The growing suspicion in recent days, recently dispelled by the Italian government, that the state secret service had used Paragon spyware to eavesdrop on a journalist and an activist brought to mind Juvenal’s eternal question – who controls the controllers? – but with the need for reformulation: who controls the suppliers of the controllers? by Andrea Monti – Initially published in Italian by La Repubblica-Italian Tech
Are we all under surveillance?
Before answering this question, a necessary premise is required.
Unpleasant as the situation may be, we must realise that no state, regardless of its level of democracy, can exist without the collection of information, even clandestinely, and that practically no one, including lawyers and journalists, is outside the perimeter of those who can be monitored.
To quote the character in one of Altan’s ironic cartoons, ‘spies spy’, and the interviewee replies: ‘it’s crazy’.
The realpolitik of (counter)surveillance
This is not the place to address the issue of the paternalistic state, which invokes surveillance in the name of the security of its citizens, but in reality does so to ensure its own survival. Tranquillitas, non libertas – security, but not freedom – is what the successors of Octavian Augustus still promise today, in all latitudes. In such a context, it is clear that the ‘best interests of the state’ or ‘national security’ become nothing more than rhetorical devices to ensure a free hand in suppressing dissent or, which is the same thing, manipulating consent.
In parallel, but not here, we should ask how, with equal hypocrisy, freedom of expression and information have been transformed from instruments of democracy into false idols to be worshipped for equally less noble purposes.
Thus, in the name of a self-proclaimed ethical superiority, activists and information professionals almost everywhere in the world, who claim to act in the name of the “greater good” (again, sometimes a hypocritical veil of personal and power agendas), believe that this alone justifies them in breaking the rules and not being punished or even monitored.
The privatisation of control
It’s worth noting that between the two extremes, the real protagonists of this ‘all against all’ are two private companies on opposite sides: Paragon with the “spies” and Meta with the “spied upon”.
Like the heads of the Lernaean Hydra, it doesn’t help to get rid of one spyware producer because another one will take its place. This is what happened with Galileo, the remote control system from the Italian company Hacking Team, then with Pegasus, the spyware from the Israeli company NSO that was sued by Apple, which then backed down and asked for the case to be dropped, and now with the Trojan horse from Paragon, also an Israeli company.
The fact that tools such as spyware are supplied to governments by private companies shouldn’t come as too much of a surprise. The defence/intelligence contractor sector – the ‘suppliers’ of intelligence and defence – has always existed, so it’s perfectly normal for a non-institutional subject to develop offensive weapons and tools to resell to governments.
Like weapons, spyware is sold to specific countries. However, while in the case of weapons the ‘customer list’ is clearly determined by geopolitical balances, in the case of spyware – and Paragon in particular – the selection criterion is also a contractual commitment not to spy on journalists and activists, a breach of which would be the reason for the ‘cancellation’ of contracts with Italy.
This choice is rather unusual because, to use the analogy of weapons, a manufacturer of bombs or bullets does not forbid his customers to use the weapons and ammunition against certain targets, on pain of having the goods withdrawn.
If this principle applies to ‘traditional’ means of attack, why shouldn’t it apply to computers?
Why shouldn’t a prosecutor (also) be able to wiretap journalists and activists suspected of committing crimes?
And therefore, in what capacity does a private company, and a non-EU company at that, reserve the power to limit the scope of action of the prosecution and intelligence services of a democratic country?
The answer to these questions is quite complex and involves several issues.
One is the political will of countries with technological superiority not to hand over to other governments full control of a tool that is harmless from the point of view of physical lethality, but extremely dangerous if used to gather information on anyone (including “friendly” countries).
Another, although there is no evidence of it, is the possibility of agreements similar to the ‘pink contracts’ that ISPs have with spammers being drawn up in this sector: I’ll pretend I don’t know what you’re doing with my service, but if the news gets out, I’ll cancel your contract. The legal form is secure, the substance of the rights a little less so.
In short, in such a context, the declared will to protect ‘human rights’ (and not even all of them, by the way) looks more like an exploitation of legal principles than a sincere concern to strike a balance between the exercise of power and the protection of (certain categories of) citizens.
Counter-surveillance made public
The attention paid to Paragon and the governments that used its spyware has overshadowed the role of another company, Meta, which played an equally important part in the affair.
According to a press release, the discovery of the WhatsApp accounts affected by the spyware is due to the social network giant’s declared commitment to ensuring that its users can continue to communicate privately (even at the cost, editor’s note, of compromising police or intelligence operations and a state’s ability to carry them out, as in the case of Paragon).
So, on the one hand, there are the ‘bad guys’ who try at all costs to violate citizens’ privacy by becoming ‘complicit’ (but not too much) with governments, and on the other hand, there are the ‘good guys’ who protect it in the disinterested interest of guaranteeing citizens’ rights.
The first consideration that comes to mind in the face of this simplistic narrative is that if (in this case) Paragon has assumed the power to decide the limits of a sovereign state’s power, (in this case) Meta assumes the power that would belong to the judiciary to decide how rights are protected and for whom.
The appropriation of rights
In other words, we are facing a further step in the march towards the privatisation of rights, which began some time ago and has already passed through several stages. To name just a few, we need only think of Apple’s attempt (unsuccessful) to include client-side scanning (preventive content control) in iOS and its stated desire not to “weaken” the security of its products for the benefit of the judiciary; or Cloudflare’s use of the ODoH (Oblivious DNS over http) protocol, which, in the name of protecting users’ privacy, makes it impossible to associate requests to connect to a website with the IP that made them, and for this reason lost a civil case in Italy for refusing to provide the data necessary to identify customers involved in the illegal streaming of sporting events. Or again, one only has to analyse the opaque and cumbersome way in which platforms manage the procedures for controlling content and restoring closed accounts for unspecified ‘policy violations’.
In this case, as with the ‘termination clause for violation of the rights of journalists and activists’ in Paragon’s contract, invoking the protection of fundamental rights to justify industrial decisions seems more like a marketing tool than the result of a genuine concern for the fate of humanity.
To be convinced of this, just replace the word ‘users’ with the word ‘customers’ in Big Tech press releases that mention confidentiality and freedom of expression (and, in truth, little else), and everything becomes clearer. Who would buy or use products and services knowing that they can be controlled at will by the state (and perhaps even more so by thugs and criminals of various kinds)? And why should the valuable treasure trove of user-generated data be jeopardised by the fact that someone else may have direct access to it, more or less legitimately?
The crisis of the role of the state (and of a-national institutions)
It is clear from what should be called the ‘Paragon-Meta case’ that Big Tech’s iron grip on information technology is (has been) made possible by the transformation of rights into an object that can be sold, bought and, above all, confiscated, without the involvement or even the interested collaboration of states.
Regulations such as the European ‘Digital Service’ regulation, which privatises the reporting of ‘inappropriate’ and ‘illegal’ content to private snitches and the decisions on its removal, are nothing more than an admission of failure in the attempt to guarantee public protection for those who suffer the violation of their copyright, reputation or privacy. And at the same time, such rules are an admission of failure to guarantee everyone, guilty or innocent, a fair trial by a real judge.
Be that as it may, one thing is certain: when it comes to rights, states or supranational and a-national organisations are no longer the only ones who can take decisions that affect all our lives.