NSO used real people’s location data to pitch its contact-tracing tech, researchers say – TechCrunch

Spyware maker N.S.O. The group used real phone location data on thousands of untrained people when it demonstrated its new COVID-19 contact-tracing system to governments and journalists, researchers have concluded.

NSO, a private intelligence company best known for developing and Sell ​​governments have access to their Pegasus spyware, The attraction went on the offensive earlier this year to pitch its contact-tracing system, dubbed Fleming, which was intended to help governments track the spread of COVID-19. Fleming is designed to allow governments Location data feeds from cell phone companies Visualizing and tracking the spread of the virus. NSO has many News outlet Each demo of Fleming, which the NSO says helps governments make public health decisions “without compromising personal privacy”.

But in May, a security researcher told TechCrunch that he found an exposed database storing thousands of location data points used by the NSO to explain how Fleming works – the same performance that reporters had seen weeks earlier.

TechCrunch reported a clear security lapse to the NSO, which quickly secured the database, but said the location data was “based on real and not real data.”

NSO claims location data was not genuine From the report In Israeli media, which stated that the NSO used phone location data obtained from advertising platforms, known as data brokers, to “train” the system. Academic and privacy expert Tehila Schwartz Altshuler, who was also given a demo of Fleming, said the NSO told him that the data was obtained from data brokers, aggregating location data collected from apps installed on millions of phones. Sell ​​access to vast numbers.

TechCrunch asks researchers Forensic architecture, Goldsmith, an academic unit at the University of London Study and investigates human rights abuses, for inspection. Researcher Published their findings on Wednesday, Concluding that the data exposed was based on actual phone location data.

Researchers said that if the data is genuine, the NSO “violates the privacy” of 32,000 individuals in Rwanda, Israel, Bahrain, Saudi Arabia and United Arab Emirates – Countries that are allegedly customers of NSO spyware.

Researchers analyzed a sample of exposed phone location data by looking for patterns expected to be viewed with location data of real people, such as the concentration of people in major cities, and in traveling from one person to another Measuring time taken. . Researchers also found spatial irregularities that would be associated with actual data, such as a star-like pattern caused by a phone that tries to pinpoint the location accurately when the line of sight on a satellite was high in buildings. Is interrupted by

“Spatial regular irregularities in our sample ‘- a common signature of real mobile location tracks – supports our assessment that this is real data. Therefore, the dataset is neither ‘dummy’ nor computer-generated data, but rather reflects the movement of real individuals, presumably derived from telecommunications carriers or a third-party source, “the researchers said.

Researcher Built maps, graphs and visualizations To explain the findings of the individuals whose location data were fed in the NSO’s Fleming demo, preserving their anonymity.

Gary Miller, a mobile network security expert and founder of cyber intelligence firm Aggent Media, reviewed some datasets and graphs, and concluded that it was actual phone location data.

Miller said the number of data points around population centers has increased. “If you take a scattered plot of cell phone locations at a certain time, there will be a steady number of points in suburban versus urban locations,” he said. Miller also found evidence of people traveling together, which he said “looked consistent with actual phone data.”

He also said that even “unknown” location data sets can be used to tell a lot about a person, such as where they live and work, and who they go to . He said, “One can learn a lot about a person just by looking at the location movement pattern.”

“If you combine all the similarities, it would be very difficult to conclude that it was not real mobile network data,” he said.

Timeline of location data of a person in Bahrain over a period of three weeks. Researchers state that these red lines represent journeys that seem plausible within the indicated times. (Image: Forensic Architecture / Supply)

John Scott-Raylton, a senior researcher at Citizen Lab, said the data originated from phone apps that use a mix of direct GPS data, nearby Wi-Fi networks, and the phone’s in-built sensors to improve quality Possible location data. “But it’s never really right,” he said. “If you are looking at advertising data – like you buy from a data broker – it will look like this.”

Scott-Raylton also said that using simulated data for a contact-tracing system would be “counterproductive”, as the NSO would “like to train” [Fleming] On as much real and representative data as possible. “

Scott-Railton told the NSO that referring to educational data, he said, “Based on what I saw, the analysis provided by Forensic Architecture is consistent with previous statements by Tehila Schwetsert Altshuler.”

“The entire situation presents a picture of a spyware company once sensitive and potentially with personal information,” he said.

The NSO rejected the researchers’ findings.

“We have not seen the test and we have to question how these conclusions are reached. Nevertheless, we stand by our previous response of May 6, 2020. The demo content was not based on actual and actual data related to infected COVID-19 individuals, ”an anonymous spokesperson said. (NSO’s earlier statement No reference given For individuals with COVID-19.)

“As per our final statement, the data used for the demonstrations did not contain any personally identifiable information (PII). And, as previously stated, this demo was a simulation based on obfuscated data. The Fleming System is a tool that analyzes data provided by end users to help health decision-makers during this global epidemic. The NSO does not collect any data for the system, nor does the NSO have any access to the collected data. “

The NSO did not answer our specific questions, including where the data came from and how it was obtained. The company claims on its website that Fleming is “already being operated by countries around the world”, but declined to confirm or deny when questioned by its government customers.


Got a tip? Contact us safely using SecureDrop. Get more knowledge here.

Contact tracing sees Israeli spyware manufacturer’s push As a way to improve your image, As the company Fights lawsuit Those who can see it in the United States can find more information about governments accessing their Pegasus spyware.

The NSO is currently embroiled in a Facebook-owned WhatsApp lawsuit that blamed the NSO for exploitation last year An unknown vulnerability in WhatsApp To infect some 1,400 phones with Pegasus, including journalists and human rights defenders. The NSO states that it should be included in legal immunity as it works on behalf of governments. But Microsoft, Google, Cisco and VMware Entered an amicus brief this week in support The court called for WhatsApp and the NSO to dismiss the immunity claim.

The amicus brief arrived shortly after the Citizen Lab was found Evidence of dozens of journalists Pegasus was also targeted with spyware by NSO customers including Saudi Arabia and the United Arab Emirates. The NSO disputed the findings.