The threat of digital surveillance

Image: Trismegist san/ Shutterstock

The phone numbers were allegedly a list of targets for the spyware programme called “Pegasus”, developed by the NSO Group, an Israeli software and cyber intelligence company. OCCRP’s Pegasus Project enlisted 80 journalists, representing 17 media organisations around the world, to take part in the investigation.

As a result, the OCCRP released a series of stories which highlighted specific targets of this software, some of whom were oblivious to the fact that they were being spied on. The NSO Group, for its part, has denied any wrongdoing, insisting that it sells the software only to governments which are meant to use it for law enforcement and monitoring terrorist activities. Needless to say, the countries abusing this software for invasive purposes were rather more authoritarian than democratic. The list included countries like Azerbaijan, Kazakhstan, Saudi Arabia, Bahrain, but also Hungary – a member of the European Union as well as NATO. Even more troubling, it soon turned out that even more EU countries were using the software. In the end, the OCCRP investigation brings to light the dangers of surveillance technology as it relates to freedom of speech and democracy.

Big brother is watching

Surveillance is nothing new when it comes to authoritarian regimes as it has always been a tool to keep control and maintain order. In the most extreme cases of the totalitarian regimes like Nazi Germany, the Soviet Union (especially under Stalin), or North Korea, surveillance is employed by the regime on a mass scale to locate, control and eliminate any opponent or threat to those in power. One can imagine intelligence agents following an oppositionist, gathering information, creating files, using blackmail or even violence as tools of surveillance. However, these methods are time and resource consuming and can be recognised among the astute targets of surveillance.

Technology has always been a key component of surveillance and the dangers of using technology for oppressive purposes is also well known. In George Orwell’s 1984, published in 1949, the author already imagined what a totalitarian future could look like. The slogan “big brother is watching you” became iconic; and at the same time prophetic. And while the technology to read thoughts – and pursue thought-crimes – thankfully does not exist, many others similar to Orwell’s prediction do, and are used exactly for surveillance purposes. What is more, many of them are not only employed by authoritarian regimes.

One of the more sophisticated technologies that has become extremely popular is facial recognition technology. Privacy International, an NGO which promotes human rights and digital privacy, defines facial recognition as technology used to identify, authenticate, verify or categorise an individual. Agencies using facial recognition technologies capture an individual’s facial image and compare it to databases or watchlists. Facial recognition technologies are used widely by law enforcement agencies in most countries to aid in investigations or locate wanted or missing individuals. We see facial recognition also used by private companies for marketing or as a part of its services – for example Google Photos has sophisticated recognition software which makes it easier to categorise pictures based on a person’s face.

Yet, as individuals are constantly taking selfies and posting them online via social media, the potential for abuse is quite high. In 2020 it was revealed that one company, Clearview AI, had technology which combed every corner of the internet and was building secret profiles of individuals’ faces which could be used for surveillance purposes. Initially the company had claimed that their database was only accessible for law enforcement in North America, however further investigations revealed that it was used by private companies as well as more authoritarian governments such as Saudi Arabia and the United Arab Emirates.

Clearview AI has since claimed that it has cut all ties with non-law enforcement agencies and has made efforts to redeem itself, becoming more transparent regarding the clients it works with. One interesting use of the Clearview AI database has been its cooperation with Ukraine during Russia’s full-scale invasion. On its website, Clearview describes how Ukrainian officials use the database in checkpoint security, locating missing persons, investigating war crimes, identifying the deceased and, above all, recognising Russian infiltrators, soldiers and collaborators.

Watch your step

While facial recognition remains largely a tool to investigate crime in more democratic states, the People’s Republic of China utilises it as a key component of its surveillance activities. In 2019, one Chinese facial recognition company accidentally exposed its database online, giving a glimpse into the scale of China’s population surveillance. The exposure illustrated how the company, SenseNets, based in Shenzhen, kept files on more than 2.5 million people, which included not just faces and names, but also ID card numbers, home addresses, birthdays and all recent locations the company’s software had placed any one of the individuals. The software works in real time; and within 24 hours, the time the database was exposed, the SenseNets programme logged more than 6.8 million locations.

The Chinese government, which has over 540 million surveillance cameras throughout the country monitoring its citizens’ every move, has even used its surveillance technology to directly monitor, rate and punish social behaviour. The infamous “social credit system”, announced first in 2014, is a massive surveillance system which tracks every individual with the aim being touted as a way to keep social order and understand who the government can trust. The system monitors people’s actions in public, how they interact with others and whether they obey simple rules (like crossing the street at a crosswalk). Based on this activity the system provides a score to the individual. While China had hoped to launch the system nationwide in 2020, the pandemic and other setbacks have limited its roll-out. However, some analysts have claimed that the social credit score is used in decisions made for individuals – such as whether they can travel, have access to high-speed internet, own property or receive a loan.

Like many western countries, the Chinese government also used surveillance technologies to monitor COVID-19, but took it one step further in its enforcement of its unpopular zero-COVID policy. Real time data was collected and analysed not only on patients and the localisation of the spread of the virus, but also on those taking part in mass demonstrations calling for an end to the strict health policy. The surveillance takes place online as well, as police monitor group chats on social media – like Telegram, WeChat or Weibo. As Human Rights Watch recently reported, the surveillance of Chinese citizens goes well beyond facial recognition or mobile phone tracking, revealing it to be one of the most sophisticated surveillance regimes in the world, using technology to collect voice samples, DNA, iris scans and even people’s social habits, to have a virtual picture of every individual in society. The data is often used in crackdowns against opposition, as in the abovementioned zero-COVID protests, but also in the repressions against the Uyghurs in the province of Xinjiang.

Who spies on us?

Another key technology which is being used by governments, authoritarian or not, is spyware. This technology aims to exploit vulnerabilities in computers and mobile devices in order to access them and monitor a user’s activities. The most well-known case of spyware is the NSO’s software Pegasus as described at the onset of this article. Pegasus infiltrates a mobile device and is able to monitor all types of communication – including encrypted messaging. The programme monitors keystrokes, which can give access to web activity, text messages and passwords. It also is able to access the device’s microphone and camera – enabling the observer to listen and see what the unwitting user is saying and doing.

The Pegasus Project revealed this new unprecedented level of access and surveillance that governments, mostly authoritarian, are using to suppress opposition, especially among journalists. The investigation highlighted the story of Khadija Ismayilova, an investigative journalist from Azerbaijan, whose iPhone was among the more than 1,000 phone numbers allegedly infected with the Pegasus software from that country. Many of the numbers were directly related to Ismayilova, either her family, friends or colleagues, demonstrating that the government was interested in not just monitoring her and her activities, but also those who were associated with her.

The case was similar for Szablosc Panyi, a Hungarian journalist with Direkt36 – an independent Hungarian investigative journalism platform. In the course of the OCCRP’s investigation, it was discovered that Panyi’s phone number was also on the list obtained by Amnesty International. Panyi’s phone was forensically analysed and it was found that the spyware was present between April and November 2019. The analysis also confirmed that Pegasus was no longer on his phone after that time. In his story published by OCCRP, Panyi admitted that he was not too surprised by the fact he was being monitored. “I wrote many stories on topics related to national security: espionage, arms deals, high-level diplomatic talks with the United States, Russia, or China,” he said at that time. “I came to understand this world and got used to its peculiar atmosphere. From time to time, I was vilified in pro-Orbán media, labelled as an agent of the CIA or George Soros, but I never really cared. I also reconciled myself to the possibility that the Hungarian state could surveil my communications, especially because I received multiple friendly warnings that I could be a subject of surveillance.”

However, the Pegasus saga has not ended since the OCCRP’s bombshell report in 2021. As part of the response to the investigation, the European Parliament set up a special committee “to investigate the use of Pegasus and equivalent surveillance spyware”. Its final report, released in November 2022, states that the NSO Group has sold its Pegasus software to 14 countries in the European Union. Among the cases, the highest profile were Hungary and Poland. The report also notes that the NSO Group revoked the licence from two of the EU countries (Poland possibly one of them) for misuse of the software. The report also provides specific details on how each country came to purchase and utilise Pegasus or other spyware programmes like Predator. The report also describes how European governments used the software and who were their targets and victims. Other countries which were found to use spyware go beyond the usual suspects of Hungary and Poland; it also includes, among others, Spain, Germany, the Netherlands, Belgium, France, Italy and Austria. In the case of Estonia, the report states that Russian officials interfered in Estonia’s use of Pegasus claiming it would be used against Russian phone numbers. Apparently, the Israeli defence ministry blocked Estonia from using Pegasus on Russian numbers for the sake of Israeli-Russian relations.

Digital safety

The European Parliament investigation illustrates that surveillance technology is not only used by authoritarian regimes, but also by democratic governments often in the name but not in the practice of national security. Upon its release last month, the lead member of the European Parliament inquiry, Sophie in ‘t Veld (the Netherlands), stated that “all [EU] member states have spyware at their disposal, whether they admit it or not”. Certainly, citizens need to be more aware of the dangers of digital surveillance technologies, including those used against them by their own states. And while what has been discovered in Europe is certainly a significant scandal, it pales in comparison to the level seen in authoritarian countries like China or Russia. Nevertheless, it does pose a threat to the core of democracy in Europe. “Democracy isn’t about elections. Russia has elections. Democracy is about countervailing power,” the Dutch MEP in ‘t Veld said. “Once it’s gone, democracy ends.”

Public transparency and understanding the risks to democracy is certainly a good first step in the right direction. However, addressing the issue should be done in a more comprehensive and institutional manner. Privacy International, in their testimony to the European Parliament committee, argued that the “transfer of surveillance [technologies] should be made conditional to an appropriate legal framework and effective safeguards – including independent authorisation and oversight procedures, as well as appropriate remedial mechanisms” and that such technologies should also be subject to “an adequate human rights impact and risk assessments”. In other words, the European Union could and should find ways to develop a regulatory framework to protect its citizens from abuses – which would put the EU far apart from authoritarian regimes also using such technologies for control and power.

On the individual level, a greater focus by civil society organisations on digital literacy and personal security can also go a long way in protecting societies before a comprehensive legal framework is adopted. Workshops and programmes for users to teach even simple tips – like regularly updating and resetting mobile devices, or using two-factor authentication – would help promote safety and understanding of risks of cyber-attacks. Without basic knowledge of digital safety, it can be relatively simple for ill-intended groups or individuals to take advantage of easy targets. Hence, like in any other field, strengthening our own security in the digital sphere ultimately strengthens the resilience of democratic societies.

Adam Reichardt is the editor in chief of New Eastern Europe and the co-host of the Talk Eastern Europe podcast. He is also the director of the Warsaw Euro-Atlantic Summer Academy, an annual summer school which focuses on security and digital affairs at the College of Europe in Natolin (Warsaw).

Authoritarianism, cybersecurity, digital, surveillance