Pages

23 July 2021

The Spyware Tool Tracking Dissidents Around the World

Isaac Chotiner

On Sunday, a group of seventeen media organizations launched the Pegasus Project, a series of articles investigating the Israeli surveillance company NSO Group. The consortium of journalists, which works in conjunction with Amnesty International and the French nonprofit Forbidden Stories, found that dissidents, human-rights workers, and opposition politicians around the world have been tracked by an NSO Group spyware tool called Pegasus. Among the thousands of people targeted were reporters at the Times, political opponents of the Indian Prime Minister, Narendra Modi, and the two women closest to the murdered Saudi dissident Jamal Khashoggi.

One of the newspapers involved in the Pegasus Project is the Guardian. Its lead reporter on the series is Stephanie Kirchgaessner, who has written extensively about surveillance as the paper’s U.S. investigations correspondent. We spoke, by phone, on Monday morning, after the first wave of stories was released. (They will continue to be published throughout the week.) During our conversation, which has been edited for length and clarity, we discussed how the story came together, why the spyware industry remains so unregulated, and what role the Israeli government played in allowing this to happen.

The Guardian story that you published says very clearly that authoritarian governments were behind this surveillance. Some of the other stories, from other news organizations, say that the spyware was sold to authoritarian governments, but don’t actually say they know who used it. How certain are you that this is the work of governments specifically?

We do know that the NSO Group only sells to governments, and there has been a body of research before this project that has identified the countries that we believe are clients. Some countries deny that they are clients, but we have overwhelming evidence from groups like Citizen Lab. So we have known since 2016, for example, that the U.A.E. is a client of the NSO Group. Saudi Arabia, as well. And then there are other countries in our coverage this week. Rwanda adamantly denies that they are a client of the NSO Group, but we see Rwandans all over the world who are being targeted with this technology. So we feel comfortable naming those countries as clients.

The NSO Group saying that it only sells to governments puts the group into a logical pickle, because it implies that the governments are the ones doing the spying. But do we feel certain that the NSO Group is being honest about this, and really only does sell to governments?

I would say there is one anomaly, which is Mexico, where we think there were various actors who might have had access to the technology. [In a statement to The New Yorker, NSO Group said it exclusively licenses its technology to “vetted governments.”] And there are countries where there are various clients within the country. It is as if the F.B.I. were one client and the C.I.A. were another. I am not saying they specifically are—we have no evidence of that. It’s just an example of how you could have different clients within the same country with a different focus or emphasis.

So, in an authoritarian government, it wouldn’t necessarily just be the dictator or leader of the country. There could be multiple agencies within the government.

Yes. By the end of this week, you will see a situation where there is an authoritarian leader who we think used it for very personal reasons, to target his own family. It’s quite personal.

How did this consortium and these stories come together?

My colleague in New York, Martin Hodgson, got a call from Forbidden Stories, which is this organization that takes up stories from journalists who are killed or threatened and gets huge journalistic consortiums together to pursue them. I had worked with them before on the Daphne Caruana Galizia story, in Malta. It was all very secretive. We had to be very careful with our communication, because of the subject matter, which is surveillance. We were told the basic information about the project and were asked to come to Paris, where all these media partners would gather and hear the full details. So we went to Paris with a good idea, but we didn’t have access to the data at that point. And then we met all of our colleagues, including the Washington Post.

When you are referring to “the data,” you are referring to the list of fifty thousand or so phone numbers?

Yeah. So, in Paris, we had access to a list of records of phone numbers. We believe that those phone numbers are indicators of the individuals who were potential targets of the surveillance by NSO clients.

Do you have a sense of how Forbidden Stories got these records? And what made you certain they were a list of numbers that NSO clients may have been spying on?

I can’t answer the first question, I’m afraid. And the second question—once we had access to this list, we could identify a significant number of those phone numbers. You had journalists from all over the world, and people who have tons of contacts. You would just match them, and a lot of numbers were found out that way, in countries like India, for example, and Mexico. We had a technical partner on this project, the Amnesty International tech lab, and once we had identified many of those numbers we started carefully approaching individuals who were on the list and asking them if they would let us do forensic examinations on their phones. And that yielded results where we see a very high correlation in the phones that were tested between being on that list and hacks or attempted hacks using Pegasus malware.

Just to clarify something: When you said you could not answer the first part of the question, is that because you don’t know or because it is privileged information?

I just can’t answer it—and that’s all I have to say. I’m sorry.

It’s O.K. Can you talk a little bit about the spyware industry, and if there are any regulations on it?

The NSO Group has been my area of focus in terms of surveillance companies. There are others. Israel is really one of the leading makers of this kind of spyware. And, in Israel, you see a lot of intelligence officials who deal with spyware who then go into private industry. David Kaye, who has looked into this very closely in his previous role with the United Nations, would call it an “unregulated industry,” which means there are no rules globally, really, for how this technology is sold or how it can be used. There are countries who are attacking citizens in other countries with spyware, and hacking their phones. That can go against domestic laws, but it is being used regardless.

In other ways, NSO specifically is a regulated company, and, by that, I mean it goes through a licensing process with the Israeli government, and specifically the Ministry of Defense, which has to approve the export of this weapon, Pegasus, to other countries. Israel says it vets the clients that NSO sells to. And NSO says that. They also get a marketing license to market their product and sell it to other countries.

So, just to clarify: According to NSO and Israel, taking them at their word, if NSO is selling this to the Hungarian or Saudi regimes, that would be something approved by the Israeli government?

Absolutely. Up until this point, people who cover this industry or this company have known that Israel has some oversight over the licenses that are sold. But, I think, by the end of the week, there is going to be scrutiny of Israel that we have not seen to date, and especially of the previous government, because they were in charge at the time when most of our stories take place.

Your stories include some governments that are objectively unelected and authoritarian, such as Saudi Arabia, as well as governments, like India and Mexico, which are democracies and that have elected parliaments and so on. Has the NSO Group been asked about selling this technology to explicitly authoritarian governments?

They don’t talk about specific clients, and you will never really get them to talk about specific clients, so it’s very convenient for them. They can say that they judge a country’s human-rights record before they decide to sell. And then you say, ‘Well, in what universe does Saudi Arabia or the U.A.E. pass a human-rights test?’

And what’s the response to that?

The response to that is we can’t possibly talk about our clients.

There have been stories, going back well before the creation of your journalistic consortium, about Mexican journalists and dissidents being spied on. What did we know before these stories, and what do we know now?

In Mexico, there were quite a lot of stories about the abuse, and the New York Times did a very good job reporting on that, using the research of Citizen Lab. There were stories of journalists being targeted, and there’s just a lot more detail about the scale of that espionage. Mexico was the NSO Group’s first client, and there’s a real sense that it was just a laboratory, with all sorts of people fighting against one another. [In a statement to The New Yorker, NSO Group declined to identify any of its customers.] And the penetration in all areas of society is just breathtaking. Everyone around the current President was spied on.

The current President, Andrés Manuel López Obrador, who came to office a couple of years ago. He was in the opposition until then, correct?

Yeah. Everyone around him was being spied on during his candidacy.

What was Citizen Lab able to figure out before your stories? And what did you know coming into the stories? Because there were hints about stuff like this for a long time.

I’ve done a ton of work on the NSO Group in the last few years, with the help of Citizen Lab. They have really been the gold standard for reporting on this issue. They uncovered some major cases, beginning in 2016, where you had this U.A.E. dissident, Ahmed Mansoor, who alerted Citizen Lab to some bad text messages that he had been sent, and they discovered that those were attempts to hack him. Citizen Lab put out a report about that, and he was [arrested] a year later. That report showed the extent to which this very sophisticated tool was not just going to be saved for heads of state. It was also going to be deployed against people who were activists and dissidents. And I think, in some ways, the fact that a tool like this is deployed against them shows the ways they’re seen as a real threat, and the same is true of journalists. I think sometimes, as journalists, we don’t always appreciate that our work makes the lives of some governments very, very difficult—maybe even more than we realize. We are seen as a high target to snoop on.

But Citizen Lab, going back, has been able to map many of the likely government clients of the NSO Group. Over the years, they’ve just done more and more. And then, in 2019, we saw a big breakthrough, and Citizen Lab will say it was a pretty eye-opening moment, when WhatsApp reported that fourteen hundred of its users had been targeted with Pegasus and then sued the NSO Group. That lawsuit is ongoing. And the reason that Citizen Lab says it was a watershed moment was because it showed the capabilities of the NSO Group—people, in that case, were targeted with malware through simply having a missed call on their phone. There was literally nothing you had to click. It was just a missed call.

Your story refers to authoritarian governments, but some people who were targeted lived in countries like the United States or France. Are we to assume that the people targeted in these countries were targeted by third-party countries?

The NSO Group says that Pegasus does not work against U.S. numbers, and they’re very adamant about that. And yet we do see some in the data—a small handful compared with the tens of thousands, but still significant. One thing that we will be reporting by the end of the week is that there is an authoritarian government that asked for special permission to target a Western country’s phone numbers. So our understanding is that this is a tool that is not just used domestically by these authoritarian governments. Even before the Pegasus Project came out, we’ve had evidence that Rwanda, for example, has targeted people living in Europe and the U.K. It’s absolutely used as a tool of suppression against people around the world. And that’s what makes it really scary.

There’s also a very well-known case of a Saudi dissident living in Canada, a friend of Jamal Khashoggi, who was targeted with Pegasus by Saudi Arabia before Khashoggi was killed. This is one of the main issues with this spyware. You have dissidents, people who have escaped regimes that they’ve lived under, and they’re living in democracies. And yet that foreign government they’ve escaped from is essentially sitting on their phone.

You said that the NSO Group doesn’t target American +1 phone numbers. If they are making certain distinctions about who they will or won’t target, why would they not also say they’re not going to target Indian journalists or Mexican journalists? It’s a little confusing.

What they say is, well, we have no visibility into what our clients are doing. We can just tell you that we do not target U.S. phones. And I think the reason they don’t target U.S. phones is because that would just be seen as messing with the wrong country.

That’s what I was hinting at. It’s quite the rule to say we’re not going to target American phones because America is a big, powerful country, but, if you’re a dissident or an opposition politician in India or Hungary, you might be fair game.

Right. And, by the way, it’s not just like dissidents in any other country and Western countries are fair game, but so are Americans. If you’re an American with a +44 U.K. number, or you have a number anywhere in Europe, there’s no special protection. That is not a U.S. phone, and, as far as I know, there is no protection. You definitely have evidence of Americans, especially journalists, who live in other countries and have been targeted.

Is it the same type of people targeted in every country, essentially journalists and dissidents?

There are similarities, for sure. Across the board, there are journalists, but what you’re going to find by the end of the week is that we also have heads of state in the data. I think the story that will emerge this week is the extent to which this technology is used as a tool for both domestic and foreign espionage. In the recent India story, we see the targeting, by Modi’s government, of political rivals, so that’s pretty serious.

Has there been a larger conversation about regulating this stuff internationally? I think you referred to Pegasus as a “weapon.”

Yes, there are definitely people who refer to it as a weapon, because it goes through the export-license process by the [Israeli] Ministry of Defense.

And there are international systems for regulating certain kinds of weapons, however haphazard or filled with double standards the processes are. Is there a conversation about some mechanism for regulating this?

My great hope is that there will be by the time we are done.

Thank you, Stephanie. I hope some government will not publish this audio before we publish the transcript.

Oh, we’re safe in America.

No comments:

Post a Comment