[cp-global] so ... how to address nso group / pegasus

yanosz cp-global at yanosz.net
Sat Dec 25 10:36:52 GMT 2021

Hei folks,

typically, at crypto-parties, we talk about secure messaging, electronic 
mail encryption, private browsing and day-to-day security tools.

Usually, folks entering crypto-parties are concerned about privacy or 
surveillance. They're interested in private communications. Usually, we 
present a tool-canon comprising Tor Browser / Tails, Signal / OMEMO, 
GPG and browser-extensions, etc.

However, in my perception there's a noticeable change in the quality 
of surveillance over the past approx. two years.

For instance, during the Snowden revelations, there was the quote 
("saying") that strong cryptography is one of the few things one can 
rely on. Breaking into encrypted communication was not possible on a 
larger (e.g. nationwide) scale and required some kind of special 
operations tailored to an intelligence agency's target.

I don't think that this is the case as of today.

For me, it feels like tools such as NSO's Pegasus became the de-facto 
standard for surveillance and remote forensics:

For instance:

1) Here in Germany, the software was recently purchased by the federal 
police (BKA) [1,2] (sorry, found no English sources). I think that this 
is noticeable, because the BKA is not seen as a secret service, but as a 
regular police agency (big difference here, due to the Nazi-past). The 
purchase was executed by the agency itself (not a parliamentary debate - 
sic). When asked, the minister of the interior made clear that the 
decision was made solely by the vice-deputy of the agency itself. The 
software is understood to be needed by the BKA for routine work. The 
software is in active use today.

2) Pegasus is used by criminals. The Guardian had a report about a year 
ago that outlined the capabilities of Mexican drug cartels [3]. Notably, 
this does not solely concern Pegasus, but also tools sold by Hacking 
Team and other companies.

3) Recently in Poland, Pegasus was used to monitor political activists. 
It was used against Donald Tusk's lawyer. Donald Tusk was a promising 
candidate in the Polish election. He was the Prime Minister of 
Poland (2007-2014) and the president of the European Council (2014 - 
2019). Notably, by various sources, Pegasus was apparently used in a 
domestic context [5]. I'm not aware of any sources linking this incident to 
foreign governments. I think it's worth pointing out that Poland can be 
seen as a western democracy and NATO-member.

To summarize - the genie is out of the bottle:
- Tools such as Pegasus are available on a global scale, not having any 
scaling problems anymore.
- Tools such as Pegasus are used (or will be used, depending on the 
country) in the police's day-to-day business, as well as by criminals.
- There's global demand for such tools. It's not just the NSO, but also 
Hacking Team and other vendors (e.g. Gamma Group) addressing this 
demand. Prices are likely to decrease due to a) competition and b) still 
easy-to-break end-devices such as Android [6].

In effect, I think that:
a) Protection against such tools is what a crypto-party's audience 
seeks. Journalists need ways to protect sources (e.g. meta-data and 
phonebooks) during investigations. Political activists need to 
coordinate out of the opponent's plain sight.

b) It's not worth teaching and pointing out tools that do not protect 
against Pegasus (e.g. Signal). Tools such as Pegasus are the default way 
for day-to-day police work on a global scale.

c) It's not possible to provide tools protecting against Pegasus
"it's a weapon against which there is no defense." [7]

So, what to do at a crypto-party? This is a dilemma.

Greetz, yanosz

[6] https://source.android.com/security/bulletin
