WHOA The market for tracking people via their cellphones remained un-cornered until now
Stingray Manufacturer L3Harris Seeking To Acquire NSO Group
from the oh-no-no-no-dear-god-no dept
Well, this is an unwelcome development.
The US defence contractor L3Harris is in talks to take over NSO Group’s surveillance technology, in a possible deal that would give an American company control over one of the world’s most sophisticated and controversial hacking tools.
Multiple sources confirmed that discussions were centred on a sale of the Israeli company’s core technology – or code – as well as a possible transfer of NSO personnel to L3Harris.
If anyone has any objections, speak now or forever… well, actually there are already objections.
The US federal government has some, namely the sanctions it placed on NSO Group (and competitor Candiru) last November.
In a statement, a senior White House official said: “Such a transaction, if it were to take place, raises serious counterintelligence and security concerns for the US government.”
Those are still in place and that would seem to suggest L3Harris (the company resulting from the merger of Stingray manufacturer Harris Corporation and defense contractor L3 Technologies) can’t actually make this purchase.
Unfortunately, the statement given to the Guardian suggests the White House may not actually be able to stop the purchase from taking place.
This statement, given to Lucas Ropek of Gizmodo, strays even further from a flat statement saying the acquisition would violate the Commerce Department’s sanctions.
In an email to Gizmodo, a senior White House official said that the government “opposes” the circumvention of U.S. sanctions. “The U.S. Government, and the White House specifically, has not been involved in any way in this reported potential transaction,” said the official. “While we can’t speak to this particular report, the U.S. Government opposes efforts by foreign companies to circumvent U.S. export control measures or sanctions, including placement on the U.S. Department of Commerce’s Entity List for malicious cyber activity.”
The White House will oppose this acquisition but there might be an exploitable loophole in the sanctions. Being acquired by an American company won’t remove NSO from the sanctions list, but it would force the federal government to jump through a bunch of hoops (and, presumably, face litigation) to ensure its sanctions are valid and address actual threats to US entities, including other defense contractors whose offerings might be targeted by foreign purchasers of NSO malware.
What might make it less objectionable (and more likely to result in lifted sanctions) is L3Harris’s customer list, which is largely composed of countries and government entities the US government likes, rather than the sprawling list of human rights violators NSO sold to.
========================================================================
Depending on the make and model, stingrays may be used just to track cell phone locations, or they may also intercept live phone calls, read outgoing text messages, or scramble nearby cell phone signals. Stingrays vary in size, are often referred to as roughly the size of a suitcase, and are often carted along in either the trunks of police cars or, as is the case with the U.S. Marshals service, flown in planes to search for individual phones. And they’re everywhere.
Almost by definition, it’s impossible paint a comprehensive look at stingrays in the U.S. That’s largely due to the fact that, as the FBI has testified in an affidavit, the devices came with nondisclosure agreements and police departments and agencies often promise the FBI to never admit they have such devices. According to a 2014 memo uncovered by the investigative journalism nonprofit Oklahoma Watch, the FBI has instructed local police to use stingrays for “LEAD PURPOSES ONLY,” and states that they “may not be used as primary evidence in any affidavits, hearings or trials.”
“The big concern with stingrays is we still don’t know exactly how they’re used and where they’re used,” Jennifer Lynch, an attorney at the Electronic Frontier Foundation who specializes in privacy and civil liberties, told Vocativ.That secrecy means it’s impossible for the public to know, at the moment, exactly how many stingrays are out there.
But thanks to law enforcement purchase orders unveiled by Freedom of Information Act requests from the ACLU, FOIA journalism nonprofit MuckRock, and the Center for Human Rights and Privacy, as well as news reports from investigative reports at local news outlets around the country, Vocativ compiled all known stingray purchase orders across the country.
The result is that state, county, and local police departments have acquired, between 2001 and 2015, a minimum of 124 stingrays (Additional stingrays are owned by federal agencies, more on that later). We’ve made the raw data available here.
The Florida-based Harris corporation, which creates the vast majority of known law enforcement stingrays, trademarked its original StingRay device in 2003. But it wasn’t until after the 2007 or 2008 release of the StingRay II, which included a GPS antennae to upgrade its phone location tracking, that the devices began really spreading across the country.
More information how these networks work [about 30 minutes]
There’s little doubt that the number of stingrays is only going to increase. Thanks to a major report ordered by the House Oversight Committee and released in December, the public now has insight into how many stingrays have been purchased by federal agencies. In total, there were 347, with the FBI purchasing 194 between 2011 and 2014 alone.
========================================================================
That could be something that allows the acquisition to take place with the federal government’s tentative blessing, if the company agrees to trim its customers list down to the US government’s preferred customer list.
Even if it may somewhat whitewash NSO’s reputation, this merger shouldn’t be welcomed by anyone. It adds the abuses of cell tower simulator technology to the abuses of powerful cell phone-compromising exploits. When a single product can force phones to connect with it in order to deploy malware, the abuses observed to date are going to look pretty mild.
Beyond the theoretical combinations of phone-targeting tech, there’s no reason an American company should willingly get in bed with a company currently facing sanctions from the US government. But NSO’s powerful malware may be too tempting to ignore, especially when Harris has played fast and loose with export regulations in the past. Hopefully, this acquisition will remain what it is now: merely one of several possible outcomes."
Filed Under: malware, secrecy, stingray, surveillance
Companies: harris corporation, l3, l3harris, nso group
No comments:
Post a Comment