On January 29th, the Privacy Day 2024 online conference welcomed a panel of experts based in Kazakhstan in an event dedicated to International Data Privacy Day. The conference was organized by the DRC Group and Privacy Accelerator. Event partners included international and Russian IT companies, human rights and civic organizations, legal associations, media outlets and privacy start-ups.
The initial discussion focused on privacy issues in business and government regulations (article here). In the second part, experts examined the recent trend of journalist surveillance through spyware, illustrating their points with specific case studies. Another key topic of discussion was the blocking of VPN services and the extent of their viability in regions with high levels of censorship (in russian here).
Galina Arapova on the “legal” methods of state surveillance in Russia
The hacking of journalists is becoming a prolific issue worldwide. Control and surveillance, however, aren’t being enforced solely through spyware infrastructure, with several legal alternatives also in the fray. This issue was highlighted by Galina Arapova, the director at the Mass Media Defense Centre, during her speech, where she touched upon the concepts of financial control and control via telecommunications operators.
“Russia, for example, carries out financial surveillance through Rosfinmonitoring. We have seen clear evidence of this through documents presented during court hearings of “foreign agents” contesting their status. Typically, the defendant, represented by the Justice Ministry, brings forth evidence of foreign financing, although this should fall under banking confidentiality privileges, meaning that civil structures, like the Justice Ministry, aren’t permitted access”, Arapova expounded.
Another vessel of control is through telecom operators. The basis for this type of surveillance was laid down by the “Yarovaya law”, according to which all communications must be stored and transferred to special services. Data is stored for six months, metadata – for three years.
“In legal cases, such surveillance tactics have so far gone unmentioned, but there’s no doubt that it’s technically possible”, the lawyer proclaims.
All these measures violate the right to privacy, threatening the confidentiality of communication between citizens and, even more so, journalists, for whom confidentiality holds professional significance.
“Legally speaking, when there is a political desire to snoop on people’s finances and personal communications, which is then justified by an ambiguous law, authorities are at liberty to proclaim everything as lawful. From the perspective of international law, however, this is a flagrant violation of human rights”, concluded Arapova.
Oleg Ageev on the omnipotence of the secret services and their absolute control in Belarus
Oleg Ageev, a representative of the Belarusian Association of Journalists, elaborated on the legalistic side of the problem and highlighted the law on operational search activities (OSA) in Belarus.
“Out of the 14 operational search activities mentioned in the legislation, 9 pertain to surveillance or control”, he noted.
However, the enforcement of the OSA law itself isn’t subject to any control or judicial protocol. In fairness, for certain activities, like covert operational searches of premises (without the presence of the owner), the Prosecutor General Office’s permission is required. A convenient loophole exists however: if the matter is urgent and there’s an apparent threat to public safety, obtaining permission isn’t necessary, and the prosecutor may be notified later. Anyhow, Ageev explains, the prosecutor is afraid of the special services.
“If you speak with a member of the Prosecutor General’s Office about an important social issue, you will see instant panic in their eyes, quickly scrambling to turn off their phone. This shows that special services exert control over the prosecutor, not the other way around. The Prosecutor’s Office is probably more afraid of them than you or I are”, commented Ageev.
Out of the eight special services that enforce the OSA, two are directly subordinated to the President, and in the other six, he appoints the head.
“If asked how the special service conducts its surveillance, the correct answer is – however they want. They operate without restrictions, only limited by their own imagination and the availability of specialist equipment”, the speaker concluded.
Anastasia Zhyrmont on the hacking of Galina Timchenko’s phone with Pegasus malware
The first documented use of Pegasus malware (developed by the NSO Group) against a Russian journalist, was the infection of Galina Timchenko’s iPhone, the CEO of Meduza. Anastasia Zhyrmont, the Regional Public Affairs Coordinator for Eastern Europe and Central Asia at Access Now, presented details of the case. She reminded participants that the attack took place just two weeks after Meduza was declared an undesirable organization and against the backdrop of calls by European leaders to closely monitor Russian migrants.
“Unfortunately, it’s difficult to determine who was behind the attack. The malware is designed in such a way that it’s impossible to discover which government is responsible”, Zhyrmont explained.
However, Access Now, through a joint investigation with CitizenLab, determined three possible culprits. The first suspect is Latvia, which is most probably a client of the NSO Group and where Meduza received asylum. However, CitizenLab has no data to suggest that Latvia may be conducting surveillance outside its territory. The second scenario accuses Germany: their police and intelligence services are known clients of the NSO Group. And according to the third theory, the Netherlands and Estonia are possible suspects, whose structures also utilize the service. In terms of Estonia, however, information suggests that the use of Pegasus malware against Russian citizens is prohibited by legislation (although Timchenko had a Latvian phone number).
Theoretically, countries like Azerbaijan, Uzbekistan and Kazakhstan could also have instigated the attack (perhaps upon Russia’s request). CitizenLab, however, doesn’t have the evidence to prove that these nations deploy Pegasus on the territories of European states.
Of course, the most obvious suspect is Russia. And yet, there is no direct evidence that Russia is a client of the NSO Group.
“The surveillance of journalists using intrusive tools like Pegasus is a violation of human rights, international humanitarian law and European legislation. The use of programs that bypass encryption to gain full control over a victim’s phone, including access to photos, contacts, messages, camera, and microphone, poses a real threat to press freedom and journalists’ ability to protect the confidentiality of their sources. It also incites the rise of domestic and transnational repression and numerous human rights violations; including torture, enforced disappearance, and even murder”, Zhyrmont stated.
According to her, representatives of the UN, European Parliament, and the European Data Protection Supervisor, have condemned the use of spyware. Furthermore, the U.S government added the NSO Group and other similar companies onto its list of prohibited organizations.
“We call for a complete moratorium on the sale, export, and servicing of spyware until proper safeguards are established. We urge companies and their investors to be held accountable. Additionally, companies should publicly disclose the identities of their clients and what methods they use for data collection and processing. Finally, we call for the imposition of sanctions against the NSO Group and its employees, as well as other companies that develop spyware and pose a threat to global security”, Zhyrmont concluded.
The speaker additionally called on the governments of all nations (including Latvia and Germany) to investigate cases of spyware usage and provide surveillance victims the necessary protections.
Zhyrmont also recommended the following protective measures:
· Frequently install software updates (but it’s important to remember that governments focus on targeted attacks on specific devices rather than the quantity of attacks, so updates don’t safeguard against potential future breaches).
· Reduce the amount of sensitive information on devices
· Monitor security alerts from Apple (for iPhones)
· If you want your device checked, contact the Access Now support service
For additional recommendations from Roskomsvoboda’s technical specialists, click here.
Samvel Martirosyan on the use of Pegasus in Armenia
Samvel Martirosyan, co-founder of the CyberHUB, continued the discussion on Pegasus spyware and shared insights from a study on its usage in Armenia. The conclusion drawn was that the spyware isn’t used against individual targets, but rather on a mass scale.
“In one editorial office, devices belonging to the owner, editor and a random journalist were all infected”.
Additionally, journalists’ family members can also have their devices infected.
“This is very frightening because you can’t control what’s happening in your own home. Maybe your child’s iPhone is infected, and the intelligence services are listening into all your conversations”, warns Martirosyan.
Aside from the NSO Group, there are dozens of other options available on the market, meaning cash-strapped governments can readily purchase cheaper alternatives. Crucially, these alternatives may be just as dangerous, or even more so. For example, Preditor can be installed not only on mobile phones, but also laptops. Moreover, phone reboots have no impact on this type of spyware. As government demand for malicious software grows, so does the market.
“The prospect of obtaining control over hundreds of people, for a two-three million dollar payout, is a difficult temptation for governments to resist”, Martirosyan believes.
In addition, the spyware is installed covertly, meaning that any cyber hygiene measures taken by the individual would be entirely futile.
“Even the most attentive and paranoid person can still get infected”, the expert lamented.
According to him, the worst part is that those working to combat these threats cannot react quickly enough to the software’s constant innovations, and therefore fail to effectively defend against it.
Nevertheless, the speaker gave examples of some useful preventative measures:
· Use an iPhone or Google Pixel as they’re more secure;
· Frequently install software updates;
· Activate “Lockdown Mode” on iPhones (available on iOS 16 and over);
· Reboot the device several times a day.
Andrey Zakharov on examples of “standard” surveillance
Investigative journalist Andrey Zakharov expounded several examples of “standard” surveillance techniques (according to him, Pegasus is primarily used for the purpose of VIP hacks). For instance:
· Hacking the WhatsApp account of Baza editor, Nikita Mogutin (he didn’t have two-factor authentication);
· Obtaining The Bell correspondent Irina Pankratova’s phone call data, using a duplicate SIM card;
· Spam attacks on Important Stories journalists Alesya Marokhovskaya and Irina Dolinina;
· Phishing attacks on journalist Svetlana Reyter’s email.
The threat of remote hacking persists for those who have left Russia, noted Zakharov. Meanwhile, journalists remaining in Russia must also grapple with the threat of detention and searches, during which law enforcement officers demand passwords, often using force.
“The recommendations I, and other experts, provide, only extend so far. Currently, the landscape is virtually unrestricted”, the expert said.
Therefore, in his view, the development of software that conceals sensitive information is particularly important and should be a priority for programmers. For ordinary users, to avoid falling into paranoia, it’s important to keep the threat in perspective (certain individuals are of greater interest to the intelligence agencies than others) and to maintain at least a minimal level of cyber hygiene.
Stanislav Seleznyov on the legalities of using VPN services
Stanislav Seleznyov, a lawyer at Network Freedoms, stated that discussions over VPNs often neglect mention of their original purpose. The chief concern is the provision of secure connections, a key issue not only for ordinary citizens but also for banks, corporations, and government agencies. Circumventing blockings is merely an ancillary function of VPN services.
Ironically, it’s precisely because of this function that VPN services are subject to blockings and sanctions. While most major service providers have already been blocked (or attempts have been made to block them), microservices (networks for relatives and friends) have so far fallen under the radar of the regulatory bodies, and it’s precisely to these that the “dormant” law on fines for accessing prohibited information may be applied, Seleznyov notes.
The lawyer also cited a recent law passed in November 2023, which expanded Article 153 of the Information Law with an additional provision for blocking an online resource based on the presence of information which may allow access to other blocked materials.
“Does this mean that reporting on VPN services is now prohibited? The wording suggests that persecution is a real possibility. Then the question arises, can one talk about information security at, say, a banking conference? The technology itself isn’t banned. However, whether one will be prosecuted for spreading information pertaining to the services depends upon the entity that identifies the wrongdoing, namely the Prosecutor General”, concluded Seleznyov.
He also pointed out that the law doesn’t include provisions for the accountability of users bypassing blockings or installing VPN services. Unlike in Turkmenistan, Iran, or China, where users are held liable.
Phil Kulin on the nature of VPN blockings in Russia
Blockings analyst Phil Kulin reflected on the technical nature of the blockages. Firstly, he reminded participants that the blockings are done selectively. (It should be noted that, as very few people are conducting testing, statistics often lack precision).
Secondly, most services are blocked upon specific instruction, not en masse. Microservices (as Seleznyov called them) are, indeed, still working well.
Kulin subsequently commented on why some services are blocked while others escape unharmed. One theory is that enterprises rely on VPN services, meaning that when blockings target IP addresses, the work of these enterprises can also be disrupted. Another theory suggests that authorities wanted to block foreign providers but failed to gather the relevant data for directed attacks.
“I don’t understand why they couldn’t [gather the data] and whether they will be able to in the future is unknown. If they can’t, then the question over who to block will always be there”, Kulin said.
Nevertheless, the expert predicts that more blockings will come under the TSPU (“Technical Measures to Combat Threats”), including obfuscation protocols like WireGuard.
“In this tense political climate, they may yet resort to blocking everything they can’t understand. We understand – it can stay, we don’t understand – it must go”, he concluded.
Alexey Kozluk on VPN service blockages in Belarus
Using a VPN is still possible in Belarus, says digital freedom researcher, Alexey Kozluk. According to the legislation, the means by which blockages are circumvented can be blocked, but such measures aren’t widespread. In addition, users hold no liability for using VPNs.
In 2020, during the mass protests amid the presidential election, individual protocols were swiftly blocked, then shortly afterwards, everything was blocked. “At least that’s how we assess the situation”, Kozlik stated in response to the moderator’s question.
Currently, VPN protocols aren’t blocked on a permanent basis in Belarus, he concluded. Later, during the discussion, the speaker suggested that the authorities avoid implementing mass blockages in order to prevent people from adapting too quickly.
“It makes sense to block VPNs selectively so that activists don’t have time to develop something new”, he observed.
Mazay Banzaev on AmneziaVPN
Mazay Banzaev, founder of AmneziaVPN, agrees with Phil Kulin that the scenario which sees all unfamiliar traffic being blocked is highly likely. However, individual protocols won’t be blocked and will still be able to function in standard situations.
“I think that in the near future, everyone will still have access to a VPN”, he optimistically concluded.
You can read about how AmneziaVPN was established here.
Translation by Sasha Molotkova
The main news of the week in the field of law.
On December 23, 2022, the Ministry of Justice included Roskomsvoboda in the register of unregistered public associations performing the functions of a foreign agent. We disagree with this decision and are appealing it in court.