Reports of former U.S. intelligence officers helping the United Arab Emirates spy on journalists and government critics should inspire some serious introspection among Western government leaders who want to compromise citizen cybersecurity in the name of fighting crime and terrorism.
Reuters reported yesterday that a handful of former United States intelligence officers, including former National Security Agency (NSA) analysts, have been working for a clandestine team in the UAE to help the authoritarian government spy on its enemies and rivals. The targets included not just rival foreign government officials (like Qataris) but human rights activists critical of the government. The targets even included Americans.
"I am working for a foreign intelligence agency who is targeting U.S. persons," former NSA analyst Lori Stroud told Reuters. "I am officially the bad kind of spy." Stroud left the NSA in 2014—partly due to her role in recommending whistleblower Edward Snowden as a contractor to the NSA in 2013 and what ultimately followed—and went to work for the UAE.
She joined a program called Project Raven, which she initially thought would be defensive counterterrorism efforts intended to protect the UAE from hackers and threats. Then she very quickly learned otherwise. This was an aggressive program to infiltrate and hack the UAE's enemies.
Project Raven exploited a security flaw with iPhones that allowed them to install malware on it without the user knowing or even having to do anything. The tool, named Karma, didn't allow snooping on the calls themselves, but did allow hackers to collect photos and location information and harvest saved passwords.
It should not come as a surprise that the UAE is attempting to hack into the phones of dissidents and activists. Apple actually released an emergency update for its iPhones in 2016 because of malware tools the UAE had been using to try to breach the phone of a human rights advocate in the country.
The Reuters report provides us with another reason why voters should reject government calls to compromise cybersecurity in the name of fighting crime and terrorism.
To be specific, I'm referring to the constant insistence by government officials and law enforcement leaders that phones and online communication platforms and apps should have some sort of back door, or mechanism for the government to bypass encryption. In America, in the United Kingdom, and in Australia, we have political leaders and heads of law enforcement and intelligence operations insisting that tech companies must help them compromise security to keep criminals and terrorists from "going dark"—using encrypted communications to hide from surveillance.
Privacy experts and tech companies habitually warn these leaders that you cannot compromise cybersecurity in such a way that only the "right" people have access to the communications of only terrorists. Any key that can be used to bypass encryption is inevitably going to find its way into the wrong hands and be used against good people. These bad actors could be criminals looking to engage in identity theft or scams. Or they could be dangerous governments like the UAE looking to punish human rights activists with the help of American alumni of the NSA.
Somebody alert Australia's Parliament that their anti-encryption legislation could actually kill people.