They keep insisting they don’t do it. But companies such as the Israeli NSO Group are global vendors for regimes,
whatever stripe or colour, for surveillance tools to spy on those they deem of interest. The 2013 revelations by Edward
Snowden that exposed the warrantless world of mass surveillance by entities such as the US National Security Agency and
Britain’s GCHQ caused a global rush towards encryption. Governments, left groping in the dark, sought out private
providers of surveillance devices in an unregulated market. Not only could they get effective spyware; they could do so
at very affordable prices.
The NSO Group was one such provider. It sees its mission was a noble thing, marketing itself as a creator of “technology that helps government agencies prevent and investigate terrorism and crime to save
thousands of lives around the globe.”
The company also emphasises their mission to target those “terrorists” and “criminals” who have gone dark. “The world’s
most dangerous offenders communicate using technology designed to shield their communications, while government
intelligence and law-enforcement agencies struggle to collect evidence and intelligence on their activities.” The group
insists that its “products help government intelligence and law-enforcement agencies use technology to meet the
challenges of encryption to prevent and investigate terror and crime.”
Forbidden Stories, a network of journalists with a mission “to protect, pursue and publish the work of other journalists facing threats, prison, or
murder”, sees things differently. One of the topics that figures prominently in the ranks is the Pegasus project, a
collective journalism effort of global proportion coordinated by Forbidden Stories and Amnesty International’s Security
Lab. Its primary purpose: to expose the depredations of the Pegasus spyware, the golden child of the NSO Group.
Pegasus is a rather vicious thing, enabling those deploying it to access a phone’s contents and remotely access its
microphone and camera functions, turning into a surveillance device. It was given a gloss of notoriety in 2018 when it
was revealed that Saudi dissident Omar Abdulaziz had been one of its victims. Abdulaziz claimed that communications with journalist Jamal Khashoggi, butchered by a Saudi squad of assassins in Istanbul in October
2018, were intercepted by the Saudi authorities because of the spyware. His lawyers argued that the hacking “contributed in a significant manner to the decision to murder Mr. Khashoggi.”
On July 18, Phineas Rueckert of Forbidden Stories revealed that some 180 journalists had been selected as targets by some 10 NSO customers across 20 countries. He begins with the
Azerbaijani investigative journalist Khadija Ismayilova, whose phone was “regularly infected with Pegasus” for almost
three years. Ismayilova was baffled on realising how the security of her phone had been compromised. “I feel guilty for
the messages I’ve sent. I feel guilty for the sources who sent me [information] thinking that some encrypted messaging
ways are secure and they didn’t know that my phone is infected.”
Details are then supplied. Both Forbidden Stories and Amnesty International were given access to a leak of more than
50,000 records of phone numbers selected by NSO clients for surveillance reasons. The clients are a varied bunch, from
those of the autocratic flavour - Bahrain, Morocco and Saudi Arabia – to the more democratic ones, such as India and
Mexico. The NSO Group, in a letter to Forbidden Stories, claimed it could not “confirm or deny the identity of our government customers” for “contractual
and national security considerations”. Rueckert admits that identifying instances where the specific phone number was
compromised would be difficult short of actually analysing the device. But, with the assistance of Amnesty
International’s Security Lab, “forensics analyses on the phones of more than a dozen of these journalists – and 67
phones in total – [revealed] successful infections through a security flaw in iPhones as recently as this month.”
The Pegasus project is significant for revealing the sheer scale of espionage. The Guardian, a participating media outlet, promises to reveal more details about targets that “include lawyers, human rights defenders, religious figures, academics,
businesspeople, diplomats, senior government officials and heads of state.” At this writing, a rather juicy detail has come to light: the potential targeting of French President Emmanuel Macron by Morocco using Pegasus.
The NSO response to the Forbidden Stories report was snootily dismissive. The account was “full of wrong assumptions and uncorroborated
theories that raise serious doubts about the reliability and interests of the sources.” The company ducks the issue by
suggesting that the information gathered on the individuals in question could have been obtained via other services.
“The claims that the data was leaked from our servers, is a complete lie and ridiculous since such data never existed on
our servers.”
As for the murder of Khashoggi, old defences are resurrected. “We can confirm that our technology was not used to
listen, monitor, track, or collect information regarding him or his family members mentioned in the inquiry. We
previously investigated this claim, which again, is being made without validation.”
For an outfit such as the NSO Group, such rebuttals have proven to be meaningless. Twin lawsuits against NSO filed in Israel and Cyprus by a Qatari citizen and by Mexican journalists in 2018 revealed extensive evidence of the
company’s complicity in illegal surveillance. NSO also failed to get the lawsuit by Abdulaziz dismissed, and was ordered to pay his legal costs, with the judge Guy Hyman calling the
case “broad, especially in matters of the roots of constitutional values and fundamental rights”. In 2019, WhatsApp
brought an action against the company, claiming that Pegasus had been used to target 1400 user accounts. For WhatsApp’s
chief Will Cathcart, the Pegasus project reporting revealed “what we and others have been saying for years; NSO’s dangerous spyware is used to commit horrible human rights abuses
all around the world and must be stopped.”
The Pegasus project has shed more light on the government revolt against encryption, one facilitated by private
enterprise. Left unregulated, the NSO Group and its competitors can operate with vigilante disdain and amoral
proficiency. David Kaye, former UN special rapporteur on the promotion and protection of the right to freedom of opinion
and expression, has wisely called for a moratorium on the sale of such spyware, describing an industry “out of control, unaccountable and unconstrained in providing governments with relatively low-cost access
to the sort of spying tools that only the most advanced state intelligence services were previously able to use”.
Control, accountability and constraint have never quite featured in the NSO Group operations manual.
Dr. Binoy Kampmark was a Commonwealth Scholar at Selwyn College, Cambridge. He lectures at RMIT University, Melbourne.
Email: bkampmark@gmail.com