Inside Access Now’s Digital Security Helpline that probes government spyware

TL;DR

Access Now’s Digital Security Helpline is a small, international team that helps journalists, activists and other civil-society actors who suspect they’ve been targeted with government spyware. The group fields around 1,000 suspected cases a year, runs triage and forensic checks, and has become a referral point for users alerted by platforms such as Apple.

What happened

Over more than a decade, journalists and human-rights defenders in multiple countries have been targeted with sophisticated government spyware. Access Now, a nonprofit headquartered in New York, operates a Digital Security Helpline staffed by fewer than 15 investigators and handlers spread across time zones including Costa Rica, Manila and Tunisia. The Helpline offers a 24/7 service for people in civil society who suspect compromise by mercenary spyware produced by firms such as NSO Group, Intellexa or Paragon. When someone reaches out the team acknowledges receipt, checks whether the person falls within the organization’s mandate, and triages the report. Investigators perform an initial remote check and may request a full device backup for deeper analysis of known exploit indicators. Handlers also advise victims on practical steps, such as whether to switch devices. The Helpline participates in CiviCERT to share tools and reach affected communities regionally.

Why it matters

• High-risk journalists and activists often lack technical support; the Helpline fills that gap with rapid, specialized response.
• Platforms like Apple have begun directing users toward the Helpline after issuing threat notifications, increasing referrals and visibility.
• Government use of commercial spyware appears widespread across many countries, raising cross-border protection needs.
• A small, distributed team is handling a growing caseload, underscoring resource and capacity limits for civil-society digital defense.

Key facts

• Access Now’s Digital Security Helpline is based at the New York nonprofit Access Now but has investigators located in Costa Rica, Manila, Tunisia and other regions.
• The team comprises fewer than 15 people and operates across multiple time zones to provide near-continuous coverage.
• The Helpline receives roughly 1,000 suspected spyware cases a year; about half progress to prioritized investigations.
• Approximately 5% of prioritized cases—around 25 cases per year—result in confirmed spyware infections, per the helpline director.
• Apple has sent so-called threat notifications to users it believes were targeted and has long directed recipients to Access Now investigators.
• Investigators follow a set process: acknowledge contact, check mandate, triage, perform remote checks, and request full device backups for deeper analysis.
• The Helpline handles cases involving mercenary spyware attributed to companies like NSO Group, Intellexa and Paragon.
• Handlers who manage communications typically speak the victim’s language and provide guidance on next steps and precautions.
• Access Now contributes to CiviCERT, a coalition that shares documentation, tools and regional support among organizations assisting targeted civil-society members.

What to watch next

• Whether the Helpline’s staffing and resources scale to match rising demand — not confirmed in the source.
• Continued coordination between platform vendors (e.g., Apple) and civil-society incident responders, including referral patterns from threat notifications.
• Expansion of regional CiviCERT capacity to reach more affected journalists and activists — not confirmed in the source.

Quick glossary

• Mercenary spyware: Commercial surveillance software sold to governments and law-enforcement agencies to monitor targets’ devices and communications.
• Threat notification: An alert from a technology platform informing a user they may have been targeted by a highly sophisticated attacker or commercial spyware.
• Triage: A preliminary assessment process used by responders to prioritize and determine next steps for incoming security incidents.
• Full device backup: A comprehensive copy of a device’s data that investigators can analyze for forensic indicators of compromise.
• Incident response: The coordinated actions taken to investigate, contain and remediate a suspected security breach.

Reader FAQ

Who is eligible to contact Access Now’s Digital Security Helpline?
The Helpline prioritizes people within civil society—journalists, human-rights defenders and dissidents; the team first checks whether a contact falls within its mandate.

How often do suspected cases turn into confirmed spyware infections?
The Helpline handles about 1,000 suspected cases annually; roughly half become investigations and about 5% of those result in confirmed infections.

What does the Helpline do after someone gets an Apple threat notification?
According to the source, Apple has directed affected users to Access Now; the Helpline explains the meaning of the alert, triages the case and advises on next steps.

Will the Helpline provide long-term protection or replacement devices?
not confirmed in the source

For more than a decade, dozens of journalists and human rights activists have been targeted and hacked by governments all over the world. Cops and spies in Ethiopia, Greece, Hungary,…

Sources

• Meet the team that investigates when journalists and activists get hacked with government spyware
• Digital Security
• Access Now's Digital Security Helpline
• Surveillance

Related posts

• Gpg.fail — homepage shows brief message: ‘brb, were on it!!!!’
• Inside an Effort to Automate Federal Retirement Processes Nationwide
• Hochul signs New York law requiring warning labels on addictive social apps