The fragility of the mobile phone ecosystem
On July 18, an international media consortium reported the presence of a leaked list of 50,000 phone numbers from across the world which were possible targets of the Pegasus spyware. These phones belonged to politicians, journalists, dissidents, and public personalities; even phones of several heads of State and government were targeted.
This is not the first time that the data of high-profile individuals has been surveilled by governments. But the use of proprietary tools such as Pegasus comes with a price tag of millions of dollars to governments, and when employed without due process, extracts an even heavier price from democracy.
The problem is further exacerbated by the fact that one doesn’t necessarily need expensive proprietary tools to conduct surveillance. Several tools can be employed all too easily in today’s fragile mobile phone ecosystem. The Pegasus saga raises important moral, legal, and political issues. However, we must also focus on the technological challenges posed by targeted or general data leaks and their possible mitigation.
While surveillance is as old as Statecraft, a striking instance of digital surveillance by the State was Operation Stockade in the 1960s. Under Operation Stockade, the British security service (MI5) and the government communications headquarters (GCHQ) intercepted the secret communications of the
French embassy in London. The technology used to intercept the communication was basic radio detection and a low-grade cipher which measured the frequency and decoded the messages. For nearly three years, British intelligence was able to follow every step taken by the French ambassador and the French government, including reports from French president Charles de Gaulle.
Since then, the world has become far more digital, and the opportunities for digital surveillance on a mass scale have increased manifold, and can be accessed at a cheaper cost. The threat of surveillance looms large today because we all carry digital devices that constantly measure and assess a host of information about its users. Apart from the information that we actively part with through our actions in the digital space, we also passively allow a host of sensors fitted on our phones to collect and assess information. Whoever controls this flow of data controls the modern personal information highway.
According to an article in Wired, a Georgia Tech study shows the accelerometer and the gyroscope in your smartphone are capable of detecting the vibrations of and identifying different keystrokes on a computer nearby.
The vibrations created by typing onto the computer keyboard can be detected by the sensors on the phone and translated by a programme into readable sentences with 80% accuracy. This could be achieved through a seemingly innocuous application that doesn’t ask for permission to use any of the phone sensors that might make you suspicious.
There have been similar instances where voice assistant software have been collecting and storing a wide range of data over the past years.
Even a small software company can introduce spyware inadvertently by using a software development kit (SDK) that may forward the users’ data to unknown destinations or servers. SDKs are readily available pieces of software — many of them available as free downloads on the internet to speed up the software development process.
In February 2021, the computer science team at Trinity College in Dublin claimed that both iOS and Android handsets share data with Apple/Google, on average, every 4.5 minutes, even when the phone is idle. As soon as a SIM is inserted in an iPhone or an Android, it sends various details such as the IMEI number, phone number, hardware and SIM serial numbers, and device IDs to Apple or Google without a user logging into the phone. Apple also gains access to users’ locations, the local IP address and nearby Mac addresses too. These critical data points help these tech giants and software track users’ movements better.
The bottom line is that the mobile digital ecosystem is extremely fragile and vulnerable to surveillance and privacy violations. Our privacy conversations will be incomplete unless we acknowledge the overwhelming presence of all the prominent players in the mobile phone space who have easy access to user data at a very granular level.
The lack of awareness about the extent of data collection by various entities in the mobile ecosystem — including small to medium software companies and tech giants surveillance-centric companies such as NSO — makes it difficult to gather public support to push back against these intrusions and ensure a systemic change in the mobile ecosystem that is truly privacy-conserving.
The real solution lies in the users exercising extreme caution when downloading mobile apps from unknown entities. Also, there should be diversity in the operating system providers for smartphones; this diversity is crucial as it changes the incentives and increases the cost of developing advanced surveillance tools. The software development process needs to be monitored through a strict audit process keeping in mind code reviews from a security perspective.
And finally, consent for accessing various sensors should become the norm, not an exception. While acknowledging that the mobile ecosystem is weak, we need to consider options, both regulatory and technical, to provide real privacy-preserving technology options to mobile technology users across the globe.