Israeli spyware company NSO Group used the phone location data of thousands of people for its Covid-19 tracking application, according to University of London researchers cited by Techcrunch.
Track the spread of the virus
Known for its Pegasus spyware sold to many states, NSO Group has developed a tool to help governments track the spread of the virus. This software, called “Fleming”, makes it possible to see where a user was at a given moment, who he met, where and for how long, “without compromising the privacy of individuals”, promised the company during a demonstration.
But last May, a cybersecurity researcher revealed to the U.S. media outlet that he had found an unprotected database storing thousands of geographic coordinates apparently used by NSO Group to demonstrate how Fleming works. Techcrunch reported the problem to the company that secured said base. She claimed, however, that the stored location data was “not based on real and authentic data.” An assertion contradicted by investigations carried out by several Israeli media.
Obtaining data from brokers
According to journalists, to “train its system”, NSO Group would use telephone location data obtained from advertising platforms. Tehilla Shwartz Altshuler, a privacy researcher who attended a demonstration of the offending software said the Israeli startup told her the data was obtained from data brokers. They sell access to vast amounts of aggregated location data collected from apps installed on millions of phones.
To settle this case, Techcrunch commissioned a group of researchers from Forensic Architecture at the University of London, specializing in the violation of human rights. Published on Wednesday, their work concludes with a “probable” use of real geolocation data to develop Fleming. For example, NSO Group allegedly violated the privacy of 32,000 people in Rwanda, Israel, Bahrain, Saudi Arabia and the United Arab Emirates – countries using the software.
All data is not fictitious
The researchers analyzed a sample of location data, looking for patterns they expected to find if the system worked with real data, such as a concentration of people in large cities. They also found “spatial irregularities” that are necessarily associated with real data, such as star-shaped patterns. “The data set is probably not ‘dummy’ or computer generated but rather reflects the movement of real individuals, possibly acquired from telecommunications operations or a third-party source,” the scientists concluded.
Gary Miller, mobile network security expert and founder of cybersecurity firm Exigent Media, came to the same conclusion. “If you take a scatter plot of the cell phone locations at a time T, there will be consistency in the number of points in the suburbs versus the urban locations“He explains. He goes on to say that even though the data is anonymous, it can be used to find a person’s home or place of work.”A lot of details can be learned about individuals just by looking at geographic movement patterns.“, he warns.
A mix of different sources
For his part, John Scott-Railton, researcher at the Citizen Lab in Toronto, specifies that the data used by Fleming probably comes from a “mix of direct GPS data, nearby Wi-Fi networks and in-phone sensors“. So, “if you look at ad data, like the data you buy from a broker, it looks a lot like this“, he continues. It makes sense, he concludes, because using simulated data for a contact tracing system would be”counterproductive“, because NSO Group wanted “train (Fleming, editor’s note) on data that is as real and representative as possible“.
Israeli society has rejected these accusations. “We have not seen the study and are wondering how these conclusions were drawn. Nonetheless, we stand by our previous answer dated May 6, 2020. The demo material was not based on real and authentic data relating to people infected with Covid-19, “said a spokesperson. Techcrunch clarifies that the previous comment from NSO Group did not refer to individuals with the virus.
WhatsApp complaint supported by Microsoft, Google and Cisco
Although these revelations are disturbing, they are unfortunately not surprising. NSO Group is involved in numerous scandals. The company is notably facing a lawsuit led by WhatsApp, owned by Facebook, which accuses it of exploiting a flaw in its messaging system to infect 1,400 phones with the Pegasus spyware. Journalists and human rights activists are said to be affected. Last December, a coalition of companies, made up of Microsoft, Google, Cisco and VMware, joined the lawsuit.