At a glance.
- Pegasus updates.
- Key GDPR terms.
- Cybersecurity education and the (US) states.
Updates on the Pegasus controversies.
Following a year-long investigation, the New York Times reveals that the US Federal Bureau of Investigation (FBI) made moves to purchase NSO Group’s controversial Pegasus surveillance software, despite knowing that it had been used to spy on journalists and dissidents across the globe. In 2019, even after abuses of Pegasus in nations like Mexico and the United Arab Emirates had begun to surface, the FBI began talks with NSO to acquire the spyware for itself. NSO even offered the FBI a new system dubbed Phantom that would allow hacking of US devices only when used by the US government. Talks between the FBI and NSO halted after last summer’s massive Forbidden Stories exposé revealed widespread global abuse of Pegasus, and the surveillance system is now sitting dormant in an FBI building in New Jersey. This sort of interaction isn't uncommon in what's often called the lawful intercept market.
As the New York Times points out, the recent blacklisting of NSO by the US government has drawn anger from Israeli officials, some of whom view the move as punishment directed against the nation itself. Director General of the Israel National Cyber Directorate, Yigal Unna, stated, “The people aiming their arrows against NSO are actually aiming at the blue and white flag hanging behind it.” The Times of Israel reports that in a recent interview, CEO of NSO Group Shalev Hulio called the global disparagement of Pegasus “hypocritical,” stating “There is not one country we’ve sold to, not one… that the US does not sell to, or that Israel doesn’t sell to. So it’s a bit hypocritical to say it’s okay to sell F-35s and tanks and drones, but it’s not okay to sell a tool that collects intelligence.” He went on to specifically deny allegations that Pegasus was used to hack the phone of French President Emmanuel Macron and assassinated journalist Jamal Khashoggi.
New evidence has emerged indicating that Israeli police used Pegasus to spy on their own citizens, and as the Wall Street Journal notes, the allegations have led Israeli lawmakers to unite across party lines against the abuse of spyware (formerly known as lawful intercept) tools. An investigation has been launched by Israeli attorney general Avichai Mandelblit, and Moshe Raz, a member of the liberal party Meretz, stated, “Israelis’ feelings…changed when the software started being used against them…What we want to understand is whether there was a violation of privacy and of basic human rights.” Some Israeli privacy experts say the use of Pegasus is not permitted by current laws, which were written long before such technology existed. In response to the allegations, Hulio stated, “I, as a citizen, if the things that were written are true, it worries me personally. But as a citizen, I tell you I choose to believe the attorney general, the public security minister and the police chief who say time and again these things never happened.”
Cooley explains key GDPR terms.
In honor of Data Privacy Day, observed last Friday, Cooley offers a primer on three essential concepts of the EU’s General Data Privacy Regulation (GDPR): “controller,” “processor,” and “transfer.”
- "The controller determines the purposes of the processing of the relevant personal data."
- "Joint controllership results from joint participation in the determination of the purposes and means of a processing operation."
- "The processor processes personal data on behalf of the controller, in accordance with its instructions."
- A “transfer implies that personal data are sent or made available by a controller or processor (exporter) which, regarding the given processing, is subject to the GDPR pursuant to Article 3, to a different controller or processor (importer) in a third country, regardless of whether or not the importer is subject to the GDPR in respect of the given processing.” (This definition is still in draft.)
Cooley’s experts explain what makes a company a controller or joint controller, noting that access to data is not necessarily required for a party to qualify as a controller. They also discuss the ins and outs of being a processor, noting that last June the European Commission adopted a set of standard contractual clauses that controllers and processors must fulfill in order to meet data processing requirements. In regard to data transfers, the European Commission is working on a set of additional contractual clauses for transfers to controllers or processors who are based outside the EEA but still subject to the GDPR.
US governors told cybersecurity education is essential.
Over the weekend, US governors gathered at the National Governors Association winter meeting, where state leaders discussed how to allocate funds from the White House’s recently signed $1 trillion bipartisan infrastructure law. UPI reports that Cybersecurity and Infrastructure Security Agency Director Jen Easterly encouraged state leaders to invest in cybersecurity education, stating, “What we want to do is communicate about this topic in a way where people are not scared to death of it.” Arkansas Governor Asa Hutchinson agreed, deeming the country's lack of cybersecurity education a threat to national security. “Either we're going to fall behind in our technology development and our innovation, or we're simply going to acquire all the talent from overseas,” Hutchinson stated.