Spyware sold for use in anti-terror investigations is being misused to watch journalists, academics and politicians across the world, according to a report by The Guardian and partner organisations.
NSO Group, based in Israel, is thought to sell the spyware to multiple countries, including Azerbaijan, Bahrain, Saudi Arabia, India and the United Arab Emirates. It allows a user to read data from smartphones and spy via their microphones and cameras. The software, called Pegasus, uses vulnerabilities in smartphone and social media source code.
Technology firms that make these phones and social media platforms are now embroiled in a long-running legal battle with NSO to prevent the hacking of their platforms – but can unmonitored, unregulated state surveillance be stopped?
WhatsApp and Facebook, its parent company, first filed a lawsuit in California in 2019 alleging that NSO had hacked into its servers to infect 1400 phones belonging to WhatsApp users, arguing that it was a violation of the US Computer Fraud and Abuse Act (CFAA). NSO said that it should have “sovereign immunity” because it sells to non-US governments, an argument that was dismissed in December 2020 and that the firm is appealing.
WhatsApp now wants a permanent injunction stopping NSO from attempting to gain access to its systems. The success of the case rests on whether NSO is considered to be hacking into systems or if that is being done by the users of its software. Taking legal action against governments would be a far more difficult proposition. Microsoft, Cisco, GitHub, Google, LinkedIn, VMWare and the Internet Association have now all joined the court case.
Pegasus can use SMS, WhatsApp and iMessage to infect a phone and harvest messages, emails, contacts, GPS data, calendars, photos and videos stored on a phone. It can also activate the microphone and camera to surreptitiously record the owner’s surroundings.
The case is making fresh headlines following an investigation by The Guardian and Forbidden Stories, which claims to have a leaked list of 50,000 phone numbers based across 45 countries that were selected for surveillance by Pegasus’s many users, showing that the tool is being used to monitor journalists, political opponents and campaigners as well as being used for anti-terror or serious crime investigations.
NSO, founded by former Israeli state surveillance operators, has been caught up in similar stories before. Last year, researchers claimed that Pegasus had been used by at least two state agencies to hack the phones of journalists at Al Jazeera and Al Araby TV. In 2018, Amnesty International claimed that NSO software had been used to target its staff. And in 2017, it emerged that Mexico had been using the software to target journalists and their families. Its use was also suspected in the hacking of Amazon founder Jeff Bezos’s phone.
Ron Deibert at the University of Toronto in Canada leads a research group that investigates and publicises the use of surveillance software such as Pegasus. He says that if his small team can uncover details about how NSO customers are using the tool, the company itself should easily be able to do the same.
“Litigation may be one of the most immediate ways to rein in the excesses of the poorly regulated global spyware marketplace,” he says. “Should litigation succeed and bring real financial penalties to companies like NSO, then the industry as a whole may be incentivised to better control to whom they are selling and how it is being deployed.”
Alan Woodward at the University of Surrey, UK, says there is vast profit to be made in finding new ways to exploit software weaknesses, packaging them up and selling them as widely as possible. Unfortunately, once the software is in the hands of a state, it can be targeted at anyone the state sees fit with little oversight.
Woodward says that the customers tend to be governments that don’t have their own offensive cyber capability and that phone manufacturers and social media companies are engaged in a cat-and-mouse game in which exploits are found but then patched. Often these exploits will continue to be useful for some targets because owners don’t update their software with the new patches.
Neil Brown at UK law firm decoded.legal says the issue is a “groundbreaking” and complex legal problem with no obvious solution. Even if the lawsuit against NSO Group is successful, it is unlikely that the practice will be stopped because there are several other companies offering similar services.
Italian company Hacking Team itself suffered a data leak in 2015 revealing that its client list for a similar product to Pegasus included the CIA, the Lebanese Armed Forces and even the bank Barclays. Stopping the practice may require legislation, but Deibert says this will prove problematic because many states have a vested interest in allowing the hacking to continue, adding that it is an “epidemic of global proportions”.
NSO says that it licenses its products to governments “for the sole purpose of preventing and investigating terror and serious crime”. An NSO Group spokesperson said in a prepared statement that the firm denied that its products were being misused but confirmed that the company would investigate all credible claims of misuse and take appropriate action, such as shutting down access to Pegasus by a state customer – something that it has done “multiple times” in the past. It also denied that the leaked list of phone numbers was a list of targets. The company declined to respond to further questions.
More on these topics: