In the summer of 2021, a collaborative network of journalists and NGOs published the report “The Pegasus Project,” unveiling the use and misuse of spyware technology. The scale of surveillance that was uncovered by a major data leak shocked the public: a list of 50,000 phone numbers infected with the software that monitors every activity on a targeted person’s smartphone. It included well-known journalists in countries such as Poland, Hungary, and Azerbaijan, but also less obviously, in France, the Netherlands, and the United Kingdom, to name just a few examples.

Now, one might argue that some of the targeted journalists in countries already struggling with press freedom would not have been surprised to find out that their work and even their private lives were under close observation by authorities – however unethical and contrary to democratic principles this practice is. Yet in the same leak published in the Pegasus Project, independent experts and researchers identified the phone numbers of high-ranking state officials such as France’s President Macron and some of his cabinet members. Another targeted person was the chief police commissioner of Istanbul who led the investigation on Saudi journalist Jamal Khashoggi’s murder in Saudi Arabia’s Istanbul consulate – a killing that triggered worldwide condemnation and horror. Khashoggi’s wife and one of his closest associates were also being surveilled with Pegasus via their smartphones.

Not only are states using the spyware to fight terrorism, as they usually claim to do when questioned about Pegasus, but also to spy on foreign government officials. The French newspaper Le Monde’s piece about Moroccan agents spying on French President Macron’s smartphone provoked a diplomatic crisis in an already tense relationship between the closely linked countries which, quite understandably, harmed trust and confidence between the two countries. As much as Pegasus empowers law enforcement, it also comes with a high level of risk to vital bilateral relations, as this example proves. The Moroccan authorities surely did not appreciate their spying activities going public, especially since a fifth of all leaked phone numbers were allegedly registered into the Pegasus system from Moroccan soil.

After having investigated Pegasus’s customers and victims, where does this leave the Israeli group NSO Technologies, the outfit which provides the software? Which principle do they apply when clients order? How does the tool work? Let’s first dive into the technical details of the software.

Decrypting privacy: a lucrative hack and a blow to democracy

In order to gain access to encrypted applications such as WhatsApp, Telegram, email, calendar, etc., the phone’s system core must first authorise the decryption of the app and the contained information and functions. Pegasus can do this with a so-called “zero-click attack,” which enables the spyware to infect the phone’s system. An example of a zero-click attack is a “missed call” notification that the user opens without having to click any further links. This coding method is called “sandboxing.”

Even though Google and Apple advertise rewards for researchers uncovering security gaps, they cannot compete with the astronomical sums offered by private companies such as NSO or Zerodium, a British-American hacking group that bid up to 2.5 million USD to individuals developing “zero-click attack sandboxing.” For the research of the Pegasus Project, experts from Hidden Stories and Amnesty International compared the operating systems of infected phones with those of non-infected phones. They noticed traces of code disguised as ordinary iOS or Android code in which Pegasus made almost invisible replacements, e.g., the number 0 with the letter O or a small l with a capital I. Experts tested 48 of the 50,000 phones on the leaked infected numbers list. All the devices showed evidence of Pegasus and matched the additional data accessible to the journalists. This was proof of the existence of the large-scale surveillance which was leaked to the research collaboration. The results of these tests were also confirmed by the independent Citizen Lab of the University of Toronto, Canada.
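The near-invisible substitutions described above (0 for O, small l for capital I) can be checked for mechanically by comparing observed names against a known-good baseline after collapsing each lookalike pair to one character. The following Python sketch is an added example, not code from the article or from the researchers' tooling; every name in it is constructed sample data.

```python
# Added example: flag names that differ from a known-good name only by the
# lookalike swaps the article mentions (digit 0 / letter O, small l / capital I).

# Map each confusable pair onto one canonical character.
CANON = str.maketrans({"0": "O", "l": "I"})

# Constructed sample data (not real iOS/Android names, not real indicators).
BASELINE = {"DemoIOAgent", "samplelogd", "exampleupdated"}
OBSERVED = ["DemoIOAgent", "DemoI0Agent", "sampIelogd", "unrelatedd"]


def skeleton(name):
    """Collapse confusable characters so visually similar names compare equal."""
    return name.translate(CANON)


def find_lookalikes(observed, baseline):
    """Return (observed, legitimate) pairs where the observed name is not in
    the baseline but looks identical to a baseline name after normalisation."""
    by_skeleton = {}
    for legit in baseline:
        by_skeleton.setdefault(skeleton(legit), []).append(legit)

    hits = []
    for name in observed:
        if name in baseline:
            continue  # byte-for-byte match: this is the genuine name
        for legit in sorted(by_skeleton.get(skeleton(name), [])):
            hits.append((name, legit))
    return hits


if __name__ == "__main__":
    for seen, legit in find_lookalikes(OBSERVED, BASELINE):
        print(f"{seen!r} imitates {legit!r}")
```

The exact-match check comes first so that genuine names are never flagged; only names that are visually equivalent but not identical are reported.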

NSO uses the global fight against terror to justify the sale of its spyware. The company was founded in 2010 by three friends who met during their service in the military intelligence body “Aman” of the Israel Defense Forces. The export of the firm’s software is subject to regulations that are monitored by the Israeli Ministry of Defense; therefore, its customers must be approved by the Israeli authorities and comply with national security interests. The company states that it strictly respects human rights and privacy laws and that it does not use Pegasus to limit the freedom of expression. It further claims to constantly review contracted clients and potential breaches. Following the investigations around the murder of Saudi journalist Jamal Khashoggi, NSO cancelled its contract with Saudi Arabia. Most recently, NSO has been blacklisted in the United States while Apple and Facebook are suing the company in US courts to ban NSO from using Apple software or devices for its operations. American officials justified the decision as a means of promoting human rights values as a vital part of US foreign policy.

States’ desire to increase control and surveillance is understandable considering security problems worldwide, such as the fight against extremist terrorism or drug cartels. However, once the software falls into the hands of autocratic regimes, it gives the state an unprecedented power to observe its own citizens. The temptation to go beyond simply monitoring suspected criminals is huge, especially for states with very low or suppressed democratic checks and balances. This poses a serious threat to press freedom and journalistic principles. Journalists must be able to communicate incognito in order to keep their sources and themselves safe. What is more, Pegasus is featured on an international list of cyber weapons. Authorities show a disrespect for the freedom of expression and democratic values when they use an espionage tool against individuals who are committed to the progress and development of their own society. A government spying on a foreign country’s officials harms trust and destabilises bilateral relations, as described in the case with Morocco and France. The illicit use of Pegasus by some governments diverts its intended function to tackle security problems and instead creates an atmosphere of surveillance and control which is unhealthy for any society.

Written by Benedikt Stolberg; Edited by Stefan Bartl; Photo Credit to Lianhao Qu, Unsplash