An international collaboration of 17 major newspapers – including the Washington Post (United States), Guardian (United Kingdom) and Le Monde (France) – has published the first details of a large investigation carried out on NSO, a controversial Israeli company that supplies governments systems for spying on the smartphone activities of terrorists and other criminals. According to the authors of the investigation, the NSO systems in recent years have been used for wider purposes and to spy on journalists, human rights activists and business leaders. Some people linked to the journalist Jamal Khashoggi, for whose murder in 2018 the Saudi regime is suspected, were also spied.
The investigation (“Pegasus Project”) was conducted thanks to a collaboration between the human rights organization Amnesty International and Forbidden Stories, a non-profit journalistic initiative based in Paris. In recent months, the two organizations had come into possession of a list of 50 thousand telephone numbers of countries in which governments often carry out communications surveillance activities, also using the systems developed by NSO. To provide its services in a given country, the company must receive a permit from the Israeli government, but once the software is delivered to the countries that request it, the NSO has limited control over the purposes and methods of use.
At the moment, not much information has been provided on the origin of the list, to protect its sources, nor are there any indications as to who compiled the list of telephone numbers and for what reason. Amnesty International's “Security Lab”, which deals with computer security, conducted an analysis on the list and managed to trace 67 smartphones on which the installation of NSO surveillance systems (spyware) was attempted. From the data collected so far, the laboratory's experts believe that the attacks were successful in 23 cases, while they found evidence that spyware was attempted in another 14 cases.
For the remaining 30 smartphones, the tests did not allow to obtain reliable results, in some cases because the devices had been replaced over the years, compared to what appeared in the list dating back to 2016. The spyware had been installed on both iPhone and smartphone Android, despite both operating systems being developed to reduce the risk of being spied on by unauthorized applications.
The investigations also made it possible to trace the telephone numbers on the list to a thousand people in 50 different countries. Among those involved are members of the Saudi royal family, 65 business executives, 85 human rights activists, 189 journalists and over 600 politicians and government officials. On the list there are also telephone numbers of prime ministers and heads of state.
A newsletter on the damned future of newspapers week. To receive it, write your email address here and press the button below. Having read the information, I agree to send the Newsletter The reporters on the list are part of some of the largest newspapers in the world such as the New York Times, Wall Street Journal, Bloomberg News, Financial Times, Al Jazeera, CNN and Associated Press. However, it is not clear whether some of these have been subjected to spying attempts by individual governments, customers authorized to use NSO technologies such as its Pegasus spyware.
The first versions of Pegasus had been developed around ten years ago by some former components of the Israeli intelligence systems. In a short time NSO had become the reference point in the production of spyware for smartphones, attracting the attention of the secret services of various countries.
Apple and Google, which develop respectively iOS (the operating system of the iPhone) and Android, introduce new features with each update to block the security holes exploited by spyware, but over the years NSO has shown a particular ability in finding alternative ways to continue to spy on devices.
Governments and secret services that use Pegasus send an SMS containing a link to their target's smartphones, usually a fake operator service message or something apparently harmless, which if opened starts the installation of the spyware without the knowledge of whoever received the communication. In recent years, an alternative technique has also been perfected, which allows the installation of the spyware to be started without requiring direct action by the recipient.
Once installed, spyware records and sends everything that happens on the screen, thus making it possible to access app conversations for messages, social networking activities, emails, browsing data, photos and videos. The system can also be used to activate the smartphone's microphone and video camera, in order to carry out environmental wiretapping. The data is then sent to the person who ordered the installation of the spyware, who can thus collect a large amount of information about who is being spied on.
Pegasus' capabilities and NSO's activities had already been the focus of several journalistic inquiries in the past few years, but the new evidence gathered in the latest investigation shows how these systems are used for very different purposes than spying against terrorism and crime. According to the authors of the survey, some governments use these spyware to control journalists and activists, violating their freedoms with serious consequences for their safety.
According to the analyzes carried out by Amnesty International, Pegasus was used to try to spy on two women in close relations with Khashoggi, a journalist who had conducted inquiries and written very harsh editorials against the Saudi royal family in the Washington Post. The smartphone of his partner, Hatice Cengiz, was infected in the days after Khashoggi's killing in Turkey in 2018, by a group of Saudis who dismembered his body. The installation of Pegasus was also attempted on the smartphone of Khashoggi's wife, Hanan Elatr, but it is not clear whether the attempt was successful.
The list includes several thousand telephone numbers attributable to Mexico, one of the first countries to have chosen NSO as its supplier in 2011 for some espionage activities. Among these are the numbers of at least 25 journalists employed in some major newspapers in the country, including Carmen Aristegui, one of the most important investigative journalists in Mexico and a collaborator of CNN. Aristegui mainly deals with corruption and drug cartels and it had been assumed for some time that she had been spied on using Pegasus: the new investigations offer new confirmations to this circumstance, according to Amnesty International experts.
Hungary, India, Morocco and other countries denied using Pegasus, or using the services offered by NSO for purposes other than spying against criminal activities, but without providing many other details.
It is likely that in the coming weeks the 17 newspapers involved in analyzing the data collected by the investigation will publish new information, which could offer new details on the violations or reduce the role and responsibilities of NSO. However, the information circulated so far seems to confirm the extent and scope of online surveillance activities, which emerged in 2013 when Edward Snowden made public many internal documents of the National Security Agency (NSA), the United States intelligence agency involved in a huge online communications control program.
It was those revelations that pushed the largest Internet companies to develop new systems to better protect the privacy of their users, adopting systems to encrypt conversations and make them decryptable only between the devices that send and receive them. These solutions had made wiretapping through the methods previously used by the NSA less simple, increasing the interest of governments in systems like Pegasus, which instead allow them to spy on individual devices directly.
NSO has rejected most of the allegations contained in Pegasus Project, claiming to implement all necessary controls and to the extent possible to prevent its spyware from being used in a way different from the purposes for which they are provided to various customers. At the end of June, NSO had released its own report on the company's “transparency and accountability” in its activities, arguing that these are necessary to combat terrorism and other crimes in the 21st century.
The company says it constantly checks the ways in which its technologies are used and that over time it has terminated contracts with at least five customers, after having ascertained an unauthorized use of its systems. According to a source in the Washington Post, in 2020 NSO would have cut off relations with Saudi Arabia and Dubai, due to problems related to the protection of human rights.