Maybe we can all 'live without' private messaging? Pay attention. Denmark is set to take over the rotating EU Council presidency. And is sending signals that they want to go after encryption. Backdoors end badly. Demanding backdoors isn't just the surest way to chase away innovation...it's collective punishment for security services' own failures to adapt. And the history of democracies is littered with states abusing secret surveillance powers to undermine core values. Article:
Constant algorithmic improvements have empirically reverse engineered the human psyche. I suspect that explicit research neuroscience hasn't caught up to the insights about how to induce behavioral dependence that are embodied in these systems. The user experience of most platforms now mirrors maladaptive behavior-maintaining effects you could *only* achieve with most addictive drugs up to about a decade ago. We need to avoid the moral panic, but it's impossible to overstate how novel this is for our brains. One thing we know from behavioral addiction research (my old field) is that the brain is plastic. When you induce one category of addiction, it changes the motivational substrate of the brain in sticky ways. And cross-sensitizes / potentiates other forms of addiction and behavioral dependence. This will only accelerate & become less scrutable with improvements in AI. We are in the earliest, earliest days of trying to understand what this means for the next decades of human life. Painting: The Opium Den, Edward Burra, 1933
NEW: 🇪🇺EU issuing burner phones to staff traveling to 🇺🇸US. Anecdotal: matches what I'm seeing, which is orgs retooling what was once the high security "China travel policy" into a US travel policy. Burner phones, dedicated travel devices & border wipes are the new normal. Story:
Anyone come across good analyses of new US #tariffs? Longer term projections a bonus. #AskNostr
I've spent my adult life thinking about defending digital privacy. Yet until a few years ago, financial freedom & privacy was barely on my radar. This would have probably continued but for a handful of good humans that took the time to talk me through things. Thanks to thinking they kicked off for me, I now think that individual access to aspects of financial freedom & privacy are necessary to a healthy society. Why did it take so long? Well, there was a failure of adversarial imagination on my part. And partly because if you aren't actively asking hard questions, this state of affairs will be hidden from you. The financial system & how it is taught is set up to hide structural privacy violations & disempowerment. I'm pretty sure my ignorance was closer to the norm than the exception. But when you completely restrict financial privacy & freedom, you disempower people...constantly. And it will keep eroding & blocking the exercise of other core rights. Until this changes & awareness grows, we're stuck paying the price for it in a thousand ways. Shoutout to @gladstein for getting & keeping the intellectual ball rolling for me. And to all the good humans that have helped me along the way since. Thank you. You know who you are. Painting: Egon Schiele, Four Trees, 1917.
Most folks don't love security theater & everyone has had a bad time at a screening checkpoint. So, let's think for a second about hypothetical private-#TSA companies. I'd expect them to gravitate towards AI-assigned individual risk ratings to minimize the cost of hiring & training people to interact with travelers. To create ratings, I'd expect them to demand & consolidate invasive pools of our biometrics, web browsing, commenting, purchasing, movements & private lives. Just don't call it a "social credit score". You can bet they'll pivot to trying to monetize their data. 2026: We're a terminal security company. 2029: We're a person rating company. Would these ratings make their way into other parts of our lives & things we want to visit? And who exactly would stand up for us when the ratings are wrong? Or our data is shipped to foreign buyers? Who holds #PrivateTSA companies accountable? The US doesn't have strong #privacy protections... I'm also not optimistic about private sector security companies' ability to stop breaches. History backs me up here. But I do expect that private-TSA companies could use lobbying to limit oversight & accountability. That's been the history of other privacy-invasive tech companies. So, as an airline security privatization conversation kicks off, remember that it can't just be "current thing is bad" but needs to consider what kind of future we're inviting in.
So, more journalists were just targeted with #Pegasus spyware. This time journalists in #Serbia that were investigating corruption. “In Serbia, you can hire a hitman for a half of the money...what else would they be prepared to pay for?!” - a spyware-targeted reporter. Indeed. Notice that the targeting is happening over a messenger program with a link, not a zero-click? The why is unclear. Maybe Pegasus didn't have a working exploit against those phones. Or maybe the customer didn't get the platinum zero click package and so had to do some social engineering. Interesting. BACKGROUND: This is the THIRD report of Pegasus abuses in Serbia in 2 years. And nearly a decade after the first Pegasus abuses got reported, NSO Group is still fueling attacks against freedom of speech. We're here because spyware companies still don't feel meaningful consequences. And DC is home to a seemingly-infinite number of lobbyists that are willing to help them try to get off sanctions lists... READ THE REPORT by Amnesty Tech & BIRN.
Datapoint: this administration uses Signal. Like every other administration. Because encrypted messaging is critical infrastructure. Remember this the next time a government demands an encryption backdoor. How did a reporter get added? Well, the use of encrypted chat is ubiquitous but not explicitly accepted, supported or discussed in most institutions. Which means users are left to fend for themselves in how they use & understand these tools. And are usually about 1 mistake away from self-doxxing group contents. This also left me wondering: is anyone screening these devices for mercenary spyware like Pegasus? Experience tells me the answer is: maybe not. Article:
🚨NEW REPORT: first forensic confirmation of #Paragon mercenary spyware infections in #Italy... Known targets: Activists & journalists. We also found deployments around the world. Including ...Canada? So #Paragon makes zero-click spyware marketed as better than NSO's Pegasus... Harder to find... ...And more ethical too! This caught our attention at #Citizenlab. And we were skeptical. So.. it was time to start digging. We got a tip about a single bit of #Paragon infrastructure & my brilliant colleague Bill Marczak developed a technique to fingerprint some of the mercenary spyware infrastructure (both victim-facing & customer side) globally. So much for invisibility. What we found startled us. We found a bunch of apparent deployments of Paragon's mercenary spyware in places like #Australia, #Denmark, #Israel, #Cyprus, #Singapore and... #Canada. Fun. We also found interesting stuff at a datacenter in #Germany. Caveats: the methodology we use only surfaces a subset of customers at a particular time. So ...about #Canada. My colleagues on the legal side began digging. The more they pulled, the more questions surfaced about whether the Ontario Provincial Police is rolling mercenary spyware. While investigating, we found signs #WhatsApp was being used as a vector for infections. We shared our analysis with Meta which had an ongoing investigation into Paragon. They shared findings with WhatsApp which discovered & mitigated a zero-click attack. They went public, and notified ~90 users that they believed were targeted. WhatsApp's notifications to targets turbocharged what we all knew about #Paragon. Cases began coming out: an investigative journalist in #Italy and sea rescue activists were among the first. Francesco Cancellato, Editor in Chief of Fanpage.it, & Luca Casarini and Dr. Giuseppe “Beppe” Caccia of Mediterranea Saving Humans. They consented to us doing a forensic analysis...
Sure enough, we found traces of infection on several Androids. We call the indicator #BIGPRETZEL & #WhatsApp confirms that they believe BIGPRETZEL is associated with #Paragon's spyware. In the weeds a bit: Android log forensics are tricky. Logs get overwritten fast, are captured sporadically & may not go back very far. So, not finding BIGPRETZEL on a targeted phone wouldn't be enough to say it wasn't infected. In such a case, the only safe course of action for a notified Paragon target would be to presume they had been infected. Our analysis is ongoing... but there's more! There's more! We'd been analyzing the iPhone of human rights activist David Yambio, who is focused on abuses against migrants in Libya (they are often victims of torture, trafficking, and killings) and who works closely with the other targets. Last year he got notified by Apple that he was targeted with sophisticated spyware. We've forensically confirmed the infection & shared details with Apple. Apple confirms they fixed the vectors used to target him as of iOS 18. We're not doing a full technical attribution of this novel spyware to a particular company yet. But it's not like anything we've seen. Troublingly, the timeline of David's spyware targeting lines up with when he was providing information to the International Criminal Court about torture by human traffickers in #Libya. But there's even more spying afoot against this cluster of activists! Luca also got a notification last February about targeting with a different kind of surveillance tech. He wasn't alone. Father Mattia Ferrari, chaplain of Luca's lifesaving organization, also got a notification. #Italy's response to the unfolding #Paragon scandal has been exceptionally chaotic. So we included a little timeline. Denials, then admissions, then refusals to say more citing secrecy. Honestly, deja vu of how Pegasus-abusing governments have handled PR...
TAKEAWAYS: TAKEAWAY 1: you can't abuse-proof mercenary spyware. Selling just to democracies won't prevent abuses. Most democracies have plenty of historic examples of surveillance abuses. Why should spyware be different? TAKEAWAY 2: #Paragon's technical tradeoffs to be less detectable didn't prevent them getting discovered. Just made it harder. TAKEAWAY 3: I think we're only looking at the tip of the #Paragon hackberg. For example, the ~90 notification number from #WhatsApp only represents 1 infection vector that got caught & notified. There may be non-notified spyware victims walking around right now who were infected via a different mechanism. In #Italy, too, we also need to better understand the other surveillance technologies pointed at this cluster of people. Finally, we gave #Paragon room to respond to a summary of our key findings. Their US Executive Chairman, a 30+ year #CIA veteran, responded in a way that sounded very familiar to how NSO Group did PR. 1. Say there are inaccuracies... 2. ...but refuse to specify them. 3. Cite customer confidentiality as a reason to not say more. We welcome any clarifications they have now that they've read our full report. FINAL NOTES: our #citizenlab investigations are usually big, collaborative team productions. Smart co-authors, awesome collaborators. The key to nearly all our research into spyware is targets' brave choice to speak out. And work with us to forensically analyze their devices... We are very grateful to them. This is how we collectively get a better understanding of mercenary spyware abuses. And journey towards accountability. Thanks for reading! Drop questions in the replies! READ THE FULL REPORT
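The Android log caveat in the thread above (logs overwritten fast, captured sporadically, not reaching far back, so a missed indicator does not clear a phone) is worth making concrete. The script below is an added example, not Citizen Lab's tooling and not from the thread: it takes a suspected targeting window, a set of timestamped log lines and an indicator string, and reports not just whether the indicator was seen but whether the surviving logs actually cover the window, so that a negative search is labelled inconclusive when retention does not reach the period in question. Everything in it is constructed for illustration: the `"<ISO timestamp> <text>"` line format, the sample log lines, the six-hour `max_gap` heuristic for treating a silence as a capture gap, and `INDICATOR`, which is a placeholder token rather than any real BIGPRETZEL signature.

```python
"""
Added example (not Citizen Lab's code): is a negative indicator search on
Android logs meaningful, or did the logs simply not cover the suspected
targeting window?

Constructed assumptions:
  * each log line is "<ISO-8601 timestamp> <free text>"
  * the window comes from something like a vendor notification date range
  * INDICATOR is a placeholder token, not a real spyware indicator
  * a silence longer than max_gap between entries is treated as a capture/
    retention gap rather than a quiet device
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

INDICATOR = "CONSTRUCTED_INDICATOR_TOKEN"  # placeholder, not a real IoC


@dataclass
class Verdict:
    # "indicator_found" | "no_hit_window_covered" | "no_hit_window_not_covered"
    status: str
    first_log: Optional[datetime]
    last_log: Optional[datetime]
    uncovered: List[Tuple[datetime, datetime]]  # window slices with no log coverage
    hits: List[str]


def parse_line(line: str) -> Tuple[datetime, str]:
    """Split a constructed '<timestamp> <text>' line into (datetime, text)."""
    ts, _, text = line.partition(" ")
    return datetime.fromisoformat(ts), text


def coverage_gaps(times: List[datetime], start: datetime, end: datetime,
                  max_gap: timedelta) -> List[Tuple[datetime, datetime]]:
    """Return the parts of [start, end] that no surviving log entry covers.

    Time before the first entry and after the last entry is uncovered; so is
    any stretch between consecutive entries longer than max_gap."""
    if not times:
        return [(start, end)]
    gaps = []
    if times[0] > start:
        gaps.append((start, min(times[0], end)))
    for a, b in zip(times, times[1:]):
        if b - a > max_gap:
            lo, hi = max(a, start), min(b, end)
            if lo < hi:
                gaps.append((lo, hi))
    if times[-1] < end:
        gaps.append((max(times[-1], start), end))
    return gaps


def assess(lines: List[str], window_start: datetime, window_end: datetime,
           indicator: str = INDICATOR,
           max_gap: timedelta = timedelta(hours=6)) -> Verdict:
    """Search for the indicator and qualify a negative result by log coverage."""
    parsed = sorted(parse_line(l) for l in lines)
    times = [t for t, _ in parsed]
    hits = [text for _, text in parsed if indicator in text]
    if hits:
        return Verdict("indicator_found", times[0], times[-1], [], hits)
    gaps = coverage_gaps(times, window_start, window_end, max_gap)
    status = "no_hit_window_covered" if not gaps else "no_hit_window_not_covered"
    return Verdict(status, times[0] if times else None,
                   times[-1] if times else None, gaps, [])


# Constructed sample: a 10-day suspected window, but the phone's logs only
# survive from the last two days of it, with a long silence in between.
WINDOW = (datetime(2025, 1, 10), datetime(2025, 1, 20))
SAMPLE_LOGS = [
    "2025-01-18T09:00:00 system_server: boot completed",
    "2025-01-18T09:05:12 com.example.messenger: sync ok",
    "2025-01-19T14:30:00 kernel: wakeup",
]


def dense_logs() -> List[str]:
    """Constructed hourly noise spanning the whole window (full coverage)."""
    start, end = WINDOW
    hours = int((end - start) / timedelta(hours=1))
    return [f"{(start + timedelta(hours=h)).isoformat()} noise" for h in range(hours + 1)]


if __name__ == "__main__":
    for name, logs in (("sparse", SAMPLE_LOGS), ("dense", dense_logs())):
        v = assess(logs, *WINDOW)
        print(name, v.status, "uncovered slices:", len(v.uncovered))
```

The point of the three-way verdict is the middle case: on the sparse sample the search finds nothing, but the logs begin eight days into the window and contain a day-long silence, so the result is reported as not covered rather than as clean. That is the situation the thread describes, where the defensible conclusion for a notified target is to presume compromise rather than to read an empty search as reassurance.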
Hey Hey! Update your iPhone today! Apple just blocked an attack discovered by my Citizen Lab teammate Bill Marczak. Allowed a bypass of Apple's USB Restricted Mode on locked devices. Actively used by a sophisticated attacker. Stay safe out there. And avoid leaving your phones unattended.