Recently, Amnesty International and Forbidden Stories, a French journalism nonprofit, obtained a list of 50,000 phone numbers that were potentially targeted by Pegasus, the now infamous spyware created by NSO Group, an Israeli technology firm. Amnesty and Forbidden Stories shared that list with a group of 17 news organizations, and reporters then started tracking down who the numbers belonged to. They identified about 1,000 people by phone number, and more than 60 agreed to hand over their phones for forensic examination. Of those phones, 37 showed some evidence of an attempted or successful hack. They belonged to journalists, human rights activists, two women who were very close to Jamal Khashoggi, the murdered Washington Post columnist. The original list of 50,000—and we don’t know if these people were hacked—included numbers belonging to French President Emmanuel Macron as well as Rahul Gandhi, a very prominent opponent to India’s prime minister.
On Friday’s episode of What Next: TBD, I spoke with John Scott-Railton—a researcher at the University of Toronto’s Citizen Lab who has tracked NSO since 2016—about the dangers of the NSO Group, the vulnerabilities in our technology, and what, if anything, can be done to protect it.
Lizzie O’Leary: How would you describe what it is that NSO does?
John Scott-Railton: At its core, the mercenary spyware industry comes to governments with a pitch. And they say, look, there are people you want to target, but increasingly they’re using encryption. You still want to know what they’re saying. So we have a solution for you. Use our product and hack their telephones. And then you can see anything that they can say, you can do anything that they can do on their phones. And moreover, you can do it silently. Without your victims knowing about it.
And that, it turns out, is dictator catnip. The industry covers itself in the fig leaf of saying that they sell to track terror and criminals. But what they know, and what we all now know, is that their growth model involves selling to authoritarian regimes, who—surprising no one—turn right around and abuse this technology to target their perceived enemies, critics, their family members, whoever else is bothering Mr. Strongman on a Tuesday afternoon.
NSO is pretty tight-lipped about its clients. What do we know about who they are?
NSO’s customer base is, at this point, kind of the familiar set: Gulf countries, the United Arab Emirates, Saudi Arabia. But also, some pretty random small places. For example, there are a lot of NSO targets in Togo who happen to be government critics. Morocco seems to be a profligate user as well. It appears that they’ve tried to sell to various places in West Africa. What’s interesting about this customer base is that it’s mostly authoritarian regimes.
If your phone’s infected with Pegasus, what can someone surveilling you see?
As soon as your phone is infected, the Pegasus operator can see whatever you see. They can see your encrypted chats. They can see the messages you send. They can see the pictures you take of your friends and yourself. They can read your notes to yourself, look at your web browsing. They can even activate the camera and microphone and listen in, from your pocket, to the room that you’re in. It’s incredibly invasive stuff.
Considering the recent news that found 50,000 phones were potentially targeted by Pegasus software, do you feel validated that you’ve been warning about this stuff for years? Or was the scope of that even beyond what your research has hinted at?
This is the horrible thing that we’ve been trying to warn people about. Here it is. This is exactly what you could expect.
It’s common for government customers of spyware companies to use this not as a criminal investigative tool, but as a leg up into the intelligence game. It should be no surprise. Everybody wants to be able to do some sort of signals intelligence. It’s just that many states can’t. I like to call this guerilla signals intelligence. It’s no surprise that heads of state and other prominent powerful people are targeted. It would be a bigger surprise if they weren’t.
There are the obvious reasons an autocratic government might want to hack a phone. To track critics, see what they’re saying, spy on them. But is there something more intangible that just the fear of tracking can instill?
Most authoritarians and strongmen rulers use fear and censorship as the glue to hold their Mad Max constructions of states together. And I really believe that spyware and the threat of it, the threat of being able to just completely dig into somebody’s personal life and rout around through it for something to harm them, is a new tool for authoritarians. And they all want it. They love the idea of being able to threaten people—across borders—with this possibility.
One thing that’s pretty striking to me in this reporting is just how vulnerable people’s phones were, including iPhones. Apple has made such a big deal about security and privacy protections. I mean, that is sort of how they market themselves. I wonder what that says to you about how secure those devices actually are.
There is a never-ending arms race between people trying to find their ways in, and platforms and operating system developers and companies like Apple trying to shut them out. What makes players like NSO so tricky is that they spend huge amounts of time, and effort, money, and resources, just looking for the next hole in an iPhone or an Android device. Unless the companies are really actively tracking these groups, these groups will always have a way around whatever even the most current security protection is.
We have to nuance our conversation about security away from the idea that there’s a device that you can buy that will just be perfectly secure and that will insulate you from this kind of hack, and toward something that looks more like, OK, so when a company learns about a bad thing being done to their users, what do they do about it? What’s interesting is that in recent years, WhatsApp, Facebook, Microsoft, Google have become increasingly muscular and public in the way that they’re not only calling out some of the mercenary groups that are doing this, but in the case of WhatsApp and Facebook, actually going after them in U.S. courts. They’re suing them. And that, to me, is a really good signal that the spyware industry has stepped over a lot of lines at this point, and big tech sees them as a threat to their business and as a threat to the privacy of their users and their reputations.
How then, even if you’re a user, do you fight—or even know about—an attack where you don’t have to click on something? Here, we’re talking about stuff where phones are attacked without the user’s knowledge.
Nothing. There’s nothing you could do. You can be perfect and still get hacked. What’s interesting about Pegasus and NSO and the whole industry is that they’re really moving toward a model where they can compromise a phone without any behavior required on the part of the victim. And it just means that users are there, naked and twisting in the digital wind. And right now, it’s a situation where it touches everybody. Which means unlike the situation which is often true with cybersecurity, where only people who can’t pay for certain kinds of support are vulnerable, here, 10 prime ministers, three presidents, and a king can’t be wrong. Everyone seems to be vulnerable right now.
Well, if there’s something that I can’t do that’s going to fix this thing, is there something that Apple or Google could do at the level of their security?
Yes. There is. One of the problems that tech always has is when a threat actor is in a country where they’re not susceptible to the usual consequences, like Russia or Iran, you have to figure out some other way to limit the damage that this group does to your users and to your security. In this case, NSO, for too long, appears to have a pretty free hand and is basically skidding along without much consequence.
I think the other half of this is that companies need to put their research where their mouth is. If they’re going to promise their users security, they have to be able to say, yep, we’re investing a lot of money, we have people who spend their days thinking about nothing but what the commercial spyware industry is doing and trying to anticipate their next move, and protecting our users from it. That also means that those companies have to be regularly working with government and saying, look, we have a problem, we need to use your channels, or help us find some accountability or use diplomatic channels to get this thing to stop. Because right now it is totally out of control.
Why should the average person care about Pegasus and the mercenary spyware industry in general?
It is hard to explain, in ways that are simple, certain kinds of harm. And it’s hard to show them. It’s like climate change, right? People want to see it. And one of the things that’s powerful about this Forbidden Stories/Amnesty work is that they see harm. They see people who are victims. They see people who are targets. Now, it may be the case that they see people who they don’t know, right? Most people are not going to personally know any of these targets. But the thing is, you don’t know if that’s going to be true tomorrow. The holy grail of NSO and the mercenary spyware industry is to get into the U.S. marketplace. And I don’t just mean selling to the FBI. I mean selling to local cops.
Does their technology work on U.S. phones?
They have said that their technology does not allow foreign customers to target U.S. phone numbers. They have also spent years pitching their tech to U.S. police departments. Presumably there’s just a switch they could flick, right? If they’re going to sell this to a U.S. police department, they’re obviously going to sell them the capacity to target a U.S. number. There’s no magic in the DNA of Pegasus that prevents that.
Ten years ago, people were just beginning to report on the industry. And it was hard to get people to care. Because the victims didn’t look like them, and they didn’t live in their countries. With each cycle of this, the victims look more and more like them, and are increasingly likely to be in their country. This shockwave of surveillance is going to end up, literally, at our collective doorsteps. And we need to figure out how to slow this industry down before it does.