SURVEILLANCE SOFTWARE THREATENS PRIVACY
SURVEILLANCE SOFTWARE
INTRODUCTION
The modern information environment is already saturated with massive amounts of
data and with malicious monitoring. Digital devices, software and sensors are everywhere:
each of us carries mobile digital devices around the clock, creating a continuous,
mobile network of digital information that follows us wherever we move. Our
reliance on digital technology, beyond its benefits, has created vulnerabilities that can
be exploited by various entities for their own gain.
The evolution of digital social media platforms into powerful and highly
intrusive social machines has helped create an environment of
"surveillance capitalism" within which we act and co-exist, and in which user behaviour is
monitored in exchange for, on the one hand, free access to various services and
applications, and, on the other, the capitalisation and exploitation, in various ways, of
the individual data produced. This model dominates not only social media but the
entire digital ecosystem, forcing digital platforms to adopt an intrusive, relentless logic
that accurately approximates our digital behaviour patterns.
DIGITAL SECURITY
The European Union Agency for Cybersecurity (ENISA) has listed digital surveillance
among the top ten emerging cybersecurity threats for 2030.
Although software has improved in terms of cyber-security, it still has
weaknesses, and malicious actors (hackers, groups, companies, states,
etc.) exploit these vulnerabilities for their own benefit (money, reputation, power,
malicious intentions, etc.).
The result is the production of high-"value" tracking software that is used to
serve a variety of nefarious purposes.
More specifically, the latest versions of tracking software can access a target's device
without any visible sign of tampering, that is, without having to trick the target into
taking an action (clicking) on a link.
This means that any malicious actor (hackers, groups, organisations, states, etc.)
can use spyware (Pegasus, Predator, etc.) to infiltrate users' devices either with little effort
(traditional malware, social engineering, phishing, etc.) or entirely invisibly (advanced
spyware). Users practically cannot defend themselves effectively,
since at their level, and for the sake of practicality and usability, they can adopt only limited
protection measures such as two-factor authentication, a password manager,
or an application such as Signal for exchanging messages.
Unfortunately, while the perpetrators use the latest software technology
(seemingly taken from the future) so that with one simple action, or none at all, they can penetrate the
victim's devices without their knowledge, the controls and oversight mechanisms
belong to past centuries.
There are many types of malware (viruses, trojan horses, digital worms, etc.),
which can be installed on users' digital devices in many ways (attacks):
1. Phishing: tricking users into revealing sensitive information
(passwords, account numbers or personal data).
2. Clickjacking: tricking users into acting (clicking) on a hyperlink or
button.
3. Zero-click attacks: these attacks take advantage of a zero-day vulnerability in
the system without requiring any intervention from users, who are usually unaware of
the attacks and therefore unable to deal with them or mitigate their effects.
4. Drive-by download attacks: launched from infected websites, allowing
malicious actors to infiltrate, access, control and collect large amounts of information
from digital devices. An evolution of these attacks is the watering hole attack, in
which the attacker identifies websites known to be visited by users of the target digital
system, infects them with software aimed at obtaining information about the users and
the digital system, and waits until some users visit the page and become infected.
SURVEILLANCE
Historically, intelligence agencies pursued the same kinds of
information they look for today, but they used "traditional" surveillance techniques
(agents, photographs, "bugs", etc.) to obtain it, which were mostly scattered, quite laborious
and very primitive.
Digital monitoring and surveillance has removed many of the physical
limitations, giving agencies enormous "invisible" surveillance capabilities.
Monitoring can be categorized as follows:
1. Traditional (classic): deliberate, systematic and sustained surveillance of
individuals and groups, focusing effort on personal information for purposes of
influence, management, protection or direction.
2. Modern: an evolution of traditional surveillance using sophisticated means that
overcome the space-time, quantitative and other limitations of traditional surveillance.
3. Targeted: addresses specific persons of interest.
4. Mass (diffuse): directed indiscriminately at large groups of people or
even at entire states, affecting private life, data protection, people's individual
rights (freedom of speech, association, assembly) and the democratic institutions of
society, especially participatory deliberative democracy, which guarantees three
fundamental aspects: the private autonomy of citizens, the democratic status of the citizen,
and the independence of a public sphere.
Of particular importance is targeted espionage through spyware,
which is more concerning because of its level of intrusiveness. For an entity
(government agency, etc.) to be able to penetrate a digital device is a qualitative
evolutionary leap in the capabilities of government surveillance and control, given that
most governments around the world do not have the proper institutional checks and
balances to prevent abuse of power.
In essence, covert surveillance creates the impression of a Panopticon effect,
which puts pressure on individuals to behave in accordance with what they believe is
expected of them, as they are under the mere possibility of being monitored and
'punished'.
SURVEILLANCE SOFTWARE
Spyware compromises digital devices, enabling covert, pervasive surveillance,
the unnecessary deployment of which affects a range of human rights such as
privacy, data protection and individual rights (freedom of speech, association,
assembly), as well as the democratic institutions of society and especially participatory
deliberative democracy.
From this perspective, the use of spyware can affect political participation and
ultimately the electoral process itself, not only because the targeted users feel
compelled to refrain from interacting with political content,
expressing their honest opinions and socialising with others for political purposes, but
also because the collected information, possibly manipulated, may be used to carry
out smear campaigns against undesirable candidates or to take other actions that
reduce their chances of success in elections.
The cyber intervention of surveillance software in the electoral process, through
the extraction of private information from the victims' devices, is the first
step towards so-called "doxing", i.e. gaining unauthorised access to digital systems and
user accounts (e-mail, MKS, etc.), extracting non-public data, and then leaking the
data to the public.
Material obtained through monitoring software can enable two types of
malicious doxing:
Strategic hacking: selective leaking of material on matters of public interest,
with the aim of promoting friendly interests (party, political, etc.).
Altered leaks (disinformation): deliberately incorporating false or misleading
information into a larger body of genuine confidential data leaked to the public.
SPY SOFTWARE: THE EXAMPLE OF PEGASUS
Surveillance software such as Predator, Pegasus, QuaDream, Candiru and Karkadann
has the ability to:
1. Carry out attacks with or without user action (a click).
2. Gain full access to the targeted devices.
3. Leave little or no trace of its activity.
After gaining full access, the software performs:
1. Initial data export
Export of information already available on the device, such as SMS and calendar files,
contact details, call history, e-mail messages, instant messages and browsing history.
2. Passive surveillance
Real-time collection of new information (as above) as well as location tracking via cell ID.
3. Active surveillance
Features of the target device are used to perform further activities such as location
tracking using GPS, recording voice calls and ambient sound, file retrieval, taking photos and
saving screenshots.
4. Additional actions
Modifying the content of the device, creating and storing fake messages or other
documents, sending fake messages, impersonating the owner of the device, gaining
access to the owner's digital or physical assets and possibly conducting transactions in
the owner's name, and planting false evidence of crimes or other illegal activities on the
device.
According to the Pegasus Project, targets of the software included:
• Members of the Arab Royal Family
• 64 Entrepreneurs
• 84 Human Rights Activists
• 600+ political and government officials
• 189 Journalists
A list of 50,000 phone numbers was also leaked, appearing to belong to people who
had been selected as potential surveillance targets:
• Terrorists and known criminals.
• Business executives.
• Religious figures.
• University students.
• NGO employees.
• Union and government officials (Presidents, Prime Ministers, Ministers).
• 100 journalists, including editors and executives of leading publications.
According to a report to the European Parliament, several countries (Hungary, France,
Spain, Finland, Poland and Belgium) have been accused of abusive use of surveillance
software such as Pegasus, with victims including journalists, politicians, academics,
prosecutors, lawyers and government officials.
NATIONAL SECURITY
The concept of national security has a broad and not clearly defined meaning. The use
of spyware is usually justified by invoking national security, a concept more closely
related to the idea of national defence, whose extended use should be avoided; it should be
understood restrictively and distinguished from the concept of internal security, which
has a wider scope that includes the prevention of risks to individual citizens (terrorism,
serious and organised crime
On Sep 21, EU Justice Commissioner Didier Reynders denounced the abusive
invocation of national security, condemning in full the alleged attempts by the
national security services of several states to illegally obtain information about political
opponents through their phones. In the same vein, the UN Human Rights Council has
recognised that many states have used counter-terrorism powers as a cynical legal
pretext to limit freedom of expression, legalise torture and other forms of ill-treatment,
and intimidate minorities, activists and the opposition.
The EU Agency for Fundamental Rights has found that this concept (national security)
is relatively undefined and understood in different ways in different legal systems;
in general, however, national security cannot include activities that aim to:
• Unfavourably influence political opponents;
• Affect democratic processes, such as elections, or government functions, such as
justice and administration;
• Intervene in the media;
• Target human rights activists;
• Suppress criticism and dissent;
• Provide special advantages to favoured businesses or industries; or
• Benefit or harm members of groups defined by religion, political opinion, nationality,
race, gender or other categories of people who may be subject to discrimination.
Of course, the fact that competence for national security has not been
transferred by the Member States does not mean that acts performed in the
exercise of this competence are excluded from the scope of Union law. This principle
has been confirmed by the CJEU in several cases (Schrems I and II, La Quadrature du Net
2020, SpaceNet and Telekom Deutschland 2022) in which the Court ruled on matters
concerning the monitoring and management of digital personal data.
ENFORCEMENT OF THE LAW
While national security activities are excluded from the scope of the main acts
of EU data protection law, this is not the case for law enforcement activities, which fall
within the scope of the Law Enforcement Directive. According to Article 1(1) of that
Directive, it governs the processing of personal data by competent authorities for the purposes
of the prevention, investigation, detection or prosecution of criminal offences or the
execution of criminal penalties, including the safeguarding against and the prevention
of threats to public security.
The use of surveillance software for law enforcement purposes must be
considered on a case-by-case basis, taking into account multiple factors: the
seriousness of the crime or security risk to be investigated or prevented, the limitations
under which system functions are used, and the applicable national law.
LEGAL
Surveillance activities must be assessed in accordance with both UN international law (human
rights treaties, the International Covenant on Civil and Political Rights) and European law (the EU Charter
of Fundamental Rights, the European Convention on Human Rights, etc.).
The use of spyware is a threat to fundamental rights and fundamental principles
of EU law, such as (representative-deliberative) democracy and the rule of law.
The European Court of Human Rights has found that secret surveillance violates
"private life" but also sometimes "home" and "correspondence" and thus raises an issue
under Article 8 of the European Convention on Human Rights.
National security activities may justify restrictions on fundamental rights, but
for such restrictions to be lawful, they must meet the conditions of legality, necessity,
proportionality, legitimacy, balancing and consistency with democracy.
Such interference can only be justified if the conditions laid down in Article 8(2)
are met, i.e. when the interference is provided for by law and is a measure which, in a
democratic society, is necessary for national security, public safety, the economic well-being
of the country, the prevention of disorder or crime, the
protection of health or morals, or the protection of the rights and freedoms of others
[…].
Following the Snowden revelations, the Parliamentary Assembly of the Council of
Europe, in its Resolution 2045, stated that surveillance practices by states put at risk
human rights, which are "the cornerstones of democracy" and whose "breach without
adequate judicial review also endangers the rule of law".
EPILOGUE
We should recognise that there are serious threats to people's safety and well-being,
and for this reason states have agencies (law enforcement, security services,
armed forces, etc.) tasked with maintaining security (private, national, etc.).
In fact, we need well-equipped, well-trained security services that respect
human rights, but on the other hand we cannot have a situation where law
enforcement and secret services operate without oversight and institutional checks
and balances, which seems to be happening in many of the countries in Europe that
have been involved in scandals related to the Pegasus program.
Mass domestic surveillance of at least a
segment of the population, by one or more security services, without any proper
guarantees or oversight and certainly without transparency or accountability, is very
dangerous for liberal democracy, which is then likely to begin slipping towards
authoritarianism; this is certainly a concern for every citizen of any country.
Although there are legislative frameworks in place at the state and international
level, they are clearly inadequate for the kind of monitoring that is now available. There is
therefore a need to invest in strong, modern and independent mechanisms of restraint and
oversight to prevent abuse of power and preserve liberal democracy. Moving
forward, the principles that have their roots in ancient Greece, in the idea of the separation
of powers and of checks and balances, remain at the heart of liberal democracy, and we have to
remind people that we cannot take them for granted.
The Russian invasion of Ukraine showed that, despite the digital evolution, we
still live very much in a physical world, where conventional military operations can cause
appalling losses of human life and infrastructure. In this specific conflict, although it
was expected, no confrontation of any kind was observed in the field of cyberspace,
while, on the contrary, the conflict was extensive in the information environment and
especially in the fields of strategic communication, disinformation, propaganda and
the spreading of messages.