Should private companies be allowed to create and sell, as commercial products, digital spying tools with capabilities that equal or exceed those built by some of the world’s most sophisticated national surveillance agencies?
After another flurry of revelations this month about the misuse of Israeli company NSO Group’s Pegasus software – powerful malware that has been used to hack the personal devices of politicians, officials, journalists, activists and human rights defenders – the answer should be no. And if a “no” cannot be agreed, then at the very least, not without the urgent introduction of strict international controls, scrutiny and monitoring.
This should be especially clear now at this fragile point in 21st-century history, at a moment of devastating conflict in Ukraine balanced on the fine edge of global conflagration, and after ongoing military and humanitarian tragedy in so many other parts of the world.
Pegasus is marketed by NSO Group for use only against "serious crimes and terrorism". That's a phrase far too familiar now in the defence of many questionable surveillance initiatives by governments all across the globe, including in Ireland. All too often, surveillance is used well outside of those supposed restrictions. And so the evidence indicates with Pegasus, too.
It emerged in recent weeks that Israel blocked a sale of Pegasus to Ukraine, worried it might anger Russia
Designed to take advantage of the capabilities of modern phones as powerful computing and communication devices, Pegasus gives broad access to information held on a phone. Once installed, the software can reveal a phone’s messages, emails, media, passwords, voice calls (including over encrypted messaging apps), location data and contacts. Pegasus also enables a phone’s microphone and camera to be controlled remotely.
Currently, a Pegasus sale to any client must be vetted by the Israeli government. In January, the New York Times said that Israel was leveraging its Pegasus gatekeeper role, claiming the government's "ability to approve or deny access to NSO's cyberweapons has become entangled with its diplomacy". Meanwhile, it emerged in recent weeks that Israel blocked a sale of Pegasus to Ukraine, worried it might anger Russia.
Investigation
In several reports verified by internationally recognised digital forensics organisations, Dublin-based international human rights group Front Line Defenders has revealed how Pegasus has been used against human rights defenders from many countries, including Palestinians, Jordanians and Bahraini activists and lawyers.
A comprehensive investigation last year into the NSO Group by more than a dozen media organisations in an initiative called the Pegasus Project, revealed the sheer scale of the improper use of Pegasus. Working off a leaked list of more than 50,000 phone numbers selected by NSO clients since 2016, the project noted that phone numbers of top EU ministers and officials – including Emmanuel Macron and much of his cabinet – were on the list, as well as those of journalists, human rights defenders and lawyers.
Being on the list was not an indication that a person’s phone had actually been hacked, and NSO Group has always denied all allegations of improper usage by clients. But numerous forensic investigations have exposed the software’s digital traces on devices belonging to individuals who should never have been targeted under the supposed restrictions placed on its use.
Front Line Defenders has long argued that world leaders must address the problem of such powerful surveillance tools being up for sale on the open market
Critics and forensic analysts have argued that even if clients have been vetted, other malicious users seem nonetheless to have got hold of Pegasus and deployed it, or that some governments are using it against targets in ways that violate restrictions on its use. Certainly, past example shows that malware, including some created by US security agencies, inevitably leaks out into the wider wild web of use.
Adding to the growing body of Pegasus evidence, just last week, Front Line Defenders revealed that Pegasus was on the phones of five Jordanian activists and lawyers, and expressed particular concern that several victims were women, who for many reasons, are more vulnerable targets than men.
Catastrophic
Then on Monday, Reuters disclosed that, last year, several senior European Commission officials were targeted with Pegasus.
Perhaps the current crisis in Ukraine will finally bring home to more people and governments just how catastrophic such hacking tools are in the wrong hands. Evidence certainly points to alarming misuse well outside of NSO Group’s own stated client and usage restrictions.
Front Line Defenders has long argued that world leaders must address the problem of such powerful surveillance tools being up for sale on the open market.
Mohammed Al-Maskati, digital protection co-ordinator at the group, told me: “I believe that companies should bear moral responsibility as well as legal responsibility regarding the sale of dangerous electronic weapons such as Pegasus, which are used by some totalitarian regimes to target their opponents or human rights defenders.”
He added: “These deals must be subject to periodic review and accountability, as well as to international review by the international community to ensure that they respect human rights.”
World governments must come together to better delineate the uncrossable lines for such tools, if they are to remain on the market, and institute a unified framework through which all use can be carefully monitored. Or, agree to ban them outright.