Daily Bulletin

Spyware merchants: the risks of outsourcing government hacking

  • Written by: Monique Mann, Lecturer, School of Justice, Researcher at the Crime and Justice Research Centre and Intellectual Property and Innovation Law Research Group, Faculty of Law, Queensland University of Technology

An Australian Tax Office (ATO) staffer recently leaked on LinkedIn a step-by-step guide to hacking a smartphone.

The documents, which have since been removed, indicate that the ATO has access to Universal Forensic Extraction software made by the Israeli company Cellebrite. This technology is part of a commercial industry that profits from bypassing the security features of devices to gain access to private data.

The ATO later stated that while it does use these methods to aid criminal investigations, it “does not monitor taxpayers’ mobile phones or remotely access their mobile devices”.

Nevertheless, the distribution of commercial spyware to government agencies appears to be common practice in Australia.

This is generally considered to be lawful surveillance. But without proper oversight, there are serious risks to the proliferation of these tools, here and around the world.

The dangers of the spyware market

The spyware market is estimated to be worth millions of dollars globally. And as Canadian privacy research group Citizen Lab has noted, spyware vendors have been willing to sell their wares to autocratic governments.

There are numerous examples of spyware being used by states with dubious human-rights records. These include the surveillance of journalists, political opponents and human rights advocates, including more recently by the Mexican government and in the United Arab Emirates. In Bahrain, the tools have reportedly been used to silence political dissent.

Image: A rally in support of Apple’s refusal to help the FBI access the cell phone of a gunman involved in the killings of 14 people in San Bernardino, in Santa Monica, California, United States. REUTERS/Lucy Nicholson

Commercial spyware often steps in when mainstream technology companies resist cooperating with law enforcement because of security concerns.

In 2016, for example, Apple refused to assist the FBI in circumventing the security features of an iPhone. Apple claimed that being forced to redesign their products could undermine the security and privacy of all iPhone users.

The FBI eventually dropped its case against Apple, and it was later reported the FBI paid almost US$1.3 million to a spyware company, reportedly Cellebrite, for technology to hack the device instead. This has never been officially confirmed.

For its part, Cellebrite claims on its website to provide technologies allowing “investigators to quickly extract, decode, analyse and share evidence from mobile devices”.

Its services are “widely used by federal government customers”, it adds.

Spyware merchants and the Australian Government

The Australian government has shown considerable appetite for spyware.

Tender records show Cellebrite currently holds Australian government contracts worth hundreds of thousands of dollars. But the specific details of these contracts remain unclear.

Fairfax Media has reported that the ATO, Australian Securities and Investments Commission, Department of Employment, Australian Federal Police (AFP) and Department of Defence all have contracts with Cellebrite.

The Department of Human Services has had a contract with Cellebrite, and Centrelink apparently uses spyware to hack the phones of suspected welfare frauds.

In 2015 WikiLeaks released emails from Hacking Team, an Italian spyware company. These documents revealed negotiations with the Australian Security and Intelligence Organisation (ASIO), the AFP and other law enforcement agencies.

Laws and licensing

In Australia, the legality of spyware use varies according to government agency.

Digital forensics tools are used with a warrant by the ATO to conduct federal criminal investigations. A warrant is typically required before Australian police agencies can use spyware.

ASIO, on the other hand, has its own powers, and those under the Telecommunications (Interception and Access) Act 1979, that enable spyware use when authorised by the attorney-general.

ASIO also has expanded powers to hack phones and computer networks. These powers raise concerns about the adequacy of independent oversight.

Image: Centrelink is using the services of spyware company, Cellebrite. AAP Image/Dan Peled

International control of these tools is also being considered.

The Wassenaar Arrangement, of which Australia is a participant, is an international export control regime that aims to limit the movement of goods and technologies that can be used for both military and civilian purposes.

But there are questions about whether this agreement can be enforced. Security experts also question whether it could criminalise some forms of cybersecurity research and limit the exchange of important encryption technology.

Australia has export control laws that apply to intrusion software, but the process lacks transparency about the domestic export of spyware technologies to overseas governments. Currently, there are few import controls.

There are also moves to regulate spyware through licensing schemes. For example, Singapore is considering a license for ethical hackers. This could potentially improve transparency and control of the sale of intrusion software.

It’s also concerning that “off-the-shelf” spyware is readily accessible to the public.

‘War on math’ and government hacking

The use of spyware in Australia should be viewed alongside the recent announcement of Prime Minister Malcolm Turnbull’s so-called war on maths.

The prime minister has announced laws will be introduced obliging technology companies to intercept encrypted communications to fight terrorism and other crimes.

This is part of a general appetite to undermine security features that are designed to provide the public at large with privacy and safety when using smartphones and other devices.

Despite the prime minister’s statements to the contrary, these policies can’t help but force technology companies to build backdoors into, or otherwise weaken or undermine, encrypted messaging services and the security of the hardware itself.

While the government tries to bypass encryption, spyware technologies already rely on the inherent weaknesses of our digital ecosystem. This is a secretive, lucrative and unregulated industry with serious potential for abuse.

There needs to be more transparency, oversight and strong steps toward developing a robust framework of accountability for both the government and private spyware companies.

Read more http://theconversation.com/spyware-merchants-the-risks-of-outsourcing-government-hacking-80891
