
ITACS 5211: Introduction to Ethical Hacking

Wade Mackay

Question for this week

September 12, 2016 by Wade Mackey 13 Comments

First let me say that I have no right or wrong answer for this, just want to see each of you weigh in.

In light of the news around an Israeli company developing malware to facilitate the UAE snooping on human rights activists, how far would you be willing to go if you ran the IT Security company that created this malware?

Here’s a link to the story in case you don’t recall. http://foreignpolicy.com/2016/08/25/the-uae-spends-big-on-israeli-spyware-to-listen-in-on-a-dissident/


Comments

  1. Jason A Lindsley says

    September 12, 2016 at 11:04 pm

    I feel that the NSO Group is crossing the line from an ethical standpoint. I personally don’t believe that the Pegasus software that they created and attempted to use for the UAE aligns to NSO Group’s mission “to make the world a safer place by providing authorized governments with technology that helps them combat terror and crime.” To me they are enabling the Emirates to violate the fundamental human right of privacy. If I ran this security company, our values would be built on integrity. The products and services we offered would be designed to protect private and confidential data, not expose it.

  2. Shain R. Amzovski says

    September 13, 2016 at 9:55 am

    The NSO Group claims its “mission is to make the world a safer place by providing authorized governments with technology that helps them combat terror and crime.” I believe this is not entirely true, and the company was offered enough money by the UAE to assist with monitoring human-rights activists and report information back to the government. It is reported that the NSO had a $10-$15 million contract with the UAE. Was that enough money to make NSO abandon its company mission? Most likely. I think for the right price, and the right situation, where the company puts no one in their native country in harm, its software can be bought and used on almost anyone in the world.

  3. Ahmed A. Alkaysi says

    September 13, 2016 at 12:38 pm

    Honestly, I wouldn’t be very comfortable at all selling this malware. Any government in the world can buy this malware and make a case that they are doing it for the “safety” of the public or to counter the terrorists. However, the reality is they will use this malware to further whatever agenda they have. If there is a strong enough case to try and get this malware on someone’s phone who you think will be an accomplice to a terror attack, go arrest them or something. Giving this type of weapon out will open Pandora’s box and allow even more of these types of tools to be created and sold, which would probably end up getting in the hands of terrorists, which this malware was apparently created to spy on.

  4. Arkadiy Kantor says

    September 13, 2016 at 3:25 pm

    I think most organizations find themselves in a similar struggle where they have a core mission or objective to make something good while maintaining good intentions they end up with an internal struggle where the engineers/developers have goals to achieve success by designing or developing something to be used for “good” while on the other hand the people that run the company and are supposed to bring in business are incentivized by money or sometimes other factors. I imagine the developers of this firm only meant for this to be used for the right reasons, but when an opportunity to make a lot of money came up it was much harder for leadership to turn it down. It is also possible that in some cases like this the true intentions of the use are not fully disclosed or known.

  5. Scott Radaszkiewicz says

    September 13, 2016 at 8:50 pm

    That’s a great question. The PC answer is that no one ever wants to violate human rights or someone’s personal freedoms. In this case, the UAE used this technology to spy on a human rights activist. Let me ask another question: what if this company came to the United States Government and said to them, we have a program that can give you access to Mr. X, the world’s most dangerous terrorist? Let’s assume Mr. X is the mastermind behind a terrorist organization that has killed thousands of people around the world. With this phone hack, you’ll be able to locate him and capture him. Does that change anything?

    We all want black and white answers, but they don’t exist. Not only are there grey areas, but there are many different shades of black and white answers too.

    Personally, for me, it’s a dangerous slope. And maybe this ties back to another post on here about the US courts ruling on the FBI using hacking software. The courts will decide if there is evidence for this type of “search”.

    • Jason A Lindsley says

      September 13, 2016 at 9:01 pm

      Good point Scott. In the case of Mr. X, I probably would be supportive of law enforcement or our government using this phone hack with the appropriate warrant. I still don’t think I would be supportive of my own security company developing this because the vulnerability threatens the privacy of all users of that phone model. You really raised how much of a grey area this is with your illustration.

    • Loi Van Tran says

      September 18, 2016 at 6:33 pm

      Great point Scott. The response is clearly not black and white. NSO was simply creating a product that people wanted. Businesses exist to make profit, otherwise they will not exist. Whether it was in their own interest or public interest, they walked away with a substantial sum of money.

      The problem exists after the sale of the product. The same moral/immoral compass that drove the company to create Pegasus may not be the same for the people they sold it to. The intended use of the product may not be how it’s actually being used.

      If I had the technical prowess to create such a program for say the US Government, would I do it? If I can say with 100% confidence that it will be used as I intended then yes, but it will probably not be the case.

  6. Ioannis S. Haviaras says

    September 13, 2016 at 9:08 pm

    This is a tough question to answer because as a head of the NSO group you could potentially see that a malware to monitor a person’s phone could do some good. However, if it landed in the wrong hands it could affect millions of people across the world. This ultimately goes to show that even though Apple devices are deemed relatively safe. This is similar to the issue that arose earlier in the year with the case versus Apple and the FBI when they were demanding a “back door” to their devices. Tim Cook said that a “back door” is the equivalent to “cancer for the iPhone” meaning that if a hacker were to obtain this “back door” he could essentially get into every iPhone in the world. Selling a malware for a price could eventually lead to someone obtaining this unbeknownst to the NSO group’s knowledge.

  7. Anthony Clayton Fecondo says

    September 13, 2016 at 10:36 pm

    I’m not comfortable with this malware. I think that creating software like this opens Pandora’s box as to the use and misuse of such software. Once one reason for intruding people’s privacy so brashly is justified, people will push for another reason why the malware should be acceptable. People already have enough to worry about with the NSA, we don’t need software companies developing malware on top of that. Thankfully, companies such as Apple have taken a firm stance on user safety and confidentiality. Hopefully, companies like these will make efforts to patch vulnerabilities and maximize the privacy of their users.

  8. Mengxue Ni says

    September 14, 2016 at 10:28 am

    NSO Group, which created the malware, crossed the ethical line because they sold the malware to anyone who is willing to pay. For this kind of IT Security company, there should be a regulation or law set up for who and where and why they can sell malware. As people are always saying, if power goes to the wrong place, it will be a tragedy. In addition, for Ahmed Mansoor, the Emirati government violated his confidentiality and rights. They imprisoned him in another form. It is hard to find solid evidence to prove that the Emirati government hired NSO Group to attack Mansoor. However, it was the third time that he was targeted by malware written by a private intelligence firm. He should have done something to protect his privacy, like implementing apps that help him to detect malware, not clicking on any links that are risky, etc.

  9. Mengqi He says

    September 14, 2016 at 11:25 am

    I think Pegasus goes too far from ethical hacking. Even though Pegasus states that all their products are used for making the world a safer place by preventing and investigating crime, what it actually did violated the privacy of Mansoor. I think if Pegasus provides services to countries for only surveilling terrorists, such as Osama bin Laden, it will be fine. I would believe that the original intention of Pegasus is to prevent and investigate crime like it stated, but Pegasus and its technologies would be used for inappropriate persons, such as dissidents who are not potential terrorists, Mansoor in this case. To Pegasus, it may be hard to determine whether the person they are required to surveil is a potential terrorist or not, because it may relate to a country’s confidential information. Therefore, it is hard to judge whether Pegasus is doing the right thing because it highly depends on the countries that hired it. In this case, the UAE crossed the line of doing right things for a safer world.

  10. Wayne Wilson says

    September 14, 2016 at 4:44 pm

    Excellent question, the first thing I would have to consider is the mission of my business. If my business is to produce malware that allows someone to gain access to hardware and secure information undetected I would go as far as the law would allow before crossing into the criminal realm. Therefore, I have to take the emotional element out of the equation and focus on the business at hand. The sole purpose of my business is to hack and be the best at it. Going into this type of business I already knew who my potential clients would be and what they are looking for so the line has been drawn in the sand from day one (legal vs. illegal). Gun manufacturers don’t produce guns for criminals but the risk is there for the guns to end up in the hands of criminals.

  11. Marcus A. Wilson says

    September 15, 2016 at 9:28 am

    The manner in which Pegasus was used in this case is wrong and unethical. I think these situations are difficult to judge and cause so much controversy because you never know what a company like NSO’s intentions really are. Tools like this can be very powerful in stopping terrorism around the world but it sends a completely different message when you are receiving billions of dollars from a government that wants to use this exploit on journalists and activists. My challenge of running an IT security company like this would be determining who the “good guys” really are and the responsible use of this knowledge and research. I personally would want to work with governments that shared my same views against terrorism and wanted to use these tools to prevent it. I would also want to work with Apple and other companies to help prevent this from happening to innocent users even if that compromises the exploit.
