Privacy vs. Security in a Brave New World
— Pegasus spyware and the problem of electronic mass surveillance for human rights and democracy
By Mag. David Kainrath
Recent revelations about the Pegasus spyware are just the latest in a long row of disconcerting news of digital mass surveillance. At the heart of the problem lies the technological possibility for governments and companies to put everyone under complete electronic surveillance and thereby violate the human right to privacy. Apart from the severe loss of personal freedom that every individual suffers who is a victim of electronic spying, a political question looms: How much privacy are we prepared to sacrifice for security from threats?
Much of the controversy around the latest set of revelations is about the fact that technology for electronic surveillance has been sold to so-called “oppressive regimes”. But why are western governments and companies at the cutting edge of the development of digital surveillance technology, which has the potential to violate the human right to privacy of its own citizens, if they truly value freedom and democracy? Is it only because their companies happen to be technologically advanced enough, or are there political factors too?
Let’s start at the beginning of the latest surveillance scandal. A group of investigative reporters revealed that Israeli company NSO Group developed a method to hack any smartphone, both IPhone and Android, and give the attacker full control over all functions of the hacked phone. This means that no communication that ever took place on that phone is private anymore. The attacker can access all data and metadata that is stored on the phone, regardless of whether the owner of the phone used encryption such as messaging software Signal and Telegram or not. In addition, the attacker can also use the phone’s sensors, such as microphone, GPS location and camera, to spy on the victim of the hack in real-time, without the victim noticing it.
To add insult to injury, it appears that NSO Group sold the software to a long list of governments with a questionable record on human rights, such as the United Arab Emirates and Saudi Arabia, who supposedly used it to spy on innocent members of civil society as well as political opponents. Public outrage has rightly erupted about this treacherous practice. Why sell this powerful technology to governments and organizations with a known record of human rights abuses? Why provide them with these advanced spying tools, which they probably couldn’t develop on their own? This is certainly a justified moral question which needs to be asked. It certainly evokes the suspicion that for the right amount of cash, all the values that enlightened humanity holds dear, are for sale.
The NSO Group itself has indeed been bought and sold several times. In 2014, the American private equity firm Francisco Partners bought the company for $130 million. In 2015 Francisco was seeking to sell the company for up to $1 billion. The company was officially put up for sale for more than $1 billion in June 2017, roughly ten times what Francisco originally paid in 2014. At that time, NSO had almost 500 employees, up from around 50 in 2014. On August 1, 2018, the Human Rights Group Amnesty International accused NSO Group of helping Saudi Arabia spy on a member of the organization’s staff. Citizen Lab researchers reported in October 2018 that they were being targeted by undercover operatives connected to NSO. In response to an Associated Press report, NSO denied any involvement. In early February 2019, one of the operatives targeting Citizen Lab researchers was identified as Aharon Almog-Assouline, a “former Israeli security official living in the Tel Aviv suburb of Ramat Hasharon. On February 14, 2019, Francisco Partners sold a 60% majority stake of NSO back to co-founders Shalev Hulio and Omri Lavie, who were supported in the purchase by Novalpina Capital. Hulio and Lavie invested $100 million, with Novalpina acquiring the remaining portion of the majority stake, thus valuing the company at approximately $1 billion. The day after the acquisition, Novalpina attempted to address the concerns raised by Citizen Lab with a letter, stating their belief that NSO operates with sufficient integrity and caution. (See https://en.wikipedia.org/wiki/NSO_Group)
Cyber security experts also point to the fact that while probably being the most advanced spyware product available on the market, Pegasus and NSO Group are far from being the only players on this market. Apparently, an entire industry of electronic surveillance products exists in the shadows, comprising many different companies from many different countries. However, this discussion risks distracting the attention of the public from the systemically more important question of why we develop technology for electronic mass surveillance at all. Electronic mass surveillance by definition contradicts the human right to privacy and undermines democracy. Why then are we discussing the “follow-up question” of who should and should not have this technology rather than the original question of why it is being developed and whether it should be deployed in the first place? It doesn’t appear that any kind of consensus has been reached on the original question.
Let’s recall that Article 12 of the UN’s Universal Declaration of Human Rights which asserts that privacy is a human right. Arbitrary interference with someone’s privacy is considered an infringement of human rights. When corporations and governments can freely interfere with your privacy, it brings them a step closer to being able to infringe on speech or other rights. Many governments ban certain speech, certain religions, certain relationships, certain protests, and certain transactions that other countries consider obvious human rights to be able to do. In other words, under Article 12, people have a right to privacy, and only under the context of reasonable suspicion of a crime should governments be able to take lawful measures to gather information to prove the crime.
Electronic mass surveillance such as Pegasus simply provides tools (to whoever can pay for them) that are orders of magnitude more powerful than all of the previous means available to governments and law enforcement agencies. It also makes ignoring or circumventing the legal safeguards that citizens in democratic countries should have so much easier, undetectable, and basically risk-free for the transgressor. Under such circumstances, fears arise over a possible dystopian Orwellian future where nothing is private anymore.
Famous whistleblower Edward Snowden stated in an interview with the British newspaper The Guardian, that it makes almost no difference in effort and in cost whether 500, 50,000 or 50 million people are put under electronic surveillance. It all happens at the push of a button. This statement suddenly makes it very clear that we are not only dealing with a political question – the extent and limits to the right of privacy that every citizen should have – but quintessentially with a question of disruptive technological innovation and how societies should deal with it. (See Permanent Record (2019), Edward Snowden, p. 82 ff)
A comparison with the historical example of the German Democratic Republic colloquially referred to as East Germany clarifies the point. The East German Ministry of State Security, STASI, deployed one of the largest, most intrusive and comprehensive surveillance apparatuses known in history in order to monitor their citizens’ every move. The political question of whether such extensive surveillance is necessary, justifiable and desirable, is very clear. Apart from the political ramifications, however, what is often forgotten is that mass surveillance in East Germany was also massively expensive and represented a huge burden on the economy of that country. In order to spy on its roughly 16 million citizens, the east German STASI relied on an army of almost one million agents and informants. They needed to have offices, equipment, infrastructure, and salaries in order to spend an unfathomable number of hours, only to maintain their surveillance network. All these people and all the resources assigned to them could have been used in productive sectors of the economy in order to improve the income and welfare of the country.
In light of the economic costs, it becomes clear that the decision taken by many countries at the time not to have such an extreme surveillance apparatus was not only morally virtuous but also economical. If we compare the results, the amount of knowledge generated about the activities of every single individual, we can confidently state that present-day IT giants like Google, know much more about their customers (i.e. everyone of us) than the East German Stasi could have ever dreamed knowing about their citizens(See Permanent Record (2019), Edward Snowden, p. 82 ff). With the help of modern IT, mass surveillance can be done at a fraction of the cost. All you need to establish mass surveillance is the IT infrastructure that is being used for other profitable economic purposes anyway, and a small number of highly trained computer experts who develop the software and operate the system. Herein lies the disruptive innovation that challenges our societies. If it becomes so relatively “cheap and easy” to do, can it really be expected of any politician or corporate leader, however democratically minded, to resist the siren calls of enormous power and endless profits?
The lack of any real, substantial and fact-based social discourse about the extent and nature of electronic mass surveillance we want in our societies and instead focusing on “oppressive regimes” using these technologies, is perhaps indicative of the amount of damage and corrosion that has already been inflicted on our cherished liberal democracies.
Framed in this way, it is apparent that the discussion of mass surveillance includes two aspects, the political one and the aspect of disruptive technological innovation. The discussion only makes sense when both aspects are covered. The technological side of the debate should include topics such as encryption, pseudonymization and anonymization, but also the right of access to the internet, the “right to be forgotten”, individual data sovereignty, etc. essentially establishing the “rules of the game” and making it more costly and difficult to violate the digital rights of individuals.
Consideration should also be given to protect privacy by law and perhaps even subsidize efforts to improve it, in a decentralized, fair and open-source manner. The political side of the discussion on the other hand is concerned with the old question of the trade-off between security and privacy, albeit in a new technological paradigm. For instance, how much privacy are the members of a given society prepared to sacrifice in order to protect themselves from security threats such as terrorism. The precise answer to this question will probably look different in every country. It depends on many factors. How big is the threat of terrorism or civil unrest in a given country? How much does a population trust its authorities not to abuse the powers given to them? What are the historical experiences with privacy and cultural values ascribed to it?
Given the profound implications of these questions, the related discussion should accompany us for quite some time to come. While the results of the discussions are yet to be seen, at least two rules of engagement should guide us in their course:
- The question of electronic mass surveillance strongly impacts the lives of everyone, and it is simply too important for the decisions about it to be taken by a small clique of computer geeks, self-appointed “experts” and intelligence agencies. It should be taken with the broadest possible mandate instead.
- Rather than pointing fingers at other countries and interfering in their internal processes, countries should rather be respectful with each other while “bringing their own house in order”.
About the Author:
Mag. David Kainrath, political scientist from Vienna, Austria. He holds a master’s degree from Lund University in Sweden with specialization in European Union affairs, Energy and Environment policy. Speaking five languages, he lived and worked in several countries including Sweden, Norway, USA, France, Belgium, plus a year in Minsk, Belarus. Mr. Kainrath is a member of board of the Austrian-Belarusian Friendship Association, a bilateral friendship organization which works to support social, cultural and people-to-people relations between Austria and Belarus.