Edward Snowden Calls For Spyware Trade Ban Amid Pegasus Revelations

Governments must impose a global moratorium on the international spyware trade or face a world in which no mobile phone is safe from state-sponsored hackers, Edward Snowden has warned in the wake of revelations about the clients of NSO Group. The Guardian reports: Snowden, who in 2013 blew the whistle on the secret mass surveillance programs of the US National Security Agency, described for-profit malware developers as "an industry that should not exist." He made the comments in an interview with the Guardian after the first revelations from the Pegasus project, a journalistic investigation by a consortium of international media organizations into the NSO Group and its clients. [...] Snowden said the consortium's findings illustrated how commercial malware had made it possible for repressive regimes to place vastly more people under the most invasive types of surveillance. For traditional police operations to plant bugs or wiretap a suspect's phone, law enforcement would need to "break into somebody's house, or go to their car, or go to their office, and we'd like to think they'll probably get a warrant," he said. But commercial spyware made it cost-efficient for targeted surveillance against vastly more people. "If they can do the same thing from a distance, with little cost and no risk, they begin to do it all the time, against everyone who's even marginally of interest," he said. "If you don't do anything to stop the sale of this technology, it's not just going to be 50,000 targets. It's going to be 50 million targets, and it's going to happen much more quickly than any of us expect."

Part of the problem arose from the fact that different people's mobile phones were functionally identical to one another, he said. "When we're talking about something like an iPhone, they're all running the same software around the world. So if they find a way to hack one iPhone, they've found a way to hack all of them." He compared companies commercializing vulnerabilities in widely used mobile phone models to an industry of "infectioneers" deliberately trying to develop new strains of disease. "It's like an industry where the only thing they did was create custom variants of Covid to dodge vaccines," he said. "Their only products are infection vectors. They're not security products. They're not providing any kind of protection, any kind of prophylactic. They don't make vaccines -- the only thing they sell is the virus."

Snowden said commercial malware such as Pegasus was so powerful that ordinary people could in effect do nothing to stop it. Asked how people could protect themselves, he said: "What can people do to protect themselves from nuclear weapons? "There are certain industries, certain sectors, from which there is no protection, and that's why we try to limit the proliferation of these technologies. We don't allow a commercial market in nuclear weapons." He said the only viable solution to the threat of commercial malware was an international moratorium on its sale. "What the Pegasus project reveals is the NSO Group is really representative of a new malware market, where this is a for-profit business," he said. "The only reason NSO is doing this is not to save the world, it's to make money." He said a global ban on the trade in infection vectors would prevent commercial abuse of vulnerabilities in mobile phones, while still allowing researchers to identify and fix them. "The solution here for ordinary people is to work collectively. This is not a problem that we want to try and solve individually, because it's you versus a billion dollar company," he said. "If you want to protect yourself you have to change the game, and the way we do that is by ending this trade."

Why isnt this illegal?

[saloomy]

If you happen to come across the code to a bank vault, and give the code to would-be thieves, thats prosecuted under accessory charges. If you find a vulnerability, and give it to anyone other than the manufacturer, and that gets exploited, it should be prosecuted as accessory to --along with-- the computer fraud and abuse act. You are access a computer system you have no permission to access.

Re:

[J.L. Pettimore]

So you would infringe on my freedom of speech and association?

Re:Why isnt this illegal?

[saloomy]

Yes. Your freedom of speech stops at the invasion of my privacy. This is akin to revenge porn, or selling the codes to someone's door lock, or the code to copy a car FOB. It is and should be illegal. Just like its a restriction on where I can put my fist based on where your face is.

Re:

[J.L. Pettimore]

I don't see computer code, or who I can give it to, as equivalent to any of that. Making certain computer code illegal is a Pandora's box that you might not want to open.

Re:Why isnt this illegal?

[ArchieBunker]

Which is why I roll my eyes at the people here calling for a ban on bitcoin.

Re:

[J.L. Pettimore]

Why stop at bitcoin? If source code can be deemed illegal, then ANY computer program can be banned, arbitrarily.

Re:

[saloomy]

The crime isnt creating source code. It is aiding and abetting the commission of a crime (violation of the computer fraud and abuse act), which states it is unlawful to access a computer system for which one does not have permission. You are in effect defeating a security mechanism. This is and aught to be illegal.

Re:

[whitroth]

This is stupid. Cars aren't banned, if a bank robber's accomplice drives them away after a robbery. That car, perhaps, but not all.

You saying that the rest of us would call for a ban on all cars.

Re:

[BAReFO0t]

Aaah, ye olde extrapolation fallacy.

Yes, anything at all is a slippery slope leading to the most extreme end result you can think of right now... --.--
And hence we should never ever ban anything whatsoever... --.--

The rule regarding freedom goes like this: Your freedom ends where my freedom begins.
Note the two different meanings of "freedom": Freedom to do to others in the first case, versus freedom from others in the second case. (Something certain libertarians love to mix up.)

The trick is that you paramet

Re:

[Applehu Akbar]

You can't enforce a ban on cryptocurrency, but you can make it really difficult to exchange.

Re:

[drinkypoo]

You don't ban the code. You ban the currency.

Lots of things are illegal that we can't stop, but making them illegal does reduce the relevant activity in at least some cases. This is likely one of them.

Re:Why isnt this illegal?

[Anonymous Coward]

That box is already open, its illegal for a casual user to create malware and distribute it, but when it suddenly becomes big business somehow they're allowed

Re:

[phantomfive]

Technically it depends how you distribute it.

As a general rule of thumb, don't distribute it virally.

Re:Why isnt this illegal?

[AmiMoJo]

It's never the code, it's what it's used for. DeCSS was a civil copyright issue, these guys are endangering the lives of others for profit.

Re:

[WierdUncle]

Making certain computer code illegal is a Pandora's box that you might not want to open.

Knives aren't illegal. Sticking knives in people is definitely illegal. Well maybe some knives are illegal, because their only conceivable use is to cause harm.

Re:

[taustin]

Knives aren't illegal. Sticking knives in people is definitely illegal.

Except [merriam-webster.com] when it's not. [wikipedia.org]

The devil is always in the details.

Re:

[WierdUncle]

Strictly speaking, self defense is a justification for causing harm, which is otherwise assumed to be illegal. The point is tat the tool is not illegal, but the use to which it is put can be.

Re:

[Anonymous Coward]

If we followed the totalitarianism you're espousing, Phil Katz would have received the electric chair, and the modern web as we know it would not exist.

Re:

[Anonymous Coward]

You're conflating code ripping with code finding. If I happen to come across the code to a bank vault, or even distribute it, the speech stands. Accessory to burglary doesn't make SMS illegal, or pigeon mail illegal, or morse code illegal, it makes burglary illegal. Much like how yelling fire in theaters is an endangerment issue, not a speech issue.

> If you find a vulnerability, and give it to anyone it should be prosecuted as accessory
No.
>that gets exploited, it should be prosecuted as accessory
Yes.

Re: Why isnt this illegal?

[VeryFluffyBunny]

Please remind me of how criminal conspiracy works?

Re:

[Cederic]

Which country are you in? It's just that you can legislate for whatever the fuck you like, there are 200 others out there who will happily create a law that says it's perfectly legal for them to access a computer system belonging to someone else.

I'm not posting video of you wanking, or selling your phone's passcode, or a clone of your car key. I'm selling a nation state a means of pursuing its legal investigations into perceived threats.

You have a problem with that? Write to them.

Re:

[taustin]

Try taking all your friends to a crowded theater and yelling "FIRE!" over and over, then (if you're still alive) come back and tell us about how absolute your right to freedom of speech and association is.

Re:Why isnt this illegal?

[youngone]

Because some people are above the law.

Re:

[saloomy]

That is a / the problem.

Re:Why isnt this illegal?

[mysidia]

if you find a vulnerability, and give it to anyone other than the manufacturer, and that gets exploited, it should be prosecuted as accessory

I disagree. Manufacturers would start ignoring researchers and not fixing bugs If they are not allowed to disclose.

What should be made unlawful is (1) For a state entity to exploit a vulnerability to gain access or run code without permission of the owner or a warrant signed by a judge specifying the system and presented to the system owner.

And (2) for a State Entity to possess knowledge of a vulnerability without timely disclosure of details to the maker of the product followed by announcement to the public and require all vulnerability details following the announcement to be maintained as a public record.

Finally, (3) discovering vulnerabilities and selling the details by purchase or subscription should be unlawful By both government and private entities.

In addition: For any of these bans to be effective, They should carry criminal penalties for any Government worker Or employee, manager, or executive carrying out or approving violative activity, or who in the management of their organization or unit fail to ensure reasonably adequate controls to prevent and dissuade violations..

Re:

[J.L. Pettimore]

But the "state entity" in your example, is the exact same party who are the customers of this, and also make the laws.

Dictatorship/China not prosecuting themselves

[Anonymous Coward]

You really expect a dictatorship or China to prosecute themselves for not disclosing vulnerabilities in products? That isn't the fox guarding the hen house, it is the fox owning the hen house!

Re:

[AmiMoJo]

Simply make it mandatory to report vulnerabilities to the manufacturer within a "reasonable time", with reasonably being determined by courts but typically say 5 business days unless strong mitigating circumstances. Manufacturers would also be required to have an official, easily locatable point for submission that allows for anonymity if desired.

Re:

[drinkypoo]

No, requiring reporting of vulnerabilities creates a whole new class of legal problem that is undesirable.

What should be required if anything is that you disclose a vulnerability to the manufacturer before disclosing it to others, and also that any disclosure to anyone but the manufacturer must be made publicly. These laws, if enforced, would greatly reduce the trading of vulnerabilities.

Of course, they would likely not be enforced, but that's another problem.

Re:Why isnt this illegal?

[blahplusplus]

If you happen to come across the code to a bank vault, and give the code to would-be thieves, thats prosecuted under accessory charges.

You're under the dangerous illusion the government works for you, the government has always worked for the rich and corporations not for the average citizen and the upper class is in a full blown war against the bottom 90% of society. So there is no rule of law for the plebs.

See here, Zbigniew brezinski, former national security advisor of the United states:

https://www.youtube.com/watch?... [youtube.com]

Re:

[WierdUncle]

...the government has always worked for the rich and corporations not for the average citizen...

I think rule one of government is to act in the interests of government. The rich folks can help with that, because they are powerful, whereas ordinary folks are not so useful. But governments have been known to turn on the rich and powerful, in order to preserve government as they see it.

Because governments *define* legality.

[BAReFO0t]

Same reason a military contractor is allowed to handle plutonium and build a nuke:
Legal and illegal is what the one with the biggest club decides is legal and illegal. This is what people don't seem to get. It has very little to do with right and wrong. Many laws, like e.g. "intellectual property" or banning cannabis don't exist to protect from harm, but to do harm in favor of a small minority.

So your otherwise very valid complaint can be translated to: "Why am I not in power? (I thought this was a democrac

Re:

[gweihir]

You do not seem to be conversant with the "responsible disclosure" debate. I suggest you read up on it. The problem is a) if you are just allowed to tell the manufacturer, to many scummy, slimy, greedy companies (all the big names among them) will just do nothing. And b) if you prohibit sales of vulnerabilities, some scum prosecutor will find a way to make disclosing a vulnerability or giving it to a disclosure venue a crime.

Currently, the only way that works is to allow this trade, bad as it is. You could

Positive Solution

[Canberra1]

Each entity that has a copy of the malware can reverse engineer it, to determine unfixed flaws (not bugs). The USA has no shortage of smart people, but they choose not to intervene (except rarely). You can be sure they know how to get hold of a copy. Now the problem is, China and Eastern block can also do the same, only pass on defects, when it suits them. The thing is, you never get to hear when the software manufacturer knew there was a problem, but did nothing., or worse, was told NOT to fix the problem.

Never going to happen

[shm]

Snowden is well meaning but asking states to ban a tool which they themselves want is unlikely to fly. Even if some legislation is pushed through they will have an exception under âoenational security.â

Re:Never going to happen

[Lije Baley]

And like nukes, getting rid of yours and trusting the other guy is not a realistic option. Once something like this is out of the box, there's no going back. There will always be those whose life strategy is to take advantage of others.

Re:Never going to happen

[Frank Burly]

Snowden, based on where he is and how he got there, should have no illusions about spyware, or the incentives and motivations of nation-states and information brokers. And yet his suggestion is for everyone to be nice and to punish people who aren't nice.

Re:

[AmiMoJo]

This is nothing like nukes though because getting rid of yours and instead concentrating on finding and disclosing vulnerabilities to vendors, as well as helping corporations and citizens improve their own cyber security is the the best defence.

There is no MAD in this situation, if you secure all your own stuff it doesn't matter if you have any offensive capability or not. It doesn't stop you prosecuting the attackers or applying retaliatory sanctions either.

Re:

[Lije Baley]

MAD was not part of my thinking here. Just the disadvantage of intelligence and control that any "good guy" takes on in a deal like this. Nothing profound, just easy karma-whoring blather in response to Snowden's obvious naivete.
As for the vulnerabilities that facilitate the spyware, it seems that is an endless well. The level of security in business systems will ultimately be driven by insurance companies, similar to auto safety. It will never be perfect, but it will reach a sort of economic equilibriu

Re:

[bluegutang]

(At least in the summary) Snowden did not discuss banning nukes. He discussed banning a private market in nukes, which is the case and for good reason. I think it is a somewhat reasonable parallel to ban spyware sales by/to individuals. Governments will still use spyware, that is unavoidable, but there is no reason for individuals to have that option.

Re:

[Ostracus]

I wonder if the phone Obama had was secure?

Re:

[saloomy]

Indeed. The consent of the governed is lost, and the leviathan is now in charge.

Re:

[PPH]

And while you are at it, get states to stop using barrel bombs, land mines, chemical weapons and nukes.

Re:

[Harvey Manfrenjenson]

There *are* international treaties governing chemical weapons and land mines (although, apparently, the US has not signed the latter treaty). I recognize that signing a treaty isn't the same thing as "getting everyone in the world to stop using a thing". But it's certainly a first step towards curtailing their use.

Re: Never going to happen

[shm]

There are a number of countries which havenâ(TM)t banned landmines. The US is unusual in that they donâ(TM)t really have hostile land neighbours.

It makes perfect sense for - say - South Korea or India to need landmines.

Re:

[lazarus]

Pretty much like the Ottawa Treaty [wikipedia.org] to ban the manufacture and use of land mines. None of the countries who manufacture and/or sell land mines signed it, so it is essentially meaningless. "I'm not signing up to something that will restrict my ability to counter my enemy" leaves us in a perpetual cycle of arms escalation. Israel, Russia, China, and the USA will never sign anything to limit spyware. Snowden's not wrong, which means your choice will be to have effective communications, privacy, but not both

I might still be listening to Snowden

[Anonymous Coward]

if he hadn't turned into a bitcoin pusher. [urbandictionary.com]

Re:

[J.L. Pettimore]

Then were did all the Intercept documents come from? He made them all up?

Re:

[iggymanz]

so you're claiming the Government has awesome security... on its MS Windows based environment.

You're funny.

Re:

[drinkypoo]

It doesn't really matter how he came by the information, he came by it. That part is undisputed.

We know the information is correct, because it's been verified by other sources.

So your book is fucking stupid and it should be burned

Re:

[leptons]

If Snowden hadn't run away to Russia he'd be free in the USA right now, just like Chelsea Manning. Obama commuted her sentence and granted clemency to Manning because Manning showed some humility and came to justice, so the punishment was far less than it could have been. Snowden chose to run instead, and he's still in exile. That didn't really work out so well for him. I hope he likes borscht. He's a traitor in my book.

Re:

[nehumanuscrede]

If Snowden hadn't run away to Russia he would have been jailed forever ( and easily forgotten ) without a trial and even if he did get a trial, it wouldn't have been a fair one. Can't have all our National Security secrets on display for the average Joe now can we. . . . .

In case you haven't figured it out yet, there is no such thing as true " Justice " in the United States Judicial System as the entire system is about as corrupt as it gets. The media decides someone's guilt or innocence months in advance

china first

[fulldecent]

So... China just implemented this, by nationalizing all zero days. Who's next?

---

This is one place I disagree with Snowden. He has good facts, he has good insights, but he is not a qualified expert on multinational game theory and macroeconomics.

The obvious solution is customers should demand Apple to increase its paltry bounties for vulnerabilities (Apple's current bounty is about 4–20 months of one person's Bay Area salary to hack 1 billion devices). If the alternative is some everyone-needs-to-cooperate macroeconomic solution, I'd like to see it compared to this null hypothesis.

This likely won't be appreciated, but....

[jdawgnoonan]

Just because Snowden found and shared some Powerpoints from the SharePoint that he administered doesn't mean he is some sort of expert. I appreciate his whistleblowing, but the dude isn't some unique genius.

Re:This likely won't be appreciated, but....

[BAReFO0t]

Agreed, but you're underselling him too. He's a known non-traitor. He made the right choice. As opposed to everyone at the NSA who chose to fuck the constitution and spy on their own damn people (and mess with all of humanity for someone's power fantasy).
He's also been "on the inside". And importantly, he actually risked his own life and lost most of it, which kinda alters you way of thinking a teensy bit. ;)

And most importantly: He very likely does not merely share his own "opinion". He very likely communicated with a lot of experts due to his unique position, and they very likely ask him to speak for them for the same reason. So he's more like the PR guy. As computer/security experts he is OUR PR guy.

So it's a bit like saying "Don't listen to the loudspeaker, it doesn't know anything, it's an inanimate object.". Yeah, but the person behind it isn't. ;)

At least that's how I see it.

open source firmware

[Burger King]

There are certain industries, certain sectors, from which there is no protection, and that's why we try to limit the proliferation of these technologies.

Open the mobile networks to competition and open source. This is the first time I've disagreed with Snowden, he of all people would know governments want the status quo for the same reasons espionage companies do, it makes spying easier.

Re:

[Ashkenazi]

Your proposition is banal, naive. The source need not result in what one would expect from reading it. Your compiler isn't innocent. Show the comp./linker source you say? Are you certain that it was comp./linked with its bona fide binary counterpart? The Open Source movement is for the stupid, credulous masses. But even if everything was as it should be down to the drivers, what about the hardware? Idiots.

Next headline

[VeryFluffyBunny]

Next headline on this topic: NSO employees accidentally leave hacking tools source code on unprotected AWS bucket instance.

Really?

[DaveV1.0]

Treasonous spy says spying is bad from enemy country he fled to after spying on his own country.

yeah. so not going to happen

[WindBourne]

Why will this not happen? Because only government will be in spyware. What needs to happen is to crack down on securing our computer systems.

Licking their chops

[endus]

Snowden: it's not just going to be 50,000 targets. It's going to be 50 million targets, and it's going to happen much more quickly than any of us expect.
Government: Nice!

If guns...

[groobly]

If guns are outlawed, only outlaws will have guns.

The Guardian and Snowden

[Budenny]

The Guardian's relationship with Snowden has always been troubling, and this is yet another instance of it. Its also another instance of the Guardian's activist agenda contaminating its news coverage.

The Guardian basically sponsored Snowden. It arranged his flights and was instrumental in getting him to Russia, where he now resides, living on funds from.... somewhere, in exchange for working at.... something.

It then promotes him at every opportunity when there is a security news story. Or, it seems to me