Politics Foreign Affairs Culture Fellows Program

Pegasus And ‘The End Of Privacy’

Biggest electronic spying scandal since Snowden revelations shakes the globe
Screen Shot 2021-07-20 at 2.40.29 AM

Very big news in Europe right now:

A leak of phone data suggests human rights lawyers, activists and dissidents across the globe were selected as possible candidates for invasive surveillance through their phones.

Their mobile phone numbers appeared in leaked records, indicating they were selected prior to possible surveillance targeting by governmental clients of the Israeli company NSO Group, which developed the Pegasus spyware.

The records were obtained by the nonprofit organisation Forbidden Stories and shared with a consortium of media outlets including the Guardian.

NSO has repeatedly said Pegasus, which can access all data on a target’s device as well as turn it into an audio or video recorder, is meant for use only against terrorists and serious criminals.

The selection of activists, dissidents and journalists by NSO clients paints a very different picture, though one that campaigners will say was grimly predictable given the tool has been sold to some of the world’s most repressive regimes.

Take a look at this short Guardian explainer — it’s absolutely chilling. The reporter says that this software means the end of privacy for anyone targeted by it:

Countries in Africa, Asia, Central America took part. Also, I deeply regret to say, Hungary:

In Hungary, where Viktor Orbán’s government stands accused of using NSO’s hacking software against journalists, opposition MPs said they would convene an extraordinary meeting of parliament’s national security committee to discuss the allegations.

“If any part of this is true, even half of it, it’s one of the deepest national security scandals I have seen,” said opposition MP Péter Ungár, who sits on the committee.

In response, Hungary’s deputy prime minister, Katalin Novák, said she “would not like to comment on press rumours”, while the foreign minister, Péter Szijjártó, said Hungarian foreign intelligence did not use Pegasus, and he was “not aware” as to whether domestic agencies used it.

European leaders also voiced anxiety about the deployment of NSO in Europe, with one calling for MEPs to hold their own inquiry. “No more ‘deeply concerned’… the EU has a dictatorship growing inside of it,” wrote the MEP, former Belgian prime minister and longtime Orbán critic, Guy Verhofstadt, on Twitter, in response to the Pegasus project allegations. “We need a full inquiry by the European parliament!”

“Freedom of the press is a core value of the European Union,” said the European Commission chief, Ursula von der Leyen, on Monday while on a visit to Prague. She said if the allegations were true, “it is completely unacceptable”.

This is terrible news for a couple of reasons. First, if true, it’s awful on its face: no government should be doing this, and certainly not a government in a free country like Hungary. Period. Full stop.

Second, the Orban government did not need this scandal at this moment, with a difficult election on the horizon, and while it’s under pressure from the EU for its entirely defensible law governing sex and sexuality information to minors.

Here is a clip (translated via Google) from a Czech investigative website, interviewing a Hungarian journalist who was allegedly spied on by his government using Pegasus:

We have published an article on how different governments are tapping mobile phones around the world. It involved fifty countries. You were one of the victims. Why you?

First of all, I would like to emphasize that there were more than one hundred and eighty journalists who were identified as victims of surveillance and wiretapping. In my case, we can talk about happiness, because my observation was not followed by any imprisonment or physical harassment. I’m really grateful for that. I read stories about what happened to other journalists who were followed by more drastic methods or ended up in prison.

Years ago, I received a ” friendly warning ” that I could be monitored from time to time because I was dealing with sensitive topics and writing articles that the government did not like. Someone in Hungary seems to have targeted me and marked me as a target for Pegasus spyware tracking.

It is quite obvious that this happened because of my journalistic work. There is also evidence that the same tracking program was used on my Direkt colleague András Szabo. Which means that the results of our investigative work have attracted the attention of someone of high rank.

You mentioned that you received several friendly warnings from your sources. Do you know exactly when the monitoring took place?

I received several types of warnings. At the end of 2015, my closest friend, colleague and very good journalist was long blackmailed by the Hungarian secret services. They were trying to find some dirt on him that they could use to blackmail. They wanted him to work with them and divulge his resources. Which he refused and he managed to stop the pressure. That was in 2015 and 2016. Since I was a close friend of mine, I believe I was also part of this monitoring.

In the following years, there were cases where I was to meet, for example, a government source, and he sent me a message through an intermediary that we would not meet, because I was being watched and he did not want to be compromised by this meeting. Or I got a friendly warning that I should watch my phone. It even happened that my source told me that the Hungarian government can hack encrypted applications such as Signal. Only now do I really know what these reports meant. They came at a time when I was actually being watched using Pegasus software. It seemed ridiculous to me then. I didn’t know if it was true or if my sources were just very paranoid.

Your sources warned you, but didn’t you think that someone could break the encrypted Signal? 

Yes, I’m not a very technical type. (laughs) I admire people who understand technology. But what these people told me was that the only way to compromise any correspondence on the encrypted channel was to hack the terminal. And the end device was supposed to be my cell phone, which I always had with me. Therefore, I did not click on any suspicious links. Now I know it’s not enough that in the case of Pegasus software, I can’t really do anything for my safety.

More from the Czech source, on how Pegasus works:

Although the Pegasus project revealed the unfair practices of the NSO Group, it presents only one of the many players in the field of surveillance and spy technology. However, based on an annual profit of around a quarter of a billion US dollars and more than 700 employees, the company can be said to be one of the largest in this field. It was founded in 2010 by two friends with the aim of providing a paid service or hacking into mobile phones for money.

As with most private companies producing spy software, the most significant currency of the NSO Group is the

so-called “zero-day exploits” – ie finding errors in the operating program of phones or applications through which it can be hacked into the phone. Pegasus and similar spy technologies are extremely effective precisely because the phone attacks unnoticed without its user having to click on a link, for example.

It is these tools that provide governments with a way around bypassing applications specifically designed for secure, encrypted communications, such as Signal or WhatsApp, that should prevent surveillance. However, as soon as the spy software gets into the phone, the customer gets access to these – normally normally secure – applications and, of course, to all other data – e-mails, photos, contacts, or even individual keystrokes. In addition, the phones have microphones and cameras that the Pegasus can freely turn on and off, making them de facto remote control recorders.

“If you want to break into encrypted communication, all you have to do is on one side, either the recipient or the sender,” explains Claudio Guarnieri, head of Amnesty International’s Security Lab technology center. And that’s exactly what Pegasus is doing. “A Pegasus can do more with a device than its own user. For example, when Signal encrypts messages, a third party can use the microphone to record or take screenshots so that the conversation can be read by someone later.

The model used by the NSO Group is so successful because the company retains a plethora of various errors and gaps in the code of mobile applications – so as soon as the application or phone manufacturer (Apple, Google, etc.) corrects the error, the company responds immediately by using other errors or using other “zero-day exploits”. In this way, companies producing spy technology always stay one step ahead of large technology companies. According to Guarnieri, such a company has a team of professionals who specifically search for systems and application vulnerabilities. In addition, various externs often work with companies, looking for potential security gaps on their own and then selling their discoveries.

Again, this has been happening all over the world. Not, so far as we know, in America — but that doesn’t mean America has nothing to do with it. From the Washington Post:

The company’s attempts to secure U.S. contracts appear to have been unsuccessful, with federal and local law enforcement agency representatives saying in emails and interviews that they balked at its Pegasus spyware tool’s million-dollar price tag.

But an influential network of Washington consultants, lawyers, lobbyists and other prominent personalities have earned money from the company, its parent company or its founders, a Washington Post review of government and company filings shows. Those beneficiaries include some of the most powerful members of the Obama, Trump and Biden administrations.

Among those who’ve received payments from NSO or related companies are former chiefs of the Homeland Security and Justice departments, as well as Washington’s most prestigious law and public-relations firms, the public filings show.

These political heavyweights have defended NSO’s spy tool as an invaluable weapon against terrorists and human traffickers, and they have worked to soften the public image of a company accused in a federal lawsuit of helping spy on allies of Washington Post contributing columnist Jamal Khashoggi before his grisly murder in 2018. Reuters reported last year that FBI agents were investigating NSO’s role in targeting Americans, though the FBI has not confirmed that report. The agency declined to comment for this article.

In a statement to The Post, NSO said it had retained “top U.S. counsels” to help support its “life-saving mission” but declined to name its government customers or answer questions about its pursuit of contracts inside the United States.

The company said its “products, sold to vetted foreign governments, cannot be used to conduct cybersurveillance within the United States, and no foreign customer has ever been granted technology that would enable them to access phones with U.S. numbers.”

NSO, however, continues to look for opportunities in the United States. In Justice Department foreign-agent filings last month, the law firm Pillsbury Winthrop Shaw Pittman said it had signed a six-month contract, at $75,000 a month, to advise NSO on “potential business partners,” “U.S. government procurement regulations” and “assistance with education of government officials about NSO’s technology.” Two law firm employees on the account, Brian Finch and Nicole Steinberg, advise clients on the Safety Act, a DHS program offering “liability protections to sellers of qualified anti-terrorism technologies.” The firm and the two attorneys did not respond to requests for comment.

These people should be driven out of business. But you know they won’t be. Let’s keep in mind that according to the Snowden revelations, the US Government’s National Security Agency already has the capability to do what Pegasus does. Pegasus makes that capability available to anyone who buys its software. It is an incredibly destabilizing technology.

Meanwhile, there is related news about the US Government’s spying on dissidents:

The Pentagon is reportedly working with an extremism analysis company that considers the web search “the truth about Black Lives Matter” and others to be signs of interest in or engagement with White supremacism.

According to Defense One, the contractor Moonshot CVE, which has ties to the Obama Foundation, is working on data that would identify which military bases and branches have the most troops searching for domestic extremist content. While that particular project’s contours are unclear, the company previously released a June report, in conjunction with the left-leaning Anti-Defamation League, on purported “White supremacy trends in the United States.”

In it, the U.K.-based company said it “monitored a list of almost 1,600 indicators of interest in or engagement with White supremacism, focused specifically on anti-Black and anti-Semitic narratives being used by extremist groups.”

As examples, it listed the search phrases “George Floyd deserved to die,” “Jews will not replace us” and “the truth about black lives matter.”

For “the truth about black lives matter,” the group said: “This search suggests that the BLM movement has nefarious motives, and is a disinformation narrative perpetuated by White supremacist groups to weaponize anti-BLM sentiment.”

You got that? To suspect that Black Lives Matter has “nefarious motives” is to signal to the Pentagon that you might be a white supremacist. More:

It’s unclear why the Pentagon chose a U.K.-based company for monitoring purported U.S. extremism. The Center for Security Policy raised concerns about the company in an article last month in which it highlighted how Moonshot CEO Vidhya Ramalingam served as a leader in the Obama Foundation’s Europe program.

She also participated in a panel hosted by the highly controversial Southern Poverty Law Center and has ties to other left-leaning organizations. As the Center for Security Policy notes, she authored a paper that acknowledged financial support from Open Society Foundation, the group founded by liberal billionaire George Soros.

This is the excuse every snoop uses: that they’re doing it for the Good.

Congress should pass a law immediately banning the sale of Pegasus software in the US, or by any US-based entity, private or public. However, I don’t think they will do it. Too many powerful interests, both left and right, wanting that Ring of Power, certain that they would use it for the Good.

Like I’ve been saying, we have to prepare to live under a soft totalitarian regime. It seems inevitable to me. In a polarized society, all you have to do is convince half the country that this technology is necessary to protect the Good People from the Bad People. I mean, look, nothing is fated, but if Snowden’s revelations didn’t marshal the public to stop this stuff, what will?

UPDATE: Everybody I’ve talked to today — Hungarians, I mean — are talking about Pegasus. Most people seem totally blasé about it: they assume that it’s true, but they assume that their government has been doing this all along, and that most governments do. I have to admit that I think it’s more likely than not that the US Government does something like this. We know it has the capability. If it doesn’t do it now as part of “protecting” America from “domestic terrorists,” it soon will.

I was just having lunch with a journalist visiting from another EU country. He said that a decade ago, a close friend who was at the time a very senior intelligence official in his country, warned him not to ever get a smartphone. Ever. He said if you have a smartphone, and do business on it, you should assume it has been compromised.

I notice in the comments some of you seem to have the idea that I must have been shocked into not favoring Orban’s government because of this. Not true. There are threats against Hungary, and against our civilization, that are more significant than this Pegasus thing. Orban is on the right side of those issues. He’s on the wrong side of Pegasus, but I am far less worried about Viktor Orban than I am about George Soros and Ursula von der Leyen. In other news, I can walk and chew gum at the same time.



Want to join the conversation?

Subscribe for as little as $5/mo to start commenting on Rod’s blog.

Join Now