Apple vs Pegasus: Is it fair that private companies decide the limits of security?

Apple is suing Israeli company Nso to stop its spyware. But what happens when private companies decide the limits of national security instead of entrusting this power to parliaments and civil society? by Andrea Monti – Initially published in Italian by

The case of Pegasus, the Israeli spyware of the government-owned NSO Group, which was allegedly also used against activists and journalists, is not the first case of private companies being involved by the institutions of a country to develop and use mass surveillance systems. The case of Hacking Team is undoubtedly the most illustrious precedent and has many points in common with the Israeli software affair.

Both have aroused controversy for the levels of invasiveness of surveillance that they allow States. Still, they overlook the fact that surveillance is a structural component of any State, even the most democratic, and that intelligence operations against other countries, friendly or not, are the order of the day. The latest fact to hit the headlines concerns the French clandestine operations in Egypt, but the list would be long and embarrassing if one wanted to go deeper. Many questions are raised by this affair, but the main one is what happens when private companies decide the limits of national security instead of entrusting this power to parliaments and civil society.

Updates on the Nso case

The last act (or rather, the last two) in the Nso affair are the filing of an amicus curiae by Google, Microsoft, Cisco, Linkedin and Vmware in the lawsuit between the Nso Group and Whatsapp, and Apple’s announcement that it is taking legal action against the Nso Group. In both cases, the core of the arguments put forward by the big tech companies is that this spyware, no matter whether it is used on the instructions of a state, infringes on the civil rights of users, or rather, as Apple’s statement says, customers.

Two-speed civil rights protection

Therefore, and this is the first bullet point, one must take into account that the (more than legitimate) interest of these companies’ is first and foremost the protection of their market. In other words, the ‘protection of the privacy’ of customers from external intrusions is functional to commercial needs and not to the respect as such of individual rights. For instance, Apple itself received criticism for its commercial choices in its dealings with China. Microsoft operating systems are also used in Iran in prisons where prisoners’ rights have been violated without any action being taken. Google has to deal with severe criticism from civil society about how it designs its services.

Once again, the right of a company to protect its investments is not in question. Still, one should ask whether this right can be exercised to the extent of substituting civil society and the legislature to establish the limits and contents of a fundamental right. Privacy is not the same as ‘that’s none of your business’, the slogan with which a smartphone was advertised, and is not necessarily protected by commercial VPNs, even if they are presented as ‘suitable’ for the purpose.

Private companies and national security

Similar to the power to define what is a fundamental right, the reaction of Big Tech to the Nso case shows that they are adopting a similar approach to protecting their interests as they do to privacy, but this time geared towards criminal investigations and national security. In 2016, Apple did not cooperate with the FBI in decrypting an iPhone used in the San Bernardino massacre. This decision raised criticism. More recently, the decision (later postponed) to introduce a client-side scanning system in iOS to search for and report child pornography images also raised protests. Now the goalposts have been moved further forward. After criminal prevention and investigation, it is precisely the State’s security that becomes the object of negotiation between public institutions and private companies.

An impossible balance?

In terms of ruthless pragmatism, it is unthinkable that a State, any State, could reduce or even cease the use of surveillance systems, which are inherent in the activities for the protection of the security of the State. It is also difficult to imagine that these systems could be managed without recourse to private companies, more or less explicitly linked to the government or the State.

The mechanisms of control over state apparatuses and the broad grassroots control promoted by journalists, citizen groups, and activists (Wikileaks is the best known but not the only example) are an improvable nonetheless effective remedy that limits State’s powers. However, the reaction of big tech in the Nso case changes the rules of the game and brings into play entities whose agenda does not necessarily coincide with that of citizens and institutions.

It dramatically re-proposes the traditional question that has hovered unanswered for centuries in the halls of power and in the nightmares of citizens: Quis custodiet ipsos custodes? Who controls the controllers, actually?

Leave a Reply

Your email address will not be published. Required fields are marked *