interview Digital rights activist Esra’a Al Shafei found FinFisher spyware on her device more than a decade ago. Now she’s made it her mission to surveil the companies providing surveillanceware, their customers, and their funders.

“You cannot resist what you do not know, and the more you know, the better you can protect yourself and resist against the normalization of mass surveillance today,” she told The Register.

To this end, the Mozilla fellow founded Surveillance Watch last year. It’s an interactive map that documents the growing number of surveillance software providers, which regions use the various products, and the investors funding them. Since its launch, the project has grown from mapping connections between 220 spyware and surveillance entities to 695 today.

These include the very well known spy tech like NSO Group’s Pegasus and Cytrox’s Predator, both famously used to monitor politicians, journalists and activists in the US, UK, and around the world.

They also include companies with US and UK government contracts, like Palantir, which recently inked a $10 billion deal with the US Army and pledged a £1.5 billion ($2 billion) investment in the UK after winning a new Ministry of Defense contract. Then there’s Paragon, an Israeli company with a $2 million Immigration and Customs Enforcement (ICE) contract for its Graphite spyware, which lets law enforcement hack smartphones to access content from encrypted messaging apps once the device is compromised.

Even LexisNexis made the list. “People think of LexisNexis and academia,” Al Shafei said. “They don’t immediately draw the connection to their product called Accurint, which collects data from both public and non-public sources and offers them for sale, primarily to government agencies and law enforcement.”

Surveillance is a global trade. It’s not just being used in Iran, China, North Korea

Accurint compiles information from government databases, utility bills, phone records, license plate tracking, and other sources, and it also integrates analytics tools to create detailed location mapping and pattern recognition. 

“And they’re also an ICE contractor, so that’s another company that you wouldn’t typically associate with surveillance, but they are one of the biggest surveillance agencies out there,” Al Shafei said.

It also tracks funders. Paragon’s spyware is boosted by AE Industrial Partners, a Florida-based investment group specializing in “national security” portfolios. Other major backers of surveillance technologies include CIA-affiliated VC firm In-Q-Tel, Andreessen Horowitz (also known as a16z), and mega investment firm BlackRock.

This illustrates another trend: It’s not just authoritarian countries using and investing in these snooping tools. In fact, America now leads the world in surveillance investment, with the Atlantic Council think tank identifying 20 new US investors in the past year.

“Surveillance is a global trade,” Al Shafei said. “It’s not just being used in Iran, China, North Korea. And a lot of the time you don’t even have to be doing or saying anything: a hotel lobby uses smart cameras that detect unusual behavior, and if you pause too long in a hallway, your movements are flagged and logged, and sometimes automatically sent to police.”

“This could be happening in New York. You don’t have to be in Beijing for something like this to happen,” she added. “You exit the building, cameras with facial recognition and gait analysis identify you automatically. Sensors track your phone’s location. If a crime happened nearby, they say, ‘Well, maybe [you] did it.'”

‘It completely changes how you interact online’

Twelve years ago, Al Shafei received what looked like a Firefox browser update notification. In reality, it was a ploy to trick her into downloading FinFisher (aka FinSpy) on her computer – part of a larger campaign targeting her and her team of social justice advocates across Asia and North Africa. In addition to Surveillance Watch, she is also co-founder of feminist-tech-focused Numun Fund, is a founding director of social justice not-for-profit org Majal, and serves on the boards of the Wikimedia Foundation, the Tor Project, and Mastodon.

Developed by Gamma Group, FinFisher has been used by governments and law enforcement agencies around the world to monitor and intercept communications, gather intelligence, and track individuals’ activities. It provides a whole range of snooping capabilities, giving users remote access to victims’ machines, keylogging to capture passwords and account info, audio and video recording, and real-time monitoring of targets’ communications and online activities.

In 2013, Mozilla accused Gamma of violating its Firefox trademark in a cease-and-desist demand.

That experience fundamentally changed Al Shafei’s views on data privacy – and her digital activity, which can be tricky for someone very much in the public eye. 

It creates a troubling pattern of isolation, feelings of guilt, feelings of not being able to express myself, feelings of being targeted and controlled

“My first feeling was guilt,” she said, adding that she wasn’t just worried about her own safety. “I worried about the fact that, by monitoring me, surveilling me, I had exposed everybody now in my network to this, so that guilt carries a lot of weight.”

It also required her to alert everybody in her orbit that she had been surveilled, and that meant that the snoops may have collected personal details about her family, friends, coworkers – everyone in her network, too.

“The second thing is: it completely changes how you interact online. Period. I don’t have social media profiles anymore,” Al Shafei said, with one exception: she has a Mastodon profile because she’s a board member. “But I don’t share anything very sensitive or controversial.”

While Al Shafei knows her biometric data is easily accessible because she travels frequently, she doesn’t post any photos or videos of herself online, and doesn’t use any applications that require biometric identification.

“It changed how I use the web,” Al Shafei continued. “It changed who I interact with on the web. It changed how much I’m willing to do on the web while protecting myself, because I don’t want to put myself at any further risk. It changed how I express my views, how I access information, whether or not I would be comfortable accessing specific types of information if I felt like I could not do so safely.”

And all of this “creates a troubling pattern of isolation, feelings of guilt, feelings of not being able to express myself, feelings of being targeted and controlled.”

‘They know who you are’

The Surveillance Watch homepage announces: “They know who you are. It’s time to uncover who they are.”

It’s creepy and accurate, and portrays all of the feelings that Al Shafei has around her spyware encounters. Her Majal team has “faced persistent targeting by sophisticated spyware technologies, firsthand, for a very long time, and this direct exposure to surveillance threats really led us to launch Surveillance Watch,” she said. “We think it’s very important for people to understand exactly how they’re being surveilled, regardless of the why.”

The reality is, everybody – not just activists and politicians – is subject to surveillance, whether it’s from smart-city technologies, Ring doorbell cameras, or connected cars. Users will always choose simplicity over security, and the same can be said for data privacy. 

“We want to show that when surveillance goes not just unnoticed, but when we start normalizing it in our everyday habits, we look at a new, shiny AI tool, and we say, ‘Yes, of course, take access to all my data,'” Al Shafei said. “There’s a convenience that comes with using all of these apps, tracking all these transactions, and people don’t realize that this data can and does get weaponized against you, and not just against you, but also your loved ones.” ®