12 Oct 2022

Immigration NZ enlists 'cyber mercenaries' banned from Facebook to covertly collect data

11:37 am on 12 October 2022
Hacker, cyber attack, (File photo)

Cobwebs is among seven foreign companies accused by tech giant Meta of setting up fake accounts to spy on almost 50,000 people, including journalists, human rights activists, politicians. Photo: 123RF

This is the first of two stories looking at surveillance firm Cobwebs Technologies' work for the New Zealand government.

The government is working with an Israeli-born surveillance firm named among a group of "cyber mercenaries" and kicked off Facebook for spying on people.

It is keeping most of the operations with Cobwebs Technologies secret, but they include Immigration NZ.

Cobwebs is among seven foreign companies accused in late 2021 by tech giant Meta of setting up fake accounts to spy on almost 50,000 people, including journalists, human rights activists, politicians and others in more than 100 countries.

Meta, formerly Facebook, reported it had identified "customers" of Cobwebs in at least seven countries including New Zealand.

"In addition to collecting information about their targets, the accounts used by Cobwebs' customers also engaged in social engineering to join closed communities and forums and trick people into revealing personal information," its report claimed.

RNZ is reporting this aspect of the 10-month-old investigation for the first time, after forcing officials here to release information about their own dealings with Cobwebs for the first time, by appealing to the Ombudsman.

Meta said in late 2021 it had removed about 200 accounts operated by Cobwebs and its customers worldwide.

The OIA documents released this week show Immigration NZ has been a customer of Cobwebs for about two years.

Immigration NZ required the firm to be able to covertly collect data including people's "political information" and "religious preference", the documents show.

It also has to be able to collect banking, health and family relationships information for Immigration.

Zeroing in

Cobwebs scours publicly-available social media platforms, including Twitter, Facebook, Instagram, Reddit, Tumblr, LinkedIn, Snapchat and WhatsApp.

To get the contract, it was required by Immigration NZ to leave no trace behind and totally protect analysts' identities.

RNZ understands police have trained with Immigration on Cobwebs tools.

Cobwebs, set up in 2015 by ex-Israeli defence special forces members, and now based in New York, was placed first last year in a Silicon Valley ranking for its surveillance power.

RNZ has approached the firm for comment.

The "tools" it uses for Immigration NZ automatically raise alerts about key words or phrases from publicly-available Internet sites, and can zero-in on "country/region targets", the business case said.

The Ministry of Business, Innovation and Employment said the Cobwebs operations were legal, closely controlled and vital.

They helped it meet its "legislative responsibilities", in an undefined but "specific" area where there were active threats, the ministry told RNZ in its OIA response.

Revealing more would "enable and embolden" groups overseas seeking to undermine it.

"We are aware of activity overseas showing an intent (and ability) of such groups to do exactly this, specifically in response to the public release of information of the kind we are withholding, including tactically altering their behaviour, increasing their operational security or deliberately injecting misinformation to reduce the effectiveness of collection methods.

"If even a moderate event in this particular area were to eventuate, the consequences for New Zealand could be significant and costly to fix," MBIE said.

'Surveillance for hire'

Cobwebs' work is the latest example to come to light in the public sector of an approach known overseas as "surveillance for hire".

Others include New Zealand Police accessing private CCTV camera footage; and Internal Affairs setting up a master agreement to hire facial recognition services.

Meta in its investigation into spyware makers claimed Cobwebs activates counterfeit accounts for its clients that conduct surveillance online.

"In addition to targeting related to law enforcement activities, we also observed frequent targeting of activists, opposition politicians and government officials in Hong Kong and Mexico," Meta said.

Google in July called for a US government ban on using "surveillance-for-hire" services.

Last December, Cobwebs launched new technology targeted directly at the public sector.

It claims to have identified terrorists and promotes its ability to combat the "global problem" of social unrest, by "identifying threat actors known for instigating social unrest and to pinpoint hotspots in real-time to prevent escalations".

The Ministry of Business, Innovation and Employment in mid-2021 refused to release any information to RNZ about Cobwebs on security grounds.

The two documents it released to RNZ this week, after the Ombudsman's intervention, are 95 percent blanked out.

One of the documents, the business case, shows Cobwebs stores the data.

It sends the data to analysts in the small, little-known MBIE Intelligence Unit (MIU), which advertises jobs that "contribute to the National Security System".

The MIU also works with "domestic and international agencies on law enforcement and regulatory issues", the job ad said.

The data from Cobwebs might be shared with the government's border partners, the second document, a privacy impact assessment, said.

It might also be shared with other domestic government agencies if the MIU had a "reasonable belief and lawful basis" for doing this.

The Ministry of Business, Innovation and Employment said the Cobwebs tool had significant capability and was used in a very targeted way.

"Cobwebs does not provide MBIE with counterfeit accounts nor has it been asked to," general manager of data, insights and intelligence, Jacqui Ellis, said in a statement.

"MBIE has no reason to believe it had any impact on, or was impacted by, Meta's removal of 200 accounts."

The spyware's use was heavily prescribed by processes that strictly limited its use by subject matter experts, Ellis said.

"Strict criteria must be met before it can be used. MBIE considers the significant capability is appropriate in light of the risks the tool is used to mitigate."

Asked for more details about how people's data is stored, and whether that was in New Zealand or overseas, the ministry said this "raises technical and commercially sensitive information" and turned that into an Official Information Act request.

Asked whether its analysts had done cross-training on Cobwebs with police, Ellis did not deny it but said "cross-agency training is not uncommon and joint training activities may contain sections or content tailored for each participant's context and responsibilities".

Police have declined to comment.

Get the RNZ app

for ad-free news and current affairs