For more than a decade, dozens of journalists and human rights activists have been targeted and hacked by governments all over the world. Police and intelligence agencies in countries including Ethiopia, Greece, Hungary, India, Mexico, Poland, Saudi Arabia, and the United Arab Emirates have used sophisticated spyware to compromise the phones of these victims. These individuals have at times also faced real-world violence, being intimidated, harassed, and in extreme cases, even murdered.
In the fight to protect these higher-risk communities, a team of a dozen digital security experts has played a key role. They work for the New York-headquartered nonprofit Access Now, specifically its Digital Security Helpline. Their mission is to be the team that journalists, human rights defenders, and dissidents can turn to if they suspect they have been hacked with mercenary spyware made by companies like NSO Group, Intellexa, or Paragon.
The idea is to provide a 24/7 service to civil society and journalists so they can reach out whenever they have a cybersecurity incident, explained Hassen Selmi, who leads the incident response team at the Helpline. According to Bill Marczak, a senior researcher at the University of Toronto’s Citizen Lab, Access Now’s Helpline is a frontline resource for journalists and others who may have been targeted or hacked with spyware.
The helpline has become a critical funnel for victims. When Apple sends its users a threat notification alerting them that they have been targeted with mercenary spyware, the tech giant directs victims to Access Now’s investigators. Selmi described how having someone who could explain the notification, tell them what they should do and what it means, provides a big relief for victims.
According to several digital rights experts, Apple is generally taking the right approach, even if it can look as though a large company is offloading responsibility onto a small nonprofit team. Being named in Apple's notifications was one of the biggest milestones for the helpline, said Selmi.
Selmi and his colleagues now look into about 1,000 cases of suspected government spyware attacks per year. Around half of those cases turn into actual investigations, and only about 5% of them, roughly 25 cases, result in a confirmed spyware infection, according to Mohammed Al-Maskati, the helpline’s director.
When Selmi started this work in 2014, Access Now was investigating only around 20 cases of suspected spyware attacks per month. At the time, a small team worked across time zones in Costa Rica, Manila, and Tunisia to have someone online throughout the day. The team is not much bigger now, with fewer than 15 people working for the helpline, though it has more people in Europe, the Middle East, North Africa, and Sub-Saharan Africa, which are hotspots for spyware cases.
The increase in cases has several causes. The helpline is now better known, so more people reach out. Government spyware has gone global and become more widely available, which creates more opportunity for abuse. Finally, the helpline team has done more outreach to populations likely to be targeted, surfacing cases it would not otherwise have found.
When someone contacts the helpline, investigators first acknowledge receipt and check whether the person falls within the organization's mandate, meaning they are part of civil society. The investigators then triage the case. If a case is prioritized, they ask questions to understand why the person believes they were targeted and what device they use.
After an initial remote check of the device, the investigators may ask for more data, such as a full backup, to do a more thorough analysis looking for signs of intrusion. The team has a procedure for checking each known kind of exploit used in recent years, and knows what is normal on a device and what is not. The handlers, who often speak the victim's language, also advise on what to do next, such as whether to move to a different device.
Every case the nonprofit looks into is unique, differing from person to person and culture to culture. Selmi believes more research and more people, not only technical staff, are needed to learn how best to support these victims.
The helpline has also been supporting similar investigative teams in some regions of the world, sharing documentation, knowledge, and tools as part of a coalition called CiviCERT, a global network of organizations that help members of civil society targeted with spyware. This network has helped reach journalists and others in places where the helpline otherwise could not. No matter where victims are, they have people who can talk to them and understand their context, which helps a great deal.