Yesterday, the Guardian’s Pegasus Project revealed how governments worldwide have used—or have considered using—the Pegasus malware to spy on journalists, lawyers, activists, and other innocent people.
Edward Snowden has described the Pegasus Project as the “story of the year.” So what is Pegasus—and how significant are these revelations?
What is Pegasus?
Pegasus is a spyware product developed by Israeli software firm NSO Group, designed to help governments and law enforcement spy on mobile phones.
Once installed on a phone, Pegasus is a very powerful spying tool. The software can harvest photos, record calls and messages (including encrypted messages), turn on a camera or microphone, monitor device location, and more.
Pegasus can be covertly installed on any iOS or Android device using crude phishing methods or more sophisticated “zero-click” techniques.
In October 2019, Facebook sued NSO, alleging that the company was using WhatsApp to secretly inject Pegasus onto people’s phones.
(It’s worth noting that, two years before this lawsuit, Facebook allegedly approached NSO as a potential customer. Facebook wanted an iOS workaround to collect more data about iPhone users.)
Why is this software allowed?
NSO Group says it only works with “licensed government intelligence and law-enforcement agencies.” The firm says its products are used exclusively for activities like finding missing children, rescuing disaster victims, and preventing terrorism, pedophilia, and drug trafficking.
According to the company’s Human Rights Policy, NSO Group has contracts with its clients requiring them to “limit the use of the company’s products to the prevention and investigation of serious crimes…” and not to “violate human rights.”
However, evidence suggests that some governments have been attempting to use Pegasus for more nefarious purposes.
What is the Pegasus Project?
The “Pegasus Project” is an investigation into how governments may have been using Pegasus.
The project began when French NGO Forbidden Stories approached the Guardian with a trove of leaked data, consisting of over 50,000 phone numbers. The group believed it had discovered a list of potential targets of the Pegasus spyware.
The Guardian will be revealing some of the owners of these phone numbers throughout this week. The list reportedly includes human rights activists, lawyers, business executives, and academics.
Were all these people actually spied on?
It’s important to note that the data doesn’t reveal whether all these devices were actually infected with Pegasus. Indeed, it’s not clear whether NSO Group approved the deployment of Pegasus on these devices.
But the investigators believe that each phone number on the list belongs to someone that a government considered spying on.
Journalists working on the project have described how they prevented their own devices from being monitored throughout their investigation. One journalist said he would place his phone between two mattresses to prevent it from being used to record his conversations.
Does that sound paranoid? Perhaps not. Over 180 journalists—including those working for the Wall Street Journal, CNN, and the New York Times—were among the potential candidates selected as spyware targets.
What does NSO say about this?
NSO strongly denies that the numbers on the list necessarily belong to potential Pegasus surveillance targets.
The firm says that the investigators are misinterpreting the data, some of which comes from Home Location Register (HLR) lookup services. But an HLR lookup, which confirms whether a phone is contactable, could be the first step in a surveillance attempt.
What are the implications of these revelations?
Edward Snowden—who, in 2013, was responsible for one of the most significant state surveillance data leaks of all time—described the Pegasus Project as the “story of the year.”
While the Pegasus investigation is highly significant, it doesn’t appear to be as earth-shattering as Snowden’s revelations about the U.S. National Security Agency (NSA)’s vast surveillance operations.
Unlike the full extent of the NSA’s spying apparatus, Pegasus was already well-known. What we have here is a list of people who were potential targets for highly intrusive surveillance.
Pegasus is very powerful spyware that arguably should not exist. NSO Group, however, would argue that the software is justifiable in the context of preventing terrorism and serious crime.
The big news here is that ordinary people are on this list—not just suspected terrorists, pedophiles, and drug traffickers.
The governments allegedly implicated by this investigation include Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates.
Many of these states have questionable human rights records—but there are some surprises. Perhaps most notable is the presence of Hungary—an EU Member State, but one whose government has repeatedly been accused of breaching the EU’s democratic values.
Tools like Pegasus are sold as a way to fight crime—and, indeed, they can be very useful for law enforcement agencies.
But it’s clear that states also want to use software like Pegasus to spy on journalists, activists, and other innocent people.
It’s important to remember the lessons from the Pegasus Project when debating whether governments should have a backdoor into people’s phones—or whether the police should be allowed to use facial recognition to catch criminals.
These revelations remind us that we should always consider how surveillance tools can be used—not just how they should be used.