By Branka Marijan
Published in The Ploughshares Monitor Volume 40 Issue 1 Spring 2019
Last December, Bahr Abdul Razzak, a Syrian refugee and a researcher at Citizen Lab, a digital watchdog based at the University of Toronto, received a message on LinkedIn. The message was from Gary Bowman, a South African technology executive based in Madrid. Bowman said that he had come across Razzak’s profile on LinkedIn and was impressed by his efforts to support refugees, as well as his tech background. Bowman wanted to discuss a new tech initiative with Razzak in person. The two agreed to meet at a hotel in Toronto.
At the meeting, Razzak quickly realized that Bowman was not actually interested in discussing refugees or initiatives. Instead, he asked questions about Razzak’s work at Citizen Lab, his views on Israel and Israeli cyber-espionage company NSO Group, and his religious practices.
In the months prior to this meeting, Citizen Lab had revealed that NSO Group software was being used to infect the phones of dissidents, human-rights activists, and journalists all over the world. Most notable was the cell phone belonging to a friend of Jamal Khashoggi, the journalist murdered in the Saudi embassy in Turkey.
Razzak and his colleagues at Citizen Lab quickly discovered that the company Bowman supposedly worked for did not exist. They alerted journalists from the Associated Press, and an AP reporter in Spain went to the address of Bowman’s company offices and found no trace of them.
A few weeks later, Razzak’s colleague John Scott-Railton received a message from a director of an agricultural tech firm based in Paris. After a careful search and assistance from AP, Scott-Railton realized that he, too, was being targeted. But Scott-Railton still agreed to meet the French businessman in New York, armed with recording devices and with AP journalists close by. Again, the businessman was most interested in discussing the work of Citizen Lab. The journalists and researchers finally questioned the man openly, but didn’t learn much. They still don’t know who the two men were and why they were so interested in Citizen Lab.
Spies for hire
If this sounds like something out of a le Carré novel, it should be noted that this experience is not unique to Citizen Lab. Many civil society groups and activists—yes, in Canada, as well as in many other countries—have solid grounds for believing that they have been and are still under surveillance—by national security agencies and now, increasingly, by private entities.
In December 2017, The Guardian reported on the widespread surveillance of political groups by corporate intelligence firms. According to Guardian reporters, “the police have claimed that commercial firms have had more spies embedded in political groups than there were undercover police officers.”
The lack of oversight and regulation of these firms raises serious questions about how civil society organizations and ordinary citizens are to protect their freedoms and rights. These questions are just as valid in democratic societies as in the countries in which citizens still struggle to obtain these rights.
In a recent op-ed posted on Al-Jazeera, a corporate spy using the alias Stefan Chase says that many organizations and individuals are engaged in corporate intelligence. According to Chase, finding a spy is as easy as ordering an Uber, as long as you have the cash to pay for the service.
Civil society vulnerabilities
Civil society groups are easy targets for spies. As Lennart Maschmeyer, a PhD candidate at the University of Toronto and a fellow at Citizen Lab, points out, civil society groups lack the resources and tools to protect themselves against such actors and against digital espionage capabilities. Few have the resources and understanding of Citizen Lab.
Maschmeyer reinforces the idea that the targeting of civil society groups is not simply a concern in authoritarian states. But it is certainly the case that private companies are providing spyware to authoritarian regimes. Some of this spyware is sophisticated, allowing governments to track the movements, and gain access to the personal information, of individual activists.
As Maschmeyer notes, the effects of infiltrating civil society organizations are difficult to assess. Financial damage rarely occurs. Rather, individuals and their family members are persecuted in some way; in non-democratic countries they could be arrested. And trust is lost, on many levels—by those directly involved, and within the extended communities to which they belong.
The need for digital literacy and ethics
In some societies, the effects of spying can be prison and even death for those who engage in civil society activities. In many others, the effects are not so extreme. However, when an organization is made to feel insecure, when it doesn’t know which, if any, of its members have ulterior motives, then activism and advocacy work suffer.
It is not easy to prevent your organization from being monitored or infiltrated, especially in this age of algorithms and smartphones. But it is possible to become better aware of cybersecurity capabilities. Up-to-date digital literacy skills are important for everyone today, and they are crucial for those involved in advocacy.
Governments must also play their part. Commercial spyware companies, particularly those that sell spyware that is then used to target human-rights activists and other nongovernmental organizations, must be regulated and controlled.
Private companies need to operate under a code of ethics that prohibits sales of surveillance technologies to actors who are likely to use them to cause harm.
The Citizen Lab case provides a stark reminder of the need to protect the rights and freedoms of civil society groups. Not just for the benefit of individuals, but for all of us who value democratic norms.