Preventing terrorism is often used as the valid reason for states to engage in surveillance of some individuals or organisations. However when that surveillance invades the privacy of journalists or civil society actors then not only does it break security laws designed to protect, it also undermines trust in the wider institutions of governments. It used to be the mantra of IT departments everywhere not to click on the unknown email link, but now that step is not even needed to access phones, messaging apps and emails. How safe are we in a digital world?

This week the tip of a very large data security iceberg was revealed when Paris-based NGO Forbidden Stories and Amnesty International exposed the use of Pegasus spy software that was supposed to only be available to vetted governments for specific use. 

The investigative reports published by Forbidden Stories and Amnesty International, in collaboration with international media organisations including the Guardian newspaper, was based on their investigation of a data leak involving over 50,000 phone numbers. Pegasus, NSO Group’s spyware which was developed over a decade ago with the help of Israeli ex-cyberspies, has been employed by several states to target human rights activists, journalists, lawyers, and political leaders globally.

Reports of the leaked records show that since 2016, NSO Group’s government clients have been selecting phone numbers for surveillance. Forbidden Stories and Amnesty International explained that while the data indicates intent of surveillance, it does not necessarily reveal whether there was a successful attempt to infect the targeted phones with Pegasus spyware.

Pegasus spyware works by infecting iPhones or Androids, enabling operators to access messages, emails, photos and videos, as well as activating the device’s microphone and camera without the knowledge of the user. The spyware was developed in a way that allows it to easily circumvent smartphone privacy measures such as encryption and even strong passwords.

NSO Group’s response:

NSO Group has always maintained that their spyware does not have access to the data of its customers’ targets and in their official response to the allegations they stated:

“NSO Group has good reason to believe that claims that you have been provided with, are based on misleading interpretation of leaked data from accessible and overt basic information… there can be no factual basis to suggest that a use of the data somehow equates to surveillance.”

The group insists that Pegasus was only ever meant for use against serious criminals and terrorist, stating that their systems are being used to:

“…break up paedophilia rings, sex and drug-trafficking rings, locate missing and kidnapped children, locate survivors trapped under collapsed buildings, and protect airspace against disruptive penetration by dangerous drones.”

Evidence from the leak however tells a different story. Agnès Callamard, Secretary General of Amnesty International commented:

“While the company claims its spyware is only used for legitimate criminal and terror investigations, it’s clear its technology facilitates systemic abuse. They paint a picture of legitimacy, while profiting from widespread human rights violations.”

The targets of surveillance:

As part of their investigation, Amnesty International examined 67 smartphones where surveillance attacks were suspected. Out of the 67, 23 phones were successfully infected by Pegasus spyware and 14 showed signs of attempts. The tests were inconclusive for the remaining 30 phones since in several cases the handsets had been replaced.

Furthermore, evidence revealed that the selection of individuals for surveillance was mainly carried out by ten governments. These were identified as Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates. Among those infected by the spyware are activists, business executives, politicians, heads of state, Arab royal family members, and over 180 journalists from organisations including the New York Times, CNN, and Al Jazeera.

Several activists from Azerbaijan appear in the leaked data, some of which found their intimate pictures and personal messages published online or on television, a clear violation of their human rights. In addition, writers and lawyers from India who have been campaigning for low-caste citizens as well as indigenous communities had their phone numbers published in the data.

Furthermore, the data shows that in Mexico, a large number of campaigners and human rights defenders were selected for possible targeting. This included Eduardo Ferrer Mac-Gregor Poisot, former president of the Inter-American court of human rights, as well as Alejandro Solalinde, a catholic priest who campaigned for migrants’ rights.

Concerningly, the leak also revealed attempted surveillance of human rights lawyers such as Rodney Dixon who’s clients included Hatice Cengiz, fiancée of the murdered Saudi journalist Jamal Khashoggi. Dixon commented:

“No one should be targeted in this fashion. For lawyers it is particularly concerning as it violates the fundamental principles of lawyer-client privilege and confidentiality, which are central to fair and just legal proceedings.”

The misuse of NSO Group’s Pegasus spyware is a clear violation of human rights and demonstrates the rising numbers of threats and challenges faced by those who try to campaign for the rights of others. This exposure again raises the question of who is in control of this environment, who can stop this type of abuse and how can people protect themselves from such invasive surveillance. If there is impunity for state actors and a lack of cohesive international action to bring them to account, then this behaviour will continue unchecked to the detriment of society.