We have just learned about a powerful spyware known as Pegasus, manufactured and leased by the Israeli company NSO Group and capable of extracting just about every kind of data stored in a smart phone. The Pegasus Project, a consortium of 17 organizations and individuals, mostly journalists, has acquired a leaked list of 50,000 individuals around the world whose phones may have been hacked, though not necessarily penetrated.
Purportedly developed to track criminals and terrorists, Pegasus is also being widely used to hack into the smart phones of human rights activists, journalists, and their political opponents at home and even abroad.
Who is using Pegasus to track enemies? Only a fraction of the 50,000 hacked phone numbers so far obtained have been examined, but that’s enough to reveal that governments from left to right have made use of Pegasus. Among them: Saudi Arabia, India, and Hungary.
The two people closest to the murdered Saudi journalist Jared Khashoggi, including his widow, are among those whose phones were penetrated. The Modi government in India and the Orban government in Hungary have caused uproars over their use of Pegasus to spy on critics.
Pegagus is also being used against current high-level government officials. Among the people on the list: Three presidents, from France, Iraq, and South Africa; three current prime ministers, from Pakistan, Egypt, and Morocco; and one king (Morocco). That means all of them have been tracked and their private messaging probably collected—though exactly what was culled and who is doing the hacking are uncertain. All these officials refused to turn over their phones for forensic analysis.
There’s a connection between the surveillance industry and lobbying, which I examined a few weeks ago. NSO can only sell its technology with Israeli government approval, which means it must lobby Israel’s defense ministry. And that effort extends to the US. For while NSO maintains that Pegasus will never be used “to conduct cybersurveillance within the United States,” why has it retained a prominent Washington, DC law firm to lobby US officials about NSO’s technology?
It is entirely possible that Pegasus has been used or might yet be used against Americans who, for example, write from home about human rights abuses abroad.
The fact that nothing in a smart phone is safe from Pegasus makes it a weapon, another piece of infowar technology, and all the more insidious for being able to hide within the phone and, even if discovered, be difficult to track.
Just think of all the information a smart phone contains: contacts, passwords, text and email messages, videos, pictures. Planting bugs and wiretapping seem ancient by comparison. A technology like Pegasus conceivably can infect millions of phones anywhere, anytime, giving a government or a gang access to potentially lethal information.
We are nearing the point where technology is driving conflict rather than the other way around. Satellites, drones, spyware, malware, and other forms of cyber attacks—all these enable states to compete and fight at a distance, sometimes (as we have seen with Russian and Chinese hacking gangs) using nonstate actors.
They pose very difficult decisions for individuals on the receiving end. Unless they are government officials, there is no way to retaliate. In the case of Pegasus, its discovery may be sufficient this time around to bring that particular technology down. But it may only encourage others to make a new version that is less detectable.
The fairly obvious solution to cyber attacks is to ban the technology, somewhat the way land mines were banned. In that case, and perhaps in this one, citizen action may work better than relying on the technology’s producer or governments.
But at some point an international cyber security agreement will be necessary. Still, as the Pegasus case shows, you can’t prevent a powerful spyware from getting in the wrong hands and causing inestimable damage.
Consider what the CEO of NSO said: “We understand that in some circumstances our customers might misuse the system.” Surely the understatement of the year. Just recall China’s ubiquitous surveillance system. And the fact that democratic governments are fully capable of misusing the technology—recall that in 2013 the US hacked the phone of Germany’s chancellor Angela Merkel—means that no government and no private company can really be trusted to prevent large-scale abuse.
About the only good news I can report is that management of the fund that controls NSO Group and therefore Pegasus is now being challenged. As The Guardian reports, “Public investors in the private equity firm that owns a majority stake in the Israeli spyware company NSO Group are in talks to transfer management of that fund to . . . a US consulting firm.” Interestingly, the largest of those public investors is the state of Oregon’s public pension fund. Stay tuned.