What the latest Pegasus spyware leaks tell us
New documents show journalists and activists are being surveilled using the tools built by secretive Israeli security company NSO.
Over the weekend, a consortium of international news outlets published their findings from an investigation into the use of Pegasus, the marquee spyware product of the secretive billion-dollar Israeli surveillance company NSO Group.
The reports from the Guardian, the Washington Post, and 15 other media organizations are based on a leak of tens of thousands of phone numbers that appear to have been targeted by Pegasus. While the devices associated with the numbers on the list were not necessarily infected with the spyware, the outlets were able to use the data to establish that journalists and activists in many countries were targeted—and in some cases successfully hacked.
The leaks indicate the scope of what cybersecurity reporters and experts have said for years: that while NSO Group claims its spyware is designed to target criminals and terrorists, its actual applications are much more broad. (The company released a statement in response to the investigation, denying that its data was leaked, and that any of the resulting reporting was true.)
My colleague Patrick Howell O’Neill has been reporting for some time on claims against NSO Group, which “has been linked to cases including the murder of Saudi journalist Jamal Khashoggi, the targeting of scientists and campaigners pushing for political reform in Mexico, and Spanish government surveillance of Catalan separatist politicians,” he wrote in August 2020. In the past, NSO has denied these accusations, but it has also more broadly argued that it can’t be held responsible if governments misuse the technology it sells them.
The company’s central argument, we wrote at the time, is one “that is common among weapons manufacturers.” Namely: “The company is the creator of a technology that governments use, but it doesn’t attack anyone itself, so it can’t be held responsible.”
Leaks are an important tool for understanding the way Pegasus is used, in part because it is so hard for researchers to spot the software when it is on devices. In March, one researcher at the cybersecurity watchdog Citizen Lab—which has focused on studying the software—explained how Apple’s high security measures had allowed NSO to breach iPhone security but block investigators.
“It’s a double-edged sword,” said Bill Marczak, a senior researcher at Citizen Lab. “You’re going to keep out a lot of the riffraff by making it harder to break iPhones. But the 1% of top hackers are going to find a way in, and once they’re inside, the impenetrable fortress of the iPhone protects them.”
It is not the first time NSO has found itself embroiled in controversy. Facebook is currently suing the company over allegations that Pegasus manipulated the infrastructure of WhatsApp to infect more than 1,400 cell phones. Facebook has said in court documents that its own investigation has identified more than 100 human rights defenders, journalists, and public figures targeted by Pegasus.
Last August, NSO Group CEO and cofounder Shalev Hulio told MIT Technology Review that he knew his company had “been accused, with good reason, of not being transparent enough,” and that his industry should be held more accountable for its secrecy, particularly as its methods become harder to detect by outside watchdogs and researchers.
As the Post notes, NSO Group does not provide details on its clients, citing confidentiality. Two weeks ago, the company released its first “Transparency and Accountability Report,” where it revealed that it has 60 clients in 40 countries. Most of the clients are intelligence agencies or law enforcement.
Learning to code isn’t enough
Historically, learn-to-code efforts have provided opportunities for the few, but new efforts are aiming to be inclusive.
IBM wants to build a 100,000-qubit quantum computer
The company wants to make large-scale quantum computers a reality within just 10 years.
The inside story of New York City’s 34-year-old social network, ECHO
Stacy Horn set out to create something new and very New York. She didn’t expect it to last so long.
Delivering a quantum future
Innovations require engineering breakthroughs and focus on real computational problems.
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.