Cyber Surveillance, Digital Subversion, and Transnational Repression
Ronald Deibert is a professor of political science at the Munk School of Global Affairs at the University of Toronto and the Director of the Citizen Lab. He recently gave the 18th annual Seymour Martin Lipset Lecture at the National Endowment for Democracy. Its title was “Digital Subversion: The Threat to Democracy.” His article, “Subversion Inc: The Age of Private Espionage” in the most recent Journal of Democracy is based on this lecture
So, if your aim is to get inside someone’s device without their permission and gather up information, you could do that using a very sophisticated commercial spyware technology like Pegasus. The latest iteration of it employs zero click technology meaning that it can target and insert itself on any device without the owner of that device even knowing or being tricked into clicking on a link. That’s very powerful, because there is no defense against it. - Ronald Deibert
How Black Cube tried to infiltrate Citizen Lab
How autocrats continue to repress political dissidents overseas
The privatization of espionage and spycraft
The link between surveillance capitalism and private espionage
What liberal democracies can do to defend civil society
Thank you for listening to the Democracy Paradox: A podcast on democracy, democratization, and world affairs. Each week you’ll learn about big picture insights to better understand political issues and events. These are complex ideas that might be unfamiliar so, I’ve provided a complete transcript at democracyparadox.com.
You can also support the podcast at Patreon for as little as $5/month. Supporters have access to bonus material like this week’s conversation with Corey Nathan. Corey is host of the podcast Talkin’ Politics & Religion Without Killin’ Each Other. His podcast is an enjoyable listen with some surprising guests from Bill Kristol to Anthony Scaramucci. It’s a thoughtful approach to controversial topics. So, take a listen to Talkin’ Politics & Religion Without Killin’ Each Other and become a patron to support Democracy Paradox. You’ll also get the chance to listen to bonus content with guests like Corey Nathan.
Today’s guest is Ronald Deibert. Ron is a professor of political science at the Munk School of Global Affairs at the University of Toronto, but he’s best known as the Director of the Citizen Lab. Anybody who studies cyber espionage, commercial spyware or internet censorship likely knows about Citizen Lab. They are at the forefront of many of these issues.
This past December, Ron gave the annual Seymour Martin Lipset Lecture at the National Endowment for Democracy. It’s title was “Digital Subversion: The Threat to Democracy.” You can read his recent article, “Subversion Inc: The Age of Private Espionage” based on his lecture in the most recent Journal of Democracy. We refer to his article a few times in this conversation along with his most recent book Reset: Reclaiming the Internet for Civil Society.
Our conversation goes beyond social media to consider ideas like transnational repression and digital mercenaries that challenge how we think about international relations. So, let’s get started. Here is my conversation with Ronald Deibert…
Ron Deibert, welcome to the Democracy Paradox.
Thank you. Great to be here.
Well, Ron, just the other day, I was listening to a friend of yours, Ronan Farrow, on The New Yorker Radio Hour and he was talking about modern spyware. He actually mentioned Citizen Lab a few times, but it also reminded me of an interaction that both of you had with a private surveillance organization, Black Cube. So, many of us know the story behind Ronan Farrow. But I don’t think the interaction that your organization, citizen lab, had with Black Cube is as well known. Can you kind of just give us the story of how Black Cube tried to infiltrate Citizen Lab, because I think it explains how surveillance is often in the hands of private actors?
Sure. Yeah. So, it’s a fascinating story. A little disturbing to be at the center of it for sure and actually there is a crossover with Ronan Farrow’s experience. The stories intersected at a certain point. So, basically back a few years ago, one of our staff was contacted by somebody approaching them about a topic that had nothing to do with his work at the Citizen Lab, but interested him personally and was invited to lunch to talk to this person about support for Syrian refugees. This is something where this staff member had some background.
As they were talking over lunch, my staff member became increasingly concerned that something was wrong. The person seemed to be steering the conversation towards the work at the Citizen Lab by asking questions about why we are interested in NSO group. Do we have some ulterior motive? Where do we get our funding, et cetera? The whole time he was talking to him, he was also positioning a pen curiously in his direction. So, the staff member came back, reported this to me and some others on our research team and based on what information was given to the staff member, like the business card and LinkedIn profile of this person, we quickly surmised that this was a fictitious identity.
So, we were doing background research a couple of weeks later and, coincidentally, a second staff member of mine experienced a reach out in the very same manner. So, this time we let it play out. We had several conversations with the person that we recorded and a lunch was arranged at a Manhattan restaurant which was set up by us in coordination with the Associated Press to catch this person in the act. So, halfway through the conversation, similar sort of thing, the person was asking leading questions, positioning a microphone, et cetera. While that was going on, we were recording that person and halfway through the lunch started asking questions and the person fled from the room.
It turned out that this person was working for Black Cube. So, their cover was exposed. They obviously are no longer doing the same job any longer. The story was written up and widely covered in the press. It turns out that one of the people who was actually at that lunch, working as a subcontractor for Black Cube, was also at the time in a second case, following and tracking Ronan Farrow for Black Cube. This person had… a crisis of conscience is the best way to describe it and became a whistleblower to Ronan Farrow. So, that’s how those two intersect. Yhat was basically our experience.
Now, do you know why they would want to know more information about you? Maybe that’s the wrong question. Do you know who it is that really wanted to know more information about you? Was it Black Cube itself or do you get the impression that it was really a state actor that was behind it?
I really have no idea who ultimately contracted Black Cube. I can assume that it had something to do with our work on commercial spyware, probably something to do with NSO group. Black Cube was founded by ex-Mossad agents. So, there’s an intersection of national origins there that makes me suspicious. But we really don’t have any information about who ultimately paid them.
Yeah, because one of the things that’s surprising within the work that you do is the way that a lot of these digital surveillance organizations are not necessarily agents of the state. They’re independent organizations that can have their own interests. Thry can be working for other individuals. They can be working for other organizations, can also be working for states, be subcontracted out for them. So, it becomes a sense of digital repression that doesn’t have any boundaries and includes actors that go far beyond states. You mentioned this explicitly in your recent article in the Journal of Democracy where you wrote, “The practices outlined above are inherently transnational and implicate individuals, companies, and institutions in every regime. What we are witnessing are assemblages of authoritarians practices that cut across political borders.” Ron, what does this mean for how we think about digital freedom and authoritarianism?
Yeah, that’s a good question. I think that… You know, I’ve been studying this area now for most of my professional life. For 30 years I’ve been involved in trying to understand the social and political security implications of the internet and I’ve seen the field evolve over time. In the early days, there was a lot of enthusiasm. People were feeling pretty positive that the technology would be liberating. There’s, in fact, a very famous piece in the Journal of Democracy called “Liberation Technology” by Larry Diamond that outlines this thesis and there’s a lot of merit to it. Actually, when you look on the face of it, many, many examples of people using digital technologies do hold governments and private companies accountable, do connect with each other to organize, to mobilize.
But what’s happened over time is the tables have turned. Part of it has to do with the fact that computers and networks, internet networks are two-way streets, if you will. We communicate out, but they also look at us and they are increasingly, especially with social media, designed to monitor us. And generally speaking, the entire ecosystem is insecure and that means that it has become a very convenient tool for those who want to do some sort of malfeasance to use the internet for that purpose. What’s happened is we’ve seen this real explosion of the spread of transnational repression practices tied to digital technologies, because of the way in which the architecture is constructed and how the devices that we carry around with us at all times are highly invasive, but insecure and poorly regulated.
So, we see extraordinary abuses and, of course, the people in the institutions that want to control people or that want to undermine democracy or institutions of public accountability have a lot of resources at their disposal. There are a lot of wealthy people in the world. A lot of oligarchs that are flaunting their wealth and using that wealth to circumvent laws to operate in gray areas. Once that sort of becomes acceptable, you can understand how they would be led down a path of contracting out with private investigators.
So, that’s coming from the private sector and then governments, of course, have always had an appetite to spy on adversaries, each other, their own citizens, citizens abroad. It’s just that now they have so many more tools and capabilities and resources that enable them to do this. Like I said before, people are kind of set up to be spied on by default. So, it’s like an accidental combination of factors that has led us into this situation.
Now you’ve mentioned the phrase, transnational repression, and that’s something that I think a lot of listeners may not really be familiar with. They may not know what it is or what we mean. Because we think of being in a democratic country as being safe from digital repression especially when we look at Freedom House ratings regarding freedom on the net, we would think if we’re in a country that’s considered free on the net that we’d be safe. Can you tell us a story about a person that you know, Omar Abdulaziz? Can you tell us a little bit about his experience and what it tells us about the concept of transnational repression?
Absolutely. This was a landmark case for us at the Citizen Lab in a number of different ways. We had been researching the command and control infrastructure, essentially the network server set up, of NSO group, one of these mercenary surveillance companies, looking at it as best we could using network scanning methods, traffic flowing in and out of their infrastructure. I won’t get into the weeds on how we’re able to do that. But basically, we had a good idea at any time who their government clients were and where infected devices were checking in from. So, we were particularly interested, this is the summer of 2018, in the Saudi client, what appeared to be the Saudi client using NSO group to hack devices in a number of different countries worldwide. One of them was Canada.
We could see a phone checking in at pretty regular intervals from two different internet service providers in the Quebec region. So, somebody’s device in Canada was hacked. We knew roughly where they were. But we had no idea who it might be. So, one of our senior researchers, Bill Marczak, who leads a lot of the technical work that we do in this area, brilliant person. He and I were discussing what we might do to investigate this further. And he said, ‘You know, we could just go to Quebec. I could travel there and we could develop a short list of people and just with their consent, ask them some questions.’ And that’s precisely what we did.
Omar Abdulaziz at the time was a very prominent critic of Saudi Arabia. He had fled Saudi Arabia to Canada and was granted permanent residency in this country in 2014. He ran a YouTube show, which was kind of a Stephen Colbert show of the Gulf. Very funny. It was making fun of Mohammed bin Salman. I was precisely the type of thing that the Saudi regime doesn’t like. So, we met with him and checked his phone and realized he had been targeted with NSO spyware. He had accidentally clicked on a link, which infected his phone. On October 1st, 2018, we published our report called ‘How the kingdom came to Canada.’
The very next day, Omar contacted me with a text and said, ‘I’m very scared. Jamal has gone missing.’ Jamal Khashoggi, the Washington Post journalist that was executed the very day after our report was published. It turns out that Jamal and Omar had been communicating for months over WhatsApp and they assumed those communications were secure. WhatsApp is end-to-end encrypted. They were talking about how to mobilize people against the Saudi regime, et cetera and it’s quite likely that the surveillance on Omar’s phone was instrumental in the decision to execute Jamal Khashoggi. This is a great example of digital transnational repression.
So, we all know what repression looks like in authoritarian context. So, you live in Saudi Arabia. Police come knocking at your door because you said something that they consider a crime or you did something that they consider to be a crime and they throw you in jail. They torture you, whatever. You have very few places to hide when you’re inside a country. People like Omar flee abroad. For that reason, they come to a country like Canada and they’re like, ‘Whoo-hoo! I’m free! I can live in Canada and thank God I’m away from those tyrants.’
But the fact of the matter is governments can intimidate, harass, repressed people abroad. They have done it for centuries. You can think of many examples where governments have organized some kind of secret crew to go abroad undercover. Maybe murder somebody abroad. But it takes a lot of effort. It’s very risky. It can easily be exposed. It obviously requires physical proximity. With digital technologies, all of those constraints are removed. Sitting in a bunker in Riyadh, Saudi Arabia, thanks to NSO group, can get inside Omar’s device. Once you’re inside his device, it’s actually even more effective than physical surveillance.
You know, if you imagine I’m sitting outside Omar’s apartment. He’s living in Montreal. I’m in a car, eating my burgers and sipping my Cokes, waiting for him to come out of his apartment and then I’m going to go in. I’m going to plant a bug in his room. I might capture snippets of conversations here and there when he happens to be in the room. Of course, it’s very risky because now I’m breaking a law and kind of physically entering his premises without permission.
But with surveillance technology on his device, I can listen to every phone call. I can read every email. I can intercept every text message, even those that are encrypted. I can turn on video and audio capture. So, if he has a meeting anywhere, I can eavesdrop on that meeting as if I’m there. I can track his location because the phone is effectively a tracker. It’s a GPS by design. So, you have this extraordinarily powerful invasive technology. The mere knowledge that that exists, casts a chilling effect over civil society. When people heard about Omar’s story, they were frightened and reasonably so. Omar himself, I believe, has been traumatized by the knowledge that the surveillance on this device perhaps led to the decision to execute Jamal Khashoggi, his close associate.
So, digital transnational repression is not only very effective directly. It also has these indirect impacts on people’s psychological state and emotional wellbeing which happens to be the title of our recent report on this topic, “Psychological and Emotional War.” We did an extensive study of transnational repression in Canada and found that people fleeing from abroad to this country were experiencing this new type of control method that’s quite insidious and is transnational in nature.
I’ve got a lot of questions that come out of this situation. The first one that I’ve got would be what did they actually do with all of this information?
Well, one example that comes to mind actually is quite old now, relatively speaking, more than 10 years. It comes from a research project that we did on Chinese espionage against Tibetan organizations and the office of his holiness, the Dalai Lama. So, we were part of the team that published this report called “Ghost Net.” It was a real landmark for us. The first report we ever did on cyber espionage. They weren’t using very sophisticated tools. This was pretty basic social engineering. Get inside people’s accounts and then insert malware and be able to do what we’ve just described. Well, it turns out that people who work for the Office of the Dalai Lama were learning that his itinerary was being preemptively disrupted.
So, he would have travel plans to go abroad, to meet with officials to raise awareness about the Tibetans and the Chinese government would preemptively get ahead of those meetings and pressure the officials not to meet the Dalai Lama. And they’re like, ‘Well, how do they know that I’m going to meet person X?’ Part of the reason had to do with, ‘Well, they actually hacked all of your itinerary. So, they knew what you’re doing, perhaps even before you did, because they had your secretary’s email.’ That’s a good example of some of the ways in which this type of intelligence can be used to disrupt civil society and neutralize political opposition.
You can also imagine other more nefarious things. Once you have access to somebody’s device, it’s not inconceivable that you could plant falsely incriminating information. It would be very difficult to disprove. So, if I hacked your phone and I put on your phone horrible images that are illegal and then called the cops and they grab your phone, suddenly you’re like, ‘Whoa, these aren’t mine! I never saw them before.’ ‘Well, why are they on your phone? How did they get there?’ ‘I don’t know.’ That’s exactly the type of thing that could happen. In fact, there’s a case in India where an activist’s phone was hacked in this manner. Falsely incriminating data was put on the phone and that information was used to try this person as a terrorist under Indian laws.
So, you know, you can anticipate meetings of people, you can plant falsely incriminating information, you can find out where someone is going and kidnap them or murder them, all sorts of things. It’s very powerful. I think the fact that the market is mostly unregulated, it’s kind of Wild West right now. It’s really daunting to think about those two in combination: extremely powerful technologies in the hands of autocrats, despots, and even democracies as we’re finding out with a report on Spain that we just produced and then very poor regulation. That’s a dangerous combination.
So, Omar clicked on a link to be able to download the spyware. How easy is it to obtain spyware? Are there other ways that are even more likely that you’re going to download different types of spyware and how pervasive is it really?
Well, there is a spectrum of surveillance tools that range from very sophisticated to not sophisticated at all that can accomplish the same ends. So, if your aim is to get inside someone’s device without their permission and gather up information, you could do that using a very sophisticated commercial spyware technology like Pegasus. The latest iteration of it employs zero click technology meaning that it can target and insert itself on any device without the owner of that device even knowing or being tricked into clicking on a link. That’s very powerful, because there is no defense against it. If you’re running an operating system where Pegasus is active against it, there’s nothing you can do and that’s the latest iteration of Pegasus that we’ve seen.
The companies like NSO group claim they only sell it to governments. Let’s take them at their word for now. But even assuming it’s restricted just to governments, that doesn’t give me much solace because there are so many governments in the world that are nasty, brutal, despotic regimes, especially their security agencies in countries where there’s no oversight or whatever. But then on the less technologically sophisticated side of the spectrum, we’ve seen many, many examples of people succumbing to the same problems, but with very simple techniques that trick them.
The Russians in their hack of the DNC, which we remember from 2016. How was that done to John Podesta’s email? Basically, he received a fake Google security warning. All that takes is a bit of Photoshop skills and he was directed to a website that the operators had set up that looked like a Google login page. And he entered in it his credentials. They took his credentials and they were able to vacuum up his email inbox. It’s as simple as that. Had he had two factor authentication enabled perhaps the 2016 election would have turned out completely differently. But he did not. So, there are less sophisticated ways to get at the same thing, if you will.
How pervasive is it? Is it something where Pegasus is on many people’s phones and they just don’t realize it? Is it very limited and targeted just to people of interest whether they be people in civil society or whether it be even democracies looking at people who really are criminals? How pervasive is this type of stuff?
Well, I think one way to answer that question is thinking about it in terms of different layers. So, at a much lower layer that’s broader in scope of potential victims is the world of cyber-crime. There’s just a lot out there. It’s kind of like thinking about it as the equivalent of a digital flu or virus. If you connect to the internet and you’re using insecure browsers, chances are you might be affected by it. It’s really just accidental or random. You’re not necessarily targeted. But at higher levels is the more sophisticated spyware that costs a lot of money and that tends to be restricted by contracts that limit the number of targets.
So, if you’re Saudi Arabia and you’re contracting with NSO, they’ll say, ‘Okay, we’ll sell you this.’ You’re given a license and as far as I understand, there’s a certain limit or threshold of targets that you can use. Of course, a lot of these government clients have deep pockets, so they don’t care too much about the budget. But it’s just that those are more precious resources. You don’t want to use them frivolously.
Although we’ve seen lots of cases where dozens of people have been targeted. In Spain right now and the number of Catalan victims is really jaw-dropping -over 60. But most of those targets are targets of interest or relations of targets. We saw parents of targets had their phones hacked in the case of Pegasus in Spain. Because for one reason or another, they couldn’t get at the primary target. So, you get at their relations. Off-center targeting, we call it. So, even if you’re not doing anything, your brother might be an activist, well, you might be targeted because of your communications with your brother. We did see, for example, Jamal Khashoggi, in addition to Omar Abdulaziz, both his wife and his fiancé had their phones hacked separately. Both of those were confirmed by Amnesty International and Citizen Lab, another example of relational targeting.
So, I think for the sophisticated stuff, you can take some solace in the fact that unless you’re doing something that is really provocative to somebody in a position of power or you’re closely related to somebody who is, you’re probably going to be okay. We get a large volume of inquiries at the Citizen Lab from people who ask, ‘How do I know if I’ve been targeted with Pegasus?’ Well, probably not likely unless you’re doing something that is contentious in the manner that we just described.
So, we’ve been talking about transnational repression where somebody like Omar who’s a dissident is living in Canada and Saudi Arabia is trying to use spyware to follow him and track him and understand what he’s doing. Within Saudi Arabia itself or in the case of China or Russia or any autocratic nations, they have a number of citizens who are doing different things that they might see as undermining the regime. Do they use spyware internally and do they use it much more pervasively than they would in a manner that might be transnational trying to track dissidents who’ve left the country?
That’s hard for us to say, because we’re seeing slices of things. Spyware is used domestically and internationally. It’s used by governments to spy on citizens within their own territory, but it’s also used by them to spy on dissidents abroad, journalists abroad, lawyers abroad, and other governments abroad. Another well-known not so secret fact of this industry is that it’s marketed to help governments to investigate serious matters of crime and terrorism, but it’s a tool of state-on-state espionage. You may have heard that, just to give one example, we discovered that there was a hacked device in 10 Downing Street that we disclosed to the UK authorities. We reckon that was the UAE government client. So, states spy on other states. States spy on their own citizens and they spy on people abroad.
When it comes to domestic repression, most states have other techniques they can use. You know, if you’re in an authoritarian regime, police can simply come knock on your door. So, it may be an indication that if it’s very expensive and precious to use, they’ll probably use it mostly on targets abroad, but not exclusively. In El Salvador we had a case where more than 35 people had their phones hacked or targeted with Pegasus. Most of those people are living in El Salvador and if you think about it from the government’s perspective, from a person working for the security agencies, it’s pretty addictive to be able to see what people are typing and what they’re reading.
I can just imagine putting myself psychologically in their place and how it would be tempting once you start to keep going after people. Because it’s human nature, right? People are curious about what their adversaries are up to.
Now you mentioned El Salvador. Their president is Bukele who has real reputation for being tech savvy. I mean, he recently tried to introduce Bitcoin as a currency.
Powered by volcanoes.
Yes and videotapes himself playing video games and does all kinds of different stuff to portray himself as not just tech savvy, but even cool. Is it more likely for younger autocrats, like Bukele, like MBS to be able to use these digital technologies, because they’re more in tune with them or is it really just widely used regardless of the autocrats age or how savvy they are with technology?
Yeah, that’s a really interesting question. And I read an article on Bukele, actually in the Journal of Democracy by Manuel Meléndez-Sánchez where he referred to him as a new type of millennial authoritarian. It just got me thinking that that’s really interesting because I think most people have an impression of dictators as plotting old men basically. You know, you don’t imagine somebody like Putin as really well adept at the latest digital technologies where somebody like Bukele might be, because they’re younger.
It’s just something that goes along with the demographics. People who have grown up in a world of social media and are very fluent with how applications work and so on, they might be more attempted to get involved in it, attracted to the technology and so forth. I think there’s something to that. That actually is quite scary to contemplate, because obviously with demographic shifts with younger autocrats we might see more of this happening.
Now Citizen Lab was obviously targeted by Black Cube and we don’t know why we can kind of infer that it’s due to the work that you do, but we don’t know the specific reasons why it was targeted. But it does raise the question, that it’s not just citizens of these autocratic regimes that are living as dissidents that are victims of transnational repression. How common is it for an autocratic nation like Russia or China or Saudi Arabia or any other to target somebody who’s really a citizen of a democratic country that doesn’t have a direct tie to them, but might be hyper-critical.
Well, I think it’s something that we should be concerned about and it might become more common. The reason I say that is I’ve noticed a real deterioration of norms lately. Things that used to be out of bounds now are increasingly acceptable or, you know, flagrantly violated. If you think about the way in which Russia went about poisoning people and really doing it in a way where it’s almost as if they didn’t care, if they were caught. Things like that make me really worried. What concerned me about the Black Cube incident here in Canada was our government did not say anything at all to condemn it when it happened. I think that’s a really dangerous non-action to take. Because when you say nothing, you essentially invite more.
I really believe strongly that the government has an obligation, if it truly believes in values of human rights and democracy and stands up for the type of work that we do. They should have strongly condemned it, because the next person might say, ‘Well, really no one cared that we did it and maybe that was a known goal. The next time we’ll be more careful.’ There should be a real strong message saying, ‘Hey, you can’t do that here to this group that’s in our top university in the country.’ I wonder if the same thing happened to us and we were at Harvard university would the US administration have just let it slide. I don’t think so. I think there would have been a pretty forceful statement. So, I’m disappointed in Canada for that reason.
But back to your question. Yeah, I think we’re seeing norm erosion. You can see it globally and that’s something that all of us who work on these topics should be concerned about. You know, when you travel abroad, it’s a bit trickier these days. It’s also hard to put our finger on what exactly we should do, because like we’ve been saying, this is transnational. It’s not something that is completely domestic.
Now you just pointed out one thing that Canada could have done, which is just to speak out. But in your recent article, “Subversion, Inc: The Age of Private Espionage,” “Something novel is happening and the implications for liberal democracy, human rights, and the rule of law are disturbing. Our age has become one of privatized subversion in service of kleptocracy, authoritarianism, and despotism.” And what’s remarkable about that line is that you’re not saying that it’s just authoritarian countries where that’s happening, but it’s also in democracies. And it begs the question, what is it that we can really do in democracies to be able to fight back? Is it simply cutting ourselves off from a country like Russia that is purely kleptocratic like we’ve been doing during the war in Ukraine or is it something more that we should be doing?
Yeah, that’s also a really tough question to answer. Fortunately, I think it’s not like we have to invent some new strategy. For me the answer is doubling down on the pillars of liberal democracy that we know and have relied on in the past. I think we’ve kind of taken them for granted and have seen them erode over years. In some cases, deliberately by design as part of efforts to scale back government or deregulate it.
So, we need, first of all, to prioritize human rights as the cornerstone of liberal democracy. I think that’s kind of been overlooked. Like we forget, what it is that we’re securing in this country and your country. Actually, it’s a particular vision of a set of values. It’s not about making money. And there was a period of time or the last several decades where it’s kind of been lost what our respective systems of government are about is to ensure a particular way of governing ourselves where rights and values are at the core. So, that’s why the rhetoric is important. Why it’s important for senior government officials to reiterate.
But then, of course, you need to go further and you need to have a kind of system set up where human security is prioritized. For example, I think it tends to be the case when you just look at government’s attitudes towards cybersecurity, the strategy seemed to be focused almost entirely on businesses that have intellectual property or protection of government networks themselves as opposed to thinking about citizens and securing citizens from what we’ve been talking about. That’s not even part of the dialogue when it comes to cyber security. But the way I look at it, this is probably the biggest risk to global civil society right now. So, we need a bit of reorientation of how we think about certain topics and then we need to get back to fundamentals on the rule of law. So, holding people accountable when they violate the law.
If you take the case of Omar Abdulaziz that we talked about that is a violation of Canadian law. Saudi Arabia hacked his phones. Not allowed. It’s a crime. So, what do we do about it? Well, we should try to hold them accountable. People say, ‘Well, Saudi Arabia, they’re way over there. You know, we can’t do it.’ Well, Omar could if Canada passed a law that enabled him to sue Saudi Arabia in Canada. And why don’t we go further. Pass a law that allows person like Omar to sue NSO Group for being complicit in this. Such laws would be pretty simple to pass and it would enable someone to hold foreign actors accountable.
Right now, you have Apple and WhatsApp both suing NSO Group in US courts. And the case is quite instructive. So, NSO Group is trying to defend itself saying, ‘Hey, we’re just helping foreign governments. So, we should have sovereign immunity just like the governments do.’ And, of course, WhatsApp and apple, they’re saying, you know, that’s crazy. It’s going to the Supreme Court now actually. But the refinement of laws that would enable bad actors to be held accountable in liberal democratic jurisdictions are important. We could talk more about export controls and various type of regimes that could be constructed internationally to better control this marketplace.
To give you one example, the Commerce Department in the United States recently put NSO group on a deny list. This means they can’t do business with Americans and vice versa. That’s a huge blow to that company. After that happened, Moody’s downgraded their credit rating almost immediately and the company is facing insolvency. Now that’s the type of thing that has real meaning and if it were coordinated among multiple countries where they all did the same thing, we might be able to clean up some of the worst messes of this industry.
So, all of this has to do with liberal democracies, getting their houses and coordinating internationally. Then hopefully you broaden the sphere of liberal democratic countries internationally. We’ve regressed from that. I think after the Cold War, we kind of thought game over. It’s the end of history. Let’s just party on and make money. People forgot that you have to tend to these. These systems are not there as if designed in nature. They’re human constructs. They need tending to and shepherding.
So, another thing that I noticed from your work is that many of these third-party contractors are oftentimes based in democracies like Israel. One of the companies that you mentioned in your book was based in India. So, it’s not that the actual surveillance is happening from a country like Saudi Arabia or from a country like El Salvador. Oftentimes, these smaller countries that don’t have surveillance capacity are contracting with companies in democracies to do the surveillance. So, I think that we’ve got much broader control than oftentimes that we think we do because we’re not going directly at autocratic countries. I mean, we would be in ways. But the ones doing the actual surveillance work are oftentimes on our home turf.
That’s exactly right and actually you could broaden that out a bit and say that what we see is a very large service industry that includes surveillance technologies, but also includes services like reputation management, legal services, real estate, money laundering services, banking, financial support, much of it based in the West that enables autocrats and kleptocrats and dictators to enrich themselves, solidify their rule domestically, and engage in transnational repression abroad. That’s why I said in the “Subversion, Inc” article that this is not a good country, bad country problem.
There are so many parts of the support network for authoritarianism that are based in the West in countries like the United States, Canada and so forth. I think your question is also interesting in this regard, it actually presents an opportunity because we have levers then that we can exercise to rein in some of the problems that we’re seeing with things that we can control in our own backyard.
So, when I think about private espionage, I can’t but connect it to the surveillance economy that somebody like Shoshana Zuboff writes about. Where she’s thinking about social media, like Facebook and Twitter, and you’ve written about that as well. Is private espionage really just an extension of the surveillance economy or is it something else entirely?
I think it’s better to think of it as something else, but it’s very much built upon surveillance capitalism. You know, I’m a social scientist and I’ve studied history and international relations my entire professional life and one of the things that I’ve observed and think about often is I don’t believe in master variables or that there’s one simple explanation for everything. Except contingencies often happen. Accidents happen. Things take off in unexpected directions and I think that’s what’s happened here. We’ve had this really remarkable innovation in the business model of the internet with social media that really took off with Google and Facebook and this idea of being able to extract value by monitoring people and what they’re doing on their platforms in exchange for giving them something for free which is all about targeted advertising.
But that sets up an environment, if you will, that is also very easy to exploit for people who happen to be spies. Because when everybody carries around with them a device like this, that’s designed to extract as much data from you. If you can get inside that device, you can learn a lot.
And actually, the first time I thought about this was with respect to the Snowden disclosures. When I looked at those disclosures what I saw was less the United States or other governments building their own surveillance systems as they were piggybacking off of the collection efforts of the commercial sector. They were going to Facebook, they were going to Microsoft, they were going to Twitter, et cetera, and piggybacking off of them. It makes total sense. Why build it when someone’s built it for you and does it much better? So, they’re doing all of this by design, not to spy on people for political purpose. But accidentally. It turns out that’s very convenient for those who want to spy on you for political purposes.
So, it’s really remarkable when I look at your work from a little bit of a distance. Because when I first read your book, I don’t think I completely got it. I started to understand it better when I read your recent article, but it really took a lot of interviews for me to really put together the idea that the world is changing dramatically in the way that – I don’t want to say that states don’t matter – but that you have so many different actors involved and surveillance has become something that’s part of the economy.
So, you have lots of private companies doing it just as part of their business model. But then you also have many different states that previously wouldn’t have had the resources to do any kind of surveillance that are now in the surveillance game thanks to third-party contractors that have almost democratized it in a way. When we look at the world today, how should we really think about it? When we think about international relations and we think about international politics, what’s really changed? Is this a completely different world that we live in today or is this something that’s still based on the old rules, but we just apply new technologies to them?
Yeah, that’s a really interesting question, Justin. You know, I was trained as a political scientist. I did my PhD in international relations. I did about as deep a dive as you could do into the basics of IR theory. I taught introduction to international relations at the undergraduate level and the PhD level. You know, I was looking at that whole world and the language and the concepts and the theories. Then as the Citizen Lab started to mature, I started realizing there was a huge disconnect. So, over in the academic world, it’s all about these states that are like billiard balls. Some are big. Some are small. We can kind of predict how they might behave, divided into these territorially distinct units, yada, yada, yada.
Then over here, I was seeing something that looked more like a James Bond movie to me. States still matter, obviously. But states are made up of people. People move in and out of government. There’s a lot of organized crime that’s not really talked about in international relations. The topic of subversion, which I wrote about in the Journal of Democracy, is almost entirely understudied and underappreciated except for a few historians. And yet, to me it’s the principle, way by which power is exercised today, or one of them anyway, especially by authoritarians. So, we better understand it.
So, I feel like the international study of the world we live in kind of went down this alleyway and ended up in a virtual world. A world that makes sense to them and them only, but doesn’t really capture the world we live in. The world we live in is organized in a completely different way. How do we understand it? How do we think about it? I don’t know. I mean, I think that part of it has to do with the fact that the world has shrunk and even though we are still organized into territorially sovereign units, the reality is for the last hundred years or so, we’ve really been living in a single compressed political space.
Those sovereign states are more like compartments that people that are more affluent are able to manipulate and step around in various ways and use them to their benefit to circumvent the rule of law in one jurisdiction by placing resources or locating certain aspects of what they’re doing in other countries that are more amenable to them. Often you see people getting hold of the machinery of government and using it for personal enrichment. If you think about the Sheikh of Dubai, for example, who used Pegasus to spy on his wife as part of a UK child custody proceedings, it’s a great example of personal appropriation of state assets for personal enrichment and power. A typical thing for a kleptocracy to do.
So, I think we need to rethink how we study world politics given the world that we live in, especially as liberal democracy is in decline and these new norms are surfacing now that hold out the prospect for a pretty bleak future, unless we get our act together. And I’m saying all of this with a kind of backdrop understanding that we face some pretty serious existential risks as a species. So, we better get our act together because otherwise this will be all moot.
So, Ron, in your book Reset, you wrote, “We have a once in a lifetime opportunity to reset. We can reclaim internet for civil society.” And you were writing that book, or publishing that book, in the midst of the pandemic and it even referenced the pandemic. It was this idea that maybe we have an opportunity to reset during that period. Did we miss our opportunity to reset our relationship to technology?
Well, it didn’t happen in the way I thought it might, because at the height of the pandemic we had a couple of different things going on. One was people really quickly embrace the technology, but then we also saw the downsides of it all and the ugly sides of it. There was at that time a real percolating thing happening about, ‘Geez, we need to do something with social media and the internet.’ A lot of governments around the world had struck commissions investigating how to regulate social media. But I feel like the wind has kind of been taken from the sales of all of that. Now we’re trying just to get back to normal. So, I think that window may have passed in a way I hoped it wouldn’t have.
But we’re moving in one direction. Opportunities close, but other ones emerge and I wouldn’t be doing what I’m doing, if I didn’t think there was some hope that even people listening to this broadcast might say, ‘Hey, you know what, that’s interesting. I might try to do something.’ Because it’s all about collective will. If we all get our act together and start thinking in a like-minded fashion that these sorts of things are bad for us all if we allow them to happen and here’s how we can fix them. If we all just come to some basic agreement like that the world would be a better place. Of course, that’s a tall order to ask.
Well, thanks so much for joining me. I really loved your book, Ron. I’ve loved a number of your articles and what I love most is the work that you guys do at Citizen Lab has a real purpose, has real meaning and has real impacts. But what you’re able to bring to that through your background in political science and international relations is to really put that into a context. I’m so impressed with how you’re able to do that and I think it really has influence on so many other thinkers in terms of how we’re thinking about the world today and how we’re thinking about democracy.
Well, that’s, that’s very nice of you to say. So, Justin, I’ll just close by saying that the group that I work with here is so inspiring. I’m just so lucky to be surrounded by very talented people and my job, I see, as keeping the lights on, keeping everything in the straight and narrow lane, and making sure we don’t go offsides. But also part of my role is to try to articulate the broader vision around what we’re doing and I love being in a position where I’m able to do that. So, I’m glad it resonated with you.
By Ronald Deibert
Appeared on fml.lol