It looks like NSO is backed up by the Israeli government. They say their software is only sold to governments which were previously vetted, but the reality is that most of the time they sell to authoritarian states which monitor and persecute people opposing the regime.
The way this works is that in addition to the more colorful clients, you absolutely need to make sure that you have a sufficient number of clients among law enforcement and security services in countries with a decent(-ish) track record regarding human rights. This way, your products and services are not obviously illegal. You can even tell your employees that your products and services are saving lives because it's actually true.
This strategy mostly works because the major operating system suppliers refuse to implement requested lawful intercept solutions for their consumer products. Instead, we end up with companies that try to fill the gaps, making a business of exploiting security flaws. It's possible for the OS vendors to completely dry this swamp, by offering competing services to law enforcement using the interfaces they already have (automated software updates, for example). The reputable clients would migrate rather quickly. These companies would be left with just the shady clients, making it much more difficult to justify their continued existence.
The OS vendors refuse to implement lawful intercept capability because there is no such thing as a lawful intercept capability. There is only intercept capability for any purpose because ROM bootloaders and secure enclaves cannot vet the lawfulness of a request to subvert their owners. You can make a phone relatively secure against people trying to break into it, but only if it has unique access keys for the owner. If you give any government a second key for intercept capabilities, that key will be a single point of failure for the entire system. Eventually it will leak and your phone password will be effectively useless.
I don't even need to invent a scenario for this: you can buy the TSA master keys off Amazon right now. The only reason why it's not a huge problem is that TSA locks are a special thing you buy and use solely for airline luggage that is already in TSA custody anyway. If you use TSA locks on anything else, however, you're just asking for it to be stolen because the locks don't actually provide any security.
The shady clients will get their hands on any intercept key provided by law enforcement, because it's legally unreasonable for Apple or Google to only provide intercept capability to some of the countries they operate in. e.g. if you give the US and UK a decryption key you also have to give it to Saudi Arabia[0]. Hell, in some countries the shady and legit clients are part of the same government - e.g. you can't give the key to just the FBI but not the NSA or CIA.
[0] The Saudis have one very big lever they can use to force the west to do what it wants: gas prices.
2nd is Saudi Arabia then Russia. However it happens that US is also the largest consumer and their production doesn't meet the demand so they have to import from other countries like Canada and Saudi Arabia
So Saudi Arabia most definitely does have a lever, and so does Russia since the rest of the world including US allies like Japan, South Korea, Australia, NATO countries depend on their lovely black gold to have functioning economies.
I want to add that even if the US produced more oil, we currently don't have enough industrial refining capacity for the type of crude that we produce to meet our demand, so we would still need to rely on foreign imports.
> [...] so does Russia since the rest of the world including US allies like Japan, South Korea, Australia, NATO countries depend on their lovely black gold to have functioning economies.
Have you been following the news for the past two years? Russia's sanctioned up the wazoo. No NATO country is buying Russian oil. India is now their number one customer.
There is truth in that Europe isn’t buying directly from Russia. However, plenty are buying refined oil products from India (and possibly others) where the source is Russian crude oil.
If the US was like Saudi Arabia where they exported half of their oil, and could supply most of the world at competitive prices, Russia would have really felt the Sanctions.
But right now Russia doesn’t feel the Sanctions. They’re more isolated and Putin’s propaganda has somewhat worked at making the general population anti-west and support the Ukraine invasion.
That is a slippery slope though, because the OS vendors could offer Law Enforcement everything today, and there will be a special request made for a little something extra tomorrow.
The ties to government are a red herring. Hacking into people’s private phones and computer systems is generally immoral and illegal.
It generally continues to be immoral and illegal when governments do it. Except it also becomes more outrageous, because governments are supposed to protect us from this sort of thing.
I don't see why the government doing it would make it more outrageous. If democratically elected leaders pass a law outlining when and how the cops should be able to access private devices, a judge looks over a specific case and signs a warrant, the cops use a hacking tool to catch a terrorist and the evidence is presented in court, this seems like the most excusable use of hacking tools that I can think of.
The government is given power over people in order to protect us from other people and this is one tool to do it. They have cops with guns and soldiers with tanks, they can break in, search and seize, they can lock people in prison. All of these things are tools and it's the way they're used that decides what's immoral or outrageous.
The bigger problem here is that a private company has these tools and can use and sell them with no oversight.
It does if we grant the two the same assumptions. If we assume that serious, unjustified harm would occur by failing to act, and they are in a reasonable position to act… then I’d say a private company is equally justified in doing the same thing. However, you’re assuming the government is justified merely because it’s the government.
Private companies aren't, but in certain circumstances private citizens working for those companies are. In the US (except perhaps Georgia?) if a crazy guy comes into your workplace waving a knife around, you're allowed to disarm him and pin him down on the ground.
Depending on the circumstances, absolutely. Assuming that serious unjustified injury or death would occur if they failed to act, there should be some legal window in which they’re allowed to prevent the harm. Private companies (and individuals) should not be required to stand by helplessly while people are hurt.
Indeed, legally, private individuals and companies are allowed to act in emergencies. For example, I generally should not break into my neighbor’s home. However, I am legally allowed (and morally obligated) to forcibly enter their residence if their house is on fire, or they’re being attacked by a burglar, etc. and I am able to prevent some of the harm.
Of course, if we assume we’re talking about situations where the government needs a warrant, the legality becomes more complicated. At what point does something become an emergency? I would say it’s not an emergency if there is time to inform the government and to let the government prevent the injury. If we assume the government is unwilling or unable to act, then the window for action should expand by some measure.
Exactly. Indeed, in Phoenix v State, 455 So.2d 1024, the Florida Supreme Court implies that a private citizen could request and receive a warrant to arrest a felon. They say the citizen could be excused for failing to obtain a warrant by proving the person arrested was actually guilty.
This is obviously a bad idea, private companies or individuals having the power to arrest people because they want to? Look at the recent few years of history in the US where multiple experienced and distinguished (at least by resume), members of the US govt, senators, reps, tried to subvert an election, dozens of lawyers told them it was illegal, we have their email and texts telling them. That group still acted to do many illegal actions, lie about it, tried to cover it up. And they still deny any problems with their behavior and choices.
Private companies having arrest rights is just a nonstarter of an idea (putting it kindly).
Maybe it depends on the country, but private companies can't generally get warrants to infringe on people's rights afaik. If justified is interpreted as 'legally justified', then it would make sense that only government agents could be justified to act in this manner. Of course, government agents are known to operate outside the law as well.
I wouldn’t assume that private companies and individuals cannot get warrants.
However, they look very different. The major distinction is that when a private party requests an injunction allowing them to e.g. trespass on their neighbor’s land, the court will require notice and a hearing for the defendant. So, if a chemical plant needs to do earth works on a neighbor’s land to prevent a collapse, etc. the judiciary may well issue an order requiring the neighbor to let the company enter.
Frankly, notice and hearing should probably be required for some criminal warrants too. I can think of a few indictments and arrest warrants that have recently been issued where there is a genuine question as to probable cause and the alleged illegality of the conduct. It’s not fair for people who are not a flight risk to be arrested (and often imprisoned) with no opportunity to defend themselves.
Devil's advocate: we have a reasonable expectation that governments using due process to obtain warrants for criminal investigations have a right to break and enter into digital property or wiretap to catch and prosecute malefactors.
How far do you really expect any tech outfit to vet the legitimacy of the warrants issued?
How about the legitimacy of the government? Most of the abuses are governments which have a long history of abusing their power and it wouldn’t be unreasonable to say that entire countries should not be trusted with sales.
Legitimacy based on what? Recognition by the UN? Lots of governments even predating the UN have been long accused of rights abuses. How many people affected, and proven so by what basis constitutes infractions beyond moral right to be trusted by NSO. I'm asking people to really grapple with this.
My point being that there’s precedent for restrictions - we don’t sell nukes to anyone, and the companies which make advanced weapons systems have to get things like ITAR approvals. What would be especially powerful would be revocation: if a country is found abusing their access to this tool, they are blocked from purchases of any sort for a decade. Unfortunately, given Israel’s current politics it’s extremely unlikely that anything would happen since there’s no way to write a policy which would continue to allow their own usage.
The US has their own version, called the NSA. Available to hire via really simple framing. Guaranteed whomever is caught will be in prison for years just to get a trial to prove they're innocent.