After chiding Apple on privacy, Germany says it uses Pegasus spyware

Posted:
in General Discussion edited September 2021
Germany's Federal Criminal Police Office (BKA) purchased access to NSO Group's Pegasus spyware in 2019 after internal efforts to create similar iOS and Android surveillance tools failed.

BKA


The federal government revealed the agreement with NSO in a closed-door session with the German parliament's Interior Committee on Tuesday, reports Die Zeit.

When the BKA began to use Pegasus is unclear. While Die Zeit says the tool was purchased in 2019 and is currently used in concert with a less effective state-developed Trojan, a separate report from Suddeutsche Zeitung, via DW.com, cites BKA Vice President Martina Link as confirming an acquisition in late 2020 followed by deployment against terrorism and organized crime suspects in March.

Officials made the decision to adopt Pegasus in spite of concerns regarding the legality of deploying software that can grant near-unfettered access to iPhone and Android handsets. As noted in the report, NSO's spyware exploits zero-day vulnerabilities to gain access to smartphones, including the latest iPhones, to record conversations, gather location data, access chat transcripts and more.

Germany's laws state that authorities can only infiltrate suspects' cellphone and computers under special circumstances, while surveillance operations are governed by similarly strict rules.

BKA officials stipulated that only certain functions of Pegasus be activated in an attempt to bring the powerful tool in line with the country's privacy laws, sources told Die Zeit. It is unclear how the restrictions are implemented and whether they have been effective. Also unknown is how often and against whom Pegasus was deployed.

According to Die Zeit, Germany first approached NSO about a potential licensing arrangement in 2017, but the plan was nixed due to concerns about the software's capabilities. Talks were renewed after the BKA's attempts to create its own spyware fell short.

In July, a cooperative report from 17 media organizations exposed methods by which Pegasus has been abused by authoritarian governments to spy on human rights activists, journalists and business leaders. The same report noted a leaked list of more than 50,000 phone numbers that are thought to be tied to people of interest for supposed NSO clients.

The findings prompted swift condemnation from Apple and sparked an Israeli inquiry into NSO's business dealings.

Tuesday's news comes less than a month after the Bundestag's Digital Agenda committee chairman, Manuel Hoferlin, declared Apple to be on a "dangerous path" with plans to enact on-device child sexual assault material monitoring. Hoferlin expressed unease over the initiative in a letter to Apple CEO Tim Cook, saying the system undermines "secure and confidential communication" and represents the "biggest breach of the dam for the confidentiality of communication that we have seen since the invention of the Internet," according to a machine translation of the text.

Apple has since postponed the feature's rollout as it gathers feedback on the matter.

Read on AppleInsider

Comments

  • Reply 1 of 18
    I would bet that intelligence services of nearly all developed countries used Pegasus.
    For this reason it is important that there is a strong opposition from within the government.
    One more reason for Apple not to add technologies that enable surveillance (and may be hacked) into iOS.
    I hope that CSAM scanning on the device is now dead.
    edited September 2021 baconstangjahbladerinosaurdarkvader
  • Reply 2 of 18
    ikirikir Posts: 127member
    xyzzy-xxx said:
    I would bet that intelligence services of nearly all developed countries used Pegasus.
    For this reason it is important that there is a strong opposition from within the government.
    One more reason for Apple not to add technologies that enable surveillance (and may be hacked) into iOS.
    I hope that CSAM scanning on the device is now dead.
    have you see how really CSAM works? It is quite impossibile for any government to hack it by definition. And the reason the hash match (which is not a photo scan) happens on device.
    watto_cobrajony0StrangeDays
  • Reply 3 of 18
    ikir said:
    xyzzy-xxx said:
    I would bet that intelligence services of nearly all developed countries used Pegasus.
    For this reason it is important that there is a strong opposition from within the government.
    One more reason for Apple not to add technologies that enable surveillance (and may be hacked) into iOS.
    I hope that CSAM scanning on the device is now dead.
    have you see how really CSAM works? It is quite impossibile for any government to hack it by definition. And the reason the hash match (which is not a photo scan) happens on device.
    For reasons I and others have related elsewhere, not only is it not "impossible for any government to hack it," it seems probable that some government somewhere will, in fact, hack it.

    The database of image hashes is government controlled.  For those who will claim that it's an "independent" organization, no it isn't.  It's government funded, therefore it is government controlled.
    xyzzy-xxxdavdarkvader
  • Reply 4 of 18
    One question about the CSAM database.  Is it publicly available?  Seems as if groups can get look at the database and the phone is tied just to this database, it would be difficult for governments to alter the lists to other types of images as I’m sure privacy groups would be all over undocumented changes to the list. 
  • Reply 5 of 18
    ikir said:
    xyzzy-xxx said:
    I would bet that intelligence services of nearly all developed countries used Pegasus.
    For this reason it is important that there is a strong opposition from within the government.
    One more reason for Apple not to add technologies that enable surveillance (and may be hacked) into iOS.
    I hope that CSAM scanning on the device is now dead.
    have you see how really CSAM works? It is quite impossibile for any government to hack it by definition. And the reason the hash match (which is not a photo scan) happens on device.
    Pegasus enabled governments to put any code on devices just by sending an sms.
    So they could add any images or hashes on your device or manipulate the algorithm to detect other images and not to report to Apple but an intelligence agency.
    Thinking it's impossible to hack by definition is naive.
    It would be much more secure for the user if this scan would only happen in the cloud.
    davbaconstang
  • Reply 6 of 18
    ikir said:
    xyzzy-xxx said:
    I would bet that intelligence services of nearly all developed countries used Pegasus.
    For this reason it is important that there is a strong opposition from within the government.
    One more reason for Apple not to add technologies that enable surveillance (and may be hacked) into iOS.
    I hope that CSAM scanning on the device is now dead.
    have you see how really CSAM works? It is quite impossibile for any government to hack it by definition. And the reason the hash match (which is not a photo scan) happens on device.
    For reasons I and others have related elsewhere, not only is it not "impossible for any government to hack it," it seems probable that some government somewhere will, in fact, hack it.

    Awesome statement with no basis in fact whatsoever.
    watto_cobrajony0
  • Reply 7 of 18
    Pretty sure that Fandroid phones do not need to be hacked- they are Google spyware out of the box.

    The use by governments of spyware on personal devices without court oversight and public accountability is a formula for all kinds of trouble. Our laws are supposed to be designed to protect us from self incrimination and it would seem that planting spyware on someone’s device would violate that.

    Beyond that, if you can plant spyware on a phone you can plant photos or other files on a phone that you then “discover” and use as evidence against someone. The potential for abuse is substantial.

    I get that Apple is under intense pressure by the Police and National Security State to turn our devices into Orwell’s Telescreen - pocket edition, but scanning files without cause is simply not an acceptable thing.
    xyzzy-xxxdavbaconstangwatto_cobra
  • Reply 8 of 18
    For reasons I and others have related elsewhere, not only is it not "impossible for any government to hack it," it seems probable that some government somewhere will, in fact, hack it.

    Awesome statement with no basis in fact whatsoever.
    Just get informed about what Pegasus was able to do with any iPhone by just sending a sms – this should be fact enough ...
    davjahbladedarkvader
  • Reply 9 of 18
    hexclockhexclock Posts: 1,066member
    ikir said:
    xyzzy-xxx said:
    I would bet that intelligence services of nearly all developed countries used Pegasus.
    For this reason it is important that there is a strong opposition from within the government.
    One more reason for Apple not to add technologies that enable surveillance (and may be hacked) into iOS.
    I hope that CSAM scanning on the device is now dead.
    have you see how really CSAM works? It is quite impossibile for any government to hack it by definition. And the reason the hash match (which is not a photo scan) happens on device.
    The list of things once deemed impossible that are now possible is truly immense. 
    darkvader
  • Reply 10 of 18
    ikir said:
    xyzzy-xxx said:
    I would bet that intelligence services of nearly all developed countries used Pegasus.
    For this reason it is important that there is a strong opposition from within the government.
    One more reason for Apple not to add technologies that enable surveillance (and may be hacked) into iOS.
    I hope that CSAM scanning on the device is now dead.
    have you see how really CSAM works? It is quite impossibile for any government to hack it by definition. And the reason the hash match (which is not a photo scan) happens on device.
    For reasons I and others have related elsewhere, not only is it not "impossible for any government to hack it," it seems probable that some government somewhere will, in fact, hack it.

    The database of image hashes is government controlled.  For those who will claim that it's an "independent" organization, no it isn't.  It's government funded, therefore it is government controlled.
    It’s controlled by 2 NGO’s and in fact it does not matter, even if the government slipped in some hashes, there will be a human review by Apple where it will be noted that the images reported are not child abuse CSAM images … 
    It really is a shame that in the end Apple will do server side scanning like all the rest and so by doing so will know much more about you than the system they made that made it so that for 99% of the people nothing would be flagged at apple and there privacy would not have been compromised … just because over 50% just don’t have a clue or got mislead with the totally wrong search warrant type where police can search your home, anyway it’s of the books … as is iCloud full end to end encryption, which this technology was laying the foundation for.
    jony0
  • Reply 11 of 18
    UNTIL, of course, a host nation - say - the Chinese government - passes a LAW stating in order to "protect the privacy of its citizens"; organizations using any technology to scan photos (such as what Apple proposed) must compare to a database hosted on servers that physically reside within the host country borders, and this database content must be vetted by said government, to "prevent false accusations"  - then - if an issue is found through AI, the human review team, which also must be housed within the host country borders, must be conducted under the supervision of Chinese Government Officials, all this again, to "protect" any potential false accusations. This "Government Vetted" Database could then include hashes of identifying groups they wish ill upon, opposition partiies, or whatever, then a "hit" on their phone will give the host government all the reason it needs to put these "good guys" in prison for a very long time. 

    Apple cannot say, we do not have the technical capability - because they Apple just created it. The back end is is just a search and comparing hashes with a database of known data - The Chinese Government could easily demand that for iPhones sold / registered for use in China Apple must to point to a different database for comparison. The Chinese Government could then manipulate the database to identify whatever they want and the human reviewers could very well be either 1) employees of the Chinese GOV who support the efforts, or 2) fearful of saying anything because of possible retaliation. 

    It doesn't have to be China - insert "Putin" - "Lukashenko" of Belrus, or any dictator you care -

    As it is now - Apple doesn't provide that capability - because it doesn't exist, but, once the capability is created - it can be abused, doesn't need to be hacked. Just controlled.  For all that Apple says that it will refuse - it really only "refuses" when it is the FBI demanding they do something, they often make adjustments favoring the Chinese Government, otherwise, they'd get kicked out of the country. In these cases such as, blocking free speech, or apps that enable free communication outside Chinese controlled channels, Apple bows to the demands of the government in the name of "obeying local law of the land. Apple cannot even drop it in a future iOS release if it starts to be abused, because this corrupt government can just say, any updated iOS Version that doesn't support this kind of search is not secure and cannot be rolled out in their country until it does. Nothing Apple can do about it. 

    So, that what happens when local law of the land is corrupt and can easily be turned to bad outcomes. 

    So - no matter the noble purposes behind the effort - a lot of really, really bad things can come out of it. 

    Apple should NOT move forward. 
    muthuk_vanalingambeowulfschmidt
  • Reply 12 of 18
    crowleycrowley Posts: 10,257member
    Merk182 said:
    UNTIL, of course, a host nation - say - the Chinese government - passes a LAW stating in order to "protect the privacy of its citizens"; organizations using any technology to scan photos (such as what Apple proposed) must compare to a database hosted on servers that physically reside within the host country borders, and this database content must be vetted by said government, to "prevent false accusations"  - then - if an issue is found through AI, the human review team, which also must be housed within the host country borders, must be conducted under the supervision of Chinese Government Officials, all this again, to "protect" any potential false accusations. This "Government Vetted" Database could then include hashes of identifying groups they wish ill upon, opposition partiies, or whatever, then a "hit" on their phone will give the host government all the reason it needs to put these "good guys" in prison for a very long time. 

    Apple cannot say, we do not have the technical capability - because they Apple just created it. The back end is is just a search and comparing hashes with a database of known data - The Chinese Government could easily demand that for iPhones sold / registered for use in China Apple must to point to a different database for comparison. The Chinese Government could then manipulate the database to identify whatever they want and the human reviewers could very well be either 1) employees of the Chinese GOV who support the efforts, or 2) fearful of saying anything because of possible retaliation. 

    It doesn't have to be China - insert "Putin" - "Lukashenko" of Belrus, or any dictator you care -

    As it is now - Apple doesn't provide that capability - because it doesn't exist, but, once the capability is created - it can be abused, doesn't need to be hacked. Just controlled.  For all that Apple says that it will refuse - it really only "refuses" when it is the FBI demanding they do something, they often make adjustments favoring the Chinese Government, otherwise, they'd get kicked out of the country. In these cases such as, blocking free speech, or apps that enable free communication outside Chinese controlled channels, Apple bows to the demands of the government in the name of "obeying local law of the land. Apple cannot even drop it in a future iOS release if it starts to be abused, because this corrupt government can just say, any updated iOS Version that doesn't support this kind of search is not secure and cannot be rolled out in their country until it does. Nothing Apple can do about it. 

    So, that what happens when local law of the land is corrupt and can easily be turned to bad outcomes. 

    So - no matter the noble purposes behind the effort - a lot of really, really bad things can come out of it. 

    Apple should NOT move forward. 
    You paint a hypothetical future picture where a government is evil and determined to do evil, and Apple is compliant and subservient, yet also paint a current picture where the government is equally evil and determined and yet plucky Apple have a get out card of "we do not have the technical capability".  

    It just doesn't add up.  

    If China or another bad actor wants this ability and has the will to pursue it, and they certainly know that it's possible, then they can pass the law at any time.  Whether the capability is currently deployed or not is not a shield.
    jony0StrangeDays
  • Reply 13 of 18
    crowleycrowley Posts: 10,257member
    The world you imagine is one where a mask mandate could be met with "we don't currently have any masks deployed so cannot possibly meet this requirement".  Sorry fella, that doesn't fly.
    jony0
  • Reply 14 of 18
    igorsky said:
    ikir said:
    xyzzy-xxx said:
    I would bet that intelligence services of nearly all developed countries used Pegasus.
    For this reason it is important that there is a strong opposition from within the government.
    One more reason for Apple not to add technologies that enable surveillance (and may be hacked) into iOS.
    I hope that CSAM scanning on the device is now dead.
    have you see how really CSAM works? It is quite impossibile for any government to hack it by definition. And the reason the hash match (which is not a photo scan) happens on device.
    For reasons I and others have related elsewhere, not only is it not "impossible for any government to hack it," it seems probable that some government somewhere will, in fact, hack it.

    Awesome statement with no basis in fact whatsoever.
    Based on 40 years of software development, I'm pretty confident of my "awesome" statement.
  • Reply 15 of 18
    crowley said:
    The world you imagine is one where a mask mandate could be met with "we don't currently have any masks deployed so cannot possibly meet this requirement".  Sorry fella, that doesn't fly.
    Unfortunately, we are moving into a reimagined Fascist world where the concept of the People demanding Govt establish Control is becoming very real. The cat is out of the bag for CSAM because Apple has already announced it has developed the code. Likewise, freedom of choice re COVID-19 is fast being eroded toward nonexistent Worldwide. What is next? IMHO we are well along the path towards global fascism and another “Dark Age”
    muthuk_vanalingam
  • Reply 16 of 18
    crowleycrowley Posts: 10,257member
    crowley said:
    The world you imagine is one where a mask mandate could be met with "we don't currently have any masks deployed so cannot possibly meet this requirement".  Sorry fella, that doesn't fly.
    Unfortunately, we are moving into a reimagined Fascist world where the concept of the People demanding Govt establish Control is becoming very real. The cat is out of the bag for CSAM because Apple has already announced it has developed the code. Likewise, freedom of choice re COVID-19 is fast being eroded toward nonexistent Worldwide. What is next? IMHO we are well along the path towards global fascism and another “Dark Age”
    I’d advise you to read up on what happened under actual fascism, because the fascists weren’t overly concerned with child abuse or protecting public health. You’ve got yourself all backward and you’re prioritising entirely the wrong set of freedoms.
  • Reply 17 of 18
    temperor said:
    It’s controlled by 2 NGO’s and in fact it does not matter, even if the government slipped in some hashes, there will be a human review by Apple where it will be noted that the images reported are not child abuse CSAM images … 

    For now they will be reviewed by Apple.  Until some government somewhere decides that for the safety of all their citizens, such a sensitive operation cannot be left in the hands of a private corporation, especially a greedy, money hungry one like Apple, decides to legislate that operation be turned over to the government, for the safety and security of all, of course.

    And Apple, being o so considerate as to follow all local laws and regulations, will bend over and turn it over to them.
    edited September 2021 muthuk_vanalingam
Sign In or Register to comment.