The image shows a laptop with a screen displaying a sign saying "Ministry of Business, Innovation & Employment." Surrounding the laptop are multiple surveillance cameras pointed towards it.
Image: The Spinoff

InternetJune 19, 2024

Unpacking MBIE’s bad romance with a US-Israeli surveillance-for-hire firm

The image shows a laptop with a screen displaying a sign saying "Ministry of Business, Innovation & Employment." Surrounding the laptop are multiple surveillance cameras pointed towards it.
Image: The Spinoff

The Ministry of Business, Innovation and Employment has called it quits with shady spyware peddlers Cobwebs Technologies, but is now in the market for another data-harvesting cyber mercenary match. Violet Blue explains.

Last week’s announcement that Aotearoa’s Ministry for Business, Innovation and Employment ended its contract with Israeli-US surveillance-for-hire “cyber mercenaries” Cobwebs Technologies likely came as a surprise to many. That’s probably because MBIE worked pretty hard to keep it quiet.

Before you pour one out for MBIE’s spyware besties, rest assured the ministry is planning to replace Cobwebs citizen-tracking data collection tools with another flavour of spyware peddlers. 

Just maybe not the same one in a different hat. “As the procurement process is ongoing, we are unable to provide further comment on possible decisions around future suppliers, including the option not to renew the contract with Cobwebs,” Jacqui Ellis, MBIE’s general manager of data, insights and intelligence, told The Spinoff via email. “As part of evaluating the options, MBIE will continue to ensure that the use of these types of tools is responsible, appropriate, and proportionate.”

That’s going to make for some tricky shopping in the surveillance-for-hire space. Even Hacking Team sold “lawful interception” tools to governments and law enforcement until their active role in global human rights abuses came to light. 

Let’s rewind for a minute. In 2020 MBIE contracted Cobwebs Technologies (now PenLink Cobwebs) to use its surveillance product suite. No one, including the Office of the Privacy Commissioner, knew until MBIE was forced to admit it. The Office of the Privacy Commissioner confirmed this to The Spinoff via email, saying it “became aware of MBIE’s use of Cobwebs Technologies in October 2022, following media coverage”.

Per RNZ, “The first searches using Cobwebs began in 2022. MBIE said they had been carefully targeted and closely controlled.” Phew, sounds less bad when you put it like that. But to speak infosec for a minute, it’s weird for someone to take two years from buying an off-the-shelf capability to actually running their first intelligence search.

According to product descriptions and demos, the Cobwebs family of products harvest personal and online data, geolocate targets using mobile ad tokens and other tools, scrape the dark web, image and face processing modules, profile creation including friend and family connections, and carry out AI-driven “predictive monitoring” and predictive policing. 

One of the company’s add-ons, Lynx, provides a network of proxies so clients, like government analysts or the LAPD, can hide their identities. That’s handy, because predictive policing tools are notoriously inaccurate, consistently racist, and astonishingly incompetent at monitoring threats.

Cobwebs maintains that it only creates and stores creepy detailed profiles about us by collecting publicly available information, like your old LiveJournal posts rating X-Files actors by hotness, or Mum’s embarrassing Facebook baby photo collection of you. 

Image: Tina Tiller

Yeah, about that.

One year into MBIE’s contract with Cobwebs, a funny thing happened to Cobwebs’ access to Facebook, Instagram and WhatsApp. Meta banned them in December 2022. That’s saying a lot coming from a company who spent years turning the word “Facebook” into an antonym for “privacy”, and the ban wasn’t even a matter of professional jealousy. 

“​​We removed about 200 accounts which were operated by Cobwebs and its customers worldwide,” Meta’s Threat Report on the Surveillance-for-Hire Industry explained. “This firm was founded in Israel with offices in the United States and sells access to its platform that enables reconnaissance across the internet, including Facebook, Instagram, WhatsApp, Twitter, Flickr, public websites and ‘dark web’ sites… the accounts used by Cobwebs customers also engaged in social engineering to join closed communities and forums and trick people into revealing personal information.”

One of the Cobwebs clients Meta named in these violations was New Zealand, along with Saudi Arabia, Hong Kong and other countries. “In addition to targeting related to law enforcement activities, we also observed frequent targeting of activists, opposition politicians and government officials in Hong Kong and Mexico.”

Well, that’s awkward. Especially considering that per RNZ, MBIE’s “business case had specified the tools must be able to search the encrypted WhatsApp platform, and span audio, video, images and text – collecting information without a person knowing – which could include family details, financial, health, political and religious information.” Further, documents RNZ obtained showed that MBIE’s intelligence spy unit MI “had sought and got the ability through Cobwebs to reach into people’s private Whatsapp channels, as well as search the likes of Facebook and Twitter”. 

Responding to Meta’s threat report, Cobwebs CEO Udi Levy, one of three ex-Israel Defence Force intelligence operatives who founded the company, told Israeli business daily Globes, “This report was false.” 

But that was then, and this is now-ish. An investigation by Vice found that Cobwebs’ core system, Tangles, was marketed as late as 2023 as being designed to circumvent changes social media sites make to their API rules. If you’re unfamiliar, APIs handle a wealth of sensitive user data and rule changes often come after breaches, or similar inappropriate access (like Cambridge Analytica). Currently, Cobwebs’ Web Intelligence Webinar explains that one of its main challenges and goals is to “get past privacy restrictions as much as possible”.

Conceptual image with a bunch of floating eyeballs in different sizes overlooking a red phone
Image: Getty Images

It’s good MBIE let that contract lapse this year, though I bet it was uncomfortable to be in the room during 2023’s US Summit for Democracy. That’s when New Zealand joined 11 nations, including Australia, the United Kingdom and the United States, in agreeing to responsible use of commercial spyware. “Israel, a key spyware exporter, is not part of the deal,” reported Cyberscoop. “At time of purchase, Cobwebs Technologies was an Israeli-based company,” MBIE said in its email comments to The Spinoff. “In July 2023, Cobwebs Technologies was acquired by Spire Capital, changing ownership to a wholly owned US company.”

Let’s just hope MBIE makes sure to get all its data back after the breakup. Cobwebs offers clients the options of self-storing the data, or keeping it on Cobwebs’ own servers. Among what information RNZ was able to obtain, “One of the documents, the business case, shows Cobwebs stores the data.” 

An OIA obtained by RNZ showed that MBIE’s “data collected using the Cobwebs tools is stored in Australia”. That’s also where the Office of the Privacy Commissioner stores their data, confirming via email: “It made this decision following a full privacy impact assessment (PIA)… It is our expectation that agencies also undertake this level of care.”

We still don’t know who might’ve been swept up in those Cobwebs-powered MBIE dragnet searches. One of the serious risks inherent in products like those sold by Cobwebs is that they scrape data indiscriminately and profile people inaccurately, with lots of racial bias and collateral collection of innocent people’s data, not just those under suspicion – even on a good day, when they’re not bragging about breaking API rules like Cobwebs has

MBIE (which Immigration New Zealand is part of) told The Spinoff via email: “The Cobwebs tools were not focused on any specific nationality or ethnic group. They were solely used for the purpose of managing the risk of, including preventing, maritime mass arrivals.” 

MBIE acknowledged, “A mass arrival has never arrived in New Zealand; however, they have in many other countries and present an ongoing risk.”

In light of that, the pretence that New Zealand needs to protect itself from mass maritime arrivals feels like the half-drawn horsie meme of excuses. Unless MBIE has a time travel machine, in which case concerns about invading boatloads of migrants are warranted. 

Anyway, we all hope the Office of the Privacy Commissioner gets to go on the next MBIE surveillance-as-a-service shopping trip. It does too, telling The Spinoff it “would expect to be informed of any significant surveillance procurement by a government agency particularly where this technology is new or untested in New Zealand. Our expectation is that the agency would have conducted a PIA and provided assurance to the Privacy Commissioner.”

So who is Aotearoa’s next top surveillance model? It sure seems like MBIE’s trust in Cobwebs may have been misplaced, and we wish them luck in their next cyber mercenary Tinder match.

Keep going!