The news that an iPhone owned by Amazon.com Chief Executive Officer Jeff Bezos had been hacked prompted widespread speculation about how it happened and whether the Saudi crown prince may have been involved, as some investigators have alleged. But it also led many people to wonder whether their own phone might be turned against them. Spyware is used by law enforcement and intelligence agencies to track criminals and terrorists, and by repressive governments to spy on enemies. Beyond targeted spyware that secretly hacks phones, hundreds of companies track people’s everyday internet use.

1. What is spyware?

It’s a subset of malware, the name given broadly to software that harms unsuspecting users. Spyware specifically is software meant to extract information such as internet browsing history or private communications from devices it’s installed on without the user’s consent. In its most sophisticated form, spyware can be unwittingly downloaded on a phone and extract texts and private files and monitor a user’s actions. Those types of spyware are often developed by intelligence agencies or a small but growing number of private firms -- many run by former military intelligence officers. Spyware can also be used by the private sector to send consumers pop-up ads, redirect them to unwanted websites or track browsing history to predict what types of products and services they may be interested in.

2. Is spyware only on phones?

No, but phones are increasingly becoming the primary target. Some spyware is so advanced that it can turn on your phone’s microphone, secretly record and even take pictures with the camera. The fact that many users now keep sensitive data on mobile devices makes them even more attractive targets. With the use of encrypted chat apps growing, governments around the world want the most sophisticated tools to conduct clandestine surveillance on mobile phones. The result is an industry that’s expanding rapidly. “This industry seems to just keep growing,” said Eric Kind, director of AWO, a London-based data rights law firm and consulting agency. “Ten years ago, there were just a few companies. Now there are 20 or more.” That’s left the creators of popular devices and software racing to patch newly discovered vulnerabilities before spyware makers can exploit them.

3. What happened to Bezos?

We still don’t know exactly what happened, and it’s unclear if we ever will. Here’s what we do know: On May 1, 2018, Bezos allegedly received a video file on his iPhone X from a WhatsApp account used by Mohammed Bin Salman, the crown prince of Saudi Arabia; the two men had exchanged numbers at a dinner in Los Angeles a few weeks earlier. A forensic analysis of Bezos’s phone, conducted last year by FTI Consulting Inc., concluded that massive amounts of data started being secretly uploaded from Bezos’s phone within hours of receiving the video file. The analysts didn’t find the spyware on Bezos’s phone, but concluded with medium to high confidence that it had been infected by malware contained in the message from the crown prince’s account. They cited the timing of the spike in data being transmitted from Bezos’s phone and two later messages from the crown prince’s account that allegedly contained information that wasn’t widely known to the public. Saudi Arabia has denied any involvement.

4. What happened to that data?

That’s also unclear. However, in January 2019, the National Enquirer published an expose of Bezos’s extramarital affair with television news personality Lauren Sanchez. The supermarket tabloid paid $200,000 to Sanchez’s brother for the billionaire’s secrets, according to the Wall Street Journal; the brother, Michael Sanchez, has called the Journal’s reporting “wrong.” An investigator hired by Bezos raised doubts that Sanchez was the Enquirer’s only source, suggesting instead that the Saudis may have been involved. “Our investigators and several experts concluded with high confidence that the Saudis had access to Bezos’ phone, and gained private information,” the investigator, Gavin De Becker, wrote in a March 31, 2019, column in the Daily Beast. De Becker hired FTI Consulting, which later confirmed his allegation. The Saudi Embassy called allegations that the kingdom is behind the Bezos hack “absurd” and the Enquirer’s parent company said they only had one source for the story.

5. Could that happen to me?

Yes, but the likelihood of that varies greatly. If you are a lawyer, journalist, activist or politician in possession of sensitive data, or an enemy of a regime that has little regard for human rights, you could be especially vulnerable to this kind of digital attack. The Citizen Lab at the University of Toronto has identified over 100 cases where the powerful spyware developed by NSO Group has been abused. NSO Group has pushed back on Citizen Lab’s claims, saying it has no role in choosing the targets of its spyware, only that it sells its software to governments around the world for use in law enforcement investigations. A Saudi dissident sued NSO Group in 2018, alleging that his phone was hacked by the Saudi government using the company’s spyware, in part to eavesdrop on communications between him and Washington Post journalist Jamal Khashoggi, who was later murdered by a Saudi assassination team. WhatsApp has also filed a lawsuit against NSO Group, alleging that it violated its terms of service by using WhatsApp as a delivery mechanism for its spyware.

6. What can I do?

The best way to try to protect yourself against the most intrusive spyware is to keep your phone and computer’s software updated and to beware of suspicious emails and text messages. When it comes to the everyday surveillance and harvesting of information by social media companies and app makers, your best bet is to check your privacy settings, read terms and conditions closely and do without programs you’re uneasy about. But even sophisticated users -- like Bezos -- find it hard to shield their phones against the most advanced spyware on the market. Also hard to avoid are the dragnet surveillance programs operated by governments around the world that indiscriminately sweep up massive amounts of internet traffic, though using encrypted chat apps like Signal may help.

7. Are there rules about spyware?

Not too many, though activists are hoping that the Bezos hack will change that. Some countries, including the U.K., Germany, Austria and Italy, have laws governing hacking by law enforcement. A judicial warrant is required in the U.S., except under certain circumstances. But it is still unclear which countries are engaging in this kind of hacking. And the private companies that develop these hacking tools typically go to great lengths to ensure that their customers are never revealed. The most in-depth look we’ve ever had into the operations of a spyware developer was when Hacking Team itself got hacked, exposing its customers and the inner workings of its tools.

To contact the reporter on this story: William Turton in New York at wturton1@bloomberg.net

To contact the editors responsible for this story: Andrew Martin at amartin146@bloomberg.net, John O’Neil

©2020 Bloomberg L.P.