. The hack-for-hire group also targeted several environmentalists and individuals involved in the #ExxonKnew campaign that wanted Exxon to face trial for hiding facts about climate change for decades.

A separate investigation into Dark Basin by NortonLifeLock Labs, which they named “Mercenary.Amanda”, revealed that the hack-for-hire group executed persistent credential spearphishing against a variety of targets in several industries around the globe going back to at least 2013…

https://www.teiss.co.uk/indian-hack-for-hire-group-phishing/

https://thewire.in/tech/spyware-rights-activists-lawyers-citizen-lab

https://scroll.in/latest/964803/nine-activists-most-of-them-working-to-release-bhima-koregaon-accused-targets-of-spyware-amnesty

Also: Hack-for-hire firms spoofing WHO accounts to target organisations worldwide

NSO versus Whatsapp continues in court

May 5, 2020

WhatsApp logo is seen displayed on a smart phone screen on 11 December 2019 [Ali Balıkçı/Anadolu Agency]

The NSO Group has always maintained its innocence, insisting that its spyware is purchased by government clients for the purpose of tracking terrorists and criminals and that it had no independent knowledge of how those clients use its spyware. This claim is contradicted by court documents in WhatsApp’s lawsuit filed last year against the Israeli firm. While bringing the lawsuit, WhatsApp said in a statement that 100 civil society members had been targeted and called it “an unmistakable pattern of abuse”.

New documents seen last week indicate that servers controlled by NSO Group and not its government clients, as alleged by the Israeli firm, were an integral part of how the hacks were executed. “NSO used a network of computers to monitor and update Pegasus after it was implanted on users’ devices,” said WhatsApp, “these NSO-controlled computers served as the nerve centre through which NSO controlled its customers’ operation and use of Pegasus [software used to hack computers and phones].” NSO Group is also accused by WhatsApp of gaining “unauthorised access” to its servers by evading the company’s security features.

In the ongoing legal battle between Facebook and software surveillance company NSO Group, the social media giant is trying to get NSO Group’s legal counsel dismissed because of an alleged conflict of interest. In a court filing made public this week, Facebook asked a federal judge to disqualify law firm King & Spalding from representing NSO Group because the firm previously represented Facebook-owned WhatsApp in a different, sealed case that is “substantially related” to the NSO Group one. King & Spalding, an Atlanta-based firm with a range of big corporate clients, has denied there is a conflict of interest, according to the filing.

“Any attorney defending this suit would love to have insight into how WhatsApp’s platform and systems work,” the court filing states. “And King & Spalding has that insight—because it was once WhatsApp’s counsel.”

The dispute with Facebook is one of multiple legal battles currently facing NSO Group. Amnesty International is trying to get an Israeli court to revoke NSO Group’s export license in Israel, citing Pegasus’s alleged role in human rights abuses. [see: https://humanrightsdefenders.blog/2019/09/17/has-nso-really-changed-its-attitude-with-regard-to-spyware/]

https://www.amnesty.org/en/latest/news/2020/06/nso-spyware-used-against-moroccan-journalist/

https://www.cyberscoop.com/nso-group-lawsuit-whatsapp-conflict-of-interest-king-spalding/

Israel’s NSO Group accused of ‘unmistakable pattern of abuse’ in hacking case

Amnesty accuses Facebook of complicity in Vietnamese censorship

April 22, 2020

On 21 April, Reuters reported that Facebook has begun to significantly step up its censorship of “anti-state” posts in the country. This follows pressure from the authorities, including what the company suspects were deliberate restrictions placed on its local servers by state-owned telecommunications companies that caused Facebook to become unusable for periods of time. The next day Amnesty International demanded that Facebook immediately reverse its decision. “The revelation that Facebook is caving to Viet Nam’s far-reaching demands for censorship is a devastating turning point for freedom of expression in Viet Nam and beyond,” said William Nee, Business and Human Rights Advisor at Amnesty International. “The Vietnamese authorities’ ruthless suppression of freedom of expression is nothing new, but Facebook’s shift in policy makes them complicit.

Facebook must base its content regulation on international human rights standards for freedom of expression, not on the arbitrary whims of a rights-abusing government. Facebook has a responsibility to respect freedom of expression by refusing to cooperate with these indefensible takedown requests.” The Vietnamese authorities have a long track record of characterizing legitimate criticism as “anti-state” and prosecuting human rights defenders for “conducting propaganda against the state.” The authorities have been actively suppressing online speech amid the COVID-19 pandemic and escalating repressive tactics in recent weeks.  “It is shocking that the Vietnamese authorities are further restricting its peoples’ access to information in the midst of a pandemic. The Vietnamese authorities are notorious for harassing peaceful critics and whistleblowers. This move will keep the world even more in the dark about what is really happening in Viet Nam,” said William Nee.

Facebook’s decision follows years of efforts by Vietnamese authorities to profoundly undermine freedom of expression online, during which they prosecuted an increasing number of peaceful government critics for their online activity and introduced a repressive cybersecurity law that requires technology companies to hand over potentially vast amounts of data, including personal information, and to censor users’ posts. “Facebook’s compliance with these demands sets a dangerous precedent. Governments around the world will see this as an open invitation to enlist Facebook in the service of state censorship. It does all tech firms a terrible disservice by making them vulnerable to the same type of pressure and harassment from repressive governments,” said William Nee…

In a report published last year, Amnesty International found that around 10% of Viet Nam’s prisoners of conscience – individuals jailed solely for peacefully exercising their human rights – were jailed in relation to their Facebook activity. In January 2020, the Vietnamese authorities launched an unprecedented crackdown on social media, including Facebook and YouTube, in an attempt to silence public discussion of a high-profile land dispute in the village of Dong Tam, which has attracted persistent allegations of corruption and led to deadly clashes between security forces and villagers.  The crackdown has only intensified since the onset of COVID-19. Between January and mid-March, a total of 654 people were summoned to police stations across Viet Nam to attend “working sessions” with police related to their Facebook posts connected to the virus, among whom 146 were subjected to financial fines and the rest were forced to delete their posts. On 15 April, authorities introduced a sweeping new decree, 15/2020, which imposes new penalties on alleged social media content which falls foul of vague and arbitrary restrictions. The decree further empowers the government to force tech companies to comply with arbitrary censorship and surveillance measures.

See also: https://humanrightsdefenders.blog/2020/02/10/28-ngos-ask-eu-parliament-to-reject-cooperation-deal-with-vietnam-on-11-february/

Re Facebook and content moderation see also the Economist piece of 1 February 2020: https://www.economist.com/business/2020/01/30/facebook-unveils-details-of-its-content-oversight-board

https://www.amnesty.org/en/latest/news/2020/04/viet-nam-facebook-cease-complicity-government-censorship/

Targeting of Digital Rights Defenders in Ecuador, Argentina, and Beyond

December 25, 2019

Danny O’Brien wrote in Electronic Frontier Foundation of 19 December 2019 that “More Than Thirty Human Rights Groups Protest the Targeting of Digital Rights Defenders”.

…And some human rights defenders are technologists: building tools to defend or enhance the practice of human rights, and calling out the errors or lies of those who might misuse technology against its users. At this year’s Internet Governance Forum in Berlin, civil society groups mourned a growing trend around the world: the targeted harassment and detention of digital rights defenders by the powerful. Digital rights defenders include technologists who work to create or investigate digital tools, and who work to improve the security and privacy of vital infrastructure like the Internet, and e-voting devices. As the declaration, signed by a coalition of NGOs, notes:

The work digital rights defenders do in defense of privacy is fundamental for the protection of human rights. When they raise awareness about the existence of vulnerabilities in systems, they allow the public and private sector to find solutions that improve infrastructure and software security for the benefit of the public. Furthermore, their work as security advisers for journalists and human rights activists is of vital importance for the safety of journalists, activists and other human rights defenders.

The problem is not confined to, but is particularly pressing in, Latin America. As 2019 draws to a close, Swedish security researcher Ola Bini remains in a state of legal limbo in Ecuador after a politically-led prosecution sought to connect his work building secure communication tools to a vague and unsubstantiated conspiracy of Wikileaks-related hacking. Meanwhile in Argentina, e-voting activist Javier Smaldone remains the target of a tenuous hacking investigation.

See also: https://humanrightsdefenders.blog/2019/01/08/bloggers-and-technologists-who-were-forced-offline-in-2018/

https://www.eff.org/deeplinks/2019/12/over-thirty-human-rights-groups-protest-targeting-digital-rights-defenders-ecuador

Has NSO really changed its attitude with regard to spyware?

September 17, 2019

Cyber-intelligence firm NSO Group has introduced a new Human Rights Policy and a supporting governance framework in an apparent attempt to boost its reputation and comply with the United Nations’ Guiding Principles for Business and Human Rights. This follows recent criticism that its technology was being used to violate the rights of journalists and human rights defenders. A recent investigation found the company’s Pegasus spyware was used against a member of non-profit Amnesty International. [see: https://humanrightsdefenders.blog/2019/02/19/novalpina-urged-to-come-clean-about-targeting-human-rights-defenders/]

The NSO’s new human rights policy aims to identify, prevent and mitigate the risks of adverse human rights impact. It also includes a thorough evaluation of the company’s sales process for the potential of adverse human rights impacts coming from the misuse of NSO products. As well as this, it introduces contractual agreements for NSO customers that will require them to limit the use of the company’s products to the prevention and investigation of serious crimes. There will be specific attention to protect individuals or groups that could be at risk of arbitrary digital surveillance and communication interceptions due to race, colour, sex, language, religion, political or other opinions, national or social origin, property, birth or other status, or their exercise or defence of human rights. Rules have been set out to protect whistle-blowers who wish to report concerns about misuse of NSO technology.

Amnesty International is supporting current legal actions being taken against the Israeli Ministry of Defence, demanding that it revoke NSO Group’s export licence. In January 2020 an Israeli court ordered a closed-door hearing.

Danna Ingleton, Deputy Program Director for Amnesty Tech, said: “While on the surface it appears a step forward, NSO has a track record of refusing to take responsibility. The firm has sold invasive digital surveillance to governments who have used these products to track, intimidate and silence activists, journalists and critics.”

CEO and co-founder Shalev Hulio counters: “NSO has always taken governance and its ethical responsibilities seriously as demonstrated by our existing best-in-class customer vetting and business decision process. With this new Human Rights Policy and governance framework, we are proud to further enhance our compliance system to such a degree that we will become the first company in the cyber industry to be aligned with the Guiding Principles.”

https://www.verdict.co.uk/nso-group-new-human-rights-policy/

https://www.ynetnews.com/article/HJSNKJAeU