Last week a consortium of journalism outlets and NGOs dropped a bomb of cross-border journalism. According to a leaked list of 50,000 names, at least ten of the world’s authoritarian regimes have been spying on their own citizens, using cutting-edge surveillance software developed by an Israeli security firm called NSO Group.
The software, dubbed Pegasus, used malware to give governments practically unlimited access to a surveillance target’s phone, with new hacking techniques that left victims with practically no way of knowing they were being monitored.
Once it has wormed its way on to your phone, without you noticing, it can turn it into a 24-hour surveillance device. It can copy messages you send or receive, harvest your photos and record your calls. It might secretly film you through your phone’s camera, or activate the microphone to record your conversations. It can potentially pinpoint where you are, where you’ve been, and who you’ve met. (Guardian)
The ten countries are known for various degrees of human rights abuses, but the scale of unlawful surveillance was still stunning. (The countries: India, Hungary, Morocco, United Arab Emirates, Dubai, Saudi Arabia, Azerbaijan, Bahrain, Kazakhstan and Mexico.)
The list of numbers belonged to dozens of freelance and legacy news journalists (including a journalist from Mexico who was murdered under mysterious circumstances), activists, citizen investigators and even a number of heads of state, including French Prime Minister Emmanuel Macron and the King of Morocco.
India appears to be one of the most prolific abusers, monitoring opposition party members like former Congress leader Rahul Gandhi, a member of the Supreme Court, a top virologist, journalists, activists and even members of Prime Minister Narendra Modi’s own right-wing Bharatiya Janata Party.
Saudi Arabia’s appearance on the list is not totally surprising, but the reporting that Jamal Khashoggi’s fiancee was monitored using Pegasus software in the days leading up to his murder is chilling.
Nevertheless, for people living and organizing in Europe, the appearance of Hungary on the list must be the detail that raises the most questions. If Hungary could flagrantly violate the European privacy and human rights laws and get away with it, what does it say for the other countries in the EU? Will Fidesz finally face some consequences?
The consortium of reporters could only confirm Pegasus infection on phones that they could forensically examine themselves, meaning the actual scale of surveillance is still not clear.
Reporting is still coming out daily, but there are a few big questions that are especially relevant for journalists, activists and organizers.
How could NSO not know their product was being used for evil?
NSO Group has denied that they keep any kind of list like the massive leak that kicked off the Pegasus Project. In fact, they deny that they keep tabs on clients whatsoever, saying that they license software and then have no further insight into how their products are used. These denials make very little sense, for several reasons.
First, NSO claims that each client they license to is thoroughly vetted for human rights violations in cooperation with the Israeli Ministry of Defense. Now, Israel is not exactly the standard bearer for human rights, but even so, the countries on the client list are infamous for harassing, imprisoning, and in one case, dismembering journalists. If Hungary, India and Saudi Arabia passed the human rights test, just how low was that bar?
Even so, they claim that they would stop selling to countries who abuse their software. But if they don’t monitor how their software is used, how exactly would they find out about such abuse? Were they relying on the very journalists being surveilled and harassed to discover abuse of their products?
Where did the NSO list come from?
“The list of 50,000 phone numbers has nothing to do with us.”
Founder and CEO of NSO Group (Haaretz)
NSO has denied making the list, or possessing any list like it. But who else would have had a global overview of each of their clients’ surveillance targets? In some cases, Pegasus Project journalists were able to compare a time-stamp of when people’s numbers were added to the list with the attempt to infiltrate the phones, and showed they were within seconds of one another. Who could have access to information like that, other than someone who worked at NSO?
NSO has suggested the list might have been something governments used for “other purposes”, which is maddeningly vague, but again, makes no sense. If you had a surveillance “wish list” for one country, one might assume the leak somehow came from the Security Agency of that country. But having access to hundreds of government surveillance targets spread across the world is incredibly valuable intel.
And if they are lying about whether or not they monitor the use of their software, does that mean they ultimately had access to all the information accessed? And who might they have shared that information with?
NSO employees apparently earn upwards of $30,000 per month, meaning they have strong incentives not to undermine their employer. Could the leak come from someone the data was shared with? Or was someone able to spy on the spyware firm?
Who else was using NSO technology?
NSO is just one of many such spyware firms, so the fact that certain governments were not on the list does NOT mean they weren’t using similar types of spytech. In addition, the Pegasus Project only revealed ten of NSO’s clients, when there are reported to be around 40. So who else is illegally spying on their citizens, or has the power to do so?
EU Commission head, Ursula von der Leyen, responded to the reporting with verbal condemnation:
“What we could read so far, and this has to be verified, but if it is the case, it is completely unacceptable. Against any kind of rules we have in the European Union.”
Nevertheless, the government of Hungary has suggested that some of their European Union allies employ similar tactics:
Have you asked the same questions of the governments of the United States of America, the United Kingdom, Germany or France? In the case you have, how long did it take for them to reply and how did they respond? Was there any intelligence service to help you formulate the questions? (WaPo)
It could be a tactic to distract and deflect. But Germany has used controversial spyware in the past (albeit, possibly lawfully), and it defies belief that some of the wealthiest and most powerful countries in the world do not have access to such spytech, simply because they weren’t on the Pegasus Project list. How could Hungary possess technology that, say, the UK or Germany would not?
Is Germany boycotting Israeli products?
Which leads to our final question: If Germany was not using Israel-based NSO’s brand of spyware, but that of a different country, is it because they knew it was being misused by authoritarian regimes? And if that’s the case, weren’t they basically boycotting Israeli products over human rights concerns?
Inquiring minds and ice cream companies would love to know.