Special Report: Cyber-intel firms pitch governments on spy tools to trace coronavirus

By Joel Schectman, Christopher Bing and Jack Stubbs

WASHINGTON (Reuters) – When law enforcement agencies want to gather evidence locked inside an iPhone, they often turn to hacking software from the Israeli firm Cellebrite. By manually plugging the software into a suspect’s phone, police can break in and determine where the person has gone and whom he or she has met.

Now, as governments fight the spread of COVID-19, Cellebrite is pitching the same capability to help authorities learn who a coronavirus sufferer may have infected. When someone tests positive, authorities can siphon up the patient’s location data and contacts, making it easy to “quarantine the right people,” according to a Cellebrite email pitch to the Delhi police force this month.

This would usually be done with consent, the email said. But in legally justified cases, such as when a patient violates a law against public gatherings, police could use the tools to break into a confiscated device, Cellebrite advised. “We do not need the phone passcode to collect the data,” the salesman wrote to a senior officer in an April 22 email reviewed by Reuters.

A Cellebrite spokeswoman said the salesman was offering the same tools the company has long sold to help police enforce the law. The company is also offering a version of its product line for use by healthcare workers to trace the spread of the virus that causes COVID-19, but the tools can only be used with patient consent and can’t hack phones, she said.

Cellebrite’s marketing overtures are part of a wave of efforts by at least eight surveillance and cyber-intelligence companies attempting to sell repurposed spy and law enforcement tools to track the virus and enforce quarantines, according to interviews with executives and non-public company promotional materials reviewed by Reuters.

The executives declined to specify which countries have purchased their surveillance products, citing confidentiality agreements with governments. But executives at four of the companies said they are piloting or in the process of installing products to counter coronavirus in more than a dozen countries in Latin America, Europe and Asia. A Delhi police spokesman said the force wasn’t using Cellebrite for coronavirus containment. Reuters is not aware of any purchases by the U.S. government.

FILE PHOTO: A man displays a screen at a stand of Cellebrite, a company an Israeli company that manufactures data extraction, transfer and analysis devices for cellular phones and mobile devices, at the annual European Police Congress in Berlin, Germany, February 4, 2020. REUTERS/Hannibal Hanschke

So far, Israel is the only country known to be testing a mass surveillance system pitched by the companies, asking NSO Group, one of the industry’s biggest players, to help build its platform. But the rollout of NSO’s surveillance project with the Israeli Ministry of Defense is on hold pending legal challenges related to privacy issues, an NSO executive said. A spokesman for Israeli Defense Minister Naftali Bennett said NSO was involved in the project but did not provide further details.

Surveillance-tech companies have flourished in recent years as law enforcement and spy agencies around the world have sought new methods for countering adversaries who now often communicate through encrypted mobile apps. The firms argue that their experience helping governments track shadowy networks of militants makes them uniquely qualified to uncover the silent spread of a novel disease.

“I really believe this industry is doing more good than bad,” said Tal Dilian, a former Israeli intelligence officer and now a co-chief executive officer of Cyprus-based Intellexa, a cyber-surveillance firm that works with intelligence agencies in Southeast Asia and Europe. “Now is a good time to show that to the world.”

Yet some technologists remain skeptical that spying tools reliant on phone location data can be used to effectively combat a virus.

“It’s not precise enough, that’s the point. It’s not nearly going to get you down to whether you’re next to a certain person or not,” said Michael Veale, a lecturer in digital rights and regulation at University College London.

While the methods for location tracking and accuracy vary, surveillance companies say they can narrow down a person’s coordinates to within three feet, depending on conditions.

PRIVACY RIGHTS VS. HEALTH CONCERNS

Privacy issues loom. Civil liberties advocates fear that virus tracking efforts could open the door to the kind of ubiquitous government surveillance efforts they have fought for decades. Some are alarmed by the potential role of spyware firms, arguing their involvement could undermine the public trust governments need to restrain the spread of the virus.

“This public health crisis needs a public health solution – not the interjection of for-profit surveillance companies looking to exploit this crisis,” said Edin Omanovic, advocacy director for the UK-based civil liberties group Privacy International.

Claudio Guarnieri, a technologist with the human rights organization Amnesty International, said any new surveillance powers embraced by states to combat the virus should be met with “high scrutiny.”

“New systems of control, from location tracking to contact tracing, all raise different concerns on necessity and proportionality,” said Guarnieri.

Cellebrite, for one, said it requires “agencies that use our solutions to uphold the standards of international human rights law.”

Government officials have sought to address such concerns by pointing to the unprecedented nature of the crisis. COVID-19, the respiratory disease caused by the new coronavirus, has so far infected more than 3 million people worldwide, killing over 210,000.

In South Africa, for example, after the government last month announced it would use telecom data to track the movements of citizens infected with COVID-19, a communications minister acknowledged concerns about loss of privacy.

“We do respect that everyone has a right to privacy, but in a situation like this our individual rights do not supersede the country’s rights,” Stella Ndabeni-Abrahams, the communications minister, said at a press conference for South Africa’s COVID-19 command council this month.

The South African Health Ministry declined to comment on details of the program and whether it had contracted with any of the intelligence firms.

A number of countries are developing and deploying COVID-19 contact-tracing apps that do not rely on location data. Instead, these apps, already in use in Singapore, India and Colombia, tap the smartphone connectivity technology Bluetooth to sense and record when other devices are nearby. When someone tests positive for coronavirus, typically, everyone that person made contact with is notified.

Christophe Fraser, an epidemiologist at Oxford University’s Big Data Institute, said this approach, if implemented properly, could save lives and shorten lockdowns. “The idea is to try and maximize social distancing practices of those at risk of infection and minimize the impact on all the other people,” he said.

This app-based approach to contact tracing is considered, by its advocates, as more privacy friendly because people voluntarily download the app and sensitive personal data are visible only to health authorities. This method of containing the disease is the focus of a rare collaboration between Apple Inc and Alphabet Inc’s Google to quickly deploy the Bluetooth-based technology for use in the United States and elsewhere. But the approach relies on widespread adoption of the apps, and its accuracy remains unproven.

Apple says its plan is designed to “help amplify the efforts of the public health authorities” and that “many factors will help flatten [infection] curves — no one believes this is the only one.” A Google spokesman referred to a prior statement, which said “each user will have to make an explicit choice to turn on the technology.”

By contrast, deploying a mass surveillance platform like Intellexa’s means everyone would be under collection right away; no one needs to opt in, nor could anyone opt out. Such a setup can be done remotely in a matter of weeks, said an executive at NSO Group, which is also offering its wares to fight the coronavirus.

PUBLIC HEALTH SPY TECH

The surging spyware business is estimated by research firm MarketsandMarkets to be worth $3.6 billion this year.

But the industry has been dogged by legal and ethical concerns. Human rights groups have accused some companies of helping undemocratic governments target dissidents and activists. The companies say they help governments prevent terrorism and capture criminals.

Last year, for example, Facebook’s WhatsApp unit accused NSO Group of helping governments hack 1,400 targets that included activists, journalists, diplomats and state officials. NSO denies the allegations, saying it only provides the technology to government agencies under strict controls and is not involved in operations.

Intellexa’s Dilian fled Cyprus last year after an arrest warrant was issued for him, on accusations that he used a surveillance van to illegally intercept communications in the country. Dilian denies the allegations, returned to Cyprus last month and said he is cooperating with authorities. A Cypriot police spokesman told Reuters the investigation is active.

Now, industry executives, investors and analysts say the coronavirus crisis offers intelligence firms the possibility of billions of dollars in business, while burnishing their reputations.

India is among the courted countries. In April, New York-based Verint Systems asked Indian officials to pay $5 million for a year’s subscription to a host of services designed to track and surveil people with coronavirus. Those included a cellphone tower geolocation platform and a program to monitor social media activity, according to documents seen by Reuters and a person with knowledge of the negotiations. No sale has yet been agreed in India, the source said.

A Verint spokesman declined to answer questions, instead referring to an April 16 press release which said unspecified products were being used by an unnamed country to help respond to COVID-19. India’s Ministry of Interior said it had not purchased a system from Verint.

NSO Group and Intellexa are also both pitching COVID-19 tracking platforms to countries across Asia, Latin America and Europe. Their technology could allow a government to track the movement of nearly every person in the country who carries a cellphone, sucking up a continuous trove of location data. Installed within telecom providers, the technology functions through the analysis of call records, said NSO and Intellexa executives.

When a person tests positive, the systems would allow authorities to input the result, tracking those who made contact with the patient in the past few weeks. Those exposed would receive a text message encouraging them to get tested or self-isolate. NSO said the system’s administrators would not see the identity of individuals.

Revelations in 2013 that the U.S. National Security Agency had collected this kind of mobile phone data about Americans to track national security threats created a storm of controversy and fueled new restrictions on surveillance.

Suzanne Spaulding, a former U.S. intelligence community lawyer and senior Homeland Security official, described this potential COVID-19 tracking approach as “among the most privacy-invasive.” That’s because it “envisions all of the data about everyone’s movements, not just infected individuals and their known contacts, going to the government.”

South Korea, Pakistan, Ecuador and South Africa have all indicated in public statements they were rolling out contact tracing systems using telecom data to track infected citizens, though the details haven’t been released.

South Korean officials say any loss of privacy from surveillance must be weighed against the disastrous economic consequences caused from a long-term shutdown.

“It is also a restriction of freedom when you ban free movement of people in crisis,” Jung Seung-soo, a deputy director at the Ministry of Land, Infrastructure and Transport, told Reuters. The country is not using outside surveillance vendors, the official said.

Intellexa is in the process of installing its system in two Western European countries, Dilian said. He declined to name them.

In an interview with Reuters, NSO employees responsible for the product said the company is piloting the approach in 10 countries in Asia, the Middle East and Latin America, but declined to name them.

Three other Israeli companies, Rayzone Group, Cobwebs Technologies and Patternz, are offering countries coronavirus tracking capabilities. These largely rely on location data gathered from mobile advertising platforms, according to company promotional documents reviewed by Reuters and people familiar with the companies.

Rayzone Group declined to comment. Requests for comment to Patternz went unanswered. Omri Timianker, president and co-founder of Cobwebs Technologies, said his company is working with five governments to help track the spread of the virus, but declined to identify them.

While some experts say advertising data isn’t precise enough to combat the spread of COVID-19, the documents reviewed by Reuters suggest the three firms are marketing technology which they contend can ingest and process advertising data into a form that’s useful for narrowly tracking individuals.

Intellexa’s Dilian said his company’s platform will cost between $9 million and $16 million for countries with large populations. He believes COVID-19 tracking will be just the beginning. Once the pandemic ends, he hopes countries that invested in his mass surveillance tool will adapt it for espionage and security. “We want to enable them to upgrade,” he said.

(Additional reporting by Nqobile Dludla in Johannesburg, John Geddie in Singapore, Alexandra Valencia in Quito, Frank Jack Daniel in Mexico City, Sankalp Phartiyal in New Delhi, Douglas Busvine in Berlin, Tova Cohen in Tel Aviv, Asif Shahzad in Islamabad, Michele Kambas in Athens and Sangmi Cha in Seoul. Editing by Ronnie Greene and Jonathan Weber)