Ramy Raoof is an Egyptian technologist and privacy researcher currently volunteering in Beirut, Lebanon. In November 2016, he was working in the office of the Egyptian Initiative for Personal Rights (EIPR) when something suspicious happened. The organization received a call from a journalist about an upcoming press conference — but they hadn’t planned a press conference.
Raoof soon learned that hundreds of emails had been sent out in the organization’s name. The emails invited journalists, activists, and civil society groups to a fictitious press conference about a draft law in Egypt that would effectively ban non-governmental organizations.
“The journalists believed it, of course, because the attackers used our logos, our language, our address, our phone number,” Raoof says. “I asked to see the email, and the moment I saw it I realized we were under attack.”
The ongoing and extensive phishing campaign was part of a wide-scale crackdown on civil society and dissent in Egypt. Hundreds of activists were — and still are — being subjected to “phishing” attacks, where they are lured into clicking on malware links or revealing passwords, two-factor authentication codes, or password reset codes.
The large-scale series of attacks was dubbed “Nile Phish” by Raoof and his fellow researchers. The name is a play on the word “fish” (which sounds like “phish”) and the Nile River, which flows through Egypt.
Together with colleagues at The Citizen Lab at the University of Toronto, Raoof co-wrote a research paper investigating the ongoing attacks. It was published in February 2017. As one explanation for the increase in attacks, they noted how free and open-source software that is designed for network security testing can also be abused to stage attacks.
Every day, Raoof thinks about technical attacks like Nile Phish. “I work as a technologist and privacy researcher with different civil society organizations,” he explains. (Among his credentials: He sits on Tor Project’s board of directors.)
Raoof notes that over time, the fields of targeted and mass surveillance have grown more complicated. In the early 2000s, governments would often conduct surveillance themselves. But not so today. “There was a tactical shift,” Raoof says, and governments began outsourcing surveillance activities to private companies and individuals. “It minimizes the fingerprints,” and “is more efficient,” he explains.
Surveillance tools are also shared between nations and companies. “Not all countries develop their own resources. They purchase resources from different countries,” Raoof explains. “Some countries are more well known for developing targeted surveillance, like Italy. Others are well known for mass surveillance, like Israel.”
Raoof says there’s no single playbook for protecting civil society groups.
“I customize the advice based on a few variables,” like location and type of work, he adds. Raoof might give one set of tips to an anti-torture campaigner in Libya, and another set of tips to a civil rights activist in Latin America. “For example, some technical solutions would never work in Libya or Syria,” says Raoof, explaining that a common privacy tool like a VPN (virtual private network) wouldn’t be advisable because governments actively filter them there.
When asked about thwarting unwarranted surveillance through public policy, Raoof is both optimistic and frustrated. “Policy is always effective,” he says. “But it takes ages and ages for small achievements.”
And so, policy must happen in tandem with more rapid response mechanisms, like encryption technology. And that’s where Raoof’s passion lies. “Me and you,” Raoof says, “could build effective privacy technology, helping more people in a shorter time frame.”