The parliament of Spain’s autonomous region of Catalonia is located on the edge of Barcelona’s Old City, in the ruins of a fortified castle built by King Philip V to control the wild local population. Hundreds of Catalans’ forced labor created the court, and the castle’s structures and gardens are a reminder of oppression for many. The majority of Catalan parliamentarians today support the independence of the region, which the Spanish government deems unconstitutional. In 2017, as Catalonia prepared for its independence referendum, Spanish police arrested at least twelve separatist politicians. Despite the low turnout rate, on the day of the referendum, which received the support of ninety percent of the voters, hundreds of civilians were injured in the police raids on the polling stations. Independence movement leaders, some of whom live in exile in Europe, now meet privately and communicate via encrypted messaging platforms.
One afternoon last month, the pro-independence member of the European Parliament, Jordi Solé, met with digital security researcher Elies Campo in one of the ornate chambers of the Catalan parliament. Solé, forty-five and wearing a loose-fitting suit, handed over his cell phone, a silver iPhone 8 Plus. He was getting suspicious messages and wanted to have the device analyzed. Thirty-eight years old, soft-tongued, and black-haired, Campo was born and raised in Catalonia and supported independence. He spent years working for WhatsApp and Telegram in San Francisco but recently moved to his home country. “In a way, I feel like it’s some kind of mission,” Campo told me. He is currently a researcher at Citizen Lab, a research group at the University of Toronto that focuses on high-tech human rights abuses.
Campo collected activity logs, including crashes Solé’s phone had suffered, then ran special software to look for spyware designed to work invisibly. While waiting, Campo searched the phone for evidence of attacks in various forms: some via WhatsApp or S.M.S., which appeared to have come from known individuals. It comes as messages; some require clicking a link, and others work without user action. Campo detected an ostensible notification from the Spanish government’s social security agency that uses the same format as the malware links Citizen Lab found on other phones. “With this message, we have evidence that you were hacked at some point,” Campo explained. Soon after, Solé’s phone vibrated. The screen reads, “This phone has tested positive.” “There are two confirmed infections,” Campo told Solé in June 2020. “In those days, when your device was infected, they took control of it, and they probably stayed on it for several hours. They were downloading, listening, recording.”
Solé’s phone was infected by Pegasus, a spyware technology designed by Israeli firm N.S.O. Group that can extract a phone’s contents, access texts, and photos, or activate its camera and microphone to provide real-time surveillance – revealing secret meetings, for example. Pegasus is useful for law enforcement looking for criminals or authoritarians looking to suppress opposition. Solé was hacked weeks before he joined the European Parliament to replace a colleague jailed for his pro-independence activities. “There’s a clear political and judicial persecution of people and elected representatives using these dirty things, these dirty methodologies,” Solé told me.
More than sixty phones belonging to Catalan politicians, lawyers, and activists in Catalonia, Spain, and Europe were targeted using Pegasus. This is the most extensive recorded set of forensically documented attacks and infections of this type. Among the victims are three members of the European Parliament, including Solé. Catalan politicians believe Spanish authorities are likely perpetrators of the hacking campaign, and Citizen Lab’s analysis shows that the Spanish government is using Pegasus. A former N.S.O. employee confirmed that the company has an account in Spain. (Governments did not respond to requests for comment.) Citizen Lab’s research results are presented for the first time in this article. I interviewed more than forty people who were targeted, and the conversations revealed an atmosphere of paranoia and insecurity. Solé said: “This type of surveillance in democratic countries and democratic states is incredible.”
[Support The New Yorker’s award-winning journalism. Subscribe today”]
Commercial spyware has become an industry estimated to be worth twelve billion dollars. It has mainly become unregulated and increasingly controversial. Research by Citizen Lab and Amnesty International in recent years has examined politics under oppressive regimes.
Does the government spy on citizens?
The Washington Post has started publishing a series of research called Project Pegasus, describing governments’ widespread use of digital surveillance worldwide. Reports reveal how powerful governments have used software provided by Israeli firm NSO Group to hack citizens’ smartphones, monitor their communications, and sometimes obtain incriminating information as the prelude to the assassination.
This is not a new story – for those of us who keep a close eye on these issues, the prevalence of spyware has been an ongoing problem for years. But Project Pegasus is helping us better understand how widespread these practices are. Nearly 50,000 phone numbers are on a surveillance hack list, including company executives, human rights activists, journalists, politicians, and government officials. These people come from at least fifty countries.
Steven Feldstein is a senior fellow in Carnegie’s Democracy, Conflict and Governance Program and focuses on democracy and technology, human rights, and US foreign policy.
While NSO Group insists that its products are primarily used by law enforcement to combat legitimate crime, information uncovered by the newspaper’s research indicates that NSO Group’s technology frequently targets individuals unrelated to crime or terrorism. It has become clear that the human rights cost of NSO Group’s spyware far outweighs national security considerations.
THREE LESSONS FOR POLICYMAKERS
What can we make of these developments, and what steps should policymakers take in response?
First, the proliferation of spyware is a common problem that democracies do not take seriously. The consequences of providing authoritarian governments with powerful surveillance tools have been dire – citizen safety has been compromised, activists have been jailed, and journalists killed over this spyware. However, other democratic countries, including Israel and the United States, not only condoned the use of spyware but also tacitly supported these sales by approving export licenses. Regarding the private surveillance industry, NSO Group’s operations represent the tip of the iceberg. From Chile to Vietnam, at least sixty-five governments worldwide have purchased commercial spyware surveillance tools (see Table 1 for a few examples), as I write in my book The Rise of Digital Printing and document in a publicly available global spyware database. Related companies such as Cellebrite, FinFisher, Blue Coat, Hacking Team, CyberPoint, L3 Technologies, Verint, and NSO Group are headquartered in the world’s most democratic countries, including:
Second, the Pegasus Project demonstrates the high cost of business with authoritarian leaders. By ignoring the effects of spyware produced in democratic countries and sold to autocrats, the United States and its allies have undermined the human rights causes around the world. Some experts argue that under President Joe Biden, the United States made a mistake by forcing a foreign policy doctrine that “unnecessarily divides the world into good and bad” and that Biden should avoid drawing “a bright line between dictators and democrats.” But Project Pegasus tells us that new technology is increasing the cost of doing business with autocrats. While the United States should be realistic about cooperating with authoritarian regimes on specific issues, US decision-makers should refrain from emphasizing human rights issues in these relationships. Suppose there’s one thing we’ve learned from the stumbles of former President Donald Trump’s administration. In that case, it’s that when the US ceases to support democratic values, authoritarians perceive it as a signal that they can act with greater impunity. The result is the encouragement of wrong behavior and the diminishing of US credibility and influence. The NSO Group spyware story reinforces how bad the world can be, especially how outrageous measures autocrats can take to consolidate their power.
Third, Project Pegasus exposes a foreign policy fallacy: China is mainly responsible for exporting authoritarian technology to bad actors. While China bears an essential responsibility in modeling to other states how digital technology can be used to control their citizens, and Chinese companies have supplied a significant portion of exports to abusive regimes, Chinese firms are far from the only ones providing repressive tools to autocrats. They face stiff competition from companies established in democracies. Recent examples include the Canadian company Sandvine, which provides censorship technology to Belarus and Egypt; French Nexa Technologie, selling internet surveillance equipment to Libya and Egypt
Does the US government use Pegasus spyware?
This is a critical case for digital espionage technology. Security researchers have uncovered evidence that Pegasus software, produced by Israel-based cybersecurity company NSO Group, has been attempted or successfully installed on the phones of activists, human rights workers, journalists, and business people. These individuals appear to be the target of covert surveillance by software aimed at helping governments track down criminals and terrorists, and more Pegasus infections are emerging as the months go by.
According to a report by Citizen Lab, a Canadian security organization affiliated with the University of Toronto, published in July, it was revealed that Pegasus had infected the phones of at least 30 Thai activists. Apple warned those whose phones were infected with the virus in November.
To thwart such attacks, Apple has placed a new Lockdown Mode in iOS 16, the upcoming iPhone software update towards the end of 2022, and the upcoming macOS Ventura.
The New York Times reported in January that although the CIA and FBI are Pegasus clients, the US government is one of the most potent forces to emerge against Pegasus. The US Department of Justice launched a criminal investigation after a whistleblower said NSO Group was offering “a sack of money” for sensitive cell phone data from US technology firm Mobileum, The Guardian reported in February. The spyware was found on the phones of at least nine State Department officials in Uganda or dealing with matters related to the African country, Reuters and The New York Times reported in December.
Pegasus is the latest example of how vulnerable we are to digital espionage. Our phones store most personal information, including photos, text messages, and emails. Spyware can directly reveal what’s going on in our lives by bypassing the encryption that protects data sent over the internet.
Pegasus has been politically explosive, putting Israel under pressure from activists and governments concerned about software misuse. In November, the US federal government took a much more decisive step, blocking the sale of US technology to NSO and placing the company on the government’s Entity List. The NSO suspended some countries’ Pegasus privileges but tried to defend its software and the controls it attempted to enforce over its use. NSO Group did not respond to a request for comment, and the Justice Department declined to comment.
Here’s what you need to know about Pegasus.
What is NSO Group?
It is an Israel-based company that licenses surveillance software to government agencies. The company says Pegasus software provides a valuable service because its encryption technology allows criminals and terrorists to stay “in the dark.” The software works covertly on smartphones, shedding light on their owners’ actions. Other companies also provide similar software.
Hulio founded the company in 2010. NSO also offers other tools to detect where a phone is being used, defend against drones, and extract law enforcement data to see patterns.
NSO has also been involved in other hacking incidents in previous reports and lawsuits, including the 2018 hack of Amazon founder Jeff Bezos. A Saudi dissident sued the company in 2018 for its role in hacking a device belonging to journalist Jamal Khashoggi, who was killed at the Saudi embassy in Turkey that year.
The New Yorker’s report includes some details about the inner workings of NSO Group: The claim that Pegasus resembles military equipment that countries routinely sell to other countries, the company’s tight ties with the Israeli government, and its recent financial difficulties. It was also revealed that NSO employees hung a detailed Google analysis of Pegasus’ attack mechanism on the wall, concluding that NSO’s capabilities “rivaled those previously thought to be accessed by only a handful of nation-states.”
The NSO Group did not comment specifically on the Thai activists but explained to the Washington Post: “Politically motivated organizations continue to make unverifiable allegations against NSO.”
What is Pegasus?
Pegasus is NSO’s best-known product. According to the Washington Post, it can be set up remotely without the surveillance target needing to open a document or website link. Pegasus discloses everything to NSO customers that control it, such as text messages, photos, emails, videos, and contact lists, and it can record phone calls. According to the Washington Post, it can also secretly open the phone’s microphone and cameras to create new recordings.
What is the purpose of government surveillance?
To understand this problem, we must consider state surveillance as a means of enforcing the law. The primary purpose of state surveillance is to get people to comply with the law by ensuring that those who do not comply are legally prosecuted and creating an environment of deterrence.30 This section examines the idea that a fundamental problem with state surveillance is that the government can be used to enforce laws (or, more broadly, government policies) that it has no right to enforce. Edward Snowden claims in his autobiography that.
For example, a world where all pet ownership laws or all zoning laws governing household businesses are fully automated would be intolerable. Extreme justice can turn into extreme injustice, not only in terms of the severity of the punishment for a violation but also in how consistently and comprehensively the law is enforced and prosecuted.
This observation is important and accurate. One problem with comprehensive government surveillance is that we should only want some laws to be consistently and thoroughly enforced and prosecuted. Thus, the problem of state surveillance is closely related to the more general crisis of political legitimacy. This criticism of surveillance is not a criticism of surveillance in and of itself. Surveillance is a tool used to obtain what is allegedly objectionable. This point is well understood. I stated at the beginning that my discussion was more general, and therefore I hoped it would interest academics who have nothing to do with surveillance. But it is also true that the rise of state surveillance has made concerns about legitimacy particularly salient and relevant. It enables the “consistent and thorough enforcement and prosecution of the law” in a way that, until recently, states could only dream of. This is why Snowden’s concern quoted above is not “off-topic,” and it is appropriate to discuss issues of legitimacy below.
Political legitimacy refers to a government’s moral right to pass and enforce laws. Footnote32 Understanding, the ethical significance of government oversight requires understanding the conditions that must be met for coercive government action to be legitimate. Although most people, political theorists, and the laity accept the legitimacy of democratic governments, it should be clear why government actions need legitimacy. Essentially, the problem of political legitimacy is that government actions are coercive. Government orders are backed up by punishments one cannot disobey because one is compelled to obey. The person can refuse to pay a fine, decide not to go to a court hearing, or continue to drive after their license is revoked. But at the end of the chain of sanctions (typically), there is a prison sentence, and the person is ultimately forced to go there using physical force.
It is morally essential for the government to rely on the threat of physical force and imprisonment because it constitutes a severe pro tanto wrong that needs moral justification. Indeed, in non-political settings, people are highly reluctant to condone or personally resort to physical coercion, even to achieve desired ends. Most people would be horrified at private individuals using physical force to enforce policies that governments think they have the perfect right to implement. For example, they would be horrified if a private individual extorted money for charitable purposes by threatening to use physical force to lock their neighbor in the basement. Are needed. This need for justification also carries over to government oversight, which is part of the state’s coercive apparatus. The primary purpose of state surveillance is to ensure compliance with the law and facilitate the prosecution of violators.
One group of people who should find state surveillance objectionable are libertarians and anarchists who, emphasizing the evils of physical coercion, believe that the scope of legitimate state action is too limited or, indeed, zero. Footnote34 They should endorse state surveillance only for implementing the set of policies that governments can legitimately implement, which for them is too small. Or it is empty. From a libertarian or anarchist point of view, the observation that there is anything objectionable in an institution that is an instrument of law enforcement is trivial. Footnote35 Also, libertarianism and anarchism are minority views.
What is this Pegasus?
End-to-end encryption is a technology that encrypts messages on your phone and decrypts them only on recipients’ phones, meaning letters cannot be read by anyone intervening. Dropbox, Facebook, Google, Microsoft, Twitter, and Yahoo are among the companies that use end-to-end encryption for their apps and services.
This type of encryption is suitable for protecting your privacy. Still, governments don’t like it because it makes it harder to spy on people, whether tracking criminals and terrorists or spying on dissidents, protesters, and journalists, as some governments do. NSO Group, an Israeli technology firm, stepped in.
The company’s flagship product, Pegasus, is spyware that can sneak into a smartphone and access everything, including the camera and microphone. Pegasus is designed to infiltrate devices running Android, Blackberry, iOS, and Symbian operating systems and turn them into surveillance devices. The company says it only sells Pegasus to governments and to track criminals and terrorists.
HOW IS IT WORKING
Earlier versions of Pegasus were installed on smartphones through vulnerabilities in widely used applications or spear-phishing, which involves tricking the targeted user into clicking a link or opening a document that secretly installed the software. It can also be set up via a wireless transceiver near a target or manually if an agent can steal the target’s phone.
Since 2019, Pegasus users have been able to install the software on their smartphones with a missed call on WhatsApp and even delete the record of the missed call, making it impossible for the phone owner to know that something is wrong. Another way is to send a message to the user’s phone with no notifications.
This means that the latest version of this spy software does not require the smartphone user to do anything. All that is needed for a successful spyware attack and installation is a specific vulnerable application or operating system installed on the device. This is known as a zero-click exploit.
Once installed, Pegasus can collect all kinds of data from the device and transmit it back to the attacker. It can steal photos, videos, recordings, location logs, communications, web searches, passwords, call logs, and social media posts. It also can enable cameras and microphones for real-time surveillance without the user’s consent or knowledge.
WHO USES PEGASUS, AND WHY
NSO Group says it only produces Pegasus for use by governments in counterterrorism and law enforcement efforts. The company markets Pegasus not for mass surveillance but as a targeted espionage tool to track criminals and terrorists. The company does not disclose its customers.
The Mexican government’s earliest reported use of Pegasus was in 2011 to track down notorious drug lord Joaquín “El Chapo” Guzmán. It was reported that the vehicle was also used to monitor people close to the murdered Saudi journalist Jamal Khashoggi.
It needs to be clear who or what people were targeted and why. However, most of the latest Pegasus news centers around 50,000 phone numbers. The list is attributed to NSO Group, but the source of the list is uncertain. A statement from Amnesty International in Israel said the list included phone numbers marked as “interesting” for several of NSO’s clients. Still, it is still being determined whether any of the phones associated with the numbers were traced.
Sign up for Scientific American’s free newsletters.
A media consortium called Project Pegasus analyzed the phone numbers on the list and identified more than 1,000 people in more than 50 countries. The findings also included individuals outside of NSO Group’s restrictions on investigations into criminal and terrorist activities. These include politicians, government workers, journalists, human rights activists, business executives, and members of the Arab royal family.
OTHER WAYS YOUR PHONE CAN BE TRACKED
Pegasus is breathtaking with its privacy and ability to take complete control of a person’s phone, but that’s not the only way people can be spied on via their phones. Some ways phones can aid surveillance and harm privacy include location tracking, eavesdropping, malware, and data collection from sensors.
Governments and telephone companies can track a phone’s location by monitoring cell signals from cell tower transceivers and cell transceiver simulators such as the StingRay device. Wi-Fi and Bluetooth signals can also be used to monitor phones. Some