„Nothing is unhackable“

From “smart” homes to educational apps for remote schooling, from employee-monitoring software to the geolocation devices we carry in our pockets, the extent to which our intensely surveilled life became normal would have shocked even the most future-focused mid-twentieth-century creative.

Should we be afraid? Is any of this reversible, and would we want it to be? We were happy to discuss these and other hard questions this past week with Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation. Eva has extensive experience in IT systems and security in Silicon Valley, and is focused on targeting malware, as well as organizing and educating citizens about digital privacy, security, and why we all could stand to get smarter about it.

Tim Leberecht: Eva, thanks so much for your time. Tell me a bit about your work with the Electronic Frontier Foundation. How long have you been at the foundation? What are the accomplishments you’re most proud of?

Eva Galperin: I’m the director of cyber security at the Electronic Frontier Foundation, and lead a team called the Threat Lab, where we research threats to vulnerable populations. Most of the last 14 years at the Electronic Frontier Foundation I’ve been working on threats to journalists and activists, tracking APTs—Advanced Persistent Threats—which is just a fancy security way of saying state actors that spy on people. More recently I moved into the realm of intimate partner abuse and helped found an organization called the Coalition Against Stalkerware, which has been helping to increase the detection of stalkerware and to secure devices against this type of commercially available software that people use for spying.

And most recently, I’ve been working on threats from physical trackers. So Apple put out this thing called the AirTag, which is supposed to make it easier for you to locate things you’ve lost or that have been stolen. But it is extremely easy to abuse, or to use as a physical tracker to spy on people. And the AirTag is not a particularly new technology. For example, before the AirTag, there was a product called Tile that does much the same thing. So I’ve been working on getting those companies to change the way their products are built so that it’s harder to use them for stalking.

Eva Galperin at a TED Talk about stalkerware in 2020. | Source: YouTube/TED

What exactly is an Advanced Persistent Threat?

Well, most of the time, if you are a systems administrator, or you work in information security, and you’re trying to lock down a network or a corporation, the kind of threat you are facing is usually limited to criminals and hackers and scammers—people whom you can deter by simply making it hard enough to break into your system that they move on to the next guy. An advanced persistent threat, which is often a government, is somebody who will keep trying, who will essentially make it their job 9-5 to compromise a specific person or a specific organization. And that takes a very different kind of set of mitigations to work against.

You already mentioned state actor surveillance, nation state surveillance, and of course, that’s in the news right now because of the Pegasus scandal, revealed by a coalition of journalists. Were you surprised? What do you make of the whole scandal? What’s going to be the fallout?

I’m not even slightly surprised. I have been working on nation-state spying, and the increasing commodification of the kind of software that is being sold specifically to governments and law enforcement, and that gets sold to authoritarian states and used as a tool of abuse, for the better part of a decade. And the NSO Group is not even the only company that does this. Prior to this we put a bunch of pressure on Gamma Group, which spun off into FinFisher and Hacking Team which is located in Italy, and also NSO Group. So this is not new. This is not even the first report on abuses by this one particular company. What’s really different is the sheer number of possible targets—the list that Amnesty International has. That really gave rise to a nearly endless supply of stories about people who have been targeted by this very scary and powerful software. And that’s what allowed it to catch on in the public imagination.

Help us understand how it’s possible to spy on mobile phones. Apple, for example, prides itself on being a safe, protected, privacy-based environment—unhackable, basically. Are companies not doing enough to protect the phones? Is there anything they could do to better protect users? 

Nothing is unhackable. It is extremely important for everyone to understand that nothing is unhackable. The more complicated the device, and the more complicated the software, or the more open it is to interaction with other applications, or research by security researchers or hackers, the more likely it is that you have created an additional attack surface. 

Playing offense is easy, because all you need to do is find a vulnerability. And playing defense is hard, because you need to defend yourself on all fronts all the time. 

In fact, we are fairly certain that the kind of capability the NSA has is a capability all of the Five Eyes countries have had for many years. We’re fairly certain the U.S. has it, the UK has it, that Canada and Australia have it, and that China and Russia may have it. What is novel is that in the last 10 years or so, companies have come up that take advantage of these vulnerabilities and sell this capability to any tin-pot dictator with a million dollars to spend. So suddenly we’re not just looking at the U.S. or Russia or China having these capabilities, but also Kazakhstan and Azerbaijan, and Mexico and Ethiopia and Saudi Arabia and UAE. And that is particularly disturbing, because we have human rights abuses linked directly to this kind of surveillance, over and over and over again.

Do you think we live in a surveillance society? I’m thinking of Shoshana Zubov’s book The Age of Surveillance Capitalism. Is it a reality that we can no longer reverse, just the world we live in—and we can only try to manage it or navigate it and behave accordingly? Or do we still have a chance for a fundamental reset?

Yes and no. I think to some extent, the horse is out of the barn. A lot of our lives are now digital. And controlling that digital life is increasingly complicated and difficult. But at the same time, I don’t believe privacy is dead. If privacy were really dead, governments and law enforcement wouldn’t be trying to kill it all the time. I would have much less work to do if privacy were already lying on the floor twitching. There is a lot we can do to take back our privacy. And it’s incredibly important that we do so, and that we don’t give up. 

When I do my security training for vulnerable populations, when I talk to journalists, and when I talk to activists, one of the most disturbing bits of pushback I get sometimes is, “why should I keep anything private, because the government can already see everything all the time anyway?” And that’s simply not true. If the government could already see everything you do all the time, they would not be pushing policies that allow them to see more. They would not be pushing for laws that give them more power. And the impression that they can already see everything and know everything means that they don’t actually have to do it, because that is what causes you to self censor. And as far as I’m concerned, that is the worst possible outcome for making change happen in the world.

So as professionals and citizens, what can we do? What is safe? What should we not do? And then also, what is our responsibility and duty? What can we do to basically prevent further spying

There are a couple of things we can do in a lot of ways. Telling people how to maintain their privacy and security online is very similar to basic hygiene. And so while there are super-specific cases where there are very particular things you need to do, there are a few things which are good for everybody to do, and will prevent 90 percent of all compromises. That includes securing your accounts. The way you secure your accounts is to make sure you’re using a password manager, and that your password manager is creating a strong and secure password that is different for every one of your accounts. Turning on two-factor authentication so that even if somebody manages to steal your password, they still need that second method of authentication to break into your account, is also very important. Not all two-factor authentication is created equal. For example, SMS two-factor authentication (when the second factor is sent to you in an SMS message) is less secure than when the second factor is sent to you in an app like Google Authenticator or Authy. But having some level of two-factor authentication turned on is definitely better than having nothing.

The other thing I recommend to people is to take your security updates. You will not benefit from the tireless efforts of people working to secure software and platforms if you do not take your updates. And the majority of compromises that happen as a result of security vulnerabilities happen not as a result of unknown vulnerabilities, but from vulnerabilities that are known and have been patched, and that happen between the time they become known and the time you actually patch the vulnerability yourself on your device.

This is a shortened version of the interview that was conducted by Tim Leberecht at the House of Beautiful Business – a global think tank and community with an annual gathering in Lisbon that brings together leaders and changemakers with the mission to humanize business in an age of machines. You can read the full interview here.