Ciaran Martin
CEO, National Cyber Security Centre
Sent by email on 8 November 2019
Dear Ciaran
We are writing to underline our concerns and request urgent clarifications regarding the targeting of individuals in the UK by commercially available “spyware” sold to government authorities.
The Financial Times reports that Mr Rukundo, a British citizen who lives in Leeds and is a member of a Rwandan opposition group in exile, was targeted by malware developed by Israeli-based surveillance company NSO Group. The report states that Mr Rukundo was called by unknown numbers on WhatsApp, which may have resulted in the installation of malware on his device even if the call was unanswered. NSO Group markets malware to government agencies for the surveillance of devices, which is capable of extracting data, keylogging, and controlling device functions. Previous reports have shown that similar “spyware” may have been used to target Ethiopian political refugees and exiled Bahraini activists in the UK.
Investigating the surveillance method, WhatsApp has reported that at least 1,400 people around the world were targeted through such calls on the platform, including at least 100 members of civil society.
As you will understand, the incident and the ongoing use of commercially available surveillance tools targeted at civil society is of urgent concern. We are writing to ask therefore that you confirm:
- If the NCSC is aware of these reports regarding the use of a vulnerability in WhatsApp against UK persons, and if any UK authority is investigating whether an offence has been committed?
- What steps the NCSC has taken to address the threat posed to UK persons by commercially available surveillance technology?
- Whether the NCSC will itself investigate or advise another UK authority to investigate whether NSO Group is providing advice from within the UK as to how to interfere with equipment, given that a UK number is listed within an NSO contract stating that “the Company’s support engineers are available by telephone to receive support requests”?
- If NSO Group can extract targets’ 3G keys from the UK, given that their contract states that “The system will not extract targets’ 3G keys from and in specific countries such as the USA and Israel”?
- If so, will you demand that NSO Group do not extract targets’ 3G keys from the UK?
We look forward to a prompt response.
Yours sincerely
Article 19
Open Rights Group
Privacy International