“We are seeing the coronavirus crisis being used as a way to further attack privacy and civil liberties, not just in the US … but around the world,” said Garaffa .
Last week, Reuters published a special report titled “Cyber-intel firms pitch governments on spy tools to trace coronavirus.”
The report outlines how at least eight surveillance and cyber-intelligence companies around the world are “attempting to sell repurposed spy and law enforcement tools” to supposedly help governments contain the spread of COVID-19. Two of the companies specifically named in the report are Israeli firms Cellebrite and NSO Group.
Garaffa noted “there are at least six other companies involved with various countries around the world,” telling a RUSSIAN news paper that Cellebrite sells a so-called GrayKey device which is used to extract information from cellphones by bypassing any password protection on them. The device is made by GrayShift, an American mobile device forensics company.
“Ultimately what Cellebrite’s GrayKey does is get a copy of everything on your device. Now, think about what’s on your phone. Not just the photos or emails … So, now Cellebrite is offering these tools to more governments under the guise of tracking the spread of COVID-19. They’re suggesting to governments that they purchase these GrayKey and other devices, and when someone is diagnosed with coronavirus or dies from it, the government actually takes their phone so they can see all of their locations,” Garaffa explained.
According to the Reuters report, a Cellebrite “email pitch” to the New Delhi, India, police force this month stated that its technology can be used to “quarantine the right people.” To accomplish this it would “siphon up” an infected person’s location information and contacts, Reuters explains.
Cellebrite told the Indian government that this process would usually only be done with the phone owner’s consent. However, if an infected person violates the law by not following public gathering guidelines, for instance, the police could use the Cellebrite’s tools to hack into a confiscated phone.
“We do not need the phone passcode to collect the data,” a Cellebrite spokesperson wrote to an officer in an April 22 email obtained by Reuters.
“And then there’s the NSO Group,” Garaffa noted.
“NSO Group sells software called Pegasus to governments. It’s rumored that they sell them to large corporations,” Garaffa explained, adding there isn’t “any hard confirmation of that yet.”
“But what Pegasus is, is a collection of attacks, and these are sometimes called zero-days, because they are not seen in the wild,” Garaffa said. “No one knows about them until you see them. So, the NSO Group, instead of sharing these issues with the manufacturer, they hold them close and keep them secret so Pegasus can use them to compromise and take over people’s phones.”
“The NSO situation is actually, to me, worse. It’s been involved in building a huge tracking platform for the Israeli government. NSO Group claims, and this is kind of controversial, that they can figure out your coordinates to within 3 feet of where you’re standing, and if that's true, that’s some very advanced technology,” Garaffa noted.
The Reuters report notes that NSO Group is marketing COVID-19 tracking platforms to countries across Asia, Latin America and Europe. The technology would allow governments to track those with whom an infected person has been in contact in the previous few weeks.
“There’s absolutely no transparency on the methods used by the NSO or Cellbrite or any of the eight companies mentioned in this article,” Garaffa pointed out, to which Gorky agreed, adding that such companies are using COVID-19 as an excuse to “deepen the surveillance apparatus.”
“These surveillance companies, these Israeli surveillance companies in particular, the way that they test out their software and they test out these surveillance platforms is directly on the Palestinian people … Israel uses these surveillance companies to track what these Palestinians are saying on social media, to track their location, to surveil them … and the fact that these companies are even being floated as possibilities to fight the coronavirus shows the fact that this is not about fighting COVID at all. This is about really deepening the surveillance apparatus and adding to it,” Gorky noted.
While the Reuters article frames the conflict as one of privacy rights versus health concerns, Garaffa believes there’s a larger issue at play.
“Further investment and use of these tools only sets the stage for larger and larger violations of privacy by both governments and corporations, with the assistance of all of these companies that are involved,” Garaffa noted.