New Zealand / Politics

MBIE ends contract with spyware company - but is looking for a replacement

09:50 am on 9 June 2024

Photo: 123rf.com

A government ministry has ended its contract with a foreign commercial spyware company, but is shopping around to replace it.

The Ministry for Business Innovation and Employment hired Israeli-US company Cobwebs Technologies in 2020 to search social media and other sites, on the rationale it needed to deter mass arrivals of asylum seekers.

The first searches using Cobwebs began in 2022. MBIE said they had been carefully targeted and closely controlled.

Its business case had specified the tools must be able to search the encrypted WhatsApp platform, and span audio, video, images and text - collecting information without a person knowing - which could include family details, financial, health, political and religious information.

The ministry initially tried to keep the Cobwebs deal, and why it was set up, secret, when RNZ began enquiries three years ago.

The government last year signed up to a US-led international campaign for stricter domestic and international controls on commercial spyware, amid alarm at its proliferation and misuse. The ministry said its use of commercial spyware "does not conflict" with that.

Photo: RNZ / Dom Thomas

It told RNZ it did not renew the Cobwebs contract in April but would not say why, nor what the contract had cost taxpayers, arguing this would erode its commercial position in negotiations.

Cobwebs, first set up by ex-Israel Defence Force intelligence operatives, is now renamed PenLink Cobweb. It is based in the US and has close links with US law enforcement.

"MBIE can confirm we do not have any agreements in place with Cobwebs' parent, PenLink," the ministry said. "MBIE is currently evaluating its options for open-source tools in this area... MBIE will continue to ensure that the use of these types of tools is responsible, appropriate and proportionate."

Its records released earlier show the tools were "used successfully" half a dozen times "to investigate leads... at a scale", half a dozen times in 2022-23.

Multiple references in documents received under the Official Information Act - released only after a year of RNZ trying - that referred to mass maritime arrivals were blanked out, and only reinstated later.

New Zealand has never had a mass arrival of boat people.

The laws around mass arrival were changed just last month to allow asylum seekers to be detained for longer.

One aim in contracting Cobwebs was to achieve "reduced reliance on overseas partners", ministry papers said. The tools had to be able to search by geographic area.

Commercial spyware has proliferated globally in recent years, spurred by rapid technological advances such as AI. Security and law enforcement entities, public and private, have used social media analytics companies to more effectively collect and analyse masses of personal information on the internet, both open and the dark web.

MBIE said it only looked at open sources.

The proliferation alarmed the US to the extent Congress ordered the director of national intelligence to report back in 2023 on how the country could lead "a common approach with allied countries... including the Five Eyes Partnership, to mitigate the counter-intelligence risks posed by the proliferation of foreign commercial spyware", according to congressional papers.

New Zealand is in Five Eyes.

Around this time, New Zealand signed up to the US-led joint statement to counter proliferation and misuse of commercial spyware.

Alarm had coalesced in 2019 around revelations that spyware called Pegasus, from another Israeli Defense Force-origin company NSO, had been used by repressive regimes to target the phones of journalists and human rights activists via a WhatsApp security vulnerability.

The US blacklisted NSO, though the FBI had itself purchased and tested Pegasus, according to the New York Times.

Facebook deleted Cobwebs' account in 2021, putting it in a group of seven banned firms it labelled "'cyber mercenaries" that it accused of helping spy on dissidents and journalists.

Meta's 'Threat Report on the Surveillance-for-Hire Industry' in 2021 said: "In addition to collecting information about their targets, the accounts used by Cobwebs customers also engaged in social engineering to join closed communities and forums and trick people into revealing personal information."

By then, MBIE had already had a contract with Cobwebs for a year. A second unidentified public agency also was using Cobwebs, papers show; police have refused to say if this was them.

"MBIE's use of the Cobwebs tools was for the sole purpose of preventing or detecting mass arrival activity offshore," the ministry told RNZ.

"As you are aware, MBIE has responsibility for the prevention of human trafficking, in particular the prevention of a mass arrival as part of the government's work on transnational organised crime and the Maritime Security Strategy.

"MBIE considers that its use of the Cobwebs tools for the collation of publicly available information, does not conflict with the 'Guiding Principles on Government Use of Surveillance Technologies' and the 'Joint statement on efforts to counter the proliferation and misuse of commercial spyware'," it said on Thursday.

The guiding principles released by the US last year encourage governments to log the uses of surveillance technologies so there is "meaningful oversight and monitoring of outcomes and to foster procedural fairness".

The ministry's use of Cobwebs had internal monitoring and audit, but lacked dedicated external oversight such as is placed over the actual spy agencies, the SIS and GCSB, papers show.

The ministry told RNZ that the Privacy Commissioner provided external oversight.

"Any use was recorded and logged including to support internal and external oversight of MBIE's use of the tool," it said.

The spy agencies are subject to regular audit by an external Inspector-General.

The commercial spyware sits within the ministry's MBIE Intelligence (MI) unit, that expanded dramatically to over 100 people in 2022, from being confined within Immigration only, to cover all the ministry's 17 regulatory spheres.

A memo on setting up the MI unit said it would have a "new dedicated National Security Intelligence Team" within it, to respond to increased demand for intelligence coordination both from within the ministry and from "the NZIC" - the New Zealand Intelligence Community that includes the GCSB and SIS.

The Cobwebs contract ended not long after an internal ministry report said it had only just been implemented "and is still under development".

Now that a new procurement process was ongoing, "we are unable to provide further comment on possible decisions around suppliers", the ministry told RNZ.

The Federation of Islamic Associations said it was concerning that the ministry's use of Cobwebs for national security purposes did not come to light during the royal commission into the 2019 mosque attacks, even though this surveyed the entire national security framework.

The ministry said it was transparent about its information gathering, and that its updated information gathering policy allowed it to engage external security consultants under tight controls.

The policy dictated that it must not request them to do anything that "would be unlawful, unreasonable, or unethical for MBIE itself to conduct updated information gathering policy".

At the first reading of the bill to amend the mass arrivals law, in March 2023, National MP Gerry Brownlee spoke in support of it, saying: "While we think that there is a whole lot of things about the Immigration Department at the moment - or the department inside the Ministry of Business, Innovation and Employment that handles immigration - that could be described as a bit of a shambles, it is important that the integrity of the immigration system is maintained.

"And so some look at this sort of provision is important."