Why not both: On backdoors and spyware

Why not both: On backdoors and spyware
Photo by Michel Catalisano / Unsplash

Last week I attended an event convened by Jigsaw on AI and the Public Square. It was an incredible agenda led by implementers and activists who are embracing democracy in all of its flaws, while also doing something about the at-scale effects of the rather disputatious online experience. Two papers were helpful in framing the discussions:

I took away an enormous amount of assuredness that the approach, rigor, curiosity and urgency with which a multitude of experts and researchers are approaching the erosion of civic space must necessarily constitute a lasting and ongoing community of practice.


Backdoors 🤝 Spyware: Or, what you get with broken encryption and government hacking (hint: it’s genocide)

Encryption backdoors and government hacking often emerge as competing solutions. Human rights groups tend to point out that this is a false dichotomy because while olicy makers present them as tradeoffs, they are in fact reinforcing. Both facilitate government access to encrypted communications for law enforcement or intelligence agencies. Both violate civil and human rights if abused or mandated at scale.

However it is important to remember that these two solutions are not theoretical, nor does the future present some “choice” for civil liberties and human rights groups. The reality is that government hacking is flourishing from extrajudicious hoarding of zero-day exploits to spyware products like NSO Group’s Pegasus. What is not yet a reality is mandated backdoors of end-to-end encrypted messaging, but not for lack of trying by, notably, the Five Eyes countries.

It’s worth recalling the key differences between these techniques not because discernment informs a meaningful choice, but because the exercise illustrates how they exist to compliment one another. When combined, backdoored encryption and government hacking leads to surveillance at scale, and in the age of AI leads to disastrous consequences.

Encryption Backdoors

Government Hacking

Built-in to user applications at the protocol or device level, grants third-party access to encrypted content.

The use of tools, services and techniques to gain unauthorized access to devices or networks to target individuals.

Corporate service providers are mandated to implement encryption backdoors through a systemic, built-in access mechanism, potentially allowing access to any user’s data, at scale.

Spyware is its own product. It aims to target specific individuals or groups by gaining access to their data, device, online accounts, local network, etc.

A backdoor is an intentionally designed vulnerability. Backdoored encrypted systems are more likely to expose users to unintentional vulnerabilities, too.

Government hacking tools exploit vulnerabilities. Rather than responsibly patching these known security flaws, they are intentionally not fixed and will eventually be leaked or discovered and misused by malicious actors.

Backdoors face the legal challenge to necessity and proportionality, as well as data privacy protections, given they are implemented at scale in the software of user devices.

The remote surveillance of a target must be granted by a court order in most jurisdictions. Spyware is popular in jurisdictions with weak rule of law.

We have some notion of what happens if even limited data can be gleaned from communications on a mass surveillance level in combination with targeted surveillance for the purposes of national security: Project Lavender.

Project Lavender has been reported on in the press as a tactical toolkit implemented by the Israeli government to find and bomb members of Hamas in Gaza. It uses a variety of data: “visual information, cellular information, social media connections, battlefield information, phone contacts, photos.” The largest and most comprehensive source of data that can be obtained would be cellular data. Mobile networks operate with protocols that facilitate “lawful access”, eg backdoors https://dx.doi.org/10.2139/ssrn.4167105. In Gaza, this is additional data that is available to Israel, who controls Palestinian mobile operators, to the location tracking data that any mobile service can glean from a customer device authenticating with the network.

Mobile communications are a vector for abuse of privacy because of, as DKG of the ACLU explains, “the architecture of the cellular network itself. In order for your carrier to route calls and data to your phone, the network needs to constantly know which cell tower your phone is near. And when you make a call or use data, the provider can see where that traffic is going. Cell carriers track and store this accidental byproduct of the technology in order to record people’s location history and network activity for marketing purposes and, in certain circumstances, for sharing with law enforcement.”

All of that data, obtained through encryption backdoors, is now combined with government hacking methods typically used to target specific individuals. Project Lavender therefore “targets” at scale. And, like many AI, it is inaccurate and imprecise, leading to actual deaths– many, many innocent deaths. So, what do you get when you combine backdoors and spyware? You get a tool of genocide.

Subscribe to Internet Exchange

Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.