The controversial Israeli technology company NSO Group is attempting to woo Western governments with software it says can analyse the spread of COVID-19 using mobile phone data.
NSO Group is currently being sued by Facebook for allegedly hacking WhatsApp, an accusation which the company denies.
It also denies developing spyware tools which critics say it sells to governments who use them to undermine human rights.
Although Sky News does not know if the company is in talks with the British government regarding its new technology, it does appear to have reached out to a number of western countries to pitch them its coronavirus-tracking software.
Despite normally being highly secretive – often failing to respond to requests for comment when asked about its software being used to target human rights activists – NSO Group has offered several media organisations, including Sky News, demonstrations of its new technology as part of a marketing push aimed at western governments.
Until now there has been no public information about how that technology works and what privacy protections it contains, despite a heated debate in Israel about the software’s effectiveness following proposals by the country’s defence minister to allow NSO Group to analyse mobile phone data of the population.
According to the demonstration shown to Sky News, the platform will be hosted on government customers’ own systems, meaning the company would not have access to any data being uploaded to it – which is provided by the governments themselves.
Governance of the data and the decision on how granular that data would be would remain in the hands of the customers.
Individuals are featured on the platform using a random identifier. Their location movements are timestamped, offering the authorities the ability to trace where infected people have been following a diagnosis and potentially to check who may have been infected by them.
Reaching such people early is critical. A study published in March suggested that people who have contracted the coronavirus are at their most contagious in these early days after becoming infected.
Re-identification of individuals who are pseudonymised on the platform would be possible if the government retained a separate correlation table; however, this re-identification would need to occur outside of the platform, according to the demonstration.
For instance, matching the random identifiers to phone numbers would be possible, and potentially desirable if individual-level messaging in response to potential exposure was something the government wanted to do, but turning the random IDs into real people would happen off of the platform.
Tweeting about the project, Israel’s defence minister Naftali Bennett described it as a “national AI monitoring system”, including an image which matched the platform demonstration shown to Sky News.
“Every citizen at any moment will have a score from 1 – 10 measuring the likelihood they could transmit the coronavirus,” Mr Bennett explained.
“A score of 3 says they probably aren’t contagious; a score of 9.5 means they are probably contagious, and then we will ask you to be tested with a PCR throat swab.”
It is not clear how granular the location data being used in Israel would be were it deployed – this would be a decision for the authorities using the platform.
However, the demonstration suggested that if the government used GPS data from smartphone devices then it could identify individuals who had met with each other, potentially transmitting the virus.
For other people whose location could only be estimated through cell-tower triangulation, there was a risk of introducing false positives if individual-level messaging was attempted.
But regardless of the level of granularity, the demonstration focused on the platform's capability to show aggregate analysis of population-volume movements.
This geoanalysis feature showed heat-maps which included two categories – the movements of known COVID-19 patients and those of people who had been potentially exposed to the virus after coming into contact with them.
NSO Group hopes that by using this tool on a nation-scale view, its software could reveal regions where there were a lower number of people who had potentially been exposed to the virus.
This could be used to inform predictions and allocate resources.
For instance, the demonstration showed relatively low numbers in the southern Israeli city of Beersheba, suggesting the large hospital there would be able to free up ventilators for Tel Aviv where a large number of cases were putting medical systems under strain.
Despite the claims by Mr Bennett that “every citizen” would be given a score, the NSO system is only capable of analysing data for those with mobile phones, approximately only 70% of Israel’s population.
Communities where these devices aren’t present, notably including Ultra Orthodox communities where transmission rates are significantly higher than the rest of the population, would require additional government efforts to monitor and treat patients.
Reports in Israel linking the company to government efforts to tackle the outbreak have provoked concerns from citizens complaining about what are seen as counter-terrorism powers being used for a medical emergency.
Politicians in the Knesset, Israel’s parliament, have opposed Mr Bennett’s suggestions that NSO Group be given direct access to citizens’ data – although the company’s demonstration shows this is not how the platform would work.
NSO Group has been criticised domestically for its links to regimes considered to be involved in human rights abuses, with some expressing discomfort that the company’s products were associated with the government’s efforts to address the coronavirus outbreak.
Friends of the murdered journalist Jamal Khashoggi have claimed that his phone was hacked by the Saudi Arabian government using an NSO Group product called Pegasus, a tool whose use to target human rights activists, journalists and dissidents around the world has been tracked by Toronto-based Citizen Lab.
The company has also faced accusations of developing a hack for messaging app WhatsApp which was used to target dozens of its users, including human rights organisations and a UK-based lawyer, and is currently fighting a legal case brought by Facebook on this topic.
The company has denied responsibility for targeting the UK-based lawyer: “Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies.
“NSO would not, or could not, use its technology in its own right to target any person or organisation, including this individual.”