Israel Gives Blacklisted Spyware Companies The Go-Ahead To Help It Track Israeli Hostages
Decades of somewhat-restrained conflict between Israel and Palestine erupted into war again at the beginning of the month. Islamist militant group Hamas followed rocket strikes with a physical invasion, the latter of which included the massacre of hundreds of Israeli civilians. Israeli civilians were also tortured and mutilated.
Hamas also allegedly kidnapped around 200 Israelis, including 30 children. I say allegedly" because that's what Hamas claims, not because I don't believe Hamas is willing and able to kidnap 200 Israelis.
This horrific string of events has resulted in the Israeli government cautiously welcoming a couple of its most notorious resident tech companies back into the fold... at least for now. Here are more details from Gwen Ackerman and Marissa Newman for Bloomberg:
Israel's security services are pulling in spyware companies, including the maker of the controversial Pegasus software, to help track hostages in the Gaza Strip, people familiar with the matter said.
NSO Groupand Candiru, both of which are blacklisted by the US, are being asked to quickly upgrade their spyware capabilities to meet needs laid out by the country's security forces, according to four cybersecurity industry sources and an Israeli government official. They, together with several other software firms, are collaborating on the requests and largely offering their services for free, said the people, who asked not to be identified because of they weren't authorized to comment on military operations.
The Commerce Department blacklist - which followed weeks of negative coverage stemming from the apparent leak of targets" of NSO customers - led to the Israeli government finally placing limits on who its native malware tech firms could sell to. This reversed the longstanding partnership in which the Israeli government helped NSO and others secure contracts with a variety of known human rights abusers in the Middle East.
It was a severely dysfunctional form of diplomacy, one that blew up in NSO Group's face. Israel's government suffered some collateral damage, having assisted a bunch of its former employees (most spyware firms in Israel were formed by former Israeli intelligence operatives) in making the world a worse place for everyone. The leaked list showed a lot of NSO customers weren't using its powerful Pegasus spyware to track down dangerous criminals and terrorists. Instead, they were using it to spy on critics, journalists, legal advocates, political opponents, and anyone else who might somehow inconvenience those in power.
The fallout led to the government creating some distance between itself and the companies it had indirectly helped to create and directly helped to succeed.
Though Israel has never publicly severed ties with NSO and Candiru, theIsrael Defense Forcesdismissed some of their employees from military reserve duty after the firms were sanctioned in the US for helping authoritarian regimes track journalists and dissidents.
That gap has been closed a bit in recent weeks. Candiru states that it is volunteering the use of its spyware to help locate and track Israeli captives. The same thing goes for NSO.
NSO has the advantage. It's Pegasus spyware is a zero-click exploit, which means it only needs to be sent to the phones of kidnapped citizens. It doesn't require any interaction from the recipient.
While this may be capable of locating phones, it won't necessarily locate people. No one kidnapped by Hamas would be allowed to keep their phone. However, their captors are certainly in possession of their phones and, in many cases, already have access to their contents. As long as the phones are useful to Hamas, the use of this spyware will allow the government to track the captors. If the phones have been disposed of for exactly this reason - i.e., the possibility they may be converted Israeli government surveillance devices - this effort will go nowhere.
That doesn't mean it's not worth trying. And it presents a case study for actually useful, non-harmful deployments of powerful cell phone exploits. This is the sort of situation where citizens would welcome government intrusion, and that's when governments should be prepared to do things like this.
Obviously, it's not a great way to make money. Both companies appear to be providing their spyware for free. No local company would want to appear to be making a buck on their fellow citizens' misery... at least not in cases like these. That they're willing to help their own government engage in domestic surveillance for truly harmful reasons shows what they're willing to do for a buck, but they can be altruistic when the situation calls for it.
It's very possible malware like NSO's Pegasus exploit has helped law enforcement locate kidnapped people before. Great! But that has been the exception, rather than the rule. And the companies pitching in here know you can't make good money helping out worthy causes or refusing to sell to autocrats or pulling the plug on contracts the moment any questionable uses are discovered.
So, we have what we have here: a worthwhile use of powerful spyware that will always be an anomaly, no matter how often exploit supplies like this are investigated, curtailed, or blacklisted. Hurting powerless people will always be more profitable than helping them. NSO and its competitors will live on, supplying autocrats with tools to silence criticism and stifle dissent. Because that's where the money actually is.