BOSTON (AP) — The internet watchdog Citizen Lab has been remarkably effective in calling to account governments and private sector firms that use information technology to put people in peril.
Its digital sleuths at the University of Toronto's Munk School of Global Affairs are best known for exposing abusive targeted espionage, particularly through the use of hyper-intrusive spyware from Israel’s NSO Group . Its Pegasus tool has been used to hack and surveil dozens of journalists, human rights activists and dissidents globally. In November, the U.S. government blacklisted NSO Group and Apple sued it and notified Pegasus victims.
Citizen Lab’s work elsewhere is less known. It exposes digital espionage campaigns and insecure software, most recently an app the Chinese government created for athletes, journalists and other foreigners attending the Winter Olympics.
The Associated Press recently spoke with Citizen Lab's director, 57-year-old political scientist and prize-winning author Ron Deibert . The interview has been edited for length and clarity.
Q: You founded Citizen Lab in 2001. How did that happen?
A: I was doing work on how intelligence agencies use satellite reconnaissance technology for arms control verification. It exposed me to a world that I didn’t even know existed. I saw the mixture of tools being used to gather electronic evidence and wondered why something like that could not be done in the public interest, on behalf of journalists, NGOs, and human rights activists. And what better place to do such evidence-based research – alongside people with technical skills I didn’t have -- than at a university? This was all in the back of my mind when the Ford Foundation reached out to see if I was interested in a project on information tech and international security. So I pitched the lab as “counterintelligence for global civil society.” It was hubris at the time. I had no case to make such a claim. But here we are many years later, fulfilling that role.
Q: What do you consider Citizen Lab’s greatest contributions? And is it growing?
A: I think the greatest thing we’ve done is develop a reputation for research that is highly credible, methodical and unbiased. We go where the evidence leads us and are beholden to no one. I have been able to surround myself with very talented, highly ethical people most of whom could be earning 5-6 times more in the private sector. We have about 25 full-time researchers and a half dozen or so fellows or affiliates. We can’t really grow much larger. We are a professor’s lab and I need to do due diligence properly. So we have to stay this size.
Q: We seem to be at a perilous digital juncture. The experts say disinformation and cybercrime are rampant and online safety is eroding. The public is losing trust in digital systems. We seem to need a Citizen Lab in every country. What are your current challenges?
A: It seems to me, and a lot of people agree, the world is heading into a pretty dark period, kind of a worldwide descent into authoritarianism coupled with all the maladies around social media, Big Tech and artificial intelligence. The challenges grow and amplify, so we have no end of work. Ever since Apple made those notifications, it’s like we’re on a world tour of despotism (confirming Pegasus infections on victims’ phones ). We are currently searching at the University of Toronto for a professor in information security and could potentially hire someone to offload some work and maybe eventually replace me as lab director. The bigger mission: We want to build more Citizen Labs – they don’t have to be named that! I’d like to see 5-6 in the U.S. and Europe. It’s frustrating that more universities don’t jump into digital accountability research. I think it’s just a matter of time.
Q: You have called ending the global spyware scourge a tall order. You can’t see governments agreeing to ban it. So what can we collectively do to discourage unethical cyber mercenaries?
A: I see three pillars of what can by done : First, investigative journalism is vital to expose abuses and more awareness-raising to be done in civil society. A lot more can also be done in the private sector. We need tech platforms to better protect their users from this threat. Apple and WhatsApp (a Facebook subsidiary that sued NSO Group in 2019) have sent strong signals that they are not going to put up with it as they have in the past. We need governments to act, too, as the Commerce Department did in blacklisting NSO. If we can get them to build export controls around the sector and pass laws so individuals can sue these companies -- and maybe even foreign governments who hire them — a lot could be done to mitigate some of the harms we’re seeing.