Spyware Group Exposed for Using Pegasus to Target Journalists' Phones Has Been Ordered to Disclose Software Code



For years, cybersecurity researchers at Citizen Lab have been closely monitoring the activities of the Israeli spyware firm NSO Group, particularly focusing on its flagship product, Pegasus. Their investigations have revealed alarming instances of Pegasus being used to target the phones of journalists and human rights defenders via a WhatsApp security vulnerability, as reported in 2019.

Now, NSO Group, which is blacklisted by the U.S. government for selling spyware to repressive regimes, finds itself embroiled in a lawsuit over the WhatsApp exploit. Filed in U.S. federal court in 2019 by WhatsApp and Meta (then Facebook), the lawsuit alleges that NSO sent Pegasus and other malware to approximately 1,400 devices worldwide. Despite NSO’s repeated attempts to have the case dismissed, it has persisted for over four years.

As the lawsuit progresses, NSO has resorted to demanding access to Citizen Lab’s investigative materials. However, a judge recently denied NSO’s latest attempt to obtain access to Citizen Lab’s documents. Citizen Lab’s lawyers argued that providing raw research data to NSO would endanger individuals already victimized by NSO’s activities and could lead to further harassment, including from their own governments.

NSO has been striving to improve its public image in recent years, particularly since being blacklisted in 2021. The company has even requested meetings with the State Department to discuss Pegasus as a tool for combating terrorism. Nevertheless, NSO continues to face legal challenges in U.S. courts over Pegasus, with ongoing lawsuits brought by various parties, including Salvadoran journalists, Apple, and Hanan Elatr Khashoggi, the widow of murdered journalist Jamal Khashoggi. These lawsuits rely heavily on Citizen Lab’s research findings.

Despite NSO’s efforts to evade accountability, the WhatsApp lawsuit has not been in the company’s favor. Initially, NSO claimed immunity from being sued in American courts, but this argument was rejected by a federal appeals court in 2021. The lawsuit has since faced other legal hurdles, including NSO’s unsuccessful attempts to have it moved to Israel.

In a significant development, earlier this year, Judge Phyllis Hamilton ordered NSO to disclose the software code not only for Pegasus but also for any NSO spyware targeting or directed at WhatsApp servers. This order underscores the extent of NSO’s legal obligations and the gravity of the allegations against it.

While NSO has obtained thousands of documents from Meta and WhatsApp regarding Citizen Lab’s Pegasus investigation, its attempts to extract more information directly from Citizen Lab have been thwarted. Despite NSO’s persistence, Judge Hamilton concluded that its demands were “plainly overbroad.” She has left open the possibility for NSO to try again, but only if it can provide evidence linking specific individuals identified by Citizen Lab as targets to criminal or terrorist activity.

In response to the court’s decision, Citizen Lab’s director, Ronald Deibert, expressed satisfaction that the court recognized NSO Group’s request for information as overbroad and unnecessary at this time to resolve the disputed issues. This legal battle underscores the importance of holding companies like NSO accountable for their actions and protecting the rights of individuals targeted by unlawful surveillance.



Over 200 Mortgage Brokers Leaked Sensitive Data to Facebook



Sensitive Data Sharing Raises Legal Concerns

When someone applies for a mortgage, they trust a home loan lender or mortgage broker with some of the most sensitive information they have: information about their credit, their home, and personal details of their lives. Unbeknownst to those prospective homeowners, they may also be sharing that information with Facebook.

The Markup tested more than 700 websites offering loans for people looking to purchase or refinance a home, from major online brokers to lesser-known regional lenders. They found that more than 200 of these companies share some amount of user data with Facebook through the Meta Pixel, a small piece of tracking software embedded on their sites. As users filled out mortgage applications or requested quotes, the pixel tracked information about their credit, veteran status, occupation, the specific homes they wanted, and more. Experts told The Markup that it might be against the law for mortgage lenders to feed this kind of information to Facebook.

For instance, Fairway Independent Mortgage Corporation, one of the largest lenders in the country, used the Meta Pixel to track detailed information about visitors, including every button they clicked on a preapproval page and the type of home they were interested in. Responses to a question about estimated credit, which asked visitors to select a numbered band from “Poor” to “Excellent,” were also tracked. Clicking “I Decline” on the site’s cookie notice did not stop the pixel from tracking.

The pixel also sent Facebook a scrambled version of a visitor’s name and email address. Meta says these “hashed” email addresses “help protect user privacy.” However, it’s simple to determine the pre-obfuscated version of the data, and Meta explicitly uses the hashed information to link other pixel data to Facebook and Instagram profiles.
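Why a hashed email address still works as an identifier, shown as an added example that is not code from The Markup or Meta: an unkeyed hash of a normalized address is the same every time, so any party that already holds the address can recompute it and join on it. The hash function (SHA-256), the trim-and-lowercase normalization, all function names and the sample addresses are assumptions constructed for illustration; the keyed-hash contrast goes beyond what the article describes.

```python
import hashlib
import hmac


def normalize(email: str) -> str:
    # Assumed normalization: trim whitespace and lowercase before hashing.
    return email.strip().lower()


def plain_hash(email: str) -> str:
    # Unkeyed hash: anyone who knows the address can reproduce this value.
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()


def keyed_hash(email: str, key: bytes) -> str:
    # Keyed hash (HMAC): reproducible only by a holder of the key.
    return hmac.new(key, normalize(email).encode("utf-8"), hashlib.sha256).hexdigest()


def build_index(known_emails, hasher):
    # The receiving party hashes the addresses it already holds, once.
    return {hasher(e): normalize(e) for e in known_emails}


def link(received_hash, index):
    # Returns the matching account address, or None when nothing matches.
    return index.get(received_hash)


# Constructed sample data: accounts the recipient already knows, and a
# secret that stays on the sending site only.
RECIPIENT_ACCOUNTS = ["alice@example.com", "bob@example.org", "carol@example.net"]
SITE_SECRET = b"constructed-site-only-secret"


def demo():
    visitor = "  Alice@Example.com "  # as typed into a form on the site
    index = build_index(RECIPIENT_ACCOUNTS, plain_hash)
    return {
        "plain_linked_to": link(plain_hash(visitor), index),
        "keyed_linked_to": link(keyed_hash(visitor, SITE_SECRET), index),
        "stable_across_visits": plain_hash(visitor) == plain_hash("alice@example.com"),
    }


if __name__ == "__main__":
    print(demo())
```

The unkeyed value resolves to a known account and is identical on every visit, which is why it should be treated as personal data in a privacy review; the keyed value cannot be matched by a recipient that lacks the secret.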

Kirby Bradley, the chief content officer for Fairway Mortgage, said in an emailed response to questions from The Markup that the company has stopped using the pixel. She stated that the credit estimates shared with Facebook were not actual scores but rather “categories made up completely by the respondent based on nothing but their feeling at the time.” Bradley added that Fairway did not collect or transmit personally identifiable information while using the pixel but declined to detail how the company defines such information.

LendingTree, Veterans United Home Loans, Doorway Home Loans, and ZeroDown were among other companies found to have shared sensitive data with Facebook through the Meta Pixel. These companies sent information including unique IDs, details about co-borrowers, bankruptcy status, military history, and the exact address of homes viewed by users.

A spokesperson for Meta, Emil Vazquez, said in an emailed statement that the company’s system uses automated tools to filter out “potentially sensitive data it is able to detect.” Vazquez added, “Advertisers should not send sensitive information about people through our Business Tools. Doing so is against our policies, and we educate advertisers on properly setting up Business Tools to prevent this from occurring.”

Potential Legal Consequences

The online mortgage industry, valued at tens of billions of dollars globally, is subject to strict regulations under laws such as the Gramm–Leach–Bliley Act, which aims to protect consumers’ financial information. The Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB) have the authority to enforce these laws and can penalize companies that violate them.

Natalie Loebner, a consultant and former Justice Department trial attorney, told The Markup that sharing sensitive information with Facebook via the Meta Pixel could violate the Gramm–Leach–Bliley Act or other regulations. Loebner suggested that regulators might scrutinize mortgage companies using the pixel to share customer data, particularly if they failed to disclose this practice to customers.

A Call for Regulatory Action

The Markup’s investigation highlights the pervasive and troubling use of tracking technology in the mortgage industry. While some companies used the Meta Pixel more responsibly, others shared highly sensitive information without adequate consumer consent or protection. This widespread data sharing raises significant privacy concerns and underscores the need for more robust regulatory oversight and enforcement.

As digital mortgage services continue to grow, the importance of safeguarding consumer data becomes ever more critical. Regulators, companies, and consumers must work together to ensure that sensitive financial information is protected from unauthorized access and misuse.

