NSO used data of real people to pitch contact-tracing tech: Report

San Francisco

In a case that may involve potential privacy violations of thousands of people, researchers have found that Israeli spyware maker NSO Group resorted to using phone location data of real people while showcasing its Covid-19 contact-tracing software to governments and journalists, TechCrunch reported.

The NSO Group launched its contact-tracing technology named "Fleming" in March 2020 amid rising Covid-19 cases around the world.

Two months later, a database belonging to the Fleming programme was found unprotected online.

The database contained more than five lakh datapoints for more than 30,000 distinct mobile phones.

The NSO Group quickly secured the database when TechCrunch reported, but the Israeli company denied there was a security breach.

Forensic Architecture, an academic unit at Goldsmiths, University of London, received and analysed a sample of the exposed database, which suggested that the data was based on "real" personal data belonging to unsuspecting civilians, putting their private information at risk.

"The sample of the exposed database we received has over 149,000 data points... We investigated the nature of the data: whether it was based on "real" personal data belonging to many unsuspecting civilians and, if so, whether it was properly obfuscated in a way protecting private identities, or if it was "dummy" data," the researchers said on Wednesday.

"The spatial 'irregularities' in our sample -- a common signature of real mobile location tracks -- further support our assessment that this is real data. Therefore, the dataset is most likely not 'dummy' nor computer generated data, but rather reflects the movement of actual individuals, possibly acquired from telecommunications carriers or a third-party source."

The exposed data included location information from Rwanda, Israel, Saudi Arabia, the United Arab Emirates, and Bahrain, the researchers said.

NSO's Covid-19 contact-tracing software is designed to make it easier for governments to visualise and track the spread of the virus by feeding location data from cell phone companies. It aggressively pitched the system earlier this year.

NSO is better known for 'Pegasus' -- a malware sold to governments to enable the remote infection and surveillance of private smartphones.