Earlier this week, the Department of Justice revealed that three former U.S. intelligence operatives were facing federal charges in connection with their work for DarkMatter, a foreign cybersecurity company based in the United Arab Emirates.
The men, who formerly worked for the National Security Agency, were part of a secretive operation entitled “Project Raven,” which, between 2016 and 2019, helped the UAE government spy on critics of its regime. To that end, the hackers-for-hire helped the Middle Eastern monarchy break into computer systems and devices throughout the world—including ones located in the U.S.
While the culprits have since reached a deferred prosecution agreement with the government—allowing them to basically pay their way out of seeing any jail time (a loophole with a $1.6 million price tag)—the ramifications of the case surely aren’t so easily put to bed.
Suffice to say, the idea of former American national security operatives targeting U.S. systems at the behest of a foreign government is a pretty chilling scenario. Yet such activity is likely only the tip of the iceberg when it comes to the nefariousness of the spyware industry—a poorly understood realm that, as many have noted, has little meaningful legal or regulatory guardrails to stop this sort of depraved shit from happening.
The “Raven” incident itself shows that there are few constraints on U.S.-based companies that want to sell powerful cyber weapons to foreign governments: DarkMatter operatives apparently collaborated with an American cyber firm, Denver-based Accuvant—which sold them a $1.6 million iPhone hacking tool that was used in subsequent hacking escapades.
Also compounding the scandal is the fact that one of the accused, Daniel Gericke, is currently employed as the chief information officer of ExpressVPN, one of the most widely used privacy products of its kind on the market. Yup, a guy who was charged with breaking federal laws to compromise American networks and devices is also currently employed with a company that’s supposed to protect your privacy online. Creepy, no?
News of Gericke’s involvement in Project Raven naturally stirred up no small amount of outrage online—fueling a conversation about whether the average privacy product can be trusted.
However, the company has defended its decision to hire him and even admitted that it knew about his background when it hired him back in 2019.
“We find it deeply regrettable that the news of the past few days regarding Daniel Gericke has created concerns among our users and given some cause to question our commitment to our core values,” the company said in a blog post Thursday. “To be completely clear, as much as we value Daniel’s expertise and how it has helped us to protect customers, we do not condone Project Raven. The surveillance it represents is completely antithetical to our mission.”
But how comforting can these assurances really be when it’s clear that the privacy industry is apparently populated by the same people who run the surveillance industry?
This year, controversies involving the surveillance industry have continued to crop up, one piling on top of another, fueling calls for national and global regulations that can tackle the abuses.
Most notably, outrage was renewed over the abuses of the NSO Group, a notorious Israeli spyware firm that has been known to sell its powerful, device-compromising malware to repressive regimes throughout the world. In July, a number of non-profits and news outlets began publishing stories connected to the “Pegasus Project,” an investigation into the extent to which the company’s malware has been distributed globally. The investigation revealed a trove of some 50,000 “potential targets” of Pegasus which, according to researchers, included the phones of dignitaries and diplomats such as French leader Emmanuel Macron, as well as devices belonging to other presidents, former prime ministers, and the king of Morocco, among others. Even more problematically, just last week Apple announced patches for security flaws that had been seeing Pegasus-related exploitation. The patches applied to some 1.65 billion Apple products, the likes of which had been vulnerable since March.
Despite all this, there may be some hope on the horizon with some indication that regulatory bodies are finally yielding to calls for action.
As example, consider the case of SpyFone—a “stalkerware” firm that critics say has aided “stalkers and domestic abusers” in their quest to surveil victims. The company was recently banned from operation by the Federal Trade Commission—a first of its kind decision that could signal a coming crackdown on the spyware industry overall. FTC Commissioner Rohit Chopra also suggested that law enforcement agencies might consider whether criminal charges were warranted.
However, privacy advocates have suggested that simply banning the occasional company from operation or the occasional prosecution is not going to be enough. Amnesty International, which helped expose NSO abuses, has called for a global moratorium on the sale of spyware products until a “human rights-compliant regulatory framework” can be developed and implemented. Other activists have similarly suggested that all sales should be halted until governments can “investigate and regulate this industry”—the likes of which is poorly understood by lawmakers and everyday people alike.
Correction: A previous version of this article incorrectly referred to the UAE cybersecurity firm DarkMatter as BlackMatter. We regret the error.