Warning that companies that claim to protect national security are the “greatest danger” to it, Edward Snowden has urged the dismantling of this ‘Insecurity Industry’ by banning trade in intrusive software and penalizing enablers.
In a searing post on his blog, ‘Continuing Ed’, the NSA whistleblower pointed to the Pegasus scandal as a “turning point” that exposed the “fatal consequences” of private-sector companies like the NSO Group that are part of this “out-of-control” industry – whose “sole purpose is the production of vulnerability.”
“The phone in your hand exists in a state of perpetual insecurity, open to infection by anyone willing to put money in the hand of this new Insecurity Industry,” Snowden noted, adding that its clients range from countries to “sex-criminal Hollywood producers who can dig a few million out of their couch cushions.”
As news of the Pegasus scandal broke last week, it emerged that over 50,000 phone numbers appeared on a leaked list of potential targets of Israeli surveillance firm NSO Group's flagship malware. Many of the numbers on the list reportedly belong to political opponents of the firm's government clients.
The former US intelligence contractor described the mobile ecosystem as a “dystopian hellscape of end-user monitoring and outright end-user manipulation.” Similarly, he stated that the world is “in the midst of the greatest crisis of computer security in computer history.”
This is partly because, he noted, software developers and device manufacturers like “Apple, Google, Microsoft (and) miserly chipmakers who want to sell…not fix things” are still writing code in “unsafe” programming languages because it is easier and more cost-effective than modernizing.
In recent years, both Google and Microsoft engineers have said that roughly 70% of all serious security bugs in the Chrome codebase and Microsoft products respectively are related to memory safety problems – that Snowden puts down to the lack of incentive to switch to a safer programming language.
“The vast majority of vulnerabilities that are later discovered and exploited by the Insecurity Industry are introduced, for technical reasons related to how a computer keeps track of what it’s supposed to be doing, at the exact time the code is written,” he noted.
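The memory-safety point above (roughly 70% of serious bugs, introduced "at the exact time the code is written") is easiest to see in a few lines of C. The following is an added illustration, not code from the article or from Snowden's post: `copy_name_unsafe` is the classic pattern that later becomes an exploitable vulnerability, because nothing in the language tracks how large `dst` actually is; `copy_name_checked` is the same operation with the bound carried explicitly and enforced. The buffer size `NAME_LEN` and the sample names are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16  /* constructed buffer size for the example */

/* Memory-unsafe: strcpy copies until it finds a NUL byte and has no idea how
 * big dst is. If src is longer than the destination, the write runs past the
 * end of the buffer. The compiler accepts this; the defect is present from
 * the moment the line is written. */
void copy_name_unsafe(char *dst, const char *src) {
    strcpy(dst, src);
}

/* Reports whether copying src (plus its terminating NUL) into a buffer of
 * dst_len bytes would write out of bounds. */
int would_overflow(size_t dst_len, const char *src) {
    return strlen(src) >= dst_len;
}

/* Bounds-checked equivalent: the destination size is an explicit parameter
 * and is checked before any byte is written. Returns 0 on success, -1 if src
 * does not fit (dst is left as an empty string so callers never read
 * uninitialised data). */
int copy_name_checked(char *dst, size_t dst_len, const char *src) {
    if (dst_len == 0) return -1;
    if (would_overflow(dst_len, src)) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, strlen(src) + 1);  /* +1 copies the NUL terminator */
    return 0;
}

/* Convenience wrapper used by the demo and the tests: 1 if src was copied
 * intact into a NAME_LEN-byte buffer, 0 if it was rejected. */
int checked_copy_fits(const char *src) {
    char buf[NAME_LEN];
    if (copy_name_checked(buf, sizeof buf, src) != 0) return 0;
    return strcmp(buf, src) == 0;
}

int main(void) {
    const char *short_name = "alice";                                   /* constructed */
    const char *long_name  = "this name is longer than sixteen bytes";  /* constructed */
    char buf[NAME_LEN];

    /* The unsafe version is only ever called here with input that fits;
     * calling it with long_name would be undefined behaviour. */
    copy_name_unsafe(buf, short_name);
    printf("unsafe copy of short input: %s\n", buf);

    printf("checked copy of short input fits: %d\n", checked_copy_fits(short_name));
    printf("checked copy of long input fits:  %d\n", checked_copy_fits(long_name));
    printf("would long input overflow %d bytes: %d\n", NAME_LEN,
           would_overflow(NAME_LEN, long_name));
    return 0;
}
```

The difference between the two functions is not cleverness but bookkeeping: the checked version forces the programmer to state the destination size and refuses to proceed without it. Languages with built-in bounds checking make that bookkeeping automatic, which is the incentive question the article raises.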
As examples of “incentivizing change,” Snowden suggests that “defining legal liability for bad code in a commercial product” would give Microsoft a “heart attack.” Likewise, he noted, making Facebook legally liable for any leaks of its users’ “unnecessarily collected” personal records would mean “Mark Zuckerberg would start smashing the delete key.”
Similar liability clauses, he argued, need to be applied to the “amoral” global capital firms that bankroll companies like the NSO Group. Without these funds, Snowden noted, neither the scale nor the global consequences of the ‘Insecurity Industry’ would be possible.
However, the “first digital step” must be to “ban the commercial trade in intrusion software.” In his view, “eliminating the profit motive” would reduce the risk of proliferation by private companies while preserving avenues for genuine research.
“If we don’t do anything to stop the sale of this technology, it’s not just going to be 50,000 targets: It’s going to be 50 million targets, and it’s going to happen much more quickly than any of us expect,” Snowden noted, warning of a future where “people (are) too busy playing with their phones to even notice that someone else controls them.”