The spyware market is a dazzling, worrying place. Since Edward Snowden’s 2013 revelations about the breathtakingly broad nature of warrantless surveillance, much of it conducted by corporations at the behest of the US intelligence community, those with a mind towards using encrypting technologies have been getting busy. Governments, desperate to reverse that trend, have gone to private suppliers to subvert the tendency.
Post-Snowden, governments found that not only could they get effective spyware; they could do so at very affordable prices. David Kaye, former UN special rapporteur on the promotion and protection of the right to freedom of opinion and expression, has wisely called for a moratorium on the sale of such spyware, describing an industry ‘out of control, unaccountable and unconstrained in providing governments with relatively low-cost access to the sort of spying tools that only the most advanced state intelligence services were previously able to use’.
Israel’s NSO Group has become a provider of spyware par excellence, marketing itself as a creator of ‘technology that helps government agencies prevent and investigate terrorism and crime to save thousands of lives around the globe’. It makes much of its mission to target those ‘terrorists’ and ‘criminals’ who go dark in an effort to evade law enforcement. ‘The world’s most dangerous offenders communicate using technology designed to shield their communications, while government intelligence and law-enforcement agencies struggle to collect evidence and intelligence on their activities.’ The group markets itself as a good citizen, making products to ‘help government intelligence and law-enforcement agencies use technology to meet the challenges of encryption to prevent and investigate terror and crime.’
Israel’s Defence Ministry, responsible for issuing export licenses for NSO’s spyware, has also stated that it only issues approvals for such products ‘exclusively to governmental entities, for lawful use, and only for the purpose of preventing and investigating crime and counterterrorism’. Where such items ‘are used in violation of export licenses or end use certificates, appropriate measures are taken’.
One of the key weapons in the NSO Group arsenal is Pegasus, spyware that, when it infects the target phone device, turns it into a surveillance tool. Remote access is granted to the phone’s contents, microphone and camera; the owner is none the wiser that calls and content are being intercepted and monitored. Precisely because of this creepy state of affairs, Snowden gives us a titbit of advice: ‘The first thing I do when I get a new phone is take it apart’. This is not motivated because of any ‘tinkerer’s urge’, he tells us, ‘but simply because it is unsafe to operate’.
Claims by NSO Group that it operates according to squeaky-clean principles in supplying its spyware products are hard to swallow. Notoriously, Pegasus was linked to the demise of the dissident journalist Jamal Khashoggi, who was quite literally butchered by a Saudi death squad in October 2018 on the premises of the Saudi consulate in Istanbul. One of Khashoggi’s contacts, Omar Abdulaziz, claimed that communications with the Saudi dissident were intercepted by the Saudi authorities. His lawyers argued that the hacking ‘contributed in a significant manner to the decision to murder Mr. Khashoggi’.
NSO has also been the subject of a string of legal actions. Twin lawsuits against NSO were filed respectively in Israel and Cyprus by a Qatari citizen and by Mexican journalists in 2018, doing much to expose the company’s complicity in illegal surveillance. NSO also failed to get the lawsuit by Abdulaziz dismissed. Judge Guy Hyman, in ordering the NSO group to pay the plaintiff’s legal costs, called the case ‘broad, especially in matters of the roots of constitutional values and fundamental rights’.
In 2019, WhatsApp brought an action against the company, claiming that Pegasus had been used to target 1400 user accounts between April and May that year across twenty countries. Among the targets were at least 100 human rights activists, journalists and members of civil society. On 16 July 2020, a US district court judge in California ruled that the lawsuit against NSO could proceed, not being convinced by the company’s arguments that it had no role in targeting WhatsApp’s users. Significantly, he also found that NSO could not cite sovereign immunity as a private company despite acting for foreign sovereign clients.
In July this year, Forbidden Stories, a network of journalists with a mission ‘to protect, pursue and publish the work of other journalists facing threats, prison, or murder’, added more ink to NSO’s already blotted copybook. Central to its work is the Pegasus Project, a collective journalism effort of international significance coordinated by Forbidden Stories and Amnesty International’s Security Lab.
On 18 July, Phineas Rueckert of Forbidden Stories revealed that some 180 journalists had been selected as targets by as many as ten NSO customers across twenty countries. Both Forbidden Stories and Amnesty International were given access to a leak of more than 50,000 records of phone numbers selected by NSO clients for surveillance reasons. Those clients range from the more theocratic, autocratic types (Bahrain, Saudi Arabia) to the democratic (India and Mexico).
In a letter to Forbidden Stories, the NSO Group claimed it could not ‘confirm or deny the identity of our government customers’ for ‘contractual and national security considerations’. Rueckert admits that identifying instances where specific phone numbers were compromised would be difficult in the absence of analysing the device. Amnesty International’s Security Lab did, however, provide assistance to overcome some of these challenges, including ‘forensics analyses on the phones of more than a dozen of these journalists—and 67 phones in total’ that revealed ‘successful infections through a security flaw in iPhones as recently as this month’.
The Pegasus Project is significant for revealing the sheer scale of espionage undertaken using the spyware. One of the phone numbers among the 50,000 records had previously been used by Pakistan’s Prime Minister Imran Khan. To the list could be added a number of ambassadors in India and dozens of Delhi-based diplomats from an assortment of countries: Iran, China, Afghanistan, Nepal and Saudi Arabia.
French ministers—as many as fourteen—were also on the target list, all being of interest to the intelligence services of one of NSO’s clients, Morocco. French President Emmanuel Macron, on discovering that he was also a subject of interest, changed his phone and phone number while demanding ‘a strengthening of all security protocols’.
The NSO response to the Forbidden Stories report was bitchy and defiant. The account, the company challenged, was ‘full of wrong assumptions and uncorroborated theories that raise serious doubts about the reliability and interests of the sources’. There was no evidence, NSO said, that the information gathered on the journalists in question could not have been obtained via different means. ‘The claims that the data was leaked from our servers, is a complete lie and ridiculous since such data never existed on our servers.’
As for the murder of Khashoggi, the narrative cooked up by NSO in the immediate aftermath of his murder was reiterated: ‘We can confirm that our technology was not used to listen, monitor, track, or collect information regarding him or his family members mentioned in the inquiry. We previously investigated this claim, which again, is being made without validation.’
The Pegasus Project has shed more light on the attempt by various governments across the globe to challenge encryption as both principle and practice. They have done so by resorting to the amoral expertise provided by private enterprise. The NSO Group, despite ongoing legal actions, continues to operate with money-minded impunity, even with a policy that supposedly abides by the UN Guiding Principles on Business and Human Rights. WhatsApp’s chief, Will Cathcart, sees the reporting by the Pegasus Project as illuminating and affirming, showing ‘what we and others have been saying for years; NSO’s dangerous spyware is used to commit horrible human rights abuses all around the world and it must be stopped’.