Two weeks ago, an Arab human rights activist was targeted in a hack. Clicking on a web link would have given hackers full access to his iPhone, and using this technology they could track his movements, see his chat messages, and even take pictures using his camera. So this week, like hundreds of millions of other iPhone users, I protected myself by updating my iOS.
All of this seems like the standard inconveniences of life in a digital age. Yet hidden inside this details is a potentially transformative story about the shifting social contract between governments, businesses, and the people.
The attack was sophisticated, taking advantage of a previously unknown flaw in iPhone software, a so-called “zero day” exploit (as in, “it’s been zero days since we found out about it”). The hack was neither cheap nor easy, and the software – apparently purchased by the United Arab Emirates (UAE) to spy on pro-democracy dissidents – is estimated to have cost about $1M on the open market.
Let’s take a moment to follow the international path between creation of the exploit and deployment of the patch.
The exploit was created by an Israeli company called the NSO Group. The company’s customers are not consumers or corporations, but nation-states: it produces an “activity monitoring solution exclusively for the use of government, law enforcement, and intelligence agencies”. While based in Israel, the company is now owned by a San Francisco private equity group, who bought it in 2014 after getting approval from the Israeli Ministry of Defense.
NSO appears to have secured a contract with the UAE for use of the hack, and their associated tracking services. The UAE, in turn, tried to use the software to track Ahmed Mansoor, a dissident who it previously arrested and imprisoned. As this was the third time the UAE had tried to hijack Mansoor’s electronics, he quickly recognized their “please click this link” trick, and asked for help.
Mansoor sent a screenshot of the link to a Canadian think tank that specializes in human rights and electronics surveillance. Once the Canadians confirmed that the link enabled a zero-day exploit by loading it onto a test iPhone, the think tank sent corrupted phone to a San Francisco-based security firm for analysis. The two organizations then alerted Apple, who within just 10 days had repaired the security flaw and sent an OS update to people like me.
It looked something like this:
So how was law enforcement involved in these actions? Well, it was the government of the UAE who attempted (and botched!) the hack in the first place. And it is Israeli and other law enforcement agencies worldwide who, by buying NSO’s product, fund the R&D necessary to make this hack available in the first place.
Yet as interesting as it is to analyze how governments were involved in this malicious code, it’s even more interesting to note how they weren’t.
There was no government involved in detecting the hack. There was no government involved in creating a defense. There was no government involved in deploying the solution. As can be seen from the map, there is in fact no government entity with jurisdiction over the terrain of the events, which span the globe.
Instead, the entire response was coordinated by an NGO and the private sector. And it worked.
Historical metaphors are delicate, but this feels like the civil structure of Silk Road trading. Security does not flow from a central authority in the digital world, so we join a trade caravans, choosing the biggest (e.g., Apple, Google) if we value safety above all else, or choosing smaller, more nimble groups if we have enough local knowledge to guarantee safe passage. Oh, and occasionally we make bad choices, and get ransacked by bandits.
This feels unsettling, because we are used to security being provided by a nation-state. Yet the geographic barriers that define today’s nation-states have diminished in importance, if not vanished entirely, in the electronic world. Which is what lets an Arab government using software written by a US-owned Israeli company have its hacking attempt foiled by a Canadian academic group collaborating with a San Francisco consultancy and a global multinational corporation.
The world has gotten a lot more complicated. And the existing political structures, defined centuries ago by geography, may have trouble keeping up.