In late July, an investigation known as Project Pegasus alleged widespread spying by multiple states using the Pegasus spyware. The report was conducted by Paris-based media non-profit Forbidden Stories, in collaboration with Amnesty International and a host of journalists and news organizations. Based on leaked data, it revealed a list of around 50,000 phone numbers, which are alleged to have been targeted by governments using Pegasus.
Pegasus is likely the most sophisticated tool of surveillance ever developed. With just a single text, it can bypass a phone’s security, granting complete access to the device. It can access every message ever sent or received, every photo, every video, every email. Once infected, a phone’s microphone can be turned on remotely to listen in on what is happening in the phone’s vicinity. The spyware also allows an infected phone’s camera to be turned on remotely and permits access to GPS (to track a phone’s location) and screen (to track current activity). Crucially, Pegasus can do all of this while remaining virtually undetectable and without ever alerting the attention of the person targeted. The target does not even have to click on a message or an incoming call for Pegasus to successfully infiltrate their phone. Taken together, this arguably amounts to the most invasive form of surveillance imaginable.
Speaking to the Guardian, investigative reporter David Pegg, who worked with Project Pegasus, put it simply: “Any idea that you had that aspects of your life could be kept private on the mobile phone are wrong.”
“Any idea that you had that aspects of your life could be kept private on the mobile phone are wrong.”
Acclaimed Indian novelist Arundhati Roy described the scandal in even more sinister terms. Given the role phones play in modern life, she wrote, “the revelations of Project Pegasus show that the potential threat of this spyware is more invasive than any previous form of spying or surveillance. It’s like having the love of your life – or worse, having your own brain, including its inaccessible recesses – informing on you.” In other words, if used widely enough, Pegasus has the potential to put an end to individual privacy.
Pegasus primarily attacks a phone by capitalizing on a “zero-day vulnerability” – a security flaw officially unknown to the phone-manufacturer. The spyware is astronomically expensive, allegedly breaking down at hundreds of thousands of US dollars per phone infected.
Pegasus is produced and sold by Israeli surveillance company NSO Group. NSO Group claims that it only sells its products to governments and does so solely for the purpose of assisting them in their fight against terrorism and organized crime. While the company has not revealed which governments it has sold the technology to, its officials claim that all clients are vetted closely to ensure that they are compliant with human rights standards. However, critics are skeptical of this, especially after the Pegasus Project leaks revealed that NSO Group’s clients include states such as Rwanda, Saudi Arabia, Bahrain, and the UAE.
A spokesperson for NSO Group said that the company “will continue to investigate all credible claims of misuse and take appropriate action based on the results of these investigations.” They went on to say that their technology helps to fight terrorism, gun violence, and serious crime. The company further declared that it was on a “life-saving mission…despite any and all continued attempts to discredit it.” Saudi Arabia classifies campaigning for secular democracy as a terrorist offense, so perhaps this is what NSO Group means when it says that its clients only use the technology in the fight against terrorism and organized crime.
The list of clients and targets revealed by the Pegasus Project lays bare the widespread abuse of the spyware. Many whose numbers appear on the list have no connection to criminality. Forensic analysis carried out on some of the phones of those targeted strongly suggests that governments have used Pegasus to surveil actors such as journalists, political opponents, and pro-democracy activists.
One of the countries at the center of this storm is Morocco. According to analysis by University of Toronto’s Citizen Lab, which tracks hacking activities, Pegasus was used by the Moroccan secret service to target Moroccan, French, and Algerian numbers. It is alleged that, like other states, Morocco used Pegasus to advance its geostrategic interests by surveilling targets that the government regards as a potential threat to those interests.
It is alleged that Morocco used Pegasus to advance its geostrategic interests by surveilling targets that the country regards as a potential threat.
In late July, Le Monde reported that former French Prime Minister Edouard Philippe and 14 ministers had been targeted in 2019 by actors using Pegasus, based on investigations by cybersecurity firm LookOut. The most serious accusation made in the Le Monde report was that French President Emmanuel Macron’s phone may also have been targeted with Pegasus software. However, experts have not yet been able to analyze Macron’s phone in order to confirm this. Le Monde’s report claimed that one of Macron’s phone numbers, which he has used regularly since 2017, appears on the list of numbers selected by Morocco’s intelligence service as a potential target. Macron himself responded by calling the accusations extremely serious and saying that they would be investigated.
French prosecutors have launched a probe into the alleged hacking of the phones of French journalists and political officials by the Moroccan authorities. The investigation was triggered after a complaint by news website Mediapart, which claimed that two of its journalists had been spied upon by Moroccan intelligence. Mediapart tweeted: “The only way to get to the bottom of this is for judicial authorities to carry out an independent investigation on widespread spying organized in France by Morocco.” While Mediapart blamed Morocco for the alleged spying, the Paris prosecutor did not mention the North African country by name.
It appears that Morocco’s security forces may have cast an extremely wide net in their search for potential cyber-spying targets. Even a personal number of Morocco’s King, Mohammed VI, appeared on the list of numbers being surveilled, although it is unclear what source had listed it. An NSO spokesperson stated that: “Emmanuel Macron or King Mohammed VI are not and never have been Pegasus targets.”
In a statement, the Moroccan government denied using Pegasus outright and rejected what it called “unfounded and false allegations” on behalf of France. The government also filed a lawsuit against Amnesty International and Forbidden Stories for their role in publishing the list of alleged targets.
The abuse of the Pegasus spyware also potentially puts the Israeli government in hot water, as Israeli law stipulates that the country’s authorities must approve security exports by Israeli firms. It is for this reason that Israel’s Defense Minister Benny Gantz flew to Paris shortly after the story broke to discuss the scandal with French officials. During the visit, President Macron called for Israel’s Prime Minister Naftali Bennett to provide clarifications on the matter.
There is suspicion that the Israeli government may have had knowledge of the abuse of Pegasus.
There is also suspicion that the Israeli government may have had knowledge of the abuse of Pegasus, if not an active role in that abuse. The phone numbers of the individuals targeted by Indian security forces, for example, began to appear on the government’s list around the time that Indian Prime Minister Narendra Modi visited Israel in 2017. The visit prompted the Indian press to wax lyrical about the “bromance” of Modi and the then-Israeli Premier Benjamin Netanyahu, with the pair staging photo-ops such as rolling up their trousers and wading into the sea together.
Regardless of where the blame lies in such matters, the Project Pegasus revelations further weaken the claims of those in power and companies such as NSO Group that these technologies protect the safety of citizens. The identity of those being surveilled strongly suggests that these technologies are not keeping us safe. More than this, the abuse of such technologies represents an extension of government control over the individual and therefore a serious threat to democracy. “One of the impacts is that it makes it much less likely that a dictatorial regime will become a democracy,” David Pegg told the Guardian.
Pegasus has the potential to violate not only the rights of targeted individuals but also all of those with whom they have contact. When used, therefore, its reach grows exponentially – it is a feature, not a bug. NSA whistleblower Edward Snowden has warned that, armed with such technology, those in power will not stop at 50,000 targets. If left unchecked, Pegasus will be put to use in surveilling the world’s population at large.
Arundhati Roy believes that we can only safeguard ourselves against such dangers by radically transforming our relationship with the devices that technologies such as Pegasus need to function. “To cynically dismiss [Pegasus] as a new technological iteration of an age-old game in which rulers have always spied on the ruled would be a serious mistake. This is no ordinary spying. Our mobile phones are our most intimate selves. They have become an extension of our brains and bodies,” she wrote. “We will have to migrate back to a world in which we are not controlled and dominated by our intimate enemy – our mobile phones.”