After chiding Apple on privacy, Germany says it uses Pegasus spyware
Germany's Federal Criminal Police Office (BKA) purchased access to NSO Group's Pegasus spyware in 2019 after internal efforts to create similar iOS and Android surveillance tools failed.
The federal government revealed the agreement with NSO in a closed-door session with the German parliament's Interior Committee on Tuesday, reports Die Zeit.
When the BKA began to use Pegasus is unclear. While Die Zeit says the tool was purchased in 2019 and is currently used in concert with a less effective state-developed Trojan, a separate report from Süddeutsche Zeitung, via DW.com, cites BKA Vice President Martina Link as confirming an acquisition in late 2020 followed by deployment against terrorism and organized crime suspects in March.
Officials made the decision to adopt Pegasus in spite of concerns regarding the legality of deploying software that can grant near-unfettered access to iPhone and Android handsets. As noted in the report, NSO's spyware exploits zero-day vulnerabilities to gain access to smartphones, including the latest iPhones, to record conversations, gather location data, access chat transcripts and more.
Germany's laws state that authorities can only infiltrate suspects' cellphones and computers under special circumstances, while surveillance operations are governed by similarly strict rules.
BKA officials stipulated that only certain functions of Pegasus be activated in an attempt to bring the powerful tool in line with the country's privacy laws, sources told Die Zeit. It is unclear how the restrictions are implemented and whether they have been effective. Also unknown is how often and against whom Pegasus was deployed.
According to Die Zeit, Germany first approached NSO about a potential licensing arrangement in 2017, but the plan was nixed due to concerns about the software's capabilities. Talks were renewed after the BKA's attempts to create its own spyware fell short.
In July, a cooperative report from 17 media organizations exposed methods by which Pegasus has been abused by authoritarian governments to spy on human rights activists, journalists and business leaders. The same report noted a leaked list of more than 50,000 phone numbers that are thought to be tied to people of interest for supposed NSO clients.
The findings prompted swift condemnation from Apple and sparked an Israeli inquiry into NSO's business dealings.
Tuesday's news comes less than a month after the Bundestag's Digital Agenda committee chairman, Manuel Höferlin, declared Apple to be on a "dangerous path" with plans to enact on-device child sexual abuse material (CSAM) monitoring. Höferlin expressed unease over the initiative in a letter to Apple CEO Tim Cook, saying the system undermines "secure and confidential communication" and represents the "biggest breach of the dam for the confidentiality of communication that we have seen since the invention of the Internet," according to a machine translation of the text.
Apple has since postponed the feature's rollout as it gathers feedback on the matter.
Comments
For this reason it is important that there is a strong opposition from within the government.
One more reason for Apple not to add technologies that enable surveillance (and may be hacked) into iOS.
I hope that CSAM scanning on the device is now dead.
The database of image hashes is government controlled. For those who will claim that it's an "independent" organization, no it isn't. It's government funded, therefore it is government controlled.
So they could add any images or hashes on your device or manipulate the algorithm to detect other images and not to report to Apple but an intelligence agency.
Thinking it's impossible to hack by definition is naive.
It would be much more secure for the user if this scan would only happen in the cloud.
The use by governments of spyware on personal devices without court oversight and public accountability is a formula for all kinds of trouble. Our laws are supposed to be designed to protect us from self incrimination and it would seem that planting spyware on someone’s device would violate that.
Beyond that, if you can plant spyware on a phone you can plant photos or other files on a phone that you then “discover” and use as evidence against someone. The potential for abuse is substantial.
I get that Apple is under intense pressure by the Police and National Security State to turn our devices into Orwell’s Telescreen - pocket edition, but scanning files without cause is simply not an acceptable thing.
It really is a shame that in the end Apple will do server side scanning like all the rest and so by doing so will know much more about you than the system they made that made it so that for 99% of the people nothing would be flagged at Apple and their privacy would not have been compromised … just because over 50% just don't have a clue or got misled with the totally wrong search warrant type where police can search your home, anyway it's off the books … as is iCloud full end to end encryption, which this technology was laying the foundation for.
Apple cannot say, we do not have the technical capability - because Apple just created it. The back end is just a search and comparing hashes with a database of known data - The Chinese Government could easily demand that for iPhones sold / registered for use in China Apple must point to a different database for comparison. The Chinese Government could then manipulate the database to identify whatever they want and the human reviewers could very well be either 1) employees of the Chinese GOV who support the efforts, or 2) fearful of saying anything because of possible retaliation.
It doesn't have to be China - insert "Putin" - "Lukashenko" of Belarus, or any dictator you care -
As it is now - Apple doesn't provide that capability - because it doesn't exist, but, once the capability is created - it can be abused, doesn't need to be hacked. Just controlled. For all that Apple says that it will refuse - it really only "refuses" when it is the FBI demanding they do something, they often make adjustments favoring the Chinese Government, otherwise, they'd get kicked out of the country. In these cases, such as blocking free speech, or apps that enable free communication outside Chinese controlled channels, Apple bows to the demands of the government in the name of "obeying local law of the land." Apple cannot even drop it in a future iOS release if it starts to be abused, because this corrupt government can just say, any updated iOS Version that doesn't support this kind of search is not secure and cannot be rolled out in their country until it does. Nothing Apple can do about it.
So, that's what happens when local law of the land is corrupt and can easily be turned to bad outcomes.
So - no matter the noble purposes behind the effort - a lot of really, really bad things can come out of it.
Apple should NOT move forward.
It just doesn't add up.
If China or another bad actor wants this ability and has the will to pursue it, and they certainly know that it's possible, then they can pass the law at any time. Whether the capability is currently deployed or not is not a shield.
And Apple, being oh so considerate as to follow all local laws and regulations, will bend over and turn it over to them.