At a glance.

  • Thai ministry admits it knew about government use of spyware.
  • San Francisco Police Department’s proposed use of surveillance footage sparks controversy.
  • Google Chrome zero-day bug used in attacks on Middle Eastern journalists.

Thai ministry admits it knew about government use of spyware.

Thailand’s Minister of Digital Economy and Society, Chaiwut Thanakamanusorn, admitted in parliament this week that Thai authorities are using spyware in “limited” cases, despite not having the legal authority to do so, and despite the ministry previously denying any knowledge of such activity. “It is used on national security or drug matters. If you need to arrest a drug dealer you have to listen in to find where the drop would be,” he stated. Reuters reports that Thanakamanusorn was less than forthcoming with specifics, not disclosing which government agency used the spyware, which type was used, or which individuals were targeted. The statement comes on the heels of reports from Thai human rights group iLaw, Southeast Asian internet watchdog Digital Reach and Toronto-based Citizen Lab that the devices of government critics had been hacked using Israeli firm NSO Group’s Pegasus spyware. The investigation was motivated by a November statement from Apple warning thousands of iPhone users, including those in Thailand, that they were being targeted by “state-sponsored attackers.”

San Francisco Police Department’s proposed use of surveillance footage sparks controversy.

Police in the US city of San Francisco have released plans to monitor footage gathered on business and residential surveillance cameras, and civil rights activists say the move would violate their right to privacy. The San Francisco Police Department’s proposal was presented to the San Francisco Board of Supervisors, with amendments proposed that would limit when police can view live feeds and how the data are stored and shared. Chris Hauk, consumer privacy champion at Pixel Privacy, said, “While the ability to monitor live feeds from surveillance cameras is certainly attractive to officials, we must make sure there are limits on how much video the SFPD can obtain, we need to know exactly how long such video evidence can be stored, and how secure the storage of the video will be. The law sounds as if there are little to no limits on how video can be obtained and for what reasons. Also the unrestricted sharing of such video with other agencies can be considered a violation of citizens’ privacy and safety.”

Axios notes that the police are still working on delineating what consent would be required from camera owners, but the idea has already gained support from the city’s mayor and district attorney. Opponents of the proposal say such details need to be fully clarified before proceeding, especially given that such surveillance has been known to unfairly target minorities and protestors. Paul Bischoff, privacy advocate with Comparitech, stated, “New York City (cameras per square mile) and Los Angeles (cameras per capita) both made it into their respective top ten lists if we exclude all Chinese cities. Although the US doesn’t reach the level of CCTV surveillance as China or India, we still have some of the highest figures worldwide. US cities have the money and infrastructure to ramp up camera surveillance with very few laws or regulations on when or how law enforcement can use it. On top of that, many police departments in the US have access to privately owned Ring cameras in their jurisdictions, and Amazon has shared video from users’ cameras with law enforcement without the user’s consent. All of these factors contribute to the growing surveillance state in the US, which threatens freedoms of movement and assembly. This growth is particularly noticeable in our biggest cities, though I expect similar trends to trickle down to smaller cities and towns without intervention.”

What’s more, residents say they were promised that cameras installed by business improvement districts would not be monitored by police. Saira Hussain, staff attorney at the Electronic Frontier Foundation, stated, “It is really important to us there are meaningful safeguards and restricting limitations. We don’t believe that generally private cameras should be in the hands of law enforcement…You should not lose your privacy merely because you venture into public.”

Google Chrome zero-day bug used in attacks on Middle Eastern journalists.

SecurityWeek reports that a Google Chrome zero-day vulnerability patched by Google this month was exploited in attacks linked to Israeli spyware vendor Candiru. Cybersecurity firm Avast informed Google of the bug and the attacks, which targeted journalists in Lebanon as well as victims in Turkey, Yemen and Palestine. Computing notes that Candiru is known for providing surveillance tools to government customers, and the company has a history of exploiting zero-days to deploy Windows malware known as DevilsTongue, which has been compared to NSO Group’s infamous Pegasus spyware. In this case, the threat actors injected malicious JavaScript code into a website used by staff at a news agency, carrying out a watering hole attack that allowed the attackers to create a profile of the victim’s browser. Jan Vojtesek, malware researcher at Avast, explained, “In Lebanon, the attackers seem to have compromised a website used by employees of a news agency…An attack like this could pose a threat for press freedom.” It’s worth noting that this is the fourth actively exploited Chrome vulnerability patched by Google this year, and that zero-day exploits developed by Candiru were reported by Microsoft, Citizen Lab, and Google last year.