Posted in Global Affairs

The Pegasus Spyware Scandal: Revelations, repercussions, and a need for new regulations

As our lives are transposed into a virtual world running parallel to our own, we can no longer hide from the grim realities of a digital age. Nor, as the revelations of the past weeks show, can we always hide from the penetrating gaze and telescopic reach of governments.

On 18 July 2021, an exposé was released detailing an unprecedented leak of more than 50,000 phone numbers from more than 50 countries across four continents. The numbers were identified as possible targets for surveillance by government clients of a piece of military-grade spyware: Pegasus.

Pegasus was created by the Israeli company, NSO Group, which sells to military, law enforcement and intelligence agencies in 40 countries. Its stated aim is to enable clients to “investigate terrorism and crime to save thousands of lives around the globe.”

To this end, Pegasus is a powerful tool, perhaps the most powerful piece of spyware ever developed by a private company. Pegasus can compromise phones running either iOS or Android, originally by tricking the target into tapping a malicious link and, more recently, through "zero-click" attacks that exploit a flaw in the phone's software without any action by the user.

Once installed, Pegasus can extract anything on the device, including texts, emails, GPS data, calendar entries, contacts, photos and videos, and transmit it to the attacker. Because it runs on the phone itself, it reads messages from end-to-end encrypted apps after the app has decrypted them, so the encryption offers no protection once the device is compromised. It also allows the attacker to operate the phone remotely, recording calls and activating the camera or microphone. In short, any terrorist or criminal with a Pegasus-infected phone is toast.

However, the leaked data reveal that governments largely weaponised these considerable capabilities, not against terrorists or criminals, but against people with no evident links to terror or crime.

The Pegasus Project—an investigative consortium of 17 media organisations in 10 countries coordinated by Forbidden Stories, with technical support from Amnesty International’s Security Lab—revealed that numbers on the leaked list of potential targets for surveillance included human rights defenders, lawyers, academics, business people, doctors, union leaders, dissidents, diplomats, politicians and several heads of state.

To note, the presence of a phone number in the data does not show that a device was infected or attacked by Pegasus; only a forensic examination of the handset itself can establish that. The list is nonetheless indicative of the targets NSO's client governments identified before potential surveillance attempts. Forensic analysis conducted by Amnesty's Security Lab found traces of Pegasus infection or attempted infection on 37 of the 67 phones examined from the list, just over half; the results for the remaining phones were inconclusive, and Amnesty noted that Android devices retain fewer of the logs on which its method relies.

The consortium’s analysis identified at least 10 governments believed to be NSO clients: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates.

Alongside over 180 journalists, some of the best-known names include 15 current or former heads of state, such as French President Emmanuel Macron, President Imran Khan of Pakistan, and Cyril Ramaphosa of South Africa. Prominent opposition politicians such as former Congress President Rahul Gandhi also feature on the list.

The leaked numbers are connected to some of the most shocking stories of the past few years. The findings suggest that the Saudi government used NSO's spyware to pursue people close to Jamal Khashoggi, before and after his murder. Forensic analysis shows that the phone of his fiancée, Hatice Cengiz, was first infected with Pegasus a mere four days after his death.

The governments of Rwanda, Hungary, Morocco and India vehemently deny abusing Pegasus spyware, with the Indian government responding that the allegations have “no concrete basis or truth associated with [them] whatsoever” and accusing the report of being a “fishing expedition” designed to “malign the Indian democracy and its institutions.”

The United Arab Emirates, Dubai, Saudi Arabia, Azerbaijan, Bahrain, Kazakhstan and Mexico did not respond to requests for comment by the Pegasus Project.

NSO Group, too, denies all allegations. Its statements call the 50,000 number “exaggerated” and claim that “there can be no factual basis to suggest that a use of the data somehow equates to surveillance.” The company said NSO would “continue to investigate all credible claims of misuse.”

NSO emphasises that its products are sold only to “vetted” governments. The company’s Transparency and Responsibility Report, released in June, claimed it had an industry-leading attitude to human rights and that Pegasus was “not a mass surveillance technology”, but only used with “a legitimate law enforcement or intelligence-driven reason.”

The report contained excerpts from contracts stating that clients must use the products only for criminal and national security purposes. NSO's customers may well have used Pegasus for such investigations, but the prevalence of numbers on the list belonging to people with no conceivable link to criminality suggests that governments are breaching their contracts. Governments might argue that their targets nonetheless fall within NSO's stipulated categories, and that argument exposes the real problem: the terms of use for such powerful technology hinge on terms as vague and subjective as "national security", which any government can stretch to cover its critics.

This leaves us in a bind when it comes to accountability. Some would point the finger at the governments disregarding their agreements with NSO, wielding Pegasus against those they deem capable of challenging their hold on power. Others may bemoan the failure of regulation in the private malware market, facilitating governmental abuse—if not fostering the perfect conditions for it. Others will blame NSO. How credible can a vetting system be that deems the record of, say, the Saudi government, consistent with the use of spyware in a way that respects the rights of dissidents?

Whomever we hold responsible, the Pegasus spyware scandal has made several things clear: the scale of surveillance is massive, anybody can become a target, and—most importantly—the problem is not going to disappear on its own.

The Pegasus Project reveals the sheer scale of unmonitored, unregulated state surveillance. Many of those targeted had committed no crime, nor had they spread terror—unless we consider political dissent a crime, or activism terror. The reality sinks in even deeper when we consider that Pegasus is only a single tool offered by just one of dozens, if not hundreds, of spyware vendors worldwide.

The industry is not a new one. But the National Security Agency (NSA) documents leaked by Edward Snowden in 2013 gave it a boost by revealing America’s electronic surveillance capabilities, pushing other states to obtain similar technologies. It also triggered the widespread encryption of web traffic and messaging, making mass surveillance harder.

Demand for Pegasus and similar tools to sidestep new obstacles is one motor driving the privatised government surveillance industry. Three other factors indicate that, unless we change the game, this kind of spyware—and the abuse to which it is prone—are going nowhere.

Firstly, smartphones continue to gain importance to their users, giving actors further incentives to attack them and turning the owners of these devices into victims. Secondly, each product and OS release sees smartphone manufacturers append new features to existing wares. But each additional layer of complexity provides a potential chink in a product's armour, which can be exploited by actors searching for an entry point; the zero-click attacks described above work in exactly this way, targeting code that processes an incoming message before the user ever sees it. Thirdly, the global regulatory framework for commercial hacking tools is about as bulletproof as gossamer, and it is a long, long way from becoming the Kevlar it increasingly needs to be.

To change the game, the most feasible option is to rewrite the rules. Governments, or international regulatory bodies, must control the export of spyware if we are to continue living in a world, or preserve parts of it, where the relatively powerless can speak truth to power without losing their right to privacy and even fearing for their lives. 

Existing frameworks controlling the export of commercial and military technology should be beefed up. Particularly relevant is the Wassenaar Arrangement, a multilateral export-control regime for conventional arms and dual-use goods and technologies. It has listed "intrusion software" among controlled items since 2013, but it is not binding on its own: each participating state decides how to implement the controls in national law. According to Professor David Kaye, former UN special rapporteur on freedom of expression, the arrangement should be updated to cover spyware that is used to attack human rights, and all governments would have to commit to implementing globally agreed export controls.

But coming to an international agreement is notoriously slow-going, and painfully so in cases of preventing flagrant abuse. Prof Kaye presented a report to the UN in June 2019, calling for an immediate moratorium on the transfer of spyware until rigorous international controls are drawn up.

Edward Snowden made a similar argument when commenting on the first revelations from the Pegasus Project. According to Snowden: “If you don’t do anything to stop the sale of this technology, it’s not just going to be 50,000 targets. It’s going to be 50 million targets, and it’s going to happen much more quickly than any of us expect.”

Asked how people might protect themselves, he replied: “What can people do to protect themselves from nuclear weapons? There are certain industries, certain sectors, from which there is no protection, and that’s why we try to limit the proliferation of these technologies. We don’t allow a commercial market in nuclear weapons.”

Image description: Secret agent in tuxedo against a backdrop of computer code. Illustration credit: Khadijah Ali.