The Pegasus Project
The spyware technology that threatens democracy
Written by Kalyani, Edited by Aadhi
What is Pegasus?
Pegasus is software developed by an Israeli security company called NSO. This software infiltrates your phone or any device, using a vector. The vector carries the software to your device. It starts exporting your data and information to the attacker.
The military-grade spyware was leased by NSO to governments for tracking terrorists and criminals. It was then reportedly used to attempt and successfully hack 37 smartphones belonging to journalists, human rights activists, business executives, and 2 women close to the murdered Saudi Arabian journalist, Jamal Khashoggi.
How is it violating your privacy?
Once hacked into your device, Pegasus has access to all your data. It has more control over the device than the owner. A Pegasus operator can secretly extract chats, photos, emails, and location data, or activate microphones and cameras without a user knowing. They leave behind no tracks and this is called zero-click vulnerability.
What is the Pegasus Project?
The Pegasus Project is a collaborative journalistic investigation into the NSO Group and its clients. Forbidden Stories, a Paris-based nonprofit journalism organization, and Amnesty International had access to a leak of more than 50,000 phone numbers selected as targets by clients of NSO since 2016. Access to the data was then shared with the Guardian and 16 other news organizations, including the Washington Post, Le Monde, Die Zeit, and Süddeutsche Zeitung. More than 80 journalists have worked collaboratively over several months on the investigation, which was coordinated by Forbidden Stories.
Source: Amnesty
NSO’s Response
The company says they police their clients for abuses. In its defence, the company said, “The list is not a list of targets or potential targets of Pegasus. The numbers in the list are not related to the NSO group. Any claim that a name in the list is necessarily related to a Pegasus target or Pegasus potential target is erroneous and false.” It said it may be part of a larger list of numbers that might have been used by NSO Group customers “for other purposes”.
NSO made several statements and has now refused to interact with the media.
Regarding the Jamal Khashoggi case, NSO wrote: Our technology was not associated in any way with the heinous murder of Jamal Khashoggi. This includes listening, monitoring, tracking, or collecting information. We previously investigated this claim, immediately after the heinous murder, which again, is made without validation.
Policing the Use of the Spyware
There are restrictions on the usage of Pegasus and the Israeli government monitors who it sold to. But once it's sold, the system really belongs to the customer. So, how they use it, whether they use it to track terrorism activities or journalists that threaten their system, there's really no one there to monitor that.
Some Cases Related to Pegasus
A client of NSO was sending Mansoor suspicious text messages on his iPhone. When he sent the links to researchers at Citizen Lab, which is affiliated with the University of Toronto, it found the link was infected with malware made by the Israeli company. Clicking it would have turned Mansoor’s phone into a “digital spy in his pocket”, tracking his movements and listening to his calls. Within a year of the discovery, security forces raided Mansoor’s home and arrested him. A report by Human Rights Watch found Mansoor – a father of four who has been described as a poet and an engineer – spent years in an isolation cell following his arrest. His “crimes” included WhatsApp exchanges with human rights organizations.
In the years since commandos dragged Princess Latifa, a daughter of Dubai’s ruler, from her getaway yacht in the Indian Ocean in 2018, her friends and associates have wondered how the escape was foiled. A new investigation shows that in the days after she went missing, her phone number and those of friends were added to a list that also includes numbers of phones targeted by the powerful Pegasus spyware. Numbers for the ruler’s estranged wife, Princess Haya, and her legal and security team members were also entered into the list when she fled later to London. The surveillance of the princesses was among the reasons the spyware’s owner, NSO Group, terminated Dubai’s contract, a person familiar with the company’s operations told The Washington Post.
According to an examination of her phone, Jamal Khashoggi’s fiancee, Hatice Cengiz, was hacked using Pegasus by an NSO client – believed to be Saudi Arabia – four days after the journalist was killed by Amnesty International’s security lab. Other friends and associates of the journalist were also hacked or targeted by the company’s clients. Within months of the murder, Saudi Arabia was cut off from NSO, though its access would be reinstated within six months.
The serious implications of Pegasus are that it makes it much less likely that dictatorships turn into democracies. Systems and regimes are already obsessed with controlling and containing their people. The people are monitored to prevent overthrowing or uprisings. This technology further increases the capacity to do so. This project exposes that a lot of these technologies designed to protect us and keep us safe, are not really keeping us safe. In truth, they abuse a lot of our human rights.
Sources: BBC - Amnesty International - Washington Post - Reuters