NSO Group, known for its "Pegasus" software for monitoring smartphones and exfiltrating data, breached the privacy of at least 32 individuals in countries including Rwanda, Israel, Bahrain, Saudi Arabia and the United Arab Emirates, according to several organizations and security researchers.
According to the information released, in April this year NSO Group presented a new product called "Fleming" that, the company says, lets governments track the spread of Covid-19 in communities and cities of interest. The idea behind Fleming is to ingest smartphone location data and visualize the movement of people infected with the new coronavirus (SARS-CoV-2). The group says this "helps governments make public health decisions without compromising individual privacy".
In May, however, a security researcher told TechCrunch that he had found an exposed database, one with no protection or even a password, that stored thousands of data points NSO Group had used for that demonstration. TechCrunch reported the exposure to the company, which promptly locked the database down but said that the information it contained was not real data.
Despite the company's statement, Israeli media reported that the data had been acquired by NSO Group, which bought it from digital advertising platforms ("data brokers") to train the software. At the request of TechCrunch and other outlets, experts at Forensic Architecture, a research group at Goldsmiths, University of London, that investigates human rights abuses, analyzed the material and concluded that it was based on data from real people.
The Forensic Architecture researchers analyzed a sample of the exposed data, looking for patterns that match what real movement data produces, such as the concentration of devices in large urban centers and the time it took devices to travel from one point to another.
"The spatial 'irregularities' in the sample - a common signature of real movement trails - corroborate our conclusion that this is real information," the researchers said. "Therefore, this database is most likely not 'dummy' [placeholder] or computer-generated information, but rather a reflection of the movements of real people, possibly acquired from telecommunications operators or another third-party source."
"Spatial irregularities" are small movement patterns generally associated with real, physically collected data, such as the star-shaped scatter of fixes produced when satellite positioning struggles to pin down a smartphone's location between very tall buildings.
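As an added illustration, not code from the original article, from Forensic Architecture or from NSO Group, the following Python sketch shows two simple plausibility checks of the kind described above, run over a constructed location trail: the speed implied by consecutive fixes (a "teleport" between cities in one minute is a synthetic-data signature) and the scatter of fixes while the device sits still (real GPS fixes jitter by tens of metres in an urban canyon; synthetic trails tend to repeat the exact same coordinate). The coordinates, timestamps and thresholds are assumptions chosen for the example and are not taken from the exposed database.

```python
"""Trail-plausibility heuristics over smartphone location fixes.

Illustrative example only: not the method or code of Forensic Architecture
or NSO Group. Sample trails below are constructed, not real data.
"""
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0


@dataclass(frozen=True)
class Fix:
    ts: int      # unix seconds
    lat: float   # degrees
    lon: float   # degrees


def haversine_m(a: Fix, b: Fix) -> float:
    """Great-circle distance in metres between two fixes."""
    phi1, phi2 = math.radians(a.lat), math.radians(b.lat)
    dphi = phi2 - phi1
    dlmb = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def implied_speeds_kmh(trail):
    """Speed implied by each consecutive pair of fixes, km/h.

    Entry i is the hop trail[i] -> trail[i+1]; a non-positive time gap yields 0.
    """
    out = []
    for a, b in zip(trail, trail[1:]):
        dt = b.ts - a.ts
        out.append(0.0 if dt <= 0 else haversine_m(a, b) / dt * 3.6)
    return out


def impossible_hops(trail, max_kmh=300.0):
    """Indices of hops faster than any plausible ground movement (assumed limit)."""
    return [i for i, v in enumerate(implied_speeds_kmh(trail)) if v > max_kmh]


def stationary_jitter_m(trail, still_kmh=5.0, min_run=3):
    """Mean distance from the centroid, in metres, for each run of 'still' fixes.

    Real receivers scatter around the true position; exact repeats give 0.0.
    still_kmh is an assumed walking-speed threshold for 'not moving'.
    """
    speeds = implied_speeds_kmh(trail)
    runs, cur = [], [trail[0]]
    for i, v in enumerate(speeds):
        if v <= still_kmh:
            cur.append(trail[i + 1])
        else:
            if len(cur) >= min_run:
                runs.append(cur)
            cur = [trail[i + 1]]
    if len(cur) >= min_run:
        runs.append(cur)
    spreads = []
    for run in runs:
        centre = Fix(0, sum(p.lat for p in run) / len(run), sum(p.lon for p in run) / len(run))
        spreads.append(sum(haversine_m(centre, p) for p in run) / len(run))
    return spreads


# Constructed sample: a device that sits still with GPS jitter, then walks ~700 m.
REAL_LIKE_TRAIL = [
    Fix(0,   25.2000, 55.2700),
    Fix(60,  25.2002, 55.2701),
    Fix(120, 25.1999, 55.2698),
    Fix(180, 25.2001, 55.2703),
    Fix(600, 25.2050, 55.2750),
]

# Constructed sample: exact repeated coordinate, then a ~120 km jump in 60 s.
SYNTHETIC_LIKE_TRAIL = [
    Fix(0,   25.2000, 55.2700),
    Fix(60,  25.2000, 55.2700),
    Fix(120, 25.2000, 55.2700),
    Fix(180, 25.2000, 55.2700),
    Fix(240, 24.4667, 54.3667),
]


def report(trail):
    """Summarize both heuristics for a trail."""
    return {
        "impossible_hops": impossible_hops(trail),
        "stationary_jitter_m": stationary_jitter_m(trail),
    }


if __name__ == "__main__":
    print("real-like:", report(REAL_LIKE_TRAIL))
    print("synthetic-like:", report(SYNTHETIC_LIKE_TRAIL))
```

These two checks are deliberately crude. A serious analysis, as the article describes, also compares the density of devices between urban and suburban areas and the travel times between places against known road networks; the point here is only that physically implausible hops and zero scatter are cheap, falsifiable signals to look at first.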
Another researcher consulted by TechCrunch, Gary Miller, founder of Exigent Media, also concluded that the data used by NSO Group came from real people: "If you take a slice of smartphone location data at any time of the day, you will find consistency with the number of points identified in suburban versus urban areas," he said.
NSO Group denied the accusations, saying that the material presented does not contain any kind of personal identifier. "We have not seen this supposed assessment and we have to ask how these conclusions were reached. In any case, we maintain our previous position: the demonstration material was not based on real and genuine data related to individuals infected with Covid-19," a company spokesman said.
"As our previous statement said, the data used for the demonstrations did not contain any personal identifiers. And, as also previously communicated, this demonstration was based on obfuscated data. The Fleming system is a tool that analyzes information supplied by the end user to assist health-related decision makers during the global pandemic. NSO Group does not collect data from the system, nor does it have access to collected information," he added.
It is not the first time the group's name has made headlines worldwide over alleged espionage and privacy violations: last week, a zero-day iMessage vulnerability was reported to have allowed attackers to deploy Pegasus, licensed by the company, to compromise and steal personal information from the iPhones of more than 30 journalists. In 2018, the same Pegasus was reportedly used by the government of Saudi Arabia, an NSO Group client, to track the communications of journalist and Washington Post columnist Jamal Khashoggi; the journalist was later tortured and murdered for his criticism of Saudi leaders at the Saudi consulate in Istanbul, Turkey.