Governments around the world are using surveillance software that taps into individual smartphones, taking screenshots, reading email and tracking users’ movements, according to security experts and civil liberties groups.
The rise of so-called spyware comes as electronic communications have become more encrypted, frustrating law enforcement and governments’ surveillance efforts.
Over the past several years, private companies have begun selling advanced software that first appears as a text message with a link. When a person clicks on the link, the phone becomes infected. A third party can then read emails, take data and listen to audio, as well as track users’ movements.
The companies that sell this spyware exclusively to government agencies insist that the software must be used only in a legal manner, to fight crime and terrorism. However, security researchers and civil liberties groups contend that some governments use the programs to track human rights activists, journalists and others.
A recent story in The New York Times focused on activists and journalists in Mexico who have received text messages and emails with links that, if clicked on, would infect their devices with spyware. In some cases, the messages appeared to come from legitimate sources, such as the U.S. Embassy.
The Mexican government says it does not target activists, journalists and others with spyware unless it has “prior judicial authorization.”
In recent years, there’s been a rise in software sales in what is known as the “lawful intercept” market, said Mike Murray, vice president of security intelligence at Lookout, a mobile security company based in San Francisco, California.
Countries that can’t make their own surveillance software can now buy sophisticated surveillance tools, Murray said.
“What’s new is the enthusiasm [from] nation-states. ... It’s a capability they always wished they had. Now they have it,” he added.
Lookout, which makes security software and services, receives monthly information from more than 100 million phones in 150 countries. It has seen spyware “in every kind of contentious place around the world,” Murray said.
The use of nation-state spyware used to be limited to a handful of governments, said Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, a nonprofit digital rights group. But now that the price of the spyware has come down, countries can spend a few hundred thousand dollars to get the same capability.
Galperin spent three weeks in Mexico last year training activists. One tip she gives: Users who are not certain that a link in email or a text message is safe should forward it to a separate account, such as Google’s Gmail or Google Docs, to prevent infection.
“We should be very concerned,” Galperin said. “Surveillance malware is incredibly powerful. You have full control of the machine. You can see everything the user can see, and do everything the user can do.”