In the cat-and-mouse game that we are all apparently playing when it comes to keeping our information safe online, Israeli security company NSO is reportedly advertising to governments that its Pegasus software is able to crack encrypted cloud storage, including iCloud, OneDrive, and Google Drive.
In a statement to AppleInsider, the company said “We do not provide or market any type of hacking or mass-collection capabilities to any cloud applications, services or infrastructure.”
It hasn’t, however, denied that it has such technology, and the Financial Times report indicated that the company’s Pegasus software has been found on devices in the wild. I reached out to the company but did not immediately receive a response.
First, a little good news. In order for the technology to work, the company would have to have root access to your device. That means in order to install software that gives it control over your iPhone or Android device it needs access to the core subsystems on the device, as opposed to simply downloading a normal app.
Since NSO maintains that it only provides software to government agencies, that means it’s highly unlikely that your device is at risk unless it falls into the hands of law enforcement or an intelligence agency.
If that’s the case, there’s a good chance that your iCloud account is not your biggest immediate concern.
The government wants to keep an eye on your data.
But, there’s bad news, and it’s actually a pretty big deal. NSO says that it only markets its technology to governments, which is, I guess, some consolation that at least it’s not likely to end up in the hands of criminal hackers. But is that really any less disconcerting?
Because, really, what it means is that your government is constantly looking for ways to invade your privacy if it deems it necessary. The only reason a product like this would exist is that governments aren’t fans of encryption, because it means they can’t access the contents of your mobile device or cloud storage.
Well, you might say, surely the government only wants to get the information from bad guys, right? Except that doesn’t matter. Encryption that can be freely broken when it’s used by bad guys isn’t actually encryption. It’s an illusion.
And the illusion isn’t actually protecting us from anything.
The illusion of privacy.
Ironically, most of us walk around with the illusion of privacy, or protection, every day. The fact that most of us haven’t had our information breached is really just a matter of random luck. It’s basically because no one has actually tried.
It would be like painting the outside of a deadbolt lock on your door, and then reassuring yourself that you’re safe. You’re not, but you feel like you are because no one has ever broken into your home.
But they could, if they just tried even a little.
That’s basically the state of affairs when it comes to your personal information when end-to-end encryption has a back door, or can be broken by a government using a master key or brute force software.
Those are hardware or software tools that either enter a global “unlock” password that works on every device, or tools that enter password options in sequence until one works.
Device makers like Apple, Samsung, and Google are constantly working to counter advances in breaking the encryption used to secure your smartphone or cloud storage account, but it’s more and more clear that the government is working just as hard to retain the ability to stick its nose into your stuff.
Google responded with a statement from a spokesperson:
“We’ve found no evidence of access to Google accounts or systems, and we’re continuing our investigation. We automatically protect users from security threats and we encourage them to use tools like our Security Checkup, 2-step verification, and our Advanced Protection Program, if they believe they may be at especially high risk of attack.”
I also reached out to Apple, Microsoft, and Dropbox regarding whether or not they believe their systems are at risk of being compromised, but did not receive a response before publication.
It’s up to you to protect your data.
Look, your data is in high demand. Companies like Google and Facebook make enormous amounts of profit by targeting you with ads that they determine are relevant based on the information they collect. Bad actors want very much to access sensitive information like banking and credit card credentials, or even medical records.
Those would be bad enough, but honestly, at least in those cases there are protections that can counter their attempts. At least public opinion and the free market can intervene when companies go too far, and the law offers some level of redress when the bad guys attack.
What’s far scarier is the idea that the government is very much just as interested in making sure it can get your information if it wants.
Update: Google responded with a statement.
The opinions expressed here by Inc.com columnists are their own, not those of Inc.com.
This article is from Inc.com