Cybersecurity and Palestinian Civil Society: Evidence From a Web Scan
10 January 2023
Alexei Abrahams and Etienne Maynier reflect on the impacts of digital surveillance on Palestinian civil society - and on the importance of cybersecurity for social justice movements.
Authoritarian rule in the Middle East is notoriously durable, in part because authorities run very effective surveillance. Militants, labor unionists, agitators, activists, dissidents, human rights defenders, journalists, and any other member of civil society whose words or actions challenge authorities, are identified early and surveilled persistently. Their habits, proclivities, and weaknesses are carefully documented, then exploited either to repress or co-opt them. Now that people's lives are increasingly interfaced to digital technology, authorities have evolved to surveil civil society by hacking its devices and networks. If civil society is to preserve its reformative potential, something must be done to curtail authorities’ digital surveillance powers.
Towards this, advocacy organizations like Amnesty International or Access Now typically follow the approach of highlighting shocking incidents of state surveillance, then making a moral appeal to the international community to censure the offending governments, restrict the export of surveillance technology, or establish norms around the use of such technology. Unfortunately, this approach reproduces a colonial pattern in which weak actors in the global south must rely on powerful actors in the global north to intercede on their behalf, and implies an optimism as to the likelihood of such intercession that defies historical record. In Measuring the (In)security of Palestinian civil society websites, we emphasized the agency of Middle Eastern civil societies to act unilaterally to defend themselves against surveillance. To underscore this we focused on Palestine, a context where the authorities have both the means and motive to surveil, and where intercession by the international community is particularly implausible.
Is Palestinian civil society taking precautions to secure itself against digital surveillance? And if not, why? We looked at civil society organizations (CSOs), arguably the enduring backbone and central reference structure of the Palestinian struggle. Among various digital attack surfaces we focused on websites and web servers, arguably the easiest targets for attackers to find.
We developed a web scanner, a computer program that scans websites and web servers to gather basic security information: are web sessions automatically encrypted? Is the site protected against distributed denial of service (DDoS) attacks? Is the site running up-to-date software? We ran the scanner against 228 Palestinian CSO websites, finding them to be very insecure.
Many sites fail to enable or insist on encrypted sessions (HTTPS), all but one fail to avail themselves of DDoS protection; and roughly one in five is served from a computer running software with serious vulnerabilities.
What explains this pervasive insecurity? While we could not satisfactorily answer this question, we cast doubt on a few possible explanations. Firstly, and contrary to how it is often portrayed, the problem is not technological. While preparing our manuscript, Palestinian civil society was riveted with revelations that Pegasus, the flagship spyware of Israel’s top mobile surveillance vendor, NSO Group, had been deployed against several activists. But while such cutting-edge threats easily make headlines, our data show that Palestinians are leaving themselves open to more ordinary attacks. Without HTTPS, web sessions can be easily monitored and tampered with by authorities. Without keeping software up to date, Palestinian servers and sites can be compromised with off-the-shelf exploits. Why do adversaries need to pole-vault through a third-storey window when Palestinians are leaving the front door open? There is much Palestinian civil society could do to steel itself against attack before worrying about rarefied threats like Pegasus. So why aren’t Palestinian CSOs taking these steps already?
Perhaps, we wondered, the explanation lies in the NGO-ization of Palestinian civil society. Under the auspices of the Oslo Accords, and particularly after the Fatah-Hamas schism of 2007, an infusion of Western aid earmarked for development projects transformed Palestinian civil society from an incubator of contentious politics to a rather tame, professionalized, and “upwardly accountable” neoliberal technocracy. Perhaps these CSOs neglect their cybersecurity because they feel they pose no threat to the authorities. To test this explanation, we scanned the sites of 73 CSOs, most of them non-Palestinian, that are publicly allied with the Boycott, Divestment, and Sanctions (BDS) movement. The BDS movement is undeniably contentious, so BDS affiliates, we reasoned, should anticipate attack and exhibit a greater degree of security preparedness. Scanning their websites, however, we found rates of insecurity comparable to ordinary Palestinian CSOs. Entering openly into contentious politics, it would seem, did not prompt greater vigilance.
Surprised by these findings, we settled on two hypotheses for future research. Firstly, it is possible that CSOs lack sufficient digital literacy, and are exposing themselves unwittingly to attack. Insofar as this is the case, we are hopeful that our research will constitute a wakeup call for individuals and organizations in Palestinian civil society and beyond to revisit their decisions about cybersecurity. To make sure the opportunity is not missed, we are already reaching out to CSOs to alert them and open a dialogue.
Alternatively, however, it is possible that CSOs are fully aware of the dangers, but see the matter through the prism of rational fatalism. According to this line of thinking, the authorities have such powers of surveillance that any attempt to defend against them is futile. Rather than waste resources on a lost cause, CSOs simply accept that everything they do will be surveilled from above.
Whatever the explanation, civil society in Palestine and elsewhere can no longer afford to neglect their cybersecurity. Social justice movements, particularly those drawing upon far-flung diasporic communities, increasingly rely on digital infrastructure for connectivity and coordination. If that infrastructure is compromised, its members will be surveilled and controlled, blunting their potential for reform, and “freezing in place the status quo forever” . There will be no revolution without secure comms. Shifting the balance of power between civil society and authorities requires making moves below the radar, in the blind spots of the state. Cybersecurity vigilance is a key part of frustrating surveillance, ensuring operational secrecy, and preserving civil society’s liberative potential.
Alexei Abrahams is a cybersecurity and social media researcher with the Technology and Social Change Project at Harvard. He applies a mixed methods approach drawing on data science, social science, and regional knowledge. He holds a doctorate in economics from Brown University, and was previously a researcher at Citizen Lab.
Etienne Maynier is a security researcher and activist, currently working as Technologist at Amnesty International’s Security Lab. He has been studying targeted attacks against civil society for more than 6 years and has published multiple reports on spyware attacks and disinformation.
 Barton Gellman (2020), Dark Mirror: Edward Snowden and the American surveillance state