Researchers allege NSO Group used real people’s location data in a demonstration of its Covid-19 contact-tracing system earlier this year
Israeli surveillance specialist NSO Group is at the centre of another privacy row after researchers alleged it used location data of real people in a product demonstration.
A report in TechCrunch said the firm used the location data of unsuspecting people when it demonstrated its new Covid-19 contact-tracing system to governments and journalists.
It is reported that in March this year NSO demoed ‘Fleming’, a system that lets governments feed location data from mobile phone companies into a tool that visualises and tracks the spread of the virus, to both journalists and governments.
Real location data?
But in May, a security researcher told TechCrunch that he had found an exposed database storing thousands of location data points used by NSO to demonstrate how Fleming works – the same demo seen by reporters weeks earlier.
TechCrunch then reported the apparent security lapse to NSO, which quickly secured the database, but said that the location data was “not based on real and genuine data.”
According to TechCrunch, NSO’s claim that the location data wasn’t real differed from reports in Israeli media, which said NSO had used phone location data obtained from advertising platforms, known as data brokers, to “train” the system.
Indeed, academic and privacy expert Tehilla Shwartz Altshuler, who was also given a demo of Fleming, reportedly said NSO told her that the data was obtained from data brokers, which sell access to aggregate location data collected from the apps installed on millions of phones.
In light of this, TechCrunch asked researchers at Forensic Architecture, an academic unit at Goldsmiths, University of London, to investigate the matter.
The researchers published their findings on Wednesday, concluding that the exposed data was likely based on real phone location data.
“In March 2020, with the rise of Covid-19, Israeli cyber-weapons manufacturer NSO Group launched a contact-tracing technology named ‘Fleming’,” said the researchers. “Two months later, a database belonging to NSO’s Fleming program was found unprotected online.”
“It contained more than five hundred thousand datapoints for more than thirty thousand distinct mobile phones,” the researchers said. “NSO Group denied there was a security breach. Forensic Architecture received and analysed a sample of the exposed database, which suggested that the data was based on ‘real’ personal data belonging to unsuspecting civilians, putting their private information at risk.”
NSO, however, has dismissed the researchers’ findings.
“We have not seen the supposed examination and have to question how these conclusions were reached,” an unnamed spokesperson was quoted by TechCrunch as saying. “Nevertheless, we stand by our previous response of May 6, 2020. The demo material was not based on real and genuine data related to infected Covid-19 individuals.”
“As our last statement details, the data used for the demonstrations did not contain any personally identifiable information (PII),” the spokesperson added. “And, also as previously stated, this demo was a simulation based on obfuscated data. The Fleming system is a tool that analyzes data provided by end users to help healthcare decision-makers during this global pandemic. NSO does not collect any data for the system, nor does NSO have any access to collected data.”
Last week a report by Citizen Lab at the University of Toronto alleged that dozens of Al Jazeera journalists were hacked with the help of NSO spyware, reportedly by exploiting a vulnerability in the iPhone operating system.
NSO, it should be remembered, is currently engaged in a legal battle with WhatsApp, after Facebook sued NSO in October 2019, alleging it was behind a May 2019 cyberattack that infected devices with advanced surveillance software (reportedly from NSO).
NSO denied the allegation, but Facebook won the first round of its legal battle in early March, after the surveillance software maker failed to show up in a US court.