A recent news story is serving as a stark reminder that this is still occurring with harmful surveillance technologies. A third-party vendor in the Middle East has reportedly used a fresh SS7 vulnerability to continuously track people’s phone locations. For years, governments have defended their use of spyware and other exploitative technologies on the grounds that they only target serious criminals. The truth is not that simple. Civil society under threat Spyware is being more regularly deployed against civil society members such as journalists and activists.
For the first time ever, researchers have proved that two journalists were hacked with Paragon spyware, a tool infamous for its destructive and invasive spy-features. This episode speaks to the larger issues around the surveillance technologies proliferated by the military-industrial complex to violate civil rights and civil liberties. NSO Group, a prominent player in the surveillance industry, has been implicated in multiple instances where its customers have used spyware operations to violate privacy rights.
The now-understood attack allows the surveillance vendor to further deceive phone operators into disclosing the location of cell subscribers. The technique produces extremely granular geolocation data, tracking people to the closest cell tower. In the case of dense urban environments, this could reduce where someone is down to a couple hundred meters. Notably, Enea, a cybersecurity firm, observed that the vendor targeted “just a few subscribers,” emphasizing the selective nature of this surveillance operation.
Although this attack works against some phone carriers, it doesn’t work everywhere. Some phone companies have deployed firewalls and other cybersecurity protections to defend against SS7 vulnerabilities. Reality is that the global cell network is a complete patchwork with no coordination or uniformity. Consequently, some carriers are better protected than others, particularly in the United States.
Alarmingly, Saudi Arabia has already been highlighted as having terrorized dissidents by exploiting flaws in SS7. This would enable the foreign country’s embassy to surveil the foreign country’s citizens living in the U.S. This surprise comes in line with the U.S. Department of Homeland Security’s own findings. In 2017, they revealed that nations such as China, Iran, Israel, and Russia take advantage of these vulnerabilities to surveil U.S. subscribers.
“We may be witnessing an escalation in the use of these technologies globally, with governments leveraging them for more than just criminal investigations,” said cybersecurity expert Mc Daid. “They would not be discovering and using them if they were not successful somewhere.”
The consequences of these changes go far beyond a single privacy breach. They raise fundamental questions about how governmental powers should intersect with technological advancements in surveillance. The distinctions between appropriate law enforcement uses and creepy, invasive surveillance of American citizens is becoming increasingly hazy. The examples above demonstrate a clear need for improved regulations and enforcement.