At a glance.
- Pakistan's government blocks access to Wikipedia.
- New York AG fines stalkerware maker.
- UN and new book address government abuse of commercial spyware.
- Is the US headed for prescriptive cybersecurity regulations for tech companies?
Pakistan’s government blocks access to Wikipedia.
Pakistani officials have blocked the free online encyclopedia website Wikipedia due to the presence of “sacrilegious” content. Last week the Pakistan Telecommunication Authority gave the operators of Wikipedia forty-eight hours to remove the content in question, but when some of the content was still present after the deadline, the authority followed through on blocking access to the site. Malahat Obaid, spokesperson for Pakistan Telecommunication Authority, told Bloomberg that the authority will consider removing the block if talks with Wikipedia officials result in the complete removal of the content.
UN and new book address government abuse of commercial spyware.
UN human rights experts released a statement Thursday demanding that Spanish authorities investigate allegations that the Spanish government conducted a surveillance operation against individuals in the Catalan region of the country. The statement reads, “Spanish authorities must conduct a full, fair, and effective investigation into these allegations, publish the findings and stop any unlawful interference into the fundamental rights of the Catalan minority activists in Spain.” As UN News explains, it’s alleged that after the October 2017 independence referendum, the mobile phones of at least sixty-five Catalan politicians and activists were hacked using Pegasus and Candiru spyware. The victims were targeted through SMS messages containing malicious links, and some of the messages included highly personalized official notifications from Spanish government entities like tax and social security authorities. The experts explained, “The sophistication and personalisation of the messages varied across attempts, but reflect a detailed understanding of the target’s habits, interests, activities, and concerns.”
Spain was among the many countries rocked by last year’s revelations that NSO Group’s Pegasus spyware had been used to spy on politicians, journalists, and activists across the world. Laurent Richard and Sandrine Rigaud, who led the investigation, have co-authored “Pegasus: How a Spy In Your Pocket Threatens the End of Privacy, Dignity, and Democracy,” a new book that recounts how the abuse of Pegasus came to light through a collaborative journalistic effort called The Pegasus Project. In a recent interview, the authors recount how the investigation unfolded. Richard told the Washington Post, “We showed how these technologies have been massively misused by state actors against journalists, human rights defenders, lawyers, political opponents – and how the Pegasus spyware became a kind of magic tool for tyrants and dictators to track dissidents and any kind of people who might challenge their power.”
New York AG hits stalkerware maker with fine.
The attorney general's office for the US state of New York has fined a developer $410,000 for distributing stalkerware. Bleeping Computer reports that the Florida-based developer, Patrick Hinchy, runs sixteen companies that operate a number of apps, including Auto Forward, Easy Spy, PhoneSpector, and TurboSpy, that copy information from a target’s device, including call logs, text messages, images and videos, location data, and messaging app records. As the Record by Recorded Future explains, some of the apps even allow customers to turn on the device’s cameras and audio recorders or exfiltrate data from the target’s iCloud server. The attorney general also alleges that deceptive marketing was used to mislead customers into thinking they were not violating the law, and that Hinchy’s companies faked glowing reviews of the benefits of using spyware. New York Attorney General Letitia James stated, “Snooping on a partner and tracking their cell phone without their knowledge isn’t just a sign of an unhealthy relationship, it is against the law…Today’s agreement will block these companies from allowing New Yorkers to be monitored without their awareness, and will continue our ongoing fight to protect New Yorkers’ rights, safety, and privacy.” In addition to paying the fine, Hinchy has agreed to amend his business practices.
Is the US headed for prescriptive cybersecurity regulations for tech companies?
As the Washington Post reports, the US Cybersecurity and Infrastructure Security Agency (CISA) has been working to get tech manufacturers to make security an intrinsic part of their product design. CISA officials have announced plans to more clearly define the terms “secure-by-design” and “secure-by-default” in order to make it easier for tech companies to work toward these standards. Eric Goldstein, executive assistant director for cybersecurity at CISA, says the agency will be using NIST’s “secure software development framework” as a guide, as well as the set of voluntary “performance goals” CISA has already developed for critical infrastructure owners and operators. CISA also plans to highlight the companies that are doing it right. Goldstein said, “We don’t need to be punitive if we can say, ‘Here is what good looks like. Here are companies that are doing it.’ We can help send those market signals to say, ‘Here’s what to ask for when you're buying technology.’ And we think that industry will follow suit.”
While CISA doesn’t have much regulatory authority, the Biden administration simultaneously released a national cybersecurity strategy focused on improving the cybersecurity of key industries by calling for more security mandates. Some experts predict that the White House is signaling a shift to more stringent cyber regulations. The Federal News Network spoke with Megan Brown, a partner at leading Washington, DC law firm Wiley Rein, to discuss what Biden’s strategy could mean from a legal perspective. Brown states, “Recently, some administration officials were characterizing that strategy and used language that certainly suggests more of a regulatory push. I think that one of the words that folks liked to use was sort of reallocate the burdens of cybersecurity from smaller players to larger players. And I think across federal agencies, you’re seeing just such a flurry of activity, that we’re definitely headed down this path in many forms.”