The Guardian • Issue #1978

Cybersecurity – who’s secure? Revelations by the Pegasus Project

Since 2016, Amnesty International’s Security Lab has been involved with a group known as the Pegasus Project to investigate the abuse of more than 50,000 phone numbers, in more than fifty countries, selected for surveillance by customers of the Israeli cybersecurity company, NSO Group – described as a hacker for hire, using Pegasus spyware as a tool for monitoring targeted people.

Agnès Callamard, Secretary General of Amnesty International, stated that “The Pegasus Project lays bare how NSO’s spyware is a weapon of choice for repressive governments seeking to silence journalists, attack activists, and crush dissent, placing countless lives in peril.” She insists that “it’s clear its technology facilitates systemic abuse. They paint a picture of legitimacy while profiting from widespread human rights violations.”

A massive data leak revealed how this company’s spyware has been used to target activists, journalists, and political leaders globally.

The Pegasus Project is a ground-breaking consortium of more than eighty journalists from seventeen media organisations in ten countries. With the technical support of Amnesty International, they conducted extensive forensic tests on mobile phones to identify traces of the spyware.

Their investigation has revealed how once the NSO Group’s Pegasus spyware is installed on a target’s phone, it vacuums up personal and location data and seizes control of the device’s microphones and cameras.

NSO has vigorously denied these accusations and claims its spyware is only sold to “vetted government agencies” and only used for legitimate criminal and terror investigations.

However, Amnesty International maintains the Pegasus malware is so effective it can even hack into the latest versions of Apple’s iPhone operating system. Many well-informed sources are concerned about the countless vulnerabilities linked to Apple’s messaging service iMessage, which they say are worsening.

From the 1,000 phone numbers able to be identified, it has been shown that French President Emmanuel Macron, Pakistan’s Prime Minister Imran Khan, South African President Cyril Ramaphosa, and Moroccan King Mohammed VI are on the list along with hundreds of journalists, politicians, and government officials, as well as at least sixty-five business executives and eighty-five human rights activists.

The leaked data also revealed that some 180 journalists in countries as varied as India, Mexico, Hungary, Morocco, and France had been targeted.

Evidence has emerged that Saudi journalist, Jamal Khashoggi and his family were targeted with Pegasus software before and after his murder by Saudi operatives on the 2nd October 2018, and Amnesty International’s Security Lab has established that Pegasus spyware was installed on his fiancée’s phone four days after his murder.

Such unlawful surveillance is a serious threat to our human rights. How can we ever find out what those in power are doing when investigative journalists are targeted?

In Mexico, journalist Cecilio Pineda’s phone was selected for targeting just weeks before his killing in 2017. The Pegasus Project identified at least twenty-five Mexican journalists were selected for targeting over a two-year period. NSO claimed that even if Pineda’s phone had been targeted, the data collected from his phone would not have contributed to his death.

More than forty Azerbaijani journalists were selected as potential targets according to the investigation. Amnesty International’s Security Lab found the phone of Sevinc Vaqifqizi, a freelance journalist for independent media outlet Meydan TV, was infected over a two-year period until May 2021.

In India, at least forty journalists from nearly every major media outlet in the country were selected as potential targets between 2017-2021. Forensic tests revealed the phones of Siddharth Varadarajan and MK Venu, co-founders of independent online outlet The Wire, were infected with Pegasus spyware as recently as June 2021.

The investigation also identified journalists working for major international media including the Associated Press, CNN, The New York Times, and Reuters as potential targets. One of the highest profile journalists was Roula Khalaf, the editor of the Financial Times.

“The number of journalists identified as targets vividly illustrates how Pegasus is used as a tool to intimidate critical media. It is about controlling public narrative, resisting scrutiny, and suppressing any dissenting voice,” said Agnès Callamard.

“These revelations must act as a catalyst for change. The surveillance industry must no longer be afforded a laissez-faire approach from governments with a vested interest in using this technology to commit human rights violations.”

So where to now? According to The Committee to Protect Journalists, few effective barriers exist to prevent autocratic governments from using sophisticated surveillance technology in an attempt to intimidate or silence a free press.

Following first reports by consortium members in July, the Paris prosecutor’s office is investigating the suspected widespread use of Pegasus to target journalists, human rights activists, and politicians in multiple countries.

Amnesty International Security Lab technologist, Etienne Maynier, now has irrefutable evidence that NSO’s claim that its spyware is undetectable and only used for criminal investigations, is a complete falsehood. He stated that:

“The widespread violations Pegasus facilitates must stop. Our hope is the damning evidence published over the next week will lead governments to overhaul a surveillance industry that is out of control.”

I’m not holding my breath.

Last word to Agnès Callamard – “Until this company and the industry, as a whole, can show it is capable of respecting human rights, there must be an immediate moratorium on the export, sale, transfer and use of surveillance technology.”

The Guardian can also be viewed/downloaded in PDF format. View More