Submit your essay to the AI-Cybersecurity Essay Prize Competition by January 2, 2025.
The AI-Cybersecurity Essay Prize Competition

Spyware are still having a ‘ball’ despite a decade of warnings

Journalists and civil society organisations have been sounding the alarm on spyware for over a decade, yet very little has been done to counter the growing threat
Main Top Image
This image was created with the assistance of Midjourney

On November 7, Binding Hook published an article by Sophie in ‘t Veld arguing—correctly, I might add—that spyware is a clear and present danger to our democracies. Having led the European Parliament’s yearlong investigation into spyware, in ‘t Veld is well acquainted with the tools and their impact on victims around the world, not to mention the vendors, the NGOs who expose them, and the actors who knowingly spread disinformation about their research.

In ‘t Veld says that the only upside to this spyware debacle “is that it is covered with the correct amount of urgency by some of the finest journalists in Europe.”

“With many parliaments unaware of the problem and courts too slow or unable to push back, much now depends on the Fourth Estate. It is up to the press to keep the fire burning until more politicians wake up to the danger”, she writes.

But the fire has been burning for over a decade and not much has been done to curb the threat, despite the efforts of numerous journalists, technologists, and security researchers. Few seem to be paying attention—the notable exceptions being in ‘t Veld and some of her colleagues in Europe, along with a team of US government officials in Washington.

Early signs

An early warning was sounded in 2009 when Chris Soghoian, then a graduate student at Indiana University, quietly recorded panels at a surveillance trade show and published the tapes on his blog. The Intelligence Support Systems World Conference—commonly known as ISS World—made its debut “in 2002 with less than 50 attendees”, according to a 2017 article by CyberScoop. Since then, the conference has expanded with events in all corners of the world, gathering “thousands of prominent spies, police, hackers and powerful bureaucrats together to spend money on some of the latest and greatest in retail spying kits.”

Soghoian, now Senior Advisor for Privacy and Cybersecurity in the Office of Senator Ron Wyden, wrote the audio revealed that a US telecommunications company had shared customer location data with law enforcement “8 million times between September 2008 and October 2009.” In publishing the recordings, Soghoian not only showed the need for surveillance oversight in the United States—a few years before the Snowden disclosures—but also made the public aware of ISS World and the companies that attend the events. ISS World even picked up the nickname ‘Wiretapper’s Ball’ among its critics. (Soghoian removed the files a couple of days later, writing on his blog that an executive at TeleStrategies, the firm organising ISS World, claimed he had violated copyright law.)

Two years later, when asked to comment for a Guardian article on ISS World and the sale of surveillance technology, Soghoian explained he believed “[t]he level of secrecy around the sale of such technology by [W]estern companies… is cause for alarm.” He’s not alone.

A rising tide of reporting

In 2012, Privacy International, the Guardian, and the Wall Street Journal published a database containing the names of all attendees at six ISS World events held in Washington, Prague, and Dubai between 2006 and 2009. Eric Kind (at the time, “Eric King”), then head of research at Privacy International, told the New Republic that “Western companies were going ‘out of their way’ to aid authoritarian regimes.” Trevor Timm, then with the Electronic Frontier Foundation, added that “it’s getting worse and the longer we wait to do something the worse it will get.”

The two digital rights organisations both called for government intervention, though with different approaches. While Privacy International argued for the need to regulate the export and sale of surveillance technology, the Electronic Frontier Foundation told the European Parliament that it should not regulate the technology itself, but how it was used by the customers. Other initiatives to use export controls to prevent the proliferation of commercial spyware have also arisen.

But the years passed, and the spyware abuse has continued unabated.

In 2013, Citizen Lab reported that FinFisher spyware from the Anglo-German company Gamma Group had been used against opposition members in Ethiopia. In 2014, Bahrain Watch detailed how the same tool had been used to target “some of the country’s most prominent lawyers, activists and politicians”. Several years later, in 2018, the Guardian reported that four victims had filed a lawsuit against the company, arguing that Gamma Group knew the authorities in Bahrain would use the software “to crack down on protests during the Arab spring.” The case is slowly making its way through the UK court system. In 2016, Amnesty International revealed that spyware from the Italian company Hacking Team had been used to target a citizen media project in Morocco four years earlier.

MIT Tech Review reported in 2021 that senior executives at French Amesys had “been indicted for the company’s sale of surveillance software to authoritarian regimes in Libya and Egypt that resulted in the torture and disappearance of dissidents.” The charges came ten years after the Wall Street Journal published evidence that the company’s surveillance technology had been used against Libyans. While some charges were dropped last year, the investigation into the executives is ongoing.

And then there’s NSO Group and Intellexa, two other companies whose spyware, Pegasus and Predator respectively, have been used to target hundreds of members of civil society for years. Citizen Lab, which has researched cyber mercenaries for over a decade, disclosed the first known victim of Pegasus spyware in 2016 when it detailed the targeting of human rights defender Ahmed Mansoor. The New York Times reported in 2019 that Mansoor had also been targeted with spyware from FinFisher, Hacking Team, and DarkMatter. Mansoor is not the only person to have been targeted with spyware from different vendors.

Where do we go from here?

Human rights defenders and policymakers keep calling for a moratorium on the sale of spyware. Researchers still analyse infected devices and expose attacks around the world. Apple, which last year launched an opt-in feature called Lockdown Mode to defend against sophisticated spyware, still notifies individuals whose iPhones may have been targeted by state-sponsored actors.

Meanwhile, ISS World persists in parading well-known vendors like Candiru and Memento Labs—the reborn Hacking Team—and, yes, NSO Group and Intellexa at convention centres worldwide. While ISS World in Washington just wrapped up on November 9, the companies will next showcase their surveillance tools in Dubai in February, followed by Prague in June—this time with NSO as the lead sponsor.

The fire is still burning, and journalists and NGOs are doing everything in their power to sound the alarm at every turn. How long until politicians wake up?

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by Virtual Routes (“Virtual Routes”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works between 800-1200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 2 January 2025, 00:00 am CET., through the official submission portal provided by Virtual Routes.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend The Munich Security Conference

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants Virtual Routes exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use your name (or your pseudonym) and an image of you in association with your essay for purposes of publicity, promotion and any other activity related to the exercise of its rights under these Terms.

The organizers may remove any essay-related content from its platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on its platforms and associated social media accounts, including in connection with the display of your essay. The organizers may also use your Material to promote its products and services.

The organizers may, at its sole discretion, categorise Material, whether by means of ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

Virtual Routes, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify Virtual Routes, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

Virtual Routes reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond Virtual Routes’ reasonable control impairs the integrity or proper functioning of the Competition, as determined by Virtual Routes in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, Virtual Routes reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.