In response to COVID-19, the NSO Group, an Israeli developer of cyber intelligence and spyware technologies, developed FLEMING, ‘an epidemiological analytics system’ that features ‘an advanced mapping tool that identifies the spread of coronavirus in real-time.’ NSO group has marketed the contact-tracing system to governments and law enforcement agencies across the globe, advertising its ability to generate ‘state-level situation reports’ that can map infection rates across whole countries, along with heat maps to ‘identify unusual movement patterns’ and to see if populations are complying with social distancing measures.
Since the release of Fleming, the NSO group has been embroiled in controversy. In May 2020, a cybersecurity researcher found that their Fleming database was left exposed. An analysis of a sample of the data by Forensic Architecture revealed the location data of over 32,000 unsuspecting civilians, or ‘targets’ as they were labelled by NSO.
From tracking people's movements, we can estimate how the virus will travel; from watching crowds, we can observe who is sick. But what happens when this valuable location data is in the hands of companies we know little about? And how can we be sure these systems will be used for their stated purposes?