The most invasive surveillance imaginable can be found within your smartphone. Without the user ever noticing it, smartphone spyware technology can access every message or email individuals have ever sent or received, as well as every photo or video ever taken. It can turn on microphones and cameras to record screens or surroundings and even access GPS to monitor locations. According to NSA whistleblower Edward Snowden, smartphones are “worse than a spy in your pockets”, as they can be weaponized by the users who hack them. Currently, unprecedented breaches of privacy are made possible by Pegasus spyware, a flagship software created by the Israeli company ‘NSO group’. The NSO group profits off of this commercial spyware technology by marketing it to governments worldwide. This often creates ample opportunity for the powerful spyware to fall into the wrong hands, equipping repressive governments with the technological ability to threaten democracy and violate fundamental human rights.
In 2016, CitizenLab, an international research lab based at the University of Toronto specializing in data surveillance, was the first to expose the existence of Pegasus spyware. The group discovered an “exploit infrastructure” connected to a phone traced to the United Arab Emirates, leading to the arrest of human rights offender and dissident Ahmed Mansoor. From there, CitizenLab was able to link the malware’s source to the NSO group. Their findings have since sparked worldwide controversy. While the NSO group claims only to sell its spyware to governments approved by Israel with the purpose of helping agencies “detect and prevent terrorism and crime”, its true intentions are unknown and raise a contentious debate. Under the guise of combating violence, the NSO Group has targeted specific individuals, leaving a slimy trail of prisoners and dead bodies.
After gaining considerable media attention, Pegasus spyware was purchased by several governments for their own use. To expose government espionage, a project was spearheaded by French non-profit Forbidden Stories in conjunction with detailed forensics analyses conducted by Amnesty International. This “international investigative journalism initiative”, named Pegasus Project, leaked data revealing at least 180 journalists in countries including India, Mexico, Hungary, Morocco and France, as targets of Pegasus spyware. Over 50,000 phone numbers were found selected for surveillance, including human rights defenders, academics, business people, lawyers, doctors, union leaders, diplomats, politicians, and numerous heads of state. In the published transparency report from June 2021, the NSO group stressed that Pegasus was “not a mass surveillance technology” and was “used only where there [was] a legitimate law enforcement or intelligence-driven reason”. The data, however, depicts a vastly different story.
Targeted Surveillance: A Cause for Global Concern
Pegasus Spyware has been misused by several countries, precipitating a multitude of political implications. Last year, Amnesty International’s Security Lab confirmed that the phones of four Kazakh activists were infected with Pegasus. Hungarian Prime Minister Viktor Orbán’s government was also caught illegally spying on journalists, activists, lawyers, and an opposing politician. This past January, CitizenLab linked a Pegasus spyware operator working exclusively in El Salvador to a potential government hacking scheme involving activists and journalists investigating state corruption. A myriad of other regimes have exploited this power, using it as a tool of oppression to enforce their abusive practices. Evidently, the use of this technology poses a grave threat to democracy and the protection of human rights.
Publicly outspoken women’s rights activists have been disproportionately targeted by spyware. Bahraini human rights defender Ebtisam al-Saegh, who previously faced detention and abuse by interrogators seeking to crush her activism, was hacked at least eight times in 2019. Hala Ahed Deeb, a Jordanian defender of women’s labour rights, likewise saw her phone compromised by Pegasus spyware. In these instances, not only did Pegasus spyware violate the several rights to privacy, freedom of expression, association, and peaceful assembly, but also forced its victims into a state of perpetual anxiety. Fearing that they may expose their friends, family, fellow activists, and victims they work with, the women targeted by this spyware have evidently been intimidated into silence by government culprits.
Through Pegasus spyware, states can access information that enables them to penalize dissenters way beyond their sovereign borders. Fiercely critical of the Saudi regime and the crown prince Mohammed bin Salman, Saudi activist and Washington Post columnist Jamal Khashoggi faced this brutal reality. In 2018, Saudi Arabia’s despotic regime utilized Pegasus spyware to track the Saudi dissident, brutally murdering him inside the Saudi embassy in the Turkish city of Istanbul. Several of Khashoggi’s close friends and family were hacked in the months leading up to and following his assassination. Despite being located within Turkish borders, the Saudi government was able to track Khashoggi’s location in Istanbul. Pegasus spyware makes transnational repression possible, enabling authoritarian governments to transcend geographical boundaries to crack down on critics or activists abroad. Dictatorial governments are able to enforce censorship and compromise freedom of expression on a global scale. Based on the reach of this technology, there is no escape for activists facing government opposition.
The NSO Group has further exacerbated Israel’s tensions with Palestine, suppressing Palestinian voices online. Within the Palestinian social movement, progressive left-wing advocates are systematically harassed. One such activist, Ubai Aboudi, was targeted by Pegasus for his leadership in Bisan, an organization dedicated to documenting and exposing injustices against Palestinians. Aboudi was arrested, leaving his whole family impacted by the immense violation of privacy. In an interview with the president of Foundation for Middle East Peace, Lara Friedman, Aboudi explained the danger of Pegasus potentially making phone calls to terrorist organizations or watching illegal activity without a cell phone user’s knowledge as a means to frame them. For instance, Pegasus spyware could send messages to ISIS members from a person’s cell phone without their knowledge, serving as evidence to indict the user. In this sense, the Israeli government can easily slander or wrongfully accuse powerful activists as a means to tear them down for their own political purposes of weakening Palestine.
Despite promises of keeping Israeli citizens safe from Pegasus, Israel has also subjected its own population to surveillance by the software. Though any police involvement was denied, Pegasus spyware sold under the license of the Israel Ministry of Defense was deployed without a court order. Israeli police were caught spying on anti-Netanyahu activists, mayors, and anti-LGBTQ activists. The technology was not explicitly covered by existing laws, allowing Israeli police officers to exploit a legal loophole. It is alarming to witness the police force seize such invasive spyware, as corrupt policemen may use this technology to abuse their power, posing grave threats to the protection of citizens’ rights.
How Pegasus Hacks & How to Stop It
In the past, Pegasus relied on spearfishing, which required cellphone users to click on a link to activate the hack. The technology, however, has become more advanced operating under a “zero-click attack” system which can exploit a vulnerability in one of the apps in a phone without any interaction. For instance, WhatsApp calls can infect a phone even if a call is not picked up. Once the spyware is in a phone, it has root access to everything in it. It is near impossible to detect this hack as it does not display any viral symptoms. Some researchers suggest the newest version of Pegasus gets saved onto temporary files and will not show up on one’s hard drive. Amnesty International has developed a Mobile Verification Toolkit (MVT) with a source code available on GitHub in order to detect the malware. It, however, is only a viable option for tech-savvy users who suspect they are being tracked by Pegasus. At the moment, the only way to get rid of the spyware is to dispose of a current mobile phone and change the cellular number; a factory reset of a phone will not remove it. As Snowden puts it, NSO’s products are mere “infection vectors” not meant for security purposes: “They’re not providing any kind of protection”. The NSO group doesn’t “make vaccines – the only thing they sell is the virus”.
In response to the hackings, tech companies including Microsoft Corp, Facebook parent Meta Platforms Inc, Google parent Alphabet Inc, and Cisco Systems Inc have all taken action against NSO, both legally and critically. Facebook sued NSO group in 2019 attributing mass WhatsApp hackings to the Pegasus spyware. This past November, Apple followed suit. Harsh disapproval against the NSO group has put individual pressures on them, but a more severe response from the international community is imperative in successfully condemning the group. Despite the FBI purchasing Pegasus in 2019, the US has since taken a harsh stance against the NSO group, black-listing them. No other countries, however, have taken stringent measures to boycott the NSO group. Snowden urges governments to enforce a ban and halt the trade around this technology. As he puts it, the worst is yet to come as it won’t just “be 50,000 targets, it’s going to be 50 million targets, and it’s going to happen much more quickly than any of us expect.”
Though media outrage has overwhelmingly scandalized the NSO group, there are countless others operating silently. The Israeli offensive surveillance industry encompasses an intricate web of hundreds, possibly thousands, of cyber companies. In a concerning trend, Israeli firms closely associated with Israeli military intelligence units are surging. Military, security, and surveillance technology trade are vital to Israel’s ties with the rest of the world. The Israeli army is increasingly training offensive hackers within the military, suggesting more technological tactics of warfare to be incited in the future. As the spyware industry intertwines with the military intelligence global agenda, Israel benefits, creating low incentives to address the spyware abuses they have facilitated.
Moving forward, there must be international regulatory frameworks to impose oversight and transparency on spyware technology groups. This may entail a collaborative international effort to uphold a certain global code of conduct and ensure that rules on lawful interception, or law enforcement agencies’ ability to inspect device users, are made stricter. There is a dire lack of human rights policies and ethical practices surrounding spyware companies. Governments must adopt requirements for spyware use that are consistent with human rights principles and international law. Accountability is necessary, and if the NSO group repeatedly fails to regulate spyware distribution, they must be held responsible for the oppressive acts committed by participating governments.
Featured Image by Blogtrepreneur