❈ ❈ ❈
Data Leak Exposes Global Surveillance Plot Targeting Journalists and Dissidents
Kenny Stancil
NSO Group, a private Israeli firm that sells surveillance technology to governments worldwide, insists that its Pegasus spyware is used only to “investigate terrorism and crime.” Leaked data, however, reveals that the company’s hacking tool “has been used to facilitate human rights violations around the world on a massive scale.”
That’s according to an investigative report published Sunday by the Pegasus Project, a media consortium of more than 80 journalists from 17 news outlets in 10 countries. The collaborative endeavor was coordinated by Forbidden Stories, a Paris-based media nonprofit, with technical assistance from Amnesty International, which conducted “cutting-edge forensic tests” on smartphones to identify traces of the military-grade spyware.
The Guardian, one of the newspapers involved in the analysis, reported that “Pegasus is a malware that infects iPhones and Android devices to enable operators of the tool to extract messages, photos, and emails, record calls, and secretly activate microphones.” The Washington Post, another partner in the investigation, noted that the tool “can infect phones without a click.”
A massive data leak turned up a list of more than 50,000 phone numbers that, according to the Post, “are concentrated in countries known to engage in surveillance of their citizens and also known to have been clients of… NSO Group, a worldwide leader in the growing and largely unregulated private spyware industry.”
More phone numbers were based in Mexico than any other country, with over 15,000 on the list, “including those belonging to politicians, union representatives, journalists, and other government critics,” the Post noted.
As The Guardian reported: “The phone number of a freelance Mexican reporter, Cecilio Pineda Birto, was found in the list, apparently of interest to a Mexican client in the weeks leading up to his murder, when his killers were able to locate him at a carwash. His phone has never been found so no forensic analysis has been possible to establish whether it was infected.”
Other nations that either had large shares of numbers on the list or were deemed to be potential government clients of NSO include: France, Hungary, Turkey, Morocco, Togo, Algeria, Rwanda, Saudi Arabia, the United Arab Emirates (UAE), Dubai, Qatar, Bahrain, Yemen, India, Pakistan, Azerbaijan, and Kazakhstan.
While “the presence of a phone number in the data does not reveal whether a device was infected with Pegasus or subject to an attempted hack,” The Guardian noted, the consortium believes that “the data is indicative of the potential targets NSO’s government clients identified in advance of possible surveillance attempts.”
Amnesty’s Security Lab analyzed a small sample of phones belonging to activists, journalists, and lawyers whose numbers appeared on the leaked list. Of the 67 phones examined, traces of Pegasus spyware were found on 37 devices, including 23 that had been successfully infected and 14 with signs of attempted hacking.
“NSO claims its spyware is undetectable and only used for legitimate criminal investigations,” Etienne Maynier, a technologist at Amnesty’s Security Lab, said in a statement. “We have now provided irrefutable evidence of this ludicrous falsehood.”
According to the Post:
The list does not identify who put the numbers on it, or why, and it is unknown how many of the phones were targeted or surveilled. But forensic analysis of the 37 smartphones shows that many display a tight correlation between time stamps associated with a number on the list and the initiation of surveillance, in some cases as brief as a few seconds.
The numbers on the list are unattributed, but reporters were able to identify more than 1,000 people spanning more than 50 countries through research and interviews on four continents: several Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials—including cabinet ministers, diplomats, and military and security officers. The numbers of several heads of state and prime ministers also appeared on the list.
Among the journalists whose numbers appear on the list, which dates to 2016, are reporters working overseas for several leading news organizations, including a small number from CNN, the Associated Press, Voice of America, the New York Times, the Wall Street Journal, Bloomberg News, Le Monde in France, the Financial Times in London, and Al Jazeera in Qatar.
The newspaper added that Amnesty found evidence of NSO’s spyware being used by Saudi Arabia and UAE to target the phones of close associates of Post columnist Jamal Khashoggi before and after he was brutally murdered by Saudi operatives in 2018.
“The Pegasus Project lays bare how NSO’s spyware is a weapon of choice for repressive governments seeking to silence journalists, attack activists, and crush dissent, placing countless lives in peril,” Agnès Callamard, secretary general of Amnesty International, said in a statement.
“These revelations,” Callamard continued, “blow apart any claims by NSO that such attacks are rare and down to rogue use of their technology. While the company claims its spyware is only used for legitimate criminal and terror investigations, it’s clear its technology facilitates systemic abuse. They paint a picture of legitimacy, while profiting from widespread human rights violations.”
Callamard emphasized that “[NSO’s] actions pose larger questions about the wholesale lack of regulation that has created a wild west of rampant abusive targeting of activists and journalists.”
“Until this company and the industry as a whole can show it is capable of respecting human rights,” she added, “there must be an immediate moratorium on the export, sale, transfer, and use of surveillance technology.”
NSO, for its part, issued a statement denying “false claims” in the report, including those related to Khashoggi. Attorneys for the company argued that the Pegasus Project’s investigation was based on “wrong assumptions” and “uncorroborated theories.” The company claimed that it is pursuing a “life-saving mission” to stamp out crime.
The Guardian noted that while the consortium “found numbers in the data belonging to suspected criminals… the broad array of numbers in the list belonging to people who seemingly have no connection to criminality suggests some NSO clients are breaching their contracts with the company, spying on pro-democracy activists and journalists investigating corruption, as well as political opponents and government critics.”
According to the Post, “After the investigation began, several reporters in the consortium learned that they or their family members had been successfully attacked with Pegasus spyware.”
In response, Callamard stressed that “the number of journalists identified as targets vividly illustrates how Pegasus is used as a tool to intimidate critical media. It is about controlling [the] public narrative, resisting scrutiny, and suppressing any dissenting voice.”
“These revelations must act as a catalyst for change,” said Callamard. “The surveillance industry must no longer be afforded a laissez-faire approach from governments with a vested interest in using this technology to commit human rights violations.”
The human rights expert demanded that NSO “immediately shut down clients’ systems where there is credible evidence of misuse.” She added that “the Pegasus Project provides this in abundance.”
NSO stated that it “will continue to investigate all credible claims of misuse and take appropriate action based on the results of these investigations.”
Timothy Summers, a former cyber security engineer at a U.S. intelligence agency and now director of IT at Arizona State University, told the Post that Pegasus “is nasty software.” One could use the technology, said Summers, to “spy on almost the entire world population.”
The Guardian noted that the Pegasus Project “will be revealing the identities of people whose number appeared on the list in the coming days.”
Amnesty’s Maynier said that “our hope is the damning evidence published over the next week will lead governments to overhaul a surveillance industry that is out of control.”
(Courtesy: Common Dreams, a US non-profit news portal.)
❈ ❈ ❈
Amnesty International Hits Out at ‘False’ Media Reports, ‘Fully Stands By’ Pegasus Project Data
The Wire Staff
Reports from some websites misquoting, mistranslating and misinterpreting a Hebrew statement issued by Amnesty International Israel on the Pegasus Project and its leaked database have been seized upon by the Modi government in an attempt to discredit the allegation that an official agency in India might have been snooping on journalists and opposition politicians.
In a sharply worded official statement issued on Thursday afternoon in response to what it said where false allegations on social media and inaccurate media stories in relation to the Pegasus Project,” Amnesty International said:
“Amnesty International categorically stands by the findings of the Pegasus Project, and that the data is irrefutably linked to potential targets of NSO Group’s Pegasus spyware. The false rumours being pushed on social media are intended to distract from the widespread unlawful targeting of journalists, activists and others that the Pegasus Project has revealed.”
Amnesty International has said it will issue an English translation of the Amnesty International Israel statement shortly.
The Wire also spoke to Gil Naveh, spokesperson of Amnesty International Israel, who confirmed that the organisation’s Hebrew statement had been wrongly reported by a section of the media in Israel and is being wrongly quoted in English.
Naveh said that Amnesty’s Hebrew statement had described the leaked data at the heart of the Pegasus Project in exactly the same way as the 17 media organisations which are part of the global investigation.
Amnesty International is a part of the project and its technical lab has conducted a forensic examination of 67 phones operated by persons on the database, 37 of which were found to have evidence of a successful or attempted Pegasus hack. Pegasus is military grade spyware sold by the Israeli company NSO Group to vetted governments around the world. The company does not disclose the identity of its customers but the presence of Pegasus infections on the smartphones of journalists, an opposition leader and others is evidence the spyware has been deployed in India by some official agency or agencies.
One of the false stories doing the rounds is that Amnesty says the list of numbers is “indicative” of NSO customers.
Naveh told The Wire this is a mistranslation, and that what he had said in his statement is that this is a list of numbers that the company’s customers’ have expressed interest in, which includes journalists and human rights activists, political rivals, lawyers and so on.
The Amnesty Israel statement had also reiterated what the 17 media partners on the Pegasus Project have been saying about the leaked database, which is that it has never presented this list as “the list of numbers infected with NSO’s Pegasus Spyware”. It said that while some media outlets around the world may have done so,
“Amnesty, and the journalists involved in the investigation, made it clear from the outset in very clear language that this was a list of numbers marked or targeted as numbers of interest for NSO’s customers, who are various regimes in the world.” (emphasis added)
What The Wire and its media partners have been saying from Day 1
In all their reporting, the 17 media organisations involved with the Pegasus Project have stuck to a responsible and cautious description of the database, even if other media organisations that are following the story may have used looser language.
The Pegasus Project consortium has never implied and does not believe that all phone numbers present on the leaked list of 50,000 witnessed infiltration attempts or were successfully snooped upon by governments using the Pegasus spyware.
What the media partners on the project believe it to be is a list of persons of interest selected by clients of NSO Group, or, in other words, possible candidates for surveillance.
There are multiple takeaways from our investigation of the database of phone numbers.
First, among those that were verified and identified by media partners, a majority of them fall in countries in which experts have in the past identified Pegasus infections and the active functioning of a Pegasus operator.
Second, and more importantly, the forensic analysis of 37 phones from the list shows in most cases a strong correlation between the time a phone number appears in the leaked records and the beginning of surveillance. The gap usually ranges between a few minutes, or a couple of hours. In some cases, including forensic tests conducted for two India numbers, the time between a number appearing on the list and the successful detection of a trace of Pegasus infection is just seconds.
Third, some of the persons notified by WhatsApp in 2019 about a Pegasus attack on their phones also appear in the leaked database, with date and time stamps which match the period that WhatsApp identified.
While not all phones whose numbers were verified could undergo forensic analysis – for a number of reasons, which are laid out in our FAQ – the above-mentioned correlation suggests that for a small cross-section of numbers, their presence on the list was linked to specific targeting and snooping by a client of the NSO Group.
❈ ❈ ❈
Pegasus Reports Highlight Need for Better Regulation of Spyware: UN Rights Chief
The Wire Staff
United Nations humans rights chief Michelle Bachelet has issued a statement on the revelations brought forth by the Pegasus Project, a consortium of 17 organisations from across the world, including The Wire. The project has revealed how governments in various parts of the world, including India, may have been using spyware developed by the Israeli company NSO Group to gain access to citizens’ phones and other devices.
The numbers on a leaked list of potential targets of Pegasus clients includes human rights defenders, journalists, politicians, businesspersons and others.
“Revelations regarding the apparent widespread use of the Pegasus software to spy on journalists, human rights defenders, politicians and others in a variety of countries are extremely alarming, and seem to confirm some of the worst fears about the potential misuse of surveillance technology to illegally undermine people’s human rights,” Bachelet said in a statement.
“Various parts of the UN Human Rights system, including my own Office, have repeatedly raised serious concerns about the dangers of authorities using surveillance tools from a variety of sources supposed to promote public safety in order to hack the phones and computers of people conducting legitimate journalistic activities, monitoring human rights or expressing dissent or political opposition.”
The UN human rights chief said that “Journalists and human rights defenders play an indispensable role in our societies, and when they are silenced, we all suffer.”
Bachelet also said that companies like the NSO Group have the responsibility to ensure their spyware is not used to harm human rights. “Companies involved in the development and distribution of surveillance technologies are responsible for avoiding harm to human rights. They need to take immediate steps to mitigate and remedy the harms their products are causing or contributing to, and carry out human rights due diligence to ensure that they no longer play a part in such disastrous consequences, and avoid being involved in similar future scenarios.”
“These reports also confirm the urgent need to better regulate the sale, transfer and use of surveillance technology and ensure strict oversight and authorisation. Without human rights-compliant regulatory frameworks there are simply too many risks that these tools will be abused to intimidate critics and silence dissent,” Bachelet continues.
(Courtesy: The Wire.)
❈ ❈ ❈
A Test for Pegasus – and Indian Democracy
M.K. Venu
This saga started with 50,000 cell phone numbers in a database received by Forbidden Stories and Amnesty Technology Lab. They approached media in 16 countries to verify names and, if possible, send system ‘images’ of suspect phones to be tested for Pegasus.
Normally, and quite understandably, most citizens would hesitate to subject themselves to such a test, like I was. But for a larger cause, my colleague Siddharth Varadarajan and I sent digital images of our phones to be tested. The rest, as they say, is history. It appears that media personnel must bear an unusually heavy burden, now that authoritarian governments think they can silence them. High technology has made high surveillance possible.
But now, we have a window of opportunity, as rights groups arm themselves to detect surveillance, understand it and check it. Governments cannot continue to snoop, without pushback. We must urge other citizens in the list, across countries, to help in this process and volunteer to have their phones checked. Actually, testing for Pegasus was a small fraction of the process of scanning for illegal surveillance. This process needs to expanded for more people on the leaked list; a process that can only happen if people allow their data to be analysed. And at some stage, it must even become a universal practice, a development that Amnesty International hopes will happen with the release of its mobile verification toolkit.
Forbidden Stories, the Paris-based non-profit news platform, also contacted partner media across countries via secure communication platforms, to mitigate risks for investigative journalists across borders. It is important for citizens to familiarise themselves with the processes followed by Amnesty Technology Lab and Toronto-based Citizen Lab, whose efforts have helped to expose the privacy breach. Perhaps this exercise must become an ongoing one, since governments around the world remain in denial about the illegal use of Pegasus-like spyware.
The Israeli NSO Group has publicly and repeatedly said it sells Pegasus spyware only to “vetted governments” and expects them to use it for specific national security and criminal investigations. This makes it even more important to shine the light on transgressions that some governments are committing, deviously imposing blanket surveillance on some of its citizens. Why are constitutional authorities, judges and journalists being selected as possible candidates for surveillance? NSO maintains that it only supplies software to governments, and has no role in operations. With the leaked list of phone numbers, it is very legitimate to ask: what exactly is the ‘division of labour’ between NSO and governments that buy its spyware?
We knew this was coming. The Ministry of Electronics and Information Technology and WhatsApp had a conversation in 2019, when a Pegasus security breach was first confirmed by WhatsApp. WhatsApp said that it notified the government about 121 compromised phones. The government first tried to duck, saying that WhatsApp had not informed it about a privacy breach targeting Indian activists, lawyers and journalists. WhatsApp categorically stated that it had alerted the government twice, in May and in September, 2019. Responding to a notice from the IT Ministry, WhatsApp attached both the vulnerability notes it filed in May and its letter of September. The government eventually confirmed that it did receive the September intimation from WhatsApp about Pegasus targeting 121 Indians. Stubbornly, The Indian Express reported, the ministry claimed the letter was “still too vague” to be alarming.
The first alarm bell rang in India on October 31, 2019, but eventually, nothing happened. There was no probe, and the government sat tight, hoping perhaps that it would blow over. In fact, it went on to draft very aggressive and restrictive IT Intermediary Guidelines in December 2019, covering social media platforms, to fully control the digital conversation.
This is where we stand after two years, and there’s more information to be unveiled.
When governments pretend they know nothing about illegal hacking on such a massive scale, they hack democracy. We must be the antivirus that prevents it. We must keep speaking. and make ourselves heard. To be silent is to be complicit, to consent to this violation of democracy itself. It is a crime against the nation, committed by the state.
(Courtesy: The Wire.)
