Surveillance Middlemen Make it Harder to Track Who's Responsible For Hacks

In August, researchers revealed they had found malware from secretive Israeli hacking company NSO Group on the phone of United Arab Emirates political dissident Ahmed Mansoor. The prime suspect behind the attack was the UAE government.

But according to a recent report on YNet News, NSO was awarded an export license to sell its product to an unnamed "private company in an Arab state," and not directly to a government.

"In the business of surveillance it is common to rely on resellers and local companies who have closer ties to the respective governments," Claudio Guarnieri, technologist at Amnesty International, told Motherboard in an online chat.

These sorts of relationships between surveillance companies are an established part of the industry, which is a complicated web of developers, resellers, and eventually customers. But this risks muddying the waters around who in the chain is responsible for abuses of such technology.

The hazy picture of culpability, where those who develop exploits may be several steps removed from those who deploy them, becomes even more pressing as journalists and activists continue to be targeted with products from surveillance companies.

"If NSO sold its exploits to another company blindly, they lost control over the proliferation of the vulnerabilities, and that is irresponsible and dangerous. Surveillance companies need to accept the responsibility of their actions, have consideration for the human rights implications, and make their sales policies stronger and tighter. Although, personally, I would invite them to do the right thing, and just get those bugs fixed," Guarnieri said.

This NSO example is by no means unique. For example, Italian malware company Hacking Team sourced some of its exploits from French vendor Vupen and Singapore firm Coseinc. Hacking Team would go on to sell its products to countries with abysmal human rights records, such as Ethiopia, Sudan, Saudi Arabia, and the UAE.

Many surveillance companies claim to vet their customers, including NSO. Zamir Dahbash, a spokesperson for NSO, sent Motherboard the company's previous statement on the matter: "The company sells only to authorized governmental agencies, and fully complies with strict export control laws and regulations. Moreover, the company does NOT operate any of its systems; it is strictly a technology company. The agreements signed with the company's customers require that the company's products only be used in a lawful manner. Specifically, the products may only be used for the prevention and investigation of crimes."

When it comes to legal responsibility, selling to a middleman might create some sort of buffer between the company providing the tool and any abuses carried out by the ultimate user of the product.

"NSO Group likely engages in a contractual relationship with the people they ultimately sell to. And in those contracting terms, there might be indemnification provisions," Susan Hennessey, a fellow in national security at the Brookings Institution think tank and former National Security Agency attorney, told Motherboard in a phone call. In other words, if the customer goes on to use the product in a way that harms someone, or contrary to a predetermined agreement, the original seller could be exempt from legal damages.

"That language is actually standard language in most contracts, not just software contracts," Adriel Desautels, CEO of cybersecurity company Netragard, told Motherboard. Netragard used to sell zero-day exploits, including to Hacking Team, but the company closed its acquisition program in July of last year. After more evidence of Hacking Team's malpractice came to light during a catastrophic hack of the company, Netragard said the revelations "proved that we could not sufficiently vet the ethics and intentions of new buyers."

"It is no more easy or difficult to vet a company or a government. If you vet someone and you trust that what you find is true then you work with them. If you find out later that they were dishonest then you stop working with them," Desautels said.

Desautels feels, however, that responsibility for use of the technology ultimately falls to the actor actually deploying it. "This is true in all walks of life. Microsoft, for example, sells an operating system to end users. Should Microsoft have any responsibility if one of those end users uses their operating system to hack someone and cause damage? Of course not."

But NSO and companies like it are not selling technology as innocuous as a normal operating system: They are selling tools that are specifically designed to take over and totally control devices. Indeed, that is part of the point why intrusion software has been labelled as a "dual-use technology" and is scrutinised for export; it can be used in both strongly positive and negative ways. Normal operating systems don't come with that appellation.

Even if NSO did vet its customers, powerful technology clearly ended up in the hands of an oppressive regime, and one with a clear history of abusing surveillance tools.

"At the very least it should be now obvious to them and to everyone, that perhaps it wasn't an appropriate sale," Guarnieri said.

As for the broader moral question of who is responsible for these abuses: "I'm not sure the law has really been able to account for that, or address it in a satisfactory way," Hennessey said.