Dang! Notorious spyware company NSO Group is marketing #COVID19 tracking in US, according to @NBCNightlyNews. Time to go CSI on screenshots of the product. THREAD
So I assembled as many screenshots of the product as I could find from their 'demos.' Looks like they use "Targets" to refer to civilians. Guess this is expected from a spyware company?
They seem to have a co-presence criterion for identifying whether two people got close together. Makes sense right? So, can we figure out whether their software could perform as promised?
Well, to figure out if two people met you are going to need some pretty precise location data. So what data are they using? From their public statements it sounds like it's carrier location data. Is it? Let's see...
In this tweet I found a screenshot that had geographic coordinates of a particular event. So maybe we can make some guesses as to accuracy. Looks like this is in decimal degrees.
Six digits after the decimal here gives us the precision, in theory, of somewhere around ~110-120mm. That's person sized. This is weird, because cellular location data has an accuracy between 10-50 METERS depending on lots of factors.
So let's see about this actual location. Here it is. A field of scrub next to a roadway. Could a person really be located there? Maybe...
Let's ENHANCE ;) with some ground imagery. Yeah, this looks like a scrubby field with a fence around it. I'm going to guess that unless this is a landscaper, this point is inaccurate, and has some serious spatial error. But how much?
My bet is this was a car driving by. If we charitably assume that the car was at the edge of the roadway and this person was a passenger the point is a minimum of ~20 METERS off.
So, to recap, the location data that NSO is rolling with is probably super imprecise. Carrier location data is mad inaccurate: phones appear to jump around, even when they aren't moving. Here's some data from Song et al (2017) to make the point. https://www.hindawi.com/journals/misy/2017/7653706/
Here are two people walking together within the 2m droplet distance that we have all heard about by now as the CDC exposure criterion used in contact / #COVID19 tracking apps. I hope they are both healthy. Sorry, my renderings are goofy.
Now let's toss in the ~20m spatial error term that we just found in NSO's screenshot. Suddenly this is beginning to look like there's a lot of chance that two people within that uncertainty could live entire lives without meeting the CDC exposure criterion.
For fun, let's go up to 50 Meters. A higher bound of error in carrier location data. Ok. Like a half of a block in my little rendering. If you thought Bluetooth contact tracing was inaccurate...you could hide busloads of people with near zero chance of mutual exposure in here.
Let's get concrete. Imagine all of these people are in sort of a similar area, each rocking 20 meter spatial error or worse. What on earth do you actually do if one of them tests positive for #COVID19?
When you are working with data with this much built-in inaccuracy, it would be pretty intense to issue alerts each time this happened. Or to require quarantines. Or testing. The rates of false positives here would be through the roof. But...so would false negatives.
Recap thus far: NSO is showing dots approaching each other on sidewalks and talking about infection risk. Which it sure looks like their data isn't accurate to make consistent guesses about, without wagonloads of false positives and false negatives...
Trust is essential if you are a government managing crisis, and if you push out false alerts, or fail to alert people, you lose that trust fast. And people will start ignoring your alerts, or (I bet) leaving phones home etc.
If you want to do #COVID tracking in the US, you should have an unimpeachable reputation, be accountable to US law, and be transparent. NSO is under FBI investigation & is in court right now saying they CANNOT BE HELD ACCOUNTABLE UNDER US LAW. https://twitter.com/jsrailton/status/1253502213353361412
NSO refuses to name customers for their tracker. Why? My pet theory: "Fleming" is actually a skin on NSO's existing surveillance software. NSO can't say because they are pushing it to some existing espionage customers, and naming them is forbidden by contract.
You want to go outside, eat messy sandwiches, & handle doorknobs. Me too! If a stranger says I'll discreetly follow your family & kids 24/7 in exchange for letting you out I might just say yes! ... If I learned that the stranger was under FBI investigation? Pass.
NSO claimed that they cannot see who is being tracked with Fleming. So Relax guys! Right? They said the same thing about Pegasus spyware....yet legal filings from @WhatsApp this week showed that NSO could easily monitor customers' targeting. https://twitter.com/jsrailton/status/1253531135990267906
So, NSO is probably overhyping their product's accuracy, and not being honest about it. Nothing new for #COVID19 startup-land. Or NSO. So, how did they get that notorious reputation? By making a billion dollars selling spy tools to dictators who abused them...
Exhibit A: Reporter Javier Valdez was pulled from his car and shot dead by a cartel in Mexico. NSO's Pegasus spyware was then used to target his grieving spouse and colleagues. https://citizenlab.ca/2019/03/nso-spyware-slain-journalists-wife/
Exhibit B: Reporter @aristeguicnn uncovered a massive bribery scandal against Mexico's president. Then she and her *14 year old son* at boarding school in the United States were targeted with Pegasus. https://citizenlab.ca/2017/06/reckless-exploit-mexico-nso/
Exhibit C: Just before Jamal Khashoggi was killed & dismembered by the Saudi government, they were using Pegasus spyware to track his associates, including @oamaz7 in Canada. https://www.theglobeandmail.com/world/article-saudi-dissident-in-canada-spoke-to-khashoggi-about-fighting-riyadhs/
Exhibit D: NSO actually does have a history with public health. @SBarquera, a Director at Mexico’s National Institute of Public Health was targeted with Pegasus. He'd been promoting a tax on soda. https://www.nytimes.com/2017/02/11/technology/hack-mexico-soda-tax-advocates.html
The list of NSO-fueled abuses is growing. So is the number of lawsuits, criminal complaints, and criminal investigations into NSO. How has NSO responded? Denials. Victim blaming. Most recently: questionable claims in Cali Federal court that they can't be held legally accountable.
Speaking of dubious ethics around NSO: Remember Harvey Weinstein? Same notorious spy firm he used against #Metoo targeted me in NYC. They wanted to know about my work on NSO. Went after Pegasus victims' lawyers too. Got caught. (NSO denies responsibility) https://www.nytimes.com/2019/01/28/world/black-cube-nso-citizen-lab-intelligence.html
Recap: out-of-control spyware firm NSO denies it's accountable to US law. History of false claims & mountain of abuses. Active @FBI investigation. Pitches questionable product on @NBCNightlyNews, asks for access to the cellular tracking data of all Americans. Is this a prank?
We have choices in how to go through this critically important time. We need trust, accountability, and transparency from any company involved in the #COVID19 response. NSO's reputation, recent behavior, and product should disqualify it from being seriously considered.
PS: I suppose NSO might say of my earlier tweets "oh this is just broad location analytics, stop complaining about spatial error." Response: show your math, assumptions and models, and open up to testing by 3rd parties. Also...that ethics / @fbi / lawsuit problem etc.
You can follow @jsrailton.
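Added example, not part of the original thread: a small simulation of the thread's argument that six-decimal coordinates are far more precise than carrier location is accurate, and that a 2 m co-presence rule on such data yields both false negatives and false positives. Assumptions: the "~20 m" and "50 m" errors are modelled as independent Gaussian noise per axis on each phone's fix, and the pair separations (1 m and 30 m) are constructed.

```python
import math
import random

EXPOSURE_M = 2.0  # exposure distance cited in the thread


def coord_resolution_m(decimals):
    """North-south ground distance of one step in the last decimal place.

    Uses ~111,320 m per degree of latitude; east-west steps are smaller
    by a factor of cos(latitude).
    """
    return 111_320.0 * 10.0 ** -decimals


def observed_distance(true_sep_m, sigma_m, rng):
    """Distance between two reported fixes whose true separation is known."""
    ax, ay = rng.gauss(0, sigma_m), rng.gauss(0, sigma_m)
    bx, by = true_sep_m + rng.gauss(0, sigma_m), rng.gauss(0, sigma_m)
    return math.hypot(ax - bx, ay - by)


def error_rates(sigma_m, flag_radius_m, trials=20000, seed=1):
    """Return (false_negative_rate, false_positive_rate).

    Constructed population: exposed pairs are truly 1 m apart, unexposed
    pairs truly 30 m apart. A pair is flagged when the two reported fixes
    fall within flag_radius_m of each other.
    """
    rng = random.Random(seed)
    missed = sum(observed_distance(1.0, sigma_m, rng) > flag_radius_m
                 for _ in range(trials))
    false_alarm = sum(observed_distance(30.0, sigma_m, rng) <= flag_radius_m
                      for _ in range(trials))
    return missed / trials, false_alarm / trials


def report():
    """Rates for a strict 2 m rule and for a rule widened to the error size."""
    rows = []
    for sigma in (20.0, 50.0):
        for radius in (EXPOSURE_M, sigma):
            fn, fp = error_rates(sigma, radius)
            rows.append((sigma, radius, fn, fp))
    return rows


if __name__ == "__main__":
    print(f"6 decimals ~ {coord_resolution_m(6):.3f} m per step")
    for sigma, radius, fn, fp in report():
        print(f"error {sigma:>4.0f} m, flag within {radius:>4.0f} m: "
              f"missed {fn:.1%} of real contacts, flagged {fp:.1%} of non-contacts")
```

Under these assumptions a strict 2 m rule misses almost every real contact, while widening the flag radius to the size of the error still misses most contacts and starts flagging pairs that were never within 2 m.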